About Me

Name:
Location: Winnipeg, Manitoba, Canada

The Wholefood Farmacy makes eating healthy easy, convenient and affordable. We offer pure, nutrient-dense, ready-to-eat, whole food meals, snacks, soups, smoothie mixes and treats for the children. All of our foods are vegetarian, most are raw and vegan as well. We also offer many gluten-free and nut-free whole food choices for those with food sensitivities - see our FAQ section of the Whole Food Farmacy Website for more information.

Saturday, June 03, 2023

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp
More information

  1. Computer Hacker
  2. Hacking Tools Kit
  3. How To Make Hacking Tools
  4. Pentest Tools Website
  5. Hacking Tools Software
  6. Hacking Tools Name
  7. Hacker Tools For Pc
  8. Hacking Tools For Kali Linux
  9. Hack Tools Download
  10. Hacking Tools Hardware
  11. Pentest Tools Free
  12. Hacking Tools Name
  13. Hacking Tools And Software
  14. Hack Tools
  15. Physical Pentest Tools
  16. Hacker Tools 2019
  17. How To Make Hacking Tools
  18. Hacking Tools For Windows 7
  19. Pentest Tools Online
  20. Hacker Tools Github
  21. Hacker Tools 2019
  22. Nsa Hacker Tools
  23. How To Make Hacking Tools
  24. Hack App
  25. Hacker
  26. Hacking Tools For Windows Free Download
  27. Pentest Tools Framework
  28. Pentest Tools Find Subdomains
  29. Hack Tool Apk
  30. Hackrf Tools
  31. Hacker
  32. Pentest Tools
  33. Hacker
  34. Nsa Hack Tools
  35. Pentest Tools Download
  36. Kik Hack Tools
  37. Hacking Tools Free Download
  38. Hack Tools Github
  39. How To Hack
  40. Hacking Tools Online
  41. Hacker Tools List
  42. Hack Tools Pc
  43. Hacking Tools Windows
  44. Hack Tools For Windows
  45. Hacking Tools 2019
  46. Game Hacking
  47. Hacker Tools For Windows
  48. Hack Tools
  49. Black Hat Hacker Tools
  50. Nsa Hack Tools
  51. Best Hacking Tools 2019
  52. Hack Tools For Windows
  53. Pentest Tools Download
  54. Hacking Apps
  55. Hacker Tools Free
  56. What Are Hacking Tools
  57. Hacking Tools Usb
  58. Pentest Tools Url Fuzzer
  59. Hacking Tools Windows 10
  60. Hacker Tools For Ios
  61. New Hack Tools
  62. Hack Tools Github
  63. Pentest Tools Tcp Port Scanner
  64. New Hacker Tools
  65. Pentest Tools Tcp Port Scanner
  66. Hacking Apps
  67. Pentest Tools Alternative
  68. Github Hacking Tools
  69. Hacking App
  70. Hackers Toolbox
  71. Pentest Tools Framework
  72. Pentest Tools For Mac
  73. Usb Pentest Tools
  74. Hak5 Tools
  75. Install Pentest Tools Ubuntu
  76. Nsa Hack Tools Download
  77. Hackers Toolbox
  78. Hacker Tools Software
  79. Hacking Tools For Kali Linux
  80. Bluetooth Hacking Tools Kali
  81. Hacker Tools Linux
  82. Blackhat Hacker Tools
  83. Hack App
  84. Install Pentest Tools Ubuntu
  85. Physical Pentest Tools
  86. Hacking Tools For Games
  87. Hacking Tools Github
  88. How To Make Hacking Tools
  89. Wifi Hacker Tools For Windows
  90. Pentest Tools Online
  91. Hack Tools For Windows
  92. Underground Hacker Sites
  93. Hacking Tools Pc
  94. Pentest Tools Port Scanner
  95. Pentest Tools Download
  96. Hacker Tools Apk
  97. Hack Rom Tools
  98. Pentest Tools
  99. How To Install Pentest Tools In Ubuntu
  100. Beginner Hacker Tools
  101. Hack Tools Download
  102. Hack Tools 2019
  103. Hackers Toolbox
  104. Usb Pentest Tools
  105. Hack Tools For Ubuntu
  106. Hacking Tools Online
  107. Best Hacking Tools 2020
  108. How To Install Pentest Tools In Ubuntu
  109. Hacker Techniques Tools And Incident Handling
  110. Hacker Tools 2020
  111. Hacking Tools Github
  112. Hacking Tools Windows
  113. Best Hacking Tools 2020
  114. Best Pentesting Tools 2018
  115. Underground Hacker Sites
  116. Pentest Tools For Ubuntu
  117. Termux Hacking Tools 2019
  118. Hack Tool Apk
  119. Hacker Tools Windows
  120. Hacking Tools 2019
  121. Hacking Tools And Software
  122. Hacking Tools For Windows
  123. Hacking Tools For Mac
  124. Hack Tools
  125. Hacker
  126. How To Make Hacking Tools
  127. Pentest Tools Linux
  128. Hack Tools 2019
  129. Hak5 Tools
  130. Pentest Tools Github
  131. Hacking Tools For Windows 7
  132. Hack Tools Mac
  133. Hack Tools Download
  134. Hacker Tools Linux
  135. Tools 4 Hack
  136. Hacker Tools Mac
  137. Hacker Tools Free Download
  138. Hacker Tool Kit
  139. Hacking Tools Usb
  140. Pentest Tools Android
  141. Hacking Tools Pc
  142. Pentest Automation Tools
  143. Hacking Tools And Software
  144. How To Install Pentest Tools In Ubuntu
  145. Kik Hack Tools
  146. Pentest Tools Windows
  147. Beginner Hacker Tools
  148. Easy Hack Tools
  149. Hack And Tools
  150. Beginner Hacker Tools
  151. Hacks And Tools
  152. Hack Tools For Mac
  153. Hacker Tools
  154. Hack Tools For Games
  155. Hacking App
  156. Hacking Tools For Beginners
  157. Bluetooth Hacking Tools Kali
  158. Hack App
  159. Hacker Tools 2019
  160. Hacking Tools For Windows 7
  161. Tools Used For Hacking
  162. Pentest Reporting Tools
  163. How To Install Pentest Tools In Ubuntu
  164. Hack Tools
  165. Pentest Tools Kali Linux
  166. Install Pentest Tools Ubuntu
  167. Hacks And Tools
  168. Pentest Tools Nmap
  169. Ethical Hacker Tools
  170. Hacker Tools Linux

posted by Whole Food Farmacy | 11:55 AM

0 Comments:

Post a Comment

<< Home