Web Application Penetration Testing – Part 4

I was blind, but now I see!
Last week I released a tool that extracts data from a database using Blind SQL Injection techniques. The tool asks a series of TRUE of FALSE questions. Many people are under the impression that this TRUE or FALSE questioning technique is the only way to extract data from a site that has a “Blind” SQL injection vulnerability. As you have probably guessed, that is not correct. You can extract and visually see all the data in a database when exploiting most Blind SQL Injection vulnerabilities.
It is very rare to find an application that queries the database and doesn’t display any of the returned data to the user. Im sure they exist, but for the most part when applications execute queries based upon some type of user input, at least some small portion of that data is returned to the user. If only one field is returned to the user you can use that field to display all of the records in the entire database with manual sql injection. Manual SQL data extraction is something every good pen-tester should know how to do. Eventually your automated tools will fail and when they do, knowing how to manually extract the data will come in handy. Here are some basic steps that I use to manually extract data with SQL injection:
1) Determine if your injection point is a numeric field or a string field.
First, I usually check for numeric fields by trying to do some simple math at the injection point. For example, I’ll submit “recordid=3+1” and see if it returns record number 4. If it returns record 4 then I have a numeric injection point. If you are injecting on the URL the plus sign (+) is a url encoded space. On the url you would submit “recordid=3%2b1“. %2b is an encoded plus sign.
If math doesn’t work I try injecting a single quote (‘) to see if you have a string injection point. For example, I will try to injection ‘ or ‘true’=’true to see if I get a large number of records or a different record back. If the record set returned changes, then I probably have an injection.
2) Eliminate all the data being returned by the original select statement.
This is easy. Injection “AND FALSE” eliminates all the result to the original select statement. So and 1=0 on a numeric field or ‘ and ‘true’=’false on a string field does the job.
3) Determine how many fields were returned by the original select statement with a union.
When you inject a UNION SELECT your second select statement must request the same number of columns as the FIRST select statement (the one your injecting into). To determine how many fields are in the first select, you start with one field and you keep increasing the number of fields until you get a result. So inject and 1=0 union select 1. If a “1” is returned to the screen somewhere you have a match. If no,t try two fields and 1=0 union select 1,2. If a 1 or a 2 are returned to the screen you have a match if not try three fields, and so one until you have a match.
4) Now start using the fields that are displayed to extract data.
Each of the number displayed on the screen can be replaced with a SUBSELECT (a select statement in parenthesis) to retrieve what ever data you want. The one limitation is that each item returned needs to be a single text value. MySQL functions like “CONCAT()” which combines multiple strings into a single string and “GROUP_CONCAT()” which combines the ROWS in the database into a single text string can be used to extract entire databases into a single text blob. Various SQL Injection cheat sheets are available that show you how to examine the schema to figure out your table structure and understand how to extract the data.
The best way to learn is to practice. DVWA (Damb Vulnerable Web App) 1.7 is out and they have added a “Blind SQL Injection” portion to their wonderful tool. Here is a demo of using these techniques on their Blinds SQL Injection Vulnerability.