Types Of SQL Injection Attacks - Blind Based Attacks

Well, here we are, the last blog of this series. The last type of SQL injection attack to cover is the blind based injection attack. There are two types of blind based injection attacks: Boolean based and time based. Let us focus on the Boolean type; if the reader finds themselves curious, they can follow the link below to see how time based attacks work:
https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection

Let's revisit our favorite site:
http://www.site.com/table?column=x

Let's say this site has a table that allows users to order the columns. When navigating to this table, the address changes to:
http://www.site.com/table?order=column

This table contains two creatively named columns:

  1. column
  2. column2

Utilizing our previous attacks (e.g. error and union based attacks) only returns a generic error. It seems our targeted web developers have become a little smarter and are starting to implement error handling for invalid queries. This still doesn't stop us from discovering tables and columns for exfiltrating data. We can deduce that "order" likely means ORDER BY column ASC in the SQL query. We can inject some SQL code here to ask the system some questions. However, how can we get the system to respond with a yes or no?

Thankfully, SQL has flow control, which includes IF and CASE expressions. We can assume the query behind the scenes looks like the one below, with column replaced by the injection string (the CASE expression):

SELECT * FROM table ORDER BY
CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1)) FROM sys.tables)<=109
THEN column ELSE column2 END

What this query says is: if the first letter of the table name is m or a letter before m, then order by column. If it is false, then the table will be ordered by column2. This midpoint method can be used to find each letter of each table name. The injection part can be placed in the address:

http://www.site.com/table?order=CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1)) FROM sys.tables)<=109 THEN column ELSE column2 END
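
Seen from the server side, the sort order can answer a yes/no question because the order value is pasted into the ORDER BY clause as SQL text. The following is an added example, not code from the original post: it uses Python's sqlite3 with a constructed items table whose name and qty columns stand in for column and column2 (all assumptions), and shows the vulnerable query builder beside an allow-list version, using only a constant 1=1 / 1=2 condition.

```python
import sqlite3

# Constructed sample data; "items", "name" and "qty" are assumptions that
# stand in for the post's table, column and column2.
ROWS = [("bolt", 1), ("anchor", 3), ("clamp", 2)]
SORT_COLUMNS = {"name": '"name"', "qty": '"qty"'}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, qty INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return db


def list_vulnerable(db, order):
    # Vulnerable: the request value becomes part of the SQL text, so an
    # expression in it is evaluated by the database.
    return db.execute(f"SELECT name, qty FROM items ORDER BY {order}").fetchall()


def list_hardened(db, order, direction="asc"):
    # Identifiers cannot be bound as query parameters, so the request value
    # is only used as a key into fixed allow-lists; anything else is rejected.
    if order not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort option")
    sql = (f"SELECT name, qty FROM items "
           f"ORDER BY {SORT_COLUMNS[order]} {SORT_DIRECTIONS[direction]}")
    return db.execute(sql).fetchall()


def order_depends_on_condition(db):
    # The same CASE shape as in the post, with a constant condition: the
    # row order differs between a true and a false condition, which is the
    # one bit per request a Boolean-based attack reads.
    when_true = list_vulnerable(db, "CASE WHEN 1=1 THEN name ELSE qty END")
    when_false = list_vulnerable(db, "CASE WHEN 1=2 THEN name ELSE qty END")
    return when_true != when_false


if __name__ == "__main__":
    db = make_db()
    print("vulnerable builder leaks a bit:", order_depends_on_condition(db))
    print("allow-listed sort:", list_hardened(db, "qty", "desc"))
    try:
        list_hardened(db, "CASE WHEN 1=1 THEN name ELSE qty END")
    except ValueError as exc:
        print("rejected:", exc)
```

With the allow-list in place, the request can only choose between fixed sort options, so the response no longer varies with a condition supplied in the URL.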

The attacker then sits there for 5 days straight without food or drink and increments that substring start position until all letters in that single table have been discovered. Just kidding, this is where automation comes in. In the previous blog, I mentioned SQLMap. Let's take a look at what that may look like on a command line:

root@kali:~# sqlmap.py -u "http://www.site.com/table?order=column" --schema

What it returns may be:

Database: <DatabaseName>
Table: table
[2 columns]
+---------+------+
| Column  | Type |
+---------+------+
| Column  | char |
| Column2 | int  |
+---------+------+

Phew, thank you SQLMap. More information may be found below:

Hunt, T. (2015, May). Ethical Hacking: SQL Injection. Retrieved from https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection 
