Project Description
Marathon Tool is a POC for using heavy queries to perform a Time-Based Blind SQL Injection attack. This tool is still work in progress but is right now in a very good alpha version to extract information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle Databases.

Application Supported features:

  • Database Schema extraction from SQL Server, Oracle and MySQL
  • Data extraction from Microsoft Access 97/2000/2003/2007 databases
  • Parameter Injection using HTTP GET or POST
  • SSL support
  • HTTP proxy connection available
  • Authentication methods: Anonymous, Basic, Digest and NTLM
  • Variable and value insertion in cookies (Does not support dynamic values)
  • Configuration available an flexible for injections
  • Configurable Log

Reference Links

Configuration Section

This information is entered in the Basic Configuration panel:

  • Engine: Microsoft SQL Server, MySQL or Oracle Database Server. When Microsoft SQL Server is selected, Marathon Tool will, by default, use sys.databases or sysusers tables to construct the heavy queries. If Oracle Database is selected then the tables used by default will be userobjects, allobjects or usertables. If MySQL, then the table configured by default is informationschema.columns. These tables can be changed in the injection options.
  • Target base URL: Web application to test, and connection details. SSL is not supported in this version.
  • Parameters: Can be GET or POST parameters, and can be injectable parameters or not. The application will try to find out heavy queries for all the injectable ones.
  • Cookies: A list of variables and values in the cookie can be configured in this section but this version don´t support dynamic values.
  • Authentication: In this section user credentials can be setup to connect to the web application before start the test. This version supports Basic, Digest and NTLM authentication methods.
  • Proxy: An HTTP proxy can be setup.
  • Start Injection with and End Injection with</i> are used to configure a prefix and/or a suffix value in the injection test.

As it can be seen in Figure, there are several parameters that can be tuned to improve the performance of the tool in the injection options panel:

  • Min heavy query time: This parameter sets the minimal amount of time between a true answer and a false answer. If the difference between the true response time and false response time is lower than this value Marathon tool will keep on looking for a new heavy query. If the tool is being tested in a local network with a very good connection then this value can be small, either the value should be increased.
  • Http request timeout: After this time Marathon Tool resets the http connection assuming this query to be a heavy query.
  • Request tests count: Once the tool detects a true answer it repeats the test to make sure it is due heavy query and not to thefor any other reason.
  • Pause after heavy query: After every heavy query the tool pauses this time. This is due to the fact that a large number of big heavy queries at the same time could result in false positives or in a denial of service attack against the web application.
  • Pause after any query: After every query, no matter if it is a heavy one or not the tool pauses for this amount of time.
  • Minimum joins for queries: This value is the initial number of tables used in the query when the tool is looking for a heavy query.
  • Maximum joins for queries: If the tool hasn’t found a heavy query after constructing a query with this number of tables in join clause then the tool stops.
  • Enable equal sign in selects: To construct the heavy query, depending on the web application, web firewalls or databases, the tool constructs the heavy queries using relational operators or equals operators.
  • Heavy queries tables: These are the tables Marathon Tool will use to construct heavy queries. Depending on the database engine selected the tool selects default ones, but they can be enteredoverriden by the user.

Once the Configuration section is complete and the injection options are configured, Marathon Tool needs to initialize the test. In this initialization test Marathon Tool will look for a valid heavy query in the injectable value to prove the configuration as valid. When it finished the tool can retrieve the schema of the database or the user used in the web application to connect against the database engine.

Database Schema
This section shows the information Marathon Tool has collected from the web application using Time-Based Blind SQL Injection with heavy queries. It is not a quick method for extracting information but in some web applications based in database engines that do not have time-delay functions it could be the only exploitation method available.

Debug Log Section
This panel shows the queries that had been thrown against the web application. It has different detail levels to see all the tests, only the positive answers or only the values Marathon Tool is collecting. This log is a good tool to analyze the behaviour of the web application in the test and it is good for tuning purposes.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s