Types Of SQL Injection Attacks - Blind Based Attacks

Well here we are, the last blog of this series. The last type of SQL injection attack to cover is blind based injection attacks. There are two types of Blind Based injection attacks, Boolean and time based. Let us focus on the Boolean and if the reader finds themselves curious, they can follow the link below how time based attacks work:
https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection

Let's revisit our favorite site:
http://www.site.com/table?column=x

Let's say this site has a table that allows users to order the columns. When navigating to this table, the address changes to:
http://www.site.com/table?order=column

This table contains two creatively named columns:

  1. column
  2. column2
Utilizing our previous attacks (e.g. error and union based attacks) only returns a generic error. It seems our targeted web developers have become a little smarter and are starting to implement error handling for invalid queries. This still doesn't stop us from discovering tables and columns for ex-filtrating data. We can deduce that "order" likely means order by column asc in the sql query. We can inject some sql code here to ask the system some questions. However, how can we get the systems to respond with a yes or no?

Thankfully, SQL consists of flow control which includes IF and CASE expressions. We can assume the query behind the scenes looks like the following below with column getting replaced by the red injection string:

SELECT * FROM table ORDER BY Column
CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1) FROM sys.tables))<=109
THEN column ELSE column2 END

What this query says is if the first letter of the table is m or letter before m , then order by column. If it is false, then the table will order by column2. This midpoint method can be used to find each letter of each table. The injection part can be placed in the address:

http://www.site.com/table?order=CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1) FROM sys.tables))<=109 THEN column ELSE column2 END

The attacker then sits there for 5 days straight without food or drink and increments that substring start position until all letters in that single table have been discovered. Just kidding, this is were automation comes in. In the previous blog, I mentioned SQLMap. Lets take a look at what that may look like on a command line:

root@kali:~# sqlmap.py -u "http://www.site.com/table?order=column" --schema

What it returns, may be:

 Database: <DatabaseName>
Table: table
[2 columns]
+-----------+-------+
| Column   | Type  |
+-----------+-------+
| Column   | char   |
| Column2 | int      |
+-----------+-------+

Phew, thank you SQLMap. More information may be found below:

Hunt, T. (2015, May). Ethical Hacking: SQL Injection. Retrieved from https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection 

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks

The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker. All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are
Read more

Covering Your Tracks - Anti-forensics for the Cloud - Introduction

Image
Before delving into cloud forensics there are some concepts that need to be explained. The cloud consisted of two entities, provider (companies that host cloud technologies) and tenants (companies that use cloud technologies from the providers). The cloud generally consists of three service models:  Infrastructure-as-a-Service (IaaS) where the provider provides the hardware and network. Platform-as-a-Service (PaaS) where the provider provides all the components to a tenant's application. Software-as-a-Service (SaaS) where the provider supplies the software and the components to run it and the tenant uses and at most configures the application. Chris Brenton gives a great overview of the cloud and the challenges it poses in the link below: https://www.sans.org/blog/pen-testing-in-the-cloud/ Surprisingly there is not a lot of coverage out on the web for cloud forensics and this makes sense. Cloud forensics analysts, especially for tenants, may be somewhat limited on acc
Read more

Cross-Site Scripting (XSS) Introduction

Image
  Cross-Site Scripting (XSS) Introduction Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Introduction XSS is an often-overlooked vulnerability. The generic “Hello World” example of XSS (e.g. <script>alert(“XSS”);</script>) is an overly benign example. Once an XSS vulnerability is discovered it becomes possible for attackers to modify the webpage to re-direct users to malicious site, steal a user’s session or cookie, or bypass a log in. Because XSS is such a huge topic, a series will be developed with exploitations to follow. For this blog article, XSS detection will be focused on. Eventually this series will cover JSON, XML, XPath, JQuery, and other typ
Read more