Exfiltrate data from Blind SQL Injection (Boolean Based) | Using Scripting

-



Hey guys,

we all know what is SQLi and also know Blind SQLi but we will talk about how to exfiltrate data using Blind SQL (Boolean based).

Boolean Based

This type is referer to True and False we will ask if this item exists and the application will answer with Yes or No.

We will try this attack on a vulnerable login page, the following screenshot is a simple request to login


we can simply try a payload list of payloads like 

' or '1'='1

'or'1'='1'%23

'or''=''--

and tried these payloads with double quotes but it will not work, we can guess how the function work, the function is taking password and username it could check the result from the database when we execute query

SELECT * FROM users WHERE username='$uname' AND pass='$pass'

variables contain the user input it will return the user info from the DB the application can check the numbers of rows which back in the result of the query so the above query will return one row which contains the user info but when we try our payload in the query like this

SELECT * FROM users WHERE username='' AND pass=''or'1'='1'


this will return more than one row so if the application check the number of rows it will not log us in but we can add a simple word to help us to solve this problem 

SELECT * FROM users WHERE username='' AND pass=''or'1'='1' limit 1,1#'

 

note that when you use to limit it use the index numeric 0 is referer to the first result, not 1 it like an array, using the last payload it will return just the first row from the result, now we could log in and we can change the user by change the number after the limit keyword it will back the next row of the result, but we wanna dump some data from the Database but how? we will use two major functions ascii and substring these functions will help us in our exploit, ascii function converts the value to its ascii number, substring function give us mobility with the strings we can give it a string and return what we need from it like the first or second character substring("string",1,1) this will return the first character of first-word substring("string",2,1) and this will return second letter, our payload will be like this

' or ascii(substring("test",1,1))=116 limit 1,1%23

this payload will return true substring func will return t letter and pass it to ascii func and we will compare if the result of ascii func is equal to 116 if true we will be logged in and we used limit again to just return one row of the result, we can use query and pass the result to substring

' or ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=98 limit 1,1%23

the payload will work in the payload we will execute a query to return tables name and return just the first table and pass the name to the substring which will return the first letter and pass it to ascii and compare it, we can't do that manually but we should ask an important question how we can that our payload return true? if there is an error message for invalid login it will help but in our case, if you enter a valid username and password it will redirect you to your profile so we can check the Location header so we should disable the redirect in our script.

our simple script will first return the number of tables using the following payload

' or (select count(table_name) from information_schema.tables where table_schema=database())=5 limit 1,1#

it will return the count of tables and will compare if it equal to 5 or not we will automate this but i wanna show the sample of payload we will use


we can add a proxy of Burp to track the requests from our script this for loop will get the count of tables that we should dump and set it in variable length, the second part will have 3 for loops first one will return the length of table name and set it to tableLength variable, second for loop will take the length of table name and start dumping the letters and will dump it with another for loop will pass in the numbers from 48 to 122 which ascii values contain numbers, letters uppercase & lowercase, and some social characters 


the script will print the table's name.

The final result of the script


we just dumped the tables we can use the same process to dump the column's names and dump data from columns, can u try it?! the PHP code used in this topic is


you can include it to your localhost (change the DB connection and query) and try to dump columns and data using scripting.

you can see ascii values in this link.

Send to me on FB if you have questions, see u.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Let's Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more