In the previous article, we have the basics of SQL Injection; what SQLi is and what are the types of SQL injection. And, In this walkthrough, we are going to dump the database of the DVWA website using Blind SQL injection technique. So before starting, let’s talk about what is Blind SQL Injection.
What is Blind SQLi:
Sometimes, the web developers hide the error messages caused by the backed SQL query, but the SQL injection vulnerability still exists in the web application due to improper handling and unsanitized user input. In this case, an attacker can take advantage of true and false statements to determine the backend database and dump data.
How to Exploit Blind SQLi in a website:
We will exploit blind sql injection on the DVWA website (You can setup DVWA as local Pentesting lab). When exploiting the sql injection, the best first step is to identify all the user inputs which are interacting with the Database. To do so, we have identified the endpoint that is vulnerable to SQL injection.
Vulnerable Endpoint: http://192.168.230.130/dvwa/vulnerabilities/sqli_blind/
Vulnerable Parameter: User ID
How to Find Blind SQLi Vulnerability?
Unlike error-based SQL injection, error messages are not shown that could help in the identification of blind sql injection. To identify blind SQLi, we are going to make sure that the vulnerability exists in the website by asking a true or false statement.
See the following payload that always returns true statement and display entries in the database.
- 1′ or 1=1#
Now let’s check the result with the false statement.
- 1′ or 1=2#
Since 1 is not equal to 2, it will not return all the entries of the database. Instead, it will return the left statement that is row number 1.
This way, we identified the presence of blind sql injection in the website by asking true and false statements and comparing the results.
Detecting Blind SQL Injection using Sleep function:
There are scenarios where we can’t see the output of the results on the frontend. In such cases, the sleep() function can be used to detect blind sql injection. The payload works by making the website responding slow for the identification of the vulnerability. If the vulnerability exists, the sleep function will be executed in the database, and the website will load after a certain amount of time.
The following example demonstrates the purpose of sleep () function.
- 1′ AND sleep (10) #
Where sleep (10) is the function that causes the database to sleep for 10 seconds before processing anything. In case if the vulnerability doesn’t exist, we won’t be able to see the page loading for 10 seconds.
Discover Blind SQLi using Benchmark() function:
Sometimes, firewalls block certain features to avoid exploitation of the vulnerabilities. Luckily, we got an alternative to the sleep () function, which can cause a delay in the response and aid in the identification of the blind sql injection attack. Benchmark has basically two parameters, one is to define the number of rounds, and the second parameter defines the algorithm to use. For example, let’s look at the following payload that executes SHA1 hash algorithm 10000000 times to delay response:
- 1′ AND BENCHMARK (10000000, SHA1(1337))#
Identifying no of columns:
Now we know how to determine the blind sql injection in case if there is no error message but the vulnerability still exists. To determine the number of columns, present in the database, we are going to use order by statement and see the response of the website.
- 1′ order by 1# // To check the number of columns using order by statement.
We can iterate the order by (number) to see how many columns the database has. And after 3 iterations, we got no response, which indicates that there are two columns in the database.
Dumping Table names:
The next step of our exploitation is to identify the names of all tables that exist in the database. We can use union all statement to extract all table names using the following payload:
- 1′ union all select 1, group_concat(table_name) from information_schema.tables where table_schema=database()#
The above payload uses group_concat() function to combine all the table names in a single attribute and display the result of all tables present in the current database of information schema.
We found two tables, a guestbook, and users.
Extracting column names of the Database Table:
After identifying all the table names, we can enumerate list of columns in the table using the following payload:
- 1′ union all select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#
The syntax to extract the column names from the tables is the same as extracting table names except that table_name is replaced with column_name and information_schema.columns is used for column names.
With this payload, the identified column names of Table “users” are column_id, comment, name, user_id, first_name, last_name, user, password, and avatar.
Dumping data from Columns:
Now that we know all the columns present in the table, our last step of exploiting sql injection is the exfiltration of all the data present in the database. The payload to extract data is as follows:
- 1′ union all select 1,group_concat(user,password) from users#
This payload concatenates the user and password column from users and displays the result. Since we are more interested in the username and passwords of the users, displaying the rest of the fields such as column_id, comment, and user_id has no point. The displayed result shows the user and the hash of the password stored in the database.
The list of users is admin, Gordon, Hack, Pablo, and Bob. Cracking the password can be done by various tools, including but not limited to john the ripper, hydra, Johny etc.
This concludes our write-up on blind sql injection. We discussed the identification of blind sql injection and how to exfiltrate the entire data from the database using blind sql injection vulnerability.