Friday, February 8, 2013

Back to it: Blind SQL Injection Basics

Hello everyone!

First off let me apologize for the lapse in posts...life has been pretty crazy for the past few months and I simply haven't had any time to devote to blogging. Things seem to be getting to a more manageable state now, so let's get on with it!

I figured I'd get back into the blogging groove by going through the basics of blind SQL injection. So for this post I'm going to assume you know how SQL Injection works (If you don't, kaoticcreations has some good material on the subject http://kaoticcreations.blogspot.com/p/basic-sql-injection-101.html).

Now, what's the difference between a standard SQL injection and a blind SQL injection, you ask? With a blind attack you don't actually see the results of your injection; instead, the page displays differently depending on whether your query returned valid data or an error (and the difference can be as subtle as the page taking longer to load!).

So let's take a look at an example of this. Below you can see that we've successfully deduced that this input field is vulnerable to attack.

Notice that we didn't get anything back from the injection (SQL responses, etc.), but we can definitely see we got the "Registered" response. Now, if we get a "Registered" response when feeding it something true (because 1 does indeed equal 1), what happens if we try something blatantly false such as 1=2?

Well, look at that: we got a different response. Using this method we can work to deduce the names of the tables and the attributes therein, but for the rest of the examples I'm going to assume that in this same table we're looking for someone's PIN and that the attribute is called PIN.

Well, the PIN could be any number really...so what I've done here is guess an arbitrary number to give us a starting point. Let's say we want to see if the PIN is less than 10,000.

Sure enough it is. OK, so we know the PIN is less than 10,000. What if we choose something smaller, say 3,000?

Nope, so we know that the PIN is somewhere between 3,000 and 10,000. If we go up by 100s we end up getting to 3,200. NOTE: if you are searching for a particular number like this, a better method is a binary search (halve the remaining range each time) rather than stepping through it arbitrarily as I'm doing in this example.

So we know the number is between 3,100 and 3,200 (because 3,100 showed as Unregistered as well; I just didn't post a picture of it). So let's try halfway between these two.

So the PIN is between 3,150 and 3,200. Following the same procedure we can finally get to the actual PIN.

So, now we know that the PIN on this record is "3156".
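To make the walkthrough above concrete from the defender's side, here is an added example (not code from the original post) in Python against an in-memory SQLite database: a lookup that concatenates the username into its query produces exactly the Registered/Unregistered oracle used above, while the same lookup with a bound parameter treats the probe as a literal username and the oracle disappears. The users table, the pin column and the 3156 value are constructed assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data; the users table, the pin column and the
    # PIN value 3156 from the walkthrough are assumptions for this demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 3156)")
    conn.commit()
    return conn


def is_registered_vulnerable(conn, username):
    # Vulnerable: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    count = conn.execute(sql).fetchone()[0]
    return "Registered" if count > 0 else "Unregistered"


def is_registered_safe(conn, username):
    # Hardened: a bound parameter is sent as data, never as SQL, so the
    # response depends only on whether that exact string is a username.
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    count = conn.execute(sql, (username,)).fetchone()[0]
    return "Registered" if count > 0 else "Unregistered"


def has_boolean_oracle(check):
    # A blind SQLi oracle exists if a true condition (1=1) and a false one
    # (1=2) appended to a valid username produce different page responses.
    conn = make_db()
    return check(conn, "alice' AND 1=1 --") != check(conn, "alice' AND 1=2 --")


if __name__ == "__main__":
    for name, check in (("vulnerable", is_registered_vulnerable),
                        ("parameterized", is_registered_safe)):
        print(f"{name}: oracle present = {has_boolean_oracle(check)}")
```

Run it and the concatenated version reports an oracle while the parameterized one does not; the same PIN comparisons from the walkthrough only change the response on the vulnerable lookup.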

Now, this was a manual example demonstrating blind SQL injection. There are several tools, such as sqlmap and sqlbrute, that automate the same process.

As always I hope this has been helpful to understand the basics of how blind SQL injection works. If you have any questions or comments please leave them below.