In our previous tutorial we learnt about SQL Injection characters and the different techniques used to exploit an SQL Injection vulnerability. From today we will start learning each exploitation technique in detail with the help of examples, starting with the Boolean Exploitation Technique.
The Boolean Exploitation Technique is an SQL Injection exploitation technique in which a series of Boolean conditions is executed in order to extract information about the tables of a web application's database. It is mostly used in cases where the attacker suspects a Blind SQL Injection, i.e. cases where the output of the injected operation is not shown directly. For example, consider a web application in which the developer has replaced all error messages with custom ones that reveal nothing useful to the user: instead of the SQL error, the page shows a 404, a 500 or some other custom message. The method consists of sending a series of Boolean queries to the server, observing the responses and finally deducing the meaning of each response.
[Figure: Boolean Exploitation Technique]
Consider an example: suppose we have a vulnerable website, say www.example.com, with a parameter named "Id" that is vulnerable to SQL Injection. Now suppose we execute the request below in our web browser:
The above request will open a web page that might throw a custom error message, say 404 or 500. If that happens, we assume the query below is executed at the backend of the website:
SELECT Field1, Field2, Field3 FROM Users WHERE Id='$Id'
As discussed in previous articles, the above SQL is vulnerable to SQL Injection. Our current and most important goal is to obtain the values of the username field, which is not known yet, since the ID parameter is all we know so far. The tests we execute from here on aim to recover the value of the username field character by character. This is possible using a set of built-in (i.e. standard) functions present in almost all databases.
Some important functions we will use to extract information are listed below:
1. SUBSTRING (text, start_position, length): returns the substring of text that starts at position "start_position" and has at most "length" characters. If "start_position" is greater than the length of text, the function returns a null value.
2. LENGTH (text): returns the number of characters in the input text.
3. ASCII (char): returns the ASCII value of the input character. A null value is returned if char is 0.
There are many more functions, but the three above are all we need for now. Using them we test the first character, and once we know its value we move on to the second character, and so on, until we have the complete value. SUBSTRING lets us select one character at a time (forcing the length parameter to 1), and ASCII gives us that character's numeric value so that we can do a numerical comparison. The comparison is repeated against the values of the ASCII table until the right value is found.
For example, let's try the value below for the "Id" parameter:
$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1
So the URL will be something like:
http://www.example.com/index.php?id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1
And the SQL query will be something like:
SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'
The above example returns a result if and only if the first character of the username field has the ASCII value 97. If we get a false result, we increase the ASCII index from 97 to 98 and repeat the request. If instead we get a true result, we reset the ASCII index and move on to the next character by changing the start position passed to the SUBSTRING function.
The only remaining problem with the above example is how to distinguish the tests that return true from the ones that return false. We can do this by building a query that always returns false, so the value of ID below solves the problem for us:
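To make the mechanism above concrete from the defender's side, here is an added example (not code from the original tutorial) in Python with an in-memory SQLite database. It rebuilds the tutorial's backend query two ways: by string concatenation, exactly the shape of `... WHERE Id='$Id'`, and with a bound parameter. The `Users` table, its single row and the helper functions are constructed for the example; SQLite has no built-in `ASCII`, so the block registers `ASCII` and `SUBSTRING` as user functions that behave as the tutorial describes them. The point it shows is that the true/false probe from the text produces two different results against the concatenated query (that difference is the oracle, whether it surfaces as a missing row or as the custom 500 page the tutorial mentions), while against the parameterized query both probes behave identically, because the whole input is compared as one value and never becomes SQL.

```python
import sqlite3

# Constructed sample schema and data standing in for the tutorial's Users table.
SCHEMA = """
CREATE TABLE Users (Id TEXT PRIMARY KEY, username TEXT,
                    Field1 TEXT, Field2 TEXT, Field3 TEXT);
INSERT INTO Users VALUES ('1', 'alice', 'a', 'b', 'c');
"""


def _substring(text, start, length):
    # Mirrors the tutorial's description: null when start is past the end.
    if text is None or start > len(text):
        return None
    return text[start - 1:start - 1 + length]


def _ascii(ch):
    # Null for an empty or absent character, otherwise the character's code.
    return ord(ch[0]) if ch else None


def connect():
    """Fresh in-memory database with the constructed table and functions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # SQLite lacks ASCII(); register both names so the page's payload runs verbatim.
    conn.create_function("ASCII", 1, _ascii)
    conn.create_function("SUBSTRING", 3, _substring)
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'before': SQL built by concatenation, as in the tutorial's backend.

    A quote inside user_id closes the string literal and the rest of the
    input is parsed as SQL, which is what the Boolean probes rely on.
    """
    sql = "SELECT Field1, Field2, Field3 FROM Users WHERE Id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: a placeholder binds user_id as a single value.

    The database compares the entire input string against Id; no part of
    it is interpreted as SQL, so the AND conditions never run.
    """
    sql = "SELECT Field1, Field2, Field3 FROM Users WHERE Id=?"
    return conn.execute(sql, (user_id,)).fetchall()


# The tutorial's probe for "first character is 'a' (97)?" and its 98 variant.
TRUE_PROBE = "1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1"
FALSE_PROBE = "1' AND ASCII(SUBSTRING(username,1,1))=98 AND '1'='1"


def oracle_distinguishes(lookup):
    """True if the two probes yield different results through `lookup`.

    A difference means the application leaks a Boolean oracle; the
    parameterized version returns False because both probes are just
    non-matching Id values.
    """
    return lookup(connect(), TRUE_PROBE) != lookup(connect(), FALSE_PROBE)


if __name__ == "__main__":
    print("concatenated query leaks an oracle:", oracle_distinguishes(lookup_vulnerable))
    print("parameterized query leaks an oracle:", oracle_distinguishes(lookup_parameterized))
```

Note that the parameterized lookup returns no row for either probe, and that it also returns the correct row for the legitimate value `"1"`; the remediation costs nothing in functionality, it only removes the channel the rest of this tutorial depends on.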
$Id=1' AND '1' = '2
So the query will be something like:
SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND '1' = '2'
Hence the URL will be something like:
http://www.example.com/index.php?id=1' AND '1' = '2
The above query will always return false. Does this ring a bell? Huh...
Executing the above query will throw an error message (i.e. a custom error message, say 500). This is the false value for our tests. From now on this custom error message lets us distinguish the test results, i.e. which ones are true and which ones are false.
Sometimes the above method does not work. For example, if the web server returns two different pages in response to two identical consecutive requests (i.e. two identical Boolean queries), we cannot tell the true value from the false value. In these particular cases we need filters that strip out the parts of the page that change between the two requests, leaving a template we can use while recovering the username character by character. Then, for every Boolean request we execute, we extract the template from the response with the same filter and compare the two templates in order to decide the result of the test.
So far we have not discussed the termination condition, i.e. when the Boolean procedure should end. The solution uses one characteristic of the SUBSTRING function together with the LENGTH function. When the test compares the current character with ASCII code 0 (i.e. the null value) and returns true, then either the Boolean procedure is done (we have scanned the whole string) or the value we are analysing contains a null character. To tell these apart we use the value of the Id parameter below:
$Id=1' AND LENGTH(username)=N AND '1' = '1
where N is the number of characters we have scanned so far. Note: the null value is not counted in N.
So the query will become something like:
SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND LENGTH(username)=N AND '1' = '1'
And the URL that triggers the above query will be something like:
http://www.example.com/index.php?id=1' AND LENGTH(username)=N AND '1' = '1
The above query returns either true or false. If it returns true, we have extracted the complete value of username. If it returns false, the username value contains a null character somewhere in the middle, so we continue the Boolean procedure as explained above until the condition comes back true.
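Seen from the other side, the procedure described in this tutorial leaves a very recognisable trail in the web server's access log: many requests from one source whose parameter value contains a quote followed by `AND`, a call to `ASCII`, `SUBSTRING` or `LENGTH`, and a number that changes from one request to the next, with the responses flipping between the normal page and the custom error page. The following added example (my own detection logic, not part of the original tutorial) parses a few constructed Apache-style log lines, URL-decodes the query parameters, flags Boolean probe values, groups them per source by "shape" (digits collapsed, so the character position and ASCII value being tested do not matter) and reports sources that sent several probes. It also records the status codes those probes received: a mix of 200 and 500 for near-identical probes is exactly the oracle the text relies on, and a sign that the application is leaking it.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (Apache combined format, trimmed to what is needed).
# 10.0.0.9 sends the tutorial's probes; the others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php?id=1%27+AND+ASCII(SUBSTRING(username,1,1))%3D97+AND+%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2024:10:00:03 +0000] "GET /index.php?id=1%27+AND+ASCII(SUBSTRING(username,1,1))%3D98+AND+%271%27%3D%271 HTTP/1.1" 500 312
10.0.0.9 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?id=1%27+AND+ASCII(SUBSTRING(username,2,1))%3D97+AND+%271%27%3D%271 HTTP/1.1" 500 312
10.0.0.9 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php?id=1%27+AND+LENGTH(username)%3D5+AND+%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2024:10:00:06 +0000] "GET /index.php?id=O%27Brien HTTP/1.1" 200 5120
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# A quote that closes the string literal, an AND/OR, then one of the
# character-extraction or length functions the tutorial uses.
PROBE_RE = re.compile(
    r"""['"]\s*(AND|OR)\b.*?\b(ASCII|ORD|SUBSTRING|SUBSTR|MID|LENGTH)\s*\(""",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one access-log line into source, status and decoded query params."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, _ts, _method, path, status, _size = m.groups()
    params = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    return {"ip": ip, "status": int(status), "params": params}


def is_boolean_probe(value):
    """True if a decoded parameter value looks like a Boolean SQLi probe."""
    return PROBE_RE.search(value) is not None


def probe_shape(value):
    """Collapse digits so probes differing only in position/ASCII value match."""
    return re.sub(r"\d+", "N", value.upper())


def analyze(log_text, threshold=3):
    """Return {ip: {"probes": n, "shapes": k, "statuses": set}} for noisy sources.

    threshold is the minimum number of probe requests from one source
    before it is reported (a single odd value may be a legitimate quote,
    as in the O'Brien line).
    """
    per_source = defaultdict(lambda: {"probes": 0, "shapes": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if is_boolean_probe(value):
                entry = per_source[rec["ip"]]
                entry["probes"] += 1
                entry["shapes"].add((name, probe_shape(value)))
                entry["statuses"].add(rec["status"])
    return {
        ip: {"probes": e["probes"], "shapes": len(e["shapes"]), "statuses": e["statuses"]}
        for ip, e in per_source.items()
        if e["probes"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

Two details matter in practice. First, match on the decoded parameter value, not the raw URL, otherwise `%27` and `+` hide the pattern; the same goes for POST bodies and headers, which this example does not cover. Second, treat mixed status codes for same-shaped probes as the more serious finding: even if the source is blocked, the application is still answering true/false questions, and the fix is the parameterized query, not the filter.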
That's all about the Boolean Exploitation technique to Exploit SQL Injection Vulnerability. If you have any doubts, feel free to ask. Enjoy Learning! Happy Hacking!