In Chapter 6, Exploitation – Low Hanging Fruits, we exploited an error-based SQL Injection and now we will identify and exploit a Blind SQL Injection using Burp Suite's Intruder as our main tool.
http://192.168.56.102/WebGoat
and log in with webgoat
as both the username and password.101
as the account number and click Go!.1011
.Up to now, we have seen the behavior of the application, it only tells us if the account number is valid or not.
101 and 1=1
.101 and 1=2
.It looks like we have a blind injection here, injecting true statement results into a valid account, with a false one the Invalid account number message appears.
101 AND 1=char_length(current_user)
1
after the AND
, as shown:We need to make this change in every intruder tab we use for this attack.
We need to make this change in every intruder tab we use for this attack.
It found a valid response on the number 2, this means that the username is only two characters long.
101 AND 1=(current_user LIKE 'b%')
.We chose b
as the first letter to get BurpSuite to obtain the request, it could have been any letter.
b
that is the first letter of the name.The first letter of our user name is an S.
101 AND 1=(current_user='Sa')
to the application's textbox and send the request to the intruder.The second character of the name is A so the user of the database that the application uses to make queries is SA. SA means System Administrator in Microsoft's SQL Server databases.
Exploiting a Blind SQL Injection takes up more effort and time than an error-based injection; in this recipe we saw how to obtain the name of the user connected to the database while, in the SQLi exploitation in Chapter 6, Exploitation – Low Hanging Fruits, we used a single command to get it.
We could have used a dictionary approach to see if the current user was in a list of names but it would take up much more time and the name might not be in the list anyway.
We initially identified the vulnerability and revealed the messages telling us whether our requests were true or false.
Once we knew there was an injection and what a positive response would look like, we proceeded to ask for the length of the current username, asking the database, is 1 the length of the current username, is it 2, and so on, until the length is discovered. It is useful to know when to stop looking for characters in the username.
After finding the length, we use the same technique to discover the first letter, the LIKE 'b%'
statement tells the SQL interpreter whether or not the first letter is b; the rest doesn't matter, it could be anything (%
is the wildcard character for most SQL implementations). Here, we saw that the first letter was an S. Using the same principle, we found the second character and worked out the name.
This attack could continue by finding out the DBMS and the version being used and then using vendor-specific commands to see if the user has administrative privileges. If they do, you would extract all usernames and passwords, activate remote connections, and many more things besides
One other thing you could try is using SQLMap to exploit this kind of injection.
There is another kind of blind injection, which is the Time-Based Blind SQL Injection, in which we don't have a visual clue whether or not the command was executed (as in valid or invalid account messages); instead, we need to send a sleep
command to the database and, if the response time is slightly longer than the one we sent, then it is a true response. This kind of attack is really slow as it is sometimes necessary to wait even 30 seconds to get just one character. It is very useful to have tools like sqlninja or SQLMap in these situations (https://www.owasp.org/index.php/Blind_SQL_Injection).
18.225.149.238