Beginner Guide to SQL Injection Boolean Based (Part 2)

There are many ways to attack a database using SQL injection, as we saw in our previous tutorials on error-based attacks, login-form-based attacks and other attack types used to retrieve information from the database. In the same way, today we will learn a new type of SQL injection attack known as the blind boolean-based attack.

An attacker usually checks for a SQL injection vulnerability by placing a single quote (') inside the URL to break the statement and provoke a SQL error message. It is a fight between the developer and the attacker: the developer raises the security level and the attacker tries to break it. This time the developer has blocked the error message from being shown as output on the website. Hence even if the database is vulnerable to SQL injection, the attacker does not obtain any error message on the website. The attacker will instead try to confirm that the database is vulnerable to blind SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Let’s start!!

Using Dhakkan we will demonstrate blind SQL injection.

Lesson 8

Lesson 8 covers blind boolean-based injection, so first we open //localhost:81/sqli/Less-8/?id=1 in the browser; this sends the query to the database.

As output it displays “You are in” as yellow text on the web page, as shown in the given image.

When an attacker tries to break this query using a single quote ('): //localhost:81/sqli/Less-8/?id=1’

or any other technique, he will not be able to find an error message. Moreover, the yellow text disappears if the attacker injects an invalid query, as also shown in the given image.

The attacker will then move to blind SQL injection, making sure that each injected query returns an answer of either TRUE or FALSE.

Now the database tests the given condition, whether 1 is equal to 1. If the query is valid it returns TRUE; from the screenshot you can see we have the yellow text “You are in” again, which means our query is valid.

The next query checks the opposite condition in the URL: whether 1 is equal to 0. As we know 1 is not equal to 0, so the database evaluates the query as FALSE. The screenshot confirms this: the yellow text disappears again.

Hence this confirms that the web application is vulnerable to blind SQL injection. Using true and false conditions we are going to retrieve database information.
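The TRUE/FALSE test above is the whole basis of the technique, so it is worth seeing the server side of it. The following Python example is added here and is not code from the article or from the sqli-labs project: an in-memory SQLite table (constructed rows, made-up passwords) stands in for the lab database, `vulnerable_page` reproduces the Less-8 shape (the id concatenated into the statement, database errors swallowed, the only visible signal being whether “You are in” would be printed), and `hardened_page` shows the fix. `boolean_oracle_present` is the differential check the article performs by hand: the same known-good id with `AND 1=1` and with `AND 1=0`. A handler that answers the two differently is answering attacker-chosen questions; the hardened handler rejects both probes at the type check and gives the same answer to each.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab database: one users table, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "constructed-pw-1"), (2, "Angelina", "constructed-pw-2")])
    return conn


def vulnerable_page(conn, raw_id):
    """Less-8 shape: id concatenated into the statement, database errors swallowed.
    Returns True when the page would print "You are in", False when it prints nothing."""
    sql = f"SELECT username FROM users WHERE id={raw_id} LIMIT 1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return False                 # error suppressed, exactly as in the lab
    return row is not None


def hardened_page(conn, raw_id):
    """Fix: validate the type first, then bind the value as a parameter."""
    try:
        uid = int(raw_id)            # "1 AND 1=1" is rejected here and never reaches SQL
    except (TypeError, ValueError):
        return False
    row = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1", (uid,)).fetchone()
    return row is not None


def boolean_oracle_present(handler, conn, known_good_id="1"):
    """The article's differential test: the same id with AND 1=1 and with AND 1=0.
    If the two responses differ, the handler leaks the truth value of injected conditions."""
    answer_true = handler(conn, f"{known_good_id} AND 1=1")
    answer_false = handler(conn, f"{known_good_id} AND 1=0")
    return answer_true != answer_false


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(f"{name}: boolean oracle present = {boolean_oracle_present(handler, db)}")
```

The same differential check is a useful regression test for any endpoint that takes a numeric identifier: run it against the real handler in a test suite and fail the build if the two probes ever diverge.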

Length of database string

The following query asks for the length of the database name. For example, if the name of the database is IGNITE, which contains 6 letters, then the length of the string IGNITE is 6.

Similarly, we inject the query given below, which asks whether the length of the database name is equal to 1; the database answers TRUE or FALSE through the presence of the text “You are in”.

From the screenshot you can see the text has disappeared again, which means the reply was FALSE: no, the length of the database name is not equal to 1.

Next it tests whether the length of the database name is equal to 2; again the reply is FALSE, so the length is not 2. Repeat the same step for lengths 3, 4, 5 and so on until we receive TRUE.

When I test for a length equal to 8, the answer is TRUE and as a result the yellow text “You are in” appears again.

As we know, a computer does not understand human language; it reads only binary, so we will use ASCII codes. The ASCII code assigns an integer value to every symbol in the character set: letters, digits, punctuation marks, special characters and control characters.

For example, look at the ASCII codes of the characters of the following string:

1 = I = 73

2 = G = 71

3 = N = 78

4 = I = 73

5 = T = 84

6 = E = 69

Next, we will enumerate the database name by testing the ASCII code of each of the 8 characters.

The next query asks the database to test whether the ASCII code of the first character of the database name is greater than 100, using ascii() on a substring.

It returns TRUE; if you check the ASCII table you will see that the lowercase letters run from 97 up to 122, so a code above 100 points to a lowercase letter.

Similarly, it tests whether the first letter is greater than 120. This time it returns FALSE, which means the first letter is greater than 100 and not greater than 120.

Next it tests whether the first character is equal to 101; again we get FALSE.

We performed this test from 101 up to 114 but received FALSE every time.

Finally we receive TRUE at 115, which means the first character is 115, and 115 = ‘s’.

Similarly, test the second character by repeating the above steps with the substring position changed from the first to the second character.

I received TRUE at 101, which means the second character is 101, and 101 = ‘e’.

Similarly, I performed this for all eight characters and got the following result:

1 = s = 115

2 = e = 101

3 = c =99

4 = u =117

5 = r =114

6 = i = 105

7 = t = 116

8 = y = 121

Table string length

We use the same technique to enumerate information about the tables inside the database. The given query tests whether the length of the name of the first table is greater than 5.

In reply we receive TRUE and the text “You are in” appears again on the website.

The given query tests whether the length of the name of the first table is greater than 6.

In reply we receive FALSE and the text “You are in” disappears again from the website.

The given query tests whether the length of the name of the first table is equal to 6.

In reply we receive TRUE and the text “You are in” appears again on the website.

Similarly, I test the second and third tables using the same technique, changing only the table number in the query.

Similarly, to enumerate the fourth table, the following query tests whether the length of its name is equal to 5.

In reply we receive TRUE and the text “You are in” appears again on the website.

As we did for the database name, we use the same ASCII technique to retrieve the table name.

Next we enumerate the name of the 4th table by testing the ASCII code of each of its 5 characters.

The next query asks the database whether the ASCII code of the first character of the table name is greater than 115, using ascii() on a substring.

It returns TRUE and the text “You are in” appears again on the website.

The next query asks the database whether the first character of the table name is greater than 120.

This time it returns FALSE, which means the first letter is greater than 115 and not greater than 120.

Proceeding to compare the first character against each ASCII code between 115 and 120 in turn, the next queries test for equality one value at a time.

It returns FALSE; the text disappears.

It returns TRUE; the text appears.

Similarly we tested the remaining characters and received the following result:

1 = u = 117

2 = s = 115

3 = e = 101

4 = r = 114

5 = s = 115

User Name Enumeration

Using the same method we will enumerate the length of the username string inside the table users.

The query given below tests whether the string length is equal to 4.

It replies TRUE, shown by the yellow text.

Using the same method we will enumerate the username itself from inside the table users.

The query given below tests the first character using its ASCII code.

We received FALSE, which means the first character must be less than 100.

We received TRUE, which means the first character must be greater than 50.

Similarly,

We received TRUE, which means the first character must be greater than 60.

Similarly,

We received FALSE, which means the first character is less than 70.

Hence the ASCII code of the first character must lie between 60 and 70.

Proceeding to compare the character against individual ASCII codes using the following query.

This time we successfully receive TRUE, with the text “You are in” appearing.

Similarly, I tested all four characters in order to retrieve the username:

1 = D = 68

2 = u = 117

3 = m = 109

4 = b = 98

Hence today we have learned how an attacker hacks a database using blind SQL injection.

!!Try yourself to retrieve the password for user dumb!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Database Penetration Testing using Sqlmap (Part 1)

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port, and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain a string like a name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

These options can be used to enumerate the back-end database management system information, structure, and data contained in the tables.

Sometimes you visit websites that let you select a product through a picture gallery; if you observe the URL you will notice that the product is called through its product-ID number.

Let’s take an example

So when an attacker visits such a website he always checks for a SQL injection vulnerability in the web application before launching a SQL attack.

Let’s check how an attacker verifies the SQL vulnerability.

The attacker will try to break the query in order to get an error message; if he successfully receives an error message, it confirms that the web application is vulnerable to SQL injection.

From the screenshot you can see we have received the error message successfully; now we launch the SQL attack on the web server so that we can fetch database information.

Databases

For database penetration testing we always choose sqlmap; this tool is very helpful for beginners who are unable to retrieve database information manually or are unaware of SQL injection techniques.

Open the terminal in your Kali Linux and type the following command, which starts the SQL injection attack on the targeted website.

-u: target URL

--dbs: fetch database names

--batch: lets sqlmap proceed with its default behaviour whenever user input would be required

Here from the given screenshot you can see we have successfully retrieved the database name “acuart”.

Tables

As we know, a database is a set of records organised in multiple tables, so now we use another command to fetch all the table names from inside the database.

-D: DBMS database to enumerate (the fetched database name)

--tables: enumerate DBMS database tables

As a result, as shown in the screenshot, we have enumerated all the table names of the database. There are 8 tables inside the database “acuart”, as follows:

T1: artists

T2: carts

T3: categ

T4: featured

T5: guestbook

T6: pictures

T7: products

T8: users

Columns

Now we will try to enumerate the column names of the desired table. Since we know there is a users table inside the database acuart and we want to know all the column names of the users table, we will build another command for column enumeration.

-T: DBMS table to enumerate (the fetched table name)

--columns: enumerate DBMS database table columns

Get data from a table

Slowly and gradually we have uncovered many details of the database, but the last and most important step is to retrieve the information stored in the columns of a table. Hence, at last, we build a command which dumps the contents of the users table.

--dump: dump all entries of the DBMS table

Here from the given screenshot you can see it has dumped the entire contents of the table users; the users table mainly contains the login credentials of other users. You can use these credentials to log in to the server on behalf of other users.

Dump All

The last command is the most powerful in sqlmap and will save your time in database penetration testing: it performs all the above steps at once and dumps the entire database, including table names, columns and so on.

This gives you all the information at once, containing the database name as well as the tables’ records.
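Both the manual probe sequence from Part 2 (a dozen or more requests to the same page that differ only in a compared number) and an automated run like the one in this part leave a recognisable trace in the web server's access log. The Python detector below is an added example, not part of either article and not a sqlmap feature: it parses combined-format log lines, decodes the query string, flags the injection vocabulary the articles use (AND 1=1 / AND 1=0, length(), ascii(substr()), order by N, union select), flags a User-Agent that names sqlmap (sqlmap identifies itself in its default User-Agent header), and raises a separate finding when one client sends many requests to one route whose query strings differ only in numeric literals. The log lines, addresses, timestamp and the sqlmap version string in the sample are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined log format (the Apache/nginx "combined" default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Injection vocabulary used in the articles.
SQLI_TOKENS = re.compile(
    r"(?i)\b(and|or)\s+\d+\s*=\s*\d+|\blength\s*\(|\bascii\s*\(|\bsubstr(ing)?\s*\(|"
    r"\border\s+by\s+\d+|\bunion\s+(all\s+)?select\b"
)
NUMBER = re.compile(r"\d+")


def _line(ip, path, ua="Mozilla/5.0", status=200):
    """Build one constructed log line; the timestamp is a fixed placeholder."""
    return f'{ip} - - [10/Jan/2018:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample traffic (not real logs): one client walking the Part 2 probe
# sequence, one ordinary visitor, and one client whose User-Agent names sqlmap.
SAMPLE_LOG = (
    [
        _line("10.0.0.5", "/sqli/Less-8/?id=1"),
        _line("10.0.0.5", "/sqli/Less-8/?id=1%27"),
        _line("10.0.0.5", "/sqli/Less-8/?id=1%27%20and%201=1%20--+"),
        _line("10.0.0.5", "/sqli/Less-8/?id=1%27%20and%201=0%20--+"),
    ]
    + [_line("10.0.0.5", f"/sqli/Less-8/?id=1%27%20and%20length(database())={n}%20--+")
       for n in range(1, 9)]
    + [
        _line("10.0.0.5", "/sqli/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))>100%20--+"),
        _line("10.0.0.9", "/sqli/Less-8/?id=2"),
        _line("10.0.0.7", "/listproducts.php?cat=1", ua="sqlmap/1.2 (http://sqlmap.org)"),
    ]
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, series_threshold=6):
    """Return (ip, kind, detail) findings. Kinds: sqli-pattern (one per matching request),
    automated-scanner-ua (one per request), numeric-probe-series (one per client/route
    whose requests differ only in numbers, once series_threshold variants are seen)."""
    findings = []
    shapes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route, _, raw_query = rec["path"].partition("?")
        query = unquote_plus(raw_query)          # decode %27, %20 and '+' before matching
        if "sqlmap" in rec["ua"].lower():
            findings.append((rec["ip"], "automated-scanner-ua", rec["ua"]))
        if SQLI_TOKENS.search(query):
            findings.append((rec["ip"], "sqli-pattern", query))
        shape = NUMBER.sub("N", query)           # e.g. "id=N' and length(database())=N -- "
        shapes[(rec["ip"], route, shape)].add(query)
    for (ip, route, shape), variants in shapes.items():
        if len(variants) >= series_threshold:
            findings.append((ip, "numeric-probe-series", f"{route}?{shape} x{len(variants)}"))
    return findings


def summarise(findings):
    """Count findings per (client IP, kind)."""
    return Counter((ip, kind) for ip, kind, _ in findings)


if __name__ == "__main__":
    for (ip, kind), n in sorted(summarise(analyse(SAMPLE_LOG)).items()):
        print(f"{ip:10} {kind:22} {n}")
```

The numeric-series rule is the one that survives keyword evasion: it needs no signature, only the observation that a legitimate user does not fetch the same page with eight consecutive values of one comparison. In production the threshold should be tuned per route and the window bounded in time.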

Try it yourself!!!

Dumping Database using Outfile

In our previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. Today we are going to use the SELECT … INTO OUTFILE statement, which is the easiest way of exporting a table’s records into a text file or an Excel (CSV) file.

This statement lets the user write table data very rapidly to a text file on the server machine. SELECT … INTO OUTFILE writes the selected rows to a file and allows column and row terminators to be used to specify the output format. The output file is created directly by the MySQL server, so the filename should be given with the path where the user wants the file written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!

Lesson 7

Open the browser and type the following SQL query in the URL.

From the screenshot you can read “you are in….. Use outfile”; now let’s try to break this statement.

OKAY! The query has been broken successfully: we receive the error message when we use a single quote (‘) to break the query, which confirms that it is vulnerable.

After a lot of effort the query finally gets fixed; if you look closely, the steps for the SQL injection are similar to the previous chapter and only the technique used to fix the query differs.

Now the following query will dump the result into a text file. Here you need to mention the path where the user wants the file to be written on the server host. The file must not already exist on the server, so always use a new text file name for writing out database information.

From the screenshot you can see that it is still showing an error message; now open another tab to view the output of the resulting query.

Now add the file name hack1.txt to the URL to check the output of the above query.

Hence you can see we get the output of the executed query inside a text file. This also saves the hack1.txt file on the server machine.

Execute the following query, using a union injection and a new text file, to retrieve the database name.

Hence you can see we have successfully obtained security as the database name.

The next query will write all the table names stored inside the database to another text file.

From the screenshot you can read the following table names:

Now we’ll try to find out the column names of the users table using the following query.

Hence you can see it contains many columns; I chose only two columns for further enumeration.

At last, execute the following query to read every username and password from the relevant columns of the table users.

From the screenshot you can read the usernames and passwords saved inside the text file.

Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which saves the output as a CSV file that Excel can open.
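The article names the two conditions that make this technique work: the account behind the web application holds the FILE privilege, and the server is allowed to write to a path the web server will later serve. Those are also the two things a defender audits. The following Python example is added here and is not from the article or from any MySQL tooling: it parses constructed, batch-mode output of `SELECT user, host, File_priv FROM mysql.user` and `SHOW VARIABLES LIKE 'secure_file_priv'` (values invented for the example) and rates the exposure. `secure_file_priv` is a real MySQL server variable the article does not mention: NULL disables INTO OUTFILE and LOAD DATA entirely, an empty value leaves file writes unrestricted, and a directory confines them to that directory.

```python
# Constructed output of two checks a DBA would run on the MySQL server behind the lab
# (tab-separated, as the mysql client prints with --batch):
#   SELECT user, host, File_priv FROM mysql.user;
#   SHOW VARIABLES LIKE 'secure_file_priv';
SAMPLE_USERS = (
    "user\thost\tFile_priv\n"
    "root\tlocalhost\tY\n"
    "webapp\t%\tY\n"            # the web application's account: should never hold FILE
    "report\t10.0.0.%\tN\n"
)
SAMPLE_VARIABLES = "Variable_name\tValue\nsecure_file_priv\t\n"   # empty: no path restriction


def parse_tsv(text):
    """Turn batch-mode mysql output (header row + tab-separated rows) into dicts."""
    rows = [line.split("\t") for line in text.splitlines() if line != ""]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def write_scope(secure_file_priv):
    """Interpret secure_file_priv: NULL disables INTO OUTFILE / LOAD DATA, an empty value
    lets the server write anywhere the mysqld user can, a path confines writes to it."""
    if secure_file_priv == "NULL":
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return f"limited to {secure_file_priv}"


def audit_outfile_exposure(users_text, variables_text):
    """Combine FILE-privilege holders with the server-wide write scope into one rating."""
    users = parse_tsv(users_text)
    variables = {r["Variable_name"]: r["Value"] for r in parse_tsv(variables_text)}
    scope = write_scope(variables.get("secure_file_priv", ""))
    file_accounts = [f'{r["user"]}@{r["host"]}' for r in users if r.get("File_priv") == "Y"]
    if scope == "disabled" or not file_accounts:
        risk = "low"
    elif scope == "unrestricted":
        risk = "high"
    else:
        risk = "medium"
    return {"write_scope": scope, "file_priv_accounts": file_accounts, "risk": risk}


if __name__ == "__main__":
    print(audit_outfile_exposure(SAMPLE_USERS, SAMPLE_VARIABLES))
```

The remediation follows from the output: revoke FILE from every account the application connects with (it is never needed for ordinary queries), and set `secure_file_priv` to NULL or to a directory the web server does not serve, so that even a successful injection has nowhere useful to write.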

Form Based SQL Injection Manually

In our previous article we performed form-based SQL injection using sqlmap, but today we are going to perform form-based SQL injection in DHAKKAN manually. There are many examples of login forms, such as the Facebook login, the Gmail login and other online accounts, which ask you to submit information like a username and password.

Let’s start!! 

LESSON 11

This lesson is very similar to lessons 1, 2, 3 and 4; if you are not familiar with those lessons, please go through them first. You will learn how to perform SQL injection manually, step by step, in order to retrieve data from inside the database.

Lesson 11 covers POST, error-based, single-quote (‘) string injection. When you open this lab in the browser you will see that it contains text fields for a username and password to log in to the web server. As we are not genuine users we don’t know the correct username and password, but as hackers we always want to get inside the database with the help of SQL injection. Therefore we first test whether the database is vulnerable to SQL injection or not.

Since the lesson itself sounds like an error-based single-quote (‘) string, I used a single quote (‘) to break the query inside the username text field and then clicked submit.

Username:      ’

From the given screenshot you can see we have got an error message (in blue) which means the database is vulnerable to SQL injection.

So by breaking the query we get an error message; now let me explain what this error message says.

The right syntax to use near ”” and password=” LIMIT 0,1’

Now we need to fix this query with the help of a # (hash) comment; so after the single quote (‘) add a hash (#) to make it syntactically correct.

Username:  ‘   #

From the screenshot you can see it shows “login attempt failed”, though we have successfully fixed the blue error message.

Now whatever statement you insert between the single quote (‘) and the # will execute successfully, with a result according to it. Now, to find out the number of columns used in the backend query, we’ll use the order by clause.

From the screenshot you can see I received an error at order by 3, which means there are only two columns used in the backend query.

Similarly, insert a union select query between the single quote (‘) and # to select both records.

Username: 

From the screenshot you can see it also shows “successfully logged in”; now retrieve data from inside it.

The next query fetches the database name; it is just like lesson 1, and from the screenshot you can read the database name “security”.

Username:

Through the query given below we will be able to fetch the table names present inside the database.

Username:

From the screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

Username:  ‘

There are many columns, but we are interested in username and password only.

At last, execute the following query to read every username and password inside the table users.

Username:

Hence you can see we have retrieved not just a single user’s credentials but the credentials of all users; now use them to log in.

This is all about single-quote string error-based injection in lesson 11.

Lesson 12

In some scenarios you will try a single quote to test for a SQL vulnerability, or go further and try to break the query even after knowing the database is vulnerable, but you will not be able to break the query and receive an error message, because the developer may have blacklisted the single quote (‘) in the backend query.

Lesson 12 is similar to lesson 11, but here you will fail if you use a single quote to break the query, since the chapter sounds closer to POST error-based double-quote string (“) injection. Thus I used a double quote (“) to break the query inside the username text field and then clicked submit.

username: 

From the given screenshot you can see we have got the error message (in blue) which means the database is vulnerable to SQL injection.

So by breaking the query we get an error message; now let me explain what this error message says.

The right syntax to use near ‘”””) and password=(“”) LIMIT 0,1’

Now we need to fix this query with the help of a closing parenthesis ) and a # (hash) comment; so after the double quote (“) add the closing parenthesis ) and a hash (#) to make it syntactically correct.

username:  “)   #

From the screenshot you can see it shows “login attempt failed”, though we have successfully fixed the blue error message.

Now whatever statement you insert between “) and # will execute successfully, with a result according to it. Now, to find out the number of columns used in the backend query, we’ll use the order by clause.

username:  “) order by 3 #

From the screenshot you can see I received an error at order by 3, which means there are only two columns used in the backend query.

Similarly, insert a union select query between “) and # to select both records.

Username:

From the screenshot you can see it also shows “successfully logged in”; let’s now retrieve data from inside it.

The next query fetches the database name; it is just like lesson 1, and from the screenshot you can read the database name “security”.

Username:

Through the query given below we will be able to fetch the table names present inside the database.

Username:

From the screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

Username:

There are many columns, but we are interested in username and password only.

At last, execute the following query to read every username and password inside the table users.

Username:

Hence you can see we have retrieved not just a single user’s credentials but the credentials of all users; now use them to log in.

This is all about double-quote string error-based injection in lesson 12.
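Lessons 11 and 12 differ only in the delimiters the backend query wraps the values in; what makes both of them work is the same pair of defects, and both are fixed the same way. The Python example below is added here and is not code from the article or from the sqli-labs project. `vulnerable_login` reproduces the lesson 11 shape: both fields spliced into the statement and the database's own error text echoed to the browser, which is the blue message the article reads the query structure from. `hardened_login` binds the values as parameters, so a quote or a comment character stays inside the value and cannot change the statement, and it logs any database error server-side while showing the user the same generic failure as a wrong password. SQLite (constructed users table, made-up password) stands in for MySQL; the single-quote probe raises a database error in both engines, which is the behaviour the test exercises.

```python
import sqlite3

SERVER_LOG = []   # where the hardened handler sends database errors instead of the browser


def make_db():
    """Constructed stand-in for the lab's users table (one user, made-up password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'constructed-password')")
    return conn


def vulnerable_login(conn, username, password):
    """Lesson 11 shape: both fields spliced into the statement and the database's own
    error text echoed back to the user."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}' LIMIT 1")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as err:
        return {"ok": False, "message": f"SQL error: {err}"}     # leaks query structure
    return {"ok": row is not None,
            "message": "successfully logged in" if row else "login attempt failed"}


def hardened_login(conn, username, password):
    """Placeholders keep quotes and comment characters inside the bound value, so the
    statement shape cannot change; any database error is logged server-side and the
    user sees the same generic failure as for a wrong password."""
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username=? AND password=? LIMIT 1",
            (username, password)).fetchone()
    except sqlite3.Error as err:
        SERVER_LOG.append(f"login query failed: {err}")
        return {"ok": False, "message": "login attempt failed"}
    return {"ok": row is not None,
            "message": "successfully logged in" if row else "login attempt failed"}


def compare(conn, username, password):
    """Run the same input through both handlers; returns the two user-visible messages."""
    return (vulnerable_login(conn, username, password)["message"],
            hardened_login(conn, username, password)["message"])


if __name__ == "__main__":
    db = make_db()
    for probe in ("Dumb", "'"):
        print(repr(probe), "->", compare(db, probe, "not-the-password"))
```

The second line of that output is the whole lesson from the defender's side: the vulnerable handler answers the quote with a syntax error that names the surrounding SQL, the hardened one answers it exactly as it would answer any other unknown user. Storing passwords as plaintext, as the lab's users table does, is a separate defect that parameterisation does not address.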
