Blind SQL Injection | Triggering Conditional Response | Part 1 | Ishara Abeythissa
@TH3VeNoM
Hey guys, Hope you have a good day. When I researching about SQL Injection techniques it was not easy to understand by the first shot for me. So I started follow “Try Harder” attitude and I found pretty cool Web Application Pen testing course which hosting portswigger and it’s freely available service. After I go through it I learned much more things about Blind SQL Injection techniques. And in this article I will extract few descriptions of them.
What is Blind SQL Injection?
In simple Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
It can be exploit using,
- Triggering Conditional Response
Today I’m gonna show a bit demonstration about this technique. And keep note I’m using portswigger practical lab for this and I will not go through Problem and Solutions. So Basically in this Environment having vulnerable SQL Injection parameter in request header called TrackingID (Cookie).
When a request containing a TrackingId cookie is processed, the application determines whether this is a known user using an SQL query like this:
SELECT TrackingId FROM Table_Name WHERE TrackingId = ‘Cookie Value’
This query is vulnerable to SQL injection, but the results from the query are not returned to the user. However, the application does behave differently depending on whether the query returns any data. If it returns data (because a recognized TrackingId was submitted), then a “Welcome back” message is displayed within the page.
This behavior is enough to be able to exploit the blind SQL injection vulnerability and retrieve information, by triggering different responses conditionally, depending on an injected condition. To see how this works, suppose that two requests are sent containing the following TrackingId cookie values in turn:
abcd ‘ +OR+1=1- -
In this query that mentioned above will lead to give “Welcome Back” message within the page. because the injected or 1=1 condition is true
abcd ‘ +OR+1=2- -
2nd scenario value will cause the query to not return any results, because the injected condition is false, and so the “Welcome back” message will not be displayed. This allows us to determine the answer to any single injected condition, and so extract data one bit at a time.
Practical
In the real world scenario cases. Most of the time you will be know Only username after some enumeration. In this case I’ll show how to identify usernames and passwords by kinda brute-force using Blind SQL Injection vulnerability.
Submitting request to the server, it gives back response with “Welcome Back” message. So now let’s see submitting quote into cookie parameter what will be the response from the server.
“Welcome Back” message is not return within the response page. Now let’s put true condition into this vulnerable cookie parameter.
Query : ‘+or+1=1- -
To verify this payload let’s input false condition
Query: ‘+or=1=2- -
In real world cases attacker might be don’t know table names, column names, database names. Somehow attacker need to know at least a 1 username in this database for this attack. Anyhow I know ‘administrator’ is one of user inside this database.
Enumerate db_Tables
Query: ‘+UNION+SELECT+’a’+FROM+($table_name$)+WHERE+1=1- -
above query will lead to detect table name with true condition.
In burp I send request header to Intruder.
As you can see above figure I highlighted table name with ‘$’ mark. adding sample runtime list of table name can be detect tables inside the database.
It shows users gives “Welcome Back” string return to response page. And now we know there has table called users.
Enumerate tables_COLUMNS
I’ll break this article into part II. keeping touch for part II will be enumurate username & passwords from db. Happy Hacking ☺