Penetration Testing for Blind SQL Injection using BBQSQL
SQL (Structured Query Language) is the language used to interact with databases. SQL injection is a web application attack in which attacker-controlled input is inserted into the syntax of an SQL query, so the input is executed as part of the query rather than treated as data.
BLIND SQL INJECTION
Blind SQL injection consists of techniques for exploiting SQL injection vulnerabilities when the application returns no query output, only a true/false difference in its response. The attacker infers data by asking yes/no questions, typically a binary search over the ASCII value of one character at a time, which is very time consuming.
An example of Blind SQL injection is :
UNAME = "' or (ASCII(SUBSTR((SELECT user()),1,1))>63) --";
PASS = "";
QUERY = "select * from users where pass=md5('"+PASS+"') and uname='"+UNAME+"'";
QUERY evaluates to:
select *
from users where pass=md5('')
and uname='' or (ASCII(SUBSTR((SELECT user()),1,1))>63) --'
select *
from users where pass=md5('') and
uname=''
or (
ASCII( << char -> int
SUBSTR(( << slice string (scalar subquery must be parenthesized)
SELECT user() << current database user
),1,1) << first char
)>63 << 63 = '?'; the response differs depending on whether this is true or false
) --' << comment out the rest of the original query
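To show concretely why the concatenated query above is exploitable and what the fix looks like, here is an added example (not code from the original post or from BBQSQL). It uses an in-memory SQLite database, and because SQLite lacks md5(), user() and ASCII(), those are registered as Python functions (an assumption made so the page's MySQL-style query runs unchanged); the user table contents are constructed sample data.

```python
import hashlib
import sqlite3

# Constructed sample database: one user row, plus md5(), user() and ASCII()
# registered in Python because SQLite does not ship them (assumption).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.create_function("user", 0, lambda: "app@localhost")
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("create table users (uname text, pass text)")
    conn.execute("insert into users values ('alice', md5('secret'))")
    return conn

def build_query(uname: str, password: str) -> str:
    """The page's string-concatenated query: attacker text becomes SQL syntax."""
    return ("select * from users where pass=md5('" + password
            + "') and uname='" + uname + "'")

def login_vulnerable(conn: sqlite3.Connection, uname: str, password: str) -> bool:
    """Vulnerable: an injected condition decides whether any row comes back."""
    return conn.execute(build_query(uname, password)).fetchone() is not None

def login_safe(conn: sqlite3.Connection, uname: str, password: str) -> bool:
    """Fixed: bound parameters are always data, never parsed as SQL."""
    row = conn.execute(
        "select * from users where pass=md5(?) and uname=?", (password, uname)
    ).fetchone()
    return row is not None

def oracle_payload(threshold: int) -> str:
    """The page's UNAME value: is the first character of user() above threshold?"""
    return f"' or (ASCII(SUBSTR((SELECT user()),1,1))>{threshold}) --"

if __name__ == "__main__":
    db = make_db()
    # 'a' is 97: the vulnerable login answers True for 63 and False for 127,
    # leaking one bit about user() per request; the safe login answers False
    # for both, because the payload is compared as a literal username.
    for t in (63, 127):
        print(t, login_vulnerable(db, oracle_payload(t), ""),
              login_safe(db, oracle_payload(t), ""))
```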
Many tools are available for penetration testing of blind SQL injection, such as:
- SQLMAP
- SQLNINJA
- BSQL Hacker
- Mole
- Havij
During penetration testing, if these tools don't work, we'll end up writing a custom script. So here is a treat! BBQSQL can simplify a tricky blind SQL injection attack.
Blind SQL Injection with BBQSQL
BBQSQL can be used to exploit blind SQL injection and can help uncover hidden vulnerabilities.
BBQSQL is fast, simple, versatile, and extensible.
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings.
The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI that makes setting up attacks much easier. It is built on Python gevent, which makes BBQSQL extremely fast.
Similar to other SQL injection tools, you provide certain request information. You must provide the usual details:
- URL
- HTTP Method
- Headers
- Cookies
- Encoding methods
- Redirect behavior
- Files
- HTTP Auth
- Proxies
Here is a usage guide for the tool:
root@kali:~# bbqsql

[BBQSQL ASCII-art banner]

BBQSQL injection toolkit (bbqsql)
Lead Development: Ben Toews(mastahyeti)
Development: Scott Behrens(arbit)
Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)
SET is located at: http://www.secmaniac.com(SET)
Version: 1.0
The 5 S's of BBQ: Sauce, Spice, Smoke, Sizzle, and SQLi

Select from the menu:
1) Setup HTTP Parameters
2) Setup BBQSQL Options
3) Export Config
4) Import Config
5) Run Exploit
6) Help, Credits, and About
99) Exit the bbqsql injection toolkit
bbqsql>
Happy hunting! Blind SQL injection is now simple and fast.
# This tool works extremely quickly. Try it, it comes built into Kali Linux!
# For educational purposes only: penetration testing without permission is a legal offence. The author holds no responsibility if you misuse this tutorial.