
Exploiting Blind Sql Injections

• Use differences in the web application's output to tell whether a condition is true or false (the condition tests a value we are trying to recover from the SQL database, e.g. "is the first letter of the password 'b'?").

Tell a true condition from a false condition in the output:

Extract the database version one character at a time with the substring() function:

So, what's the first character? Is it 0?


No, it is not (the output shows the false condition);

We increment the candidate and find that the first character of the version string is 5, as the output shows the true condition:

→ this can be done much faster with the eLearnSecurity script blind2.sh:

note: the special characters are escaped with a backslash to stop bash interpreting them;
note: the payload is hardcoded in the script;
note: the script iterates through and finds the details for you, but you have to set the maximum length you are looking for, e.g. 20:
improve the script to accept the query on the command line: blind3.sh:

a MySQL database was revealed earlier, so let's use MySQL functions:

→ enclose the payload in double quotes to prevent bash from treating user() as a function definition;

→ check current database with database() function:

Use cheat sheets to find specific payloads;


e.g. take a “list tables” query and customize it to work with our script:

then modify it to select just the table_name field and limit the result to the first record with a LIMIT clause:

which shows the first table is “accounts”;

then update the LIMIT clause to display the second table name: from 0,1 → 1,1;

etc.

Now, with the table names, extract information about the columns (limiting the query to the first result with 0,1):

the first column is “USERNAME”

now get the second column (don't forget to update the limit to 1,1), and so on for the remaining columns.

Now create a payload to extract username and password pairs (i.e. data dumping) using the MySQL concat() function:

SQL Injection basics:

e.g. a simple page where people can upload their selfies:

if you click on a picture it takes you to another page with an “id=” parameter. E.g. let's click on the dog:
id=2230

replacing the value with id=' generates an error, which also reveals we are dealing with a MySQL database:

let's try an always-true condition, which should show the dog again, since it's a true condition:

now let's try an always-false condition, which should return no result:

behind the scenes, we can imagine the SQL query is something like the following (for the always-true condition):
and behind the scenes for the always-false query:
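To make the "behind the scenes" query concrete, here is an added example (not the course's lab code) that rebuilds a toy version of the picture lookup in SQLite: the concatenated query reacts to the true/false probes and to the stray quote exactly as the notes describe, while the parameterized version treats the same input as a plain id value. The table, its rows and the function names are constructed; SQLite's substr()/sqlite_version() stand in for MySQL's substring()/version().

```python
import sqlite3


def make_db():
    """Constructed stand-in for the picture table behind the 'id=' page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pictures VALUES (?, ?)",
                     [(2229, "cat"), (2230, "dog")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The query the notes imagine: the parameter is pasted into the SQL text,
    so 'and 1=1' / 'and 1=2' become part of the WHERE clause.
    Returns the matching names, or the database error text when the SQL breaks."""
    sql = "SELECT name FROM pictures WHERE id = " + user_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)   # what the page sees for id='


def lookup_parameterized(conn, user_id):
    """Hardened form: check the type, then bind the value. The driver passes it
    as data, so no part of the input is ever parsed as SQL."""
    try:
        value = int(user_id)
    except ValueError:
        return []                     # not an id: no row, and no error text leaks
    rows = conn.execute("SELECT name FROM pictures WHERE id = ?", (value,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probes = ["2230", "'", "2230 and 1=1", "2230 and 1=2",
              "2230 and substr(sqlite_version(),1,1)='3'"]
    for probe in probes:
        print(repr(probe), "->", lookup_vulnerable(db, probe),
              "| parameterized:", lookup_parameterized(db, probe))
```

The last probe is the page's version-extraction test: on the concatenated query it returns the dog (true), on the bound query it returns nothing, so an attacker gets no true/false signal to work with.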

let's use SQLMap to extract data from the database:

e.g. basic usage:

get database banner:

let's enumerate tables:


now enumerate the columns of the table(s) of interest:

now dump the data, which may include password hashes, etc.


More SQLMap stuff:

→ manually test sql injections with always true and always false queries:
→ then union select queries:

→ here we get an error, which could be because the table has a different number of columns than we injected;
→ so keep adding fields until the error goes away:

→ union-based SQL injections are quicker to exploit than boolean-based SQL injections;

→ -p indicates the parameter to inject; --technique=U tells SQLMap to use the UNION select injection technique; most of the time SQLMap can figure out the best technique by itself, but this helps ensure we eliminate any unnecessary noise that could be detected;

→ now verify we can grab the banner of the db:

→ now find out what query sqlmap used to obtain the banner:

→ the payload sqlmap used to extract the banner:

→ enumerate users:

→ list which databases exist:


Now enumerate tables in “blogdb” database:

Found “users” table, now enumerate columns:

Now dump the username and password columns:

Can also do SQL injection tests from Burp:


“true” returns three new headers in the response:

let's see what “false” returns: the output is different, so we can distinguish between true and false;
note it's a good idea to try multiple SQL true/false tests, just to confirm;

now move to sqlmap and exploit this SQL vuln: note it's different from the other example, since we can't exploit the injection from the URL bar like in the one above; we're also using the “Boolean” technique this time and not “Union select”; -p tells sqlmap to inject SQL into the user parameter;

now enumerate databases:

and then do the same as the above: tables, columns, data dumps.

--flush-session deletes the saved session info and lets us start afresh;