
Faster blind SQL injection exploitation through parallelized bisection

Here is a small paper about a faster exploitation technique of blind SQL injection vulnerabilities based on a bisection approach.

The idea came after a quick brainstorming session about how to improve blind SQL injection exploitation in Python. After a few benchmarks, we noticed that multi-threading could be a solution to all of our problems. The first improvement that came to mind was to test each bit of a given byte in eight separate threads (this was already done many years ago), but not every DBMS supports it, so it cannot be used as a generic technique. The other way is to use bisection: divide the search space in two and test the middle value against the ASCII code of the character being searched for. If this value is less than or equal to the character's ASCII code, the server answers with a page considered a "True" response; otherwise it answers with a page considered a "False" response. Which page corresponds to which boolean state has to be determined before the injection step begins. This injection technique has a major weakness: since it is an iterative process, it takes time to complete. A lot of time.

We found a way to use multi-threading to improve this exploitation technique so that it runs 40% faster than the classic approach. Theory and practical tests are detailed in the attached paper, and a proof of concept is also provided.
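To make the cost of the iterative process concrete, here is an added simulation (not code from this post or from the attached paper) of the bisection oracle described above. The "server" is replaced by a plain comparison on a constructed secret string, so there is no database and no HTTP involved; the point is to count how many True/False answers each strategy needs per byte, which is also the request volume a defender should expect to see in web logs. The concurrent variant searches independent character positions in parallel with a thread pool; that is an assumption of this simulation, not necessarily the scheme the paper uses, and the bisection of a single byte stays sequential.

```python
"""Constructed simulation of a boolean (True/False) oracle and the bisection
search described in the post. No SQL or network traffic: the oracle answers
directly from a secret string so the number of answers can be counted."""
from concurrent.futures import ThreadPoolExecutor
import threading


class BooleanOracle:
    """Stands in for the "True"/"False" page: answers whether the ASCII code
    of the byte at `pos` is greater than or equal to `value`, i.e. True when
    the tested value is less than or equal to the searched character's code.
    The call counter is locked so concurrent searches count correctly."""

    def __init__(self, secret):
        self._secret = secret.encode("ascii")
        self.calls = 0
        self._lock = threading.Lock()

    def at_least(self, pos, value):
        with self._lock:
            self.calls += 1
        return self._secret[pos] >= value


def bisect_char(oracle, pos, lo=0, hi=255):
    """Recover one byte by halving [lo, hi] on each answer.
    Invariant: lo <= secret[pos] <= hi. Exactly 8 answers for a 256-value
    range, whatever the byte is."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle.at_least(pos, mid):
            lo = mid          # "True" page: the byte is mid or greater
        else:
            hi = mid - 1      # "False" page: the byte is below mid
    return lo


def linear_char(oracle, pos):
    """Naive reference: step upward until the oracle answers False, which
    costs about as many answers as the byte's ASCII value."""
    value = 0
    while value < 255 and oracle.at_least(pos, value + 1):
        value += 1
    return value


def recover(oracle, length, search=bisect_char, workers=1):
    """Recover `length` bytes. With workers > 1 the positions are searched
    concurrently (an assumption of this simulation, not the paper's exact
    scheme); each position's own search remains sequential."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        codes = list(pool.map(lambda p: search(oracle, p), range(length)))
    return bytes(codes).decode("ascii")


def compare_strategies(secret, workers=4):
    """Return (bisection_calls, linear_calls, parallel_ok) for one secret:
    how many oracle answers bisection and the linear scan needed, and
    whether the parallel-across-positions bisection recovered the secret."""
    single = BooleanOracle(secret)
    assert recover(single, len(secret)) == secret
    linear = BooleanOracle(secret)
    assert recover(linear, len(secret), search=linear_char) == secret
    parallel = BooleanOracle(secret)
    parallel_ok = recover(parallel, len(secret), workers=workers) == secret
    return single.calls, linear.calls, parallel_ok


if __name__ == "__main__":
    # "admin" is a constructed sample secret, not data from the post.
    bis, lin, ok = compare_strategies("admin")
    print(f"bisection: {bis} answers, linear: {lin} answers, parallel ok: {ok}")
```

For a 5-byte secret the bisection needs exactly 8 answers per byte (40 in total) regardless of the content, while the linear scan needs roughly one answer per unit of ASCII value (here 526). That fixed 8-per-byte budget is why the technique is slow only in wall-clock terms, not in request count, and why spreading independent positions over threads reduces elapsed time without reducing the number of requests a server-side detector will observe.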