BLIND SQL INJECTION (redtiger.lab)-Part 3

Till now we have completed up to level 3.

Today we will be looking into variant of SQL Injection Known as Blind SQL Injection.

Blind SQL Injection is a type of SQL Injection attack where the HTTP responses do not contain the result of the relevant SQL query or the details of any database errors.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect but in case of Blind SQL injection web application doesn’t display any kind of error. Thus the attacker extracts information by asking a series of true false questions.

When attackers ask a series of true false questions then by analyzing the reaction of the web application to those questions the attacker can perform Blind SQL Injection.

Today we will be performing Blind SQL Injection on Level 4 of redtigers lab. This lab might be difficult for beginners to perform blind sql injection.If you don’t understand this lab you are recommended to learn more about Blind Sql Injection and try it on metasploitable.

Here when we open level 4 of the redtiger labs and click on Click me a get request is sent with parameter id =1.

Here our target is to get the value of the first entry in table level4_secret in column keyword.

Step 1: Our first step is to identify no of columns in table level4_secret including column ‘keyword’.

Here as we have discussed previously we can determine no of columns by using order by as well as union select.

Using order by : When we use order by then passing the query id = 1 order by 2 # shows query returned 1 rows and all other numbers except 1&2 shows query returned 0 rows. Which means that there are 2 columns in level4_secret table among which one column name is ‘keyword’.

fig 1: Response when order by 2
fig 2: Response when order by is 3

Here when we use union select then the response is slightly different that is when we use query :id=1 union select 1,2 from level4_secret

It will show query returned 2 rows and if we alter the no of columns other than 2 then we will get query returned 1 rows as output .So from this way also we can identify no of columns in the table level4_secret.

fig 3: using query id=1 union select 1,3,from level4_secret
fig 4: using query id=1 union select 1 from level4_secret

Step 2: So from above two ways we get to know that there are 2 columns.Now we have to find which column is column ‘keyword’.

For this we can check it by placing keyword in place of 1 and 2.

id =1 union select keyword,2 from level4_secret => returns 2 rows

id =1 union select 1,keyword from level4_secret => returns 1 rows

Thus from this we can say that the ‘keyword’ is the first column.

Step 3: Now we have to determine the length first entry in the ‘keyword’ column and for this we have to use following queries.

At first lets check whether the length of the first entry is greater than 20 or not using query:

1 union select keyword,2 from level4_secret where length(keyword)>20

fig 5: 1 union select keyword,2 from level4_secret where length(keyword)>20

It gives 2 rows so this means that the above query is true .

Now again lets check whether the length of the first entry is greater than 25 or not using query:

1 union select keyword,2 from level4_secret where length(keyword)>25

fig 6: 1 union select keyword,2 from level4_secret where length(keyword)>25

It gives 1 rows so this means that the above query is false.

Now from these queries we get to know that the length of the first entry is in between 20 and 25 .So now lets check whether the length is 21 or not using the query:

1 union select keyword,2 from level4_secret where length(keyword)=21

fig 7 : 1 union select keyword,2 from level4_secret where length(keyword)=21

BINGO!! we get the length of the first entry in the column “keyword” which is 21.

Step 4: Now In order to determine the first entry we have to write a python program to print each character of the first entry in ‘keyword’ column.

Understanding the above program

The program below runs for loop for all the letters in keyword. It then compares those individual letter with each letter of string defined above(line no 2), again using for loop for the specified strings. In the variable params the code ascii(substring(keyword,%i,1))= %i is used to get the ASCII of each character in keyword in respective position defined by, x in for loop ASCII and substring are sql keywords where, ASCII converts character into their ASCII code and substring(‘word’,position,no_of_letters) gives the substring from the word that is in position and have specified no. of characters.

The program above checks if there is 2 rows; which happens when a string is at a position in keyword. The first character from keyword comes, then second character and then so on until we get, all the 21 characters as shown in the figure below. SQL query would be:

SELECT * FROM ?category? WHERE id = 1 UNION SELECT keyword,1 FROM level4_secret WHERE ASCII(SUBSTRING(keyword,position_of_keyword,1) = ascii_of_printables

url and cookies are captured using burp suite.

Step 5: Now we can run the above program and the get the first_entry in the column keyword.

fig 8: Output

Here we get to know that the first entry in the column ‘keyword’ is killstickswithbr1cks!

Now enter this is the word find and click the button .

fig 9: Successfully hacked

BINGO!!! We have performed Blind Sql Injection successfully.

Link to Part 4:

References:

--

--

--

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Flexibility: Getting to Know the Talon.One API | Talon.One

Header image

How human behaviour influences the technical approach to a platform ~

Things to Consider Before Hiring the Right Developer

Ansible : Hello World

5 Jamstack Myths Debunked!

SOLIDWORKS NOT UPDATING THE DIMENSIONS OF PART AS CHANGING EQUATIONS

Space Creation and Ownership in KeplerSwap Benefits.

IoT OS and RTOS for Internet of Things Devices

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
aayush malla

aayush malla

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst

More from Medium

Kasm Workspaces Hacking Lab?

TryHackMe: Network Fundamentals — What is Networking Walkthrough

Lot-of-Logs ! San-Diego CTF.

TryHackMe : Vulnversity Walkthrough