The topmost vulnerability in the OWASP Top 10 list is SQL injection, and there is a strong reason for that: SQL injection is the most common vulnerability discovered on websites to date. The most frequently affected database system is MySQL; other database systems are vulnerable to injection too, but they are deployed far less often, so they present a smaller attack surface. Other SQL database systems are MSSQL, Oracle, Sybase and PostgreSQL. This tutorial is not a core introduction to SQL injection; I will post another tutorial for that. There are two types of blind SQL injection, and content-based SQL injection is one of them. In this tutorial, I will show how to exploit a content-based blind string SQL injection.
For this purpose, I am using the deliberately vulnerable web application ‘WebGoat’, an OWASP project built to educate people about web security. I installed WebGoat on a virtual machine running on my PC, connected to my Wi-Fi network. Navigate to the lesson “Blind Numeric SQL Injection” and click on it; the attack page will open in front of you.
See the output when we put legitimate input into the input field, such as the default value 101: the output is “Account number is valid”. Now try some random value such as 101001; in this case the output is “Invalid account number”. Now we can test whether a content-based blind SQL injection works.
For that put some injections into the input field.
101 and 1=1
Since 1 is always equal to 1, this gives a true AND true statement, so the output is “Account number is valid”.
Try for a true-false statement as well.
101 and 1=2
Since 1 is never equal to 2, the second condition is false, so the whole statement is false and the output is “Invalid account number”.
Time to retrieve the data, as described in the challenge. We have to find the value of the field pin in the table pins for the row whose cc_number is 1111222233334444. The field is of type int, which is an integer. The SQL query to retrieve the data is:
101 and 1=((select pin from pins where cc_number = '1111222233334444')=payload)
When the value of payload equals the real pin value, the statement is true AND true and the output is “Account number is valid”; for every other value it is true AND false, which evaluates to false, and the output is “Invalid account number”.
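To make the behaviour above concrete from the application side, here is an added example (not WebGoat's own code; the table layout, column names and the query shape are assumptions) that models the lesson's account check with sqlite3. The vulnerable version concatenates the input into the WHERE clause, so the boolean probes and the pin comparison from this tutorial change its answer; the hardened version rejects anything that is not an integer and binds the value as a parameter, so the same inputs never reach the SQL parser as SQL.

```python
import sqlite3

VALID = "Account number is valid"
INVALID = "Invalid account number"


def build_db():
    """Constructed in-memory stand-in for the lesson's data (assumed schema, not WebGoat's)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE user_data (userid INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("INSERT INTO user_data VALUES (101, 'Joe Snow')")
    cur.execute("CREATE TABLE pins (cc_number TEXT, pin INTEGER)")
    cur.execute("INSERT INTO pins VALUES ('1111222233334444', 2364)")
    conn.commit()
    return conn


def check_account_vulnerable(conn, user_input):
    """The injection sink: the raw input is spliced into the query text.

    Whatever boolean tail the input carries becomes part of the WHERE clause,
    which is exactly what makes a content-based blind injection possible.
    """
    sql = "SELECT name FROM user_data WHERE userid = " + user_input
    row = conn.execute(sql).fetchone()
    return VALID if row else INVALID


def check_account_hardened(conn, user_input):
    """Two independent defences: type-check the input, then bind it as a parameter.

    int() rejects anything that is not a plain integer, and the bound parameter
    is always treated as data by the driver, never as SQL syntax.
    """
    try:
        account = int(user_input)
    except ValueError:
        return INVALID
    row = conn.execute(
        "SELECT name FROM user_data WHERE userid = ?", (account,)
    ).fetchone()
    return VALID if row else INVALID


if __name__ == "__main__":
    conn = build_db()
    pin_probe = ("101 and 1=((select pin from pins "
                 "where cc_number = '1111222233334444')=%d)")
    for probe in ("101", "101001", "101 and 1=1", "101 and 1=2",
                  pin_probe % 2364, pin_probe % 2363):
        print(f"{probe[:40]:<40} vulnerable: {check_account_vulnerable(conn, probe)!s:<24}"
              f" hardened: {check_account_hardened(conn, probe)}")
```

With the vulnerable function, the pin comparison that guesses 2364 answers “Account number is valid” and every other guess answers “Invalid account number”, which is the oracle the rest of this tutorial brute-forces. With the hardened function every probe answers “Invalid account number”, because the input is rejected before any query runs.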
We set up Burp for the solution. Enter the above string into the input field and press Enter; in Burp we can intercept the request.
Then send it to Intruder, open the Intruder tab and then the Positions tab. Clear all automatically marked injection points, select our injected value ‘payload’, click Add § and set the attack type to Sniper.
Click on the Payloads tab and, in Payload Sets, set Payload Type to Brute Force. Set the character set to “0123456789” and min and max length to 4. If you are using the Community Edition this would take a long time; to finish the attack quickly (as I already knew the pin value, 2364), set min and max length to 2, then under Payload Processing add a prefix rule with the value 23 and click OK.
Next, click on the Options tab and under “Grep - Match” clear all the other entries and add our “Account number is valid” string. Now click Start Attack.
After some time, look at the result. Click the “Account number is valid” column header twice to sort it; the successful attempt comes to the top, which in our case is request number 47 with pin 2364.
Go back and paste the pin value into the input box. You will get the message “Congratulations. You have successfully completed this lesson” on screen.
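Seen from the server side, the Intruder run above is a burst of requests from one client to one endpoint whose account parameter carries a boolean tail and differs only in the compared value. The following added detection example (my own code, not part of this tutorial or of WebGoat; the log format, endpoint path, parameter name and sample lines are all constructed) parses access-log lines, flags parameter values that carry an `and`/`or` comparison, and reports sources that send such probes repeatedly.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed access-log lines in a common/combined-style layout (not real WebGoat
# traffic; the /WebGoat/attack path and the account_number parameter are assumptions).
# 10.0.0.9 sends two sanity probes and then a run of pin guesses; 10.0.0.7 sends one probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /WebGoat/attack?account_number=101 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /WebGoat/attack?account_number=101001 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D2 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D%28%28select+pin+from+pins+where+cc_number+%3D+%271111222233334444%27%29%3D2361%29 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D%28%28select+pin+from+pins+where+cc_number+%3D+%271111222233334444%27%29%3D2362%29 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D%28%28select+pin+from+pins+where+cc_number+%3D+%271111222233334444%27%29%3D2363%29 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /WebGoat/attack?account_number=101+and+1%3D%28%28select+pin+from+pins+where+cc_number+%3D+%271111222233334444%27%29%3D2364%29 HTTP/1.1" 200 512
"""

# One request line: client, identity, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d+) (?P<size>\d+)$'
)

# A boolean tail: the word and/or followed by an operand and a comparison.
# Word boundaries keep ordinary values such as "Ford" from matching "or".
BOOL_PROBE_RE = re.compile(r"\b(?:and|or)\b\s*[\w'()]*\s*=", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, URL-decoding the query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {
        "ip": m.group("ip"),
        "path": path,
        "params": dict(parse_qsl(query, keep_blank_values=True)),
        "status": int(m.group("status")),
        "size": int(m.group("size")),
    }


def find_probes(log_text):
    """Return (ip, path, param, decoded value) for every parameter carrying a boolean tail."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            if BOOL_PROBE_RE.search(value):
                probes.append((rec["ip"], rec["path"], name, value))
    return probes


def burst_sources(probes, threshold=3):
    """Sources that sent at least `threshold` probes; a brute-force run shows up here."""
    counts = Counter(ip for ip, *_ in probes)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, path, name, value in found:
        print(f"{ip:<10} {path} {name}={value[:60]}")
    print("repeat offenders:", burst_sources(found))
```

The decoded value is what the regex inspects, so the `+` and `%3D` encoding that the proxy applies does not hide the probe. A single `and 1=1` from one client is a reasonable alert on its own; the per-source count is what separates one curiosity test from the sustained run that the pin brute-force above produces, and the response-size alternation between the two answers (512 versus 498 bytes in the constructed lines) is a second signal worth correlating in a real deployment.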
I used Burp for this tutorial, but you can also try other tools such as sqlmap, hijackv1.2, etc.
This tutorial is for educational purposes only. Do not try this attack on sites you are not authorized to test; obtain appropriate permission first.