Exfiltrate data from Blind SQL Injection (Boolean Based) | Using Scripting
Hey guys,
We all know what SQLi is, and Blind SQLi too, but here we will talk about how to exfiltrate data using Blind SQL injection (Boolean based).
Boolean Based
This type relies on True and False: we ask whether an item exists and the application answers with Yes or No.
We will try this attack on a vulnerable login page; the following screenshot shows a simple login request.
We can simply try a list of payloads like
' or '1'='1
'or'1'='1'%23
'or''=''--
We also tried these payloads with double quotes, but they do not work. We can guess how the login function works: it takes the username and password and checks the result from the database when it executes a query like
SELECT * FROM users WHERE username='$uname' AND pass='$pass'
The variables contain the user input, and the query returns the user's info from the DB. The application can check the number of rows that come back in the result: the above query returns one row containing the user info, but when we put our payload into the query, like this
SELECT * FROM users WHERE username='' AND pass=''or'1'='1'
it returns more than one row, so if the application checks the number of rows it will not log us in. We can add a simple keyword to solve this problem:
SELECT * FROM users WHERE username='' AND pass=''or'1'='1' limit 1,1#'
Note that LIMIT uses a zero-based index: 0 refers to the first result, not 1, just like an array. Using the last payload returns just the first row from the result, so now we can log in, and we can change the user by changing the number after the LIMIT keyword, which brings back the next row of the result.
But we want to dump some data from the database; how? We will use two major functions, ascii and substring, which will help us in our exploit. The ascii function converts a character to its ASCII number. The substring function gives us flexibility with strings: we give it a string and it returns the part we need, such as the first or second character. substring("string",1,1) returns the first character of the word, and substring("string",2,1) returns the second letter. Our payload will look like this
' or ascii(substring("test",1,1))=116 limit 1,1%23
This payload returns true: substring returns the letter t and passes it to ascii, and we compare whether the result of ascii equals 116. If it is true we are logged in. We used limit again to return just one row of the result. We can also use a query and pass its result to substring:
' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=98 limit 1,1%23
In this payload we execute a query that returns table names, keep just the first table, pass its name to substring, which returns the first letter, pass that to ascii and compare it. We can't do this manually, so we should ask an important question: how do we know that our payload returned true? If there were an error message for an invalid login it would help, but in our case a valid username and password redirects you to your profile, so we can check the Location header. That means we should disable redirect following in our script.
Our simple script will first get the number of tables using the following payload:
' or (select count(table_name) from information_schema.tables where table_schema=database())=5 limit 1,1#
It returns the count of tables and compares whether it equals 5 or not. We will automate this, but I wanted to show a sample of the payload we will use.
We can add Burp as a proxy to track the requests from our script. The first for loop gets the count of tables that we should dump and stores it in the variable length. The second part has three for loops: the first returns the length of the table name and stores it in the tableLength variable; the second takes the length of the table name and starts dumping the letters; and the innermost loop passes in the numbers from 48 to 122, the ASCII range that contains digits, uppercase and lowercase letters, and some special characters. The script prints the table's name.
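Detection logic for the request pattern this technique produces, as an added example (not the script from this post): a small Python scanner that URL-decodes the query string of each access-log line, flags the signatures described above (tautologies, ascii(substring(...)) character probes, information_schema lookups and the trailing LIMIT plus comment), and counts flagged requests per client, since a blind extraction loop produces them in a burst. The log lines, IPs and paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures of the boolean-based blind technique described in this post: tautologies,
# ascii(substring(...)) probes, information_schema enumeration, LIMIT n,1 + comment.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "char_probe": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "limit_comment": re.compile(r"limit\s+\d+\s*,\s*\d+\s*(#|--)", re.I),
}

# Constructed sample log lines (common log format, query string kept in the request).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?uname=admin&pass=secret HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php?uname=&pass=%27or%271%27%3D%271%27%23 HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /login.php?uname=&pass=%27+or+ascii%28substring%28%22test%22%2C1%2C1%29%29%3D116+limit+1%2C1%23 HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /login.php?uname=&pass=%27+or+%28select+count%28table_name%29+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%29%3D5+limit+1%2C1%23 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /profile.php HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify(url):
    """Return the set of signature names matched by the URL-decoded query string."""
    decoded = unquote_plus(url.partition("?")[2])
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan(log_text):
    """Return (ip, status, signatures) for every log line that matches a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        sigs = classify(m.group("url"))
        if sigs:
            hits.append((m.group("ip"), int(m.group("status")), sigs))
    return hits

def probes_per_source(hits):
    """Count flagged requests per client IP; the extraction loop shows up as a burst."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for ip, status, sigs in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {sorted(sigs)}")
    print(probes_per_source(scan(SAMPLE_LOG)))
```

The status column is worth keeping alongside the signature: the post relies on the 302 to the profile as the "true" oracle, so a run of flagged requests alternating between 302 and 200 from one client is the extraction loop itself.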
The final result of the script
We just dumped the tables. We can use the same process to dump the column names and the data in the columns; can you try it?! The PHP code used in this topic is
You can host it on your localhost (change the DB connection and query) and try to dump columns and data using scripting.