dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc
Nanne Baars a484467419 Adding extra lesson for order by clauses
2017-06-15 19:08:19 +02:00

60 lines
2.9 KiB
Plaintext
Raw Blame History

== Blind SQL Injection
Blind SQL injection is a type of SQL injection attack that asks the database true or false
questions and determines the answer based on the applications response. This attack is often used when the web
application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL
injection.
=== Difference
Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal
SQL injection the error messages from the database are displayed and gives enough information to find out how
the query is working. Or in the case of an union based SQL injection the application does not reflect the information
directly on the webpage. So in the case where nothing is displayed you will need to start asking the database questions
based on a true or false statement. That's why a blind SQL injection is much more difficult to exploit.
There are several different types of blind SQL injections: content based and time based SQL injections.
=== Example
In this case we are trying to ask the database a boolean question based on for example a unique id, for example
suppose we have the following url: `https://my-shop.com?article=4`
On the server side this query will be translated as follows:
----
SELECT * from articles where article_id = 4
----
When we want to exploit this we change the url into: `https://my-shop.com?article=4 AND 1=1`
This will be translated to:
----
SELECT * from articles where article_id = 4 AND 1 = 1
----
If the browser will return the same page as it used to when using `https://my-shop.com?article=4` you know the
website is vulnerable for a blind SQL injection.
If the browser responds with a page not found or something else you know a blind SQL injection might not work.
You can now change the SQL query and test for example: `https://my-shop.com?article=4 AND 1=2` which will not return
anything because the query returns false.
So but how do we actually take advantage of this? Above we only asked the database for trivial question but you can
for example also use the following url: `https://my-shop.com?article=4 AND substring(database_version(),1,1) = 2`
Most of the time you start by finding which type of database is used, based on the type of database you can find
the system tables of the database you can enumerate all the tables present in the database. With this information
you can start getting information from all the tables and you are able to dump the database.
Be aware that this approach might not work if the privileges of the database are setup correctly (meaning the
system tables cannot be queried with the user used to connect from the web application to the database).
Another way is called a time based SQL injection, in this case you will ask the database to wait before returning
the result. You might need to use this if you are totally blind so there is no difference between the response you
can use for example:
----
article = 4; sleep(10) --
----
Reference in New Issue View Git Blame Copy Permalink