BLIND SQL INJECTION (redtiger.lab)-Part 3

aayush malla
5 min readSep 23, 2020

--

Till now we have completed up to level 3.

Today we will be looking into variant of SQL Injection Known as Blind SQL Injection.

Blind SQL Injection is a type of SQL Injection attack where the HTTP responses do not contain the result of the relevant SQL query or the details of any database errors.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect but in case of Blind SQL injection web application doesn’t display any kind of error. Thus the attacker extracts information by asking a series of true false questions.

When attackers ask a series of true false questions then by analyzing the reaction of the web application to those questions the attacker can perform Blind SQL Injection.

Today we will be performing Blind SQL Injection on Level 4 of redtigers lab. This lab might be difficult for beginners to perform blind sql injection.If you don’t understand this lab you are recommended to learn more about Blind Sql Injection and try it on metasploitable.

Here when we open level 4 of the redtiger labs and click on Click me a get request is sent with parameter id =1.

Here our target is to get the value of the first entry in table level4_secret in column keyword.

Step 1: Our first step is to identify no of columns in table level4_secret including column ‘keyword’.

Here as we have discussed previously we can determine no of columns by using order by as well as union select.

Using order by : When we use order by then passing the query id = 1 order by 2 # shows query returned 1 rows and all other numbers except 1&2 shows query returned 0 rows. Which means that there are 2 columns in level4_secret table among which one column name is ‘keyword’.

fig 1: Response when order by 2
fig 2: Response when order by is 3

Here when we use union select then the response is slightly different that is when we use query :id=1 union select 1,2 from level4_secret

It will show query returned 2 rows and if we alter the no of columns other than 2 then we will get query returned 1 rows as output .So from this way also we can identify no of columns in the table level4_secret.

fig 3: using query id=1 union select 1,3,from level4_secret
fig 4: using query id=1 union select 1 from level4_secret

Step 2: So from above two ways we get to know that there are 2 columns.Now we have to find which column is column ‘keyword’.

For this we can check it by placing keyword in place of 1 and 2.

id =1 union select keyword,2 from level4_secret => returns 2 rows

id =1 union select 1,keyword from level4_secret => returns 1 rows

Thus from this we can say that the ‘keyword’ is the first column.

Step 3: Now we have to determine the length first entry in the ‘keyword’ column and for this we have to use following queries.

At first lets check whether the length of the first entry is greater than 20 or not using query:

1 union select keyword,2 from level4_secret where length(keyword)>20

fig 5: 1 union select keyword,2 from level4_secret where length(keyword)>20

It gives 2 rows so this means that the above query is true .

Now again lets check whether the length of the first entry is greater than 25 or not using query:

1 union select keyword,2 from level4_secret where length(keyword)>25

fig 6: 1 union select keyword,2 from level4_secret where length(keyword)>25

It gives 1 rows so this means that the above query is false.

Now from these queries we get to know that the length of the first entry is in between 20 and 25 .So now lets check whether the length is 21 or not using the query:

1 union select keyword,2 from level4_secret where length(keyword)=21

fig 7 : 1 union select keyword,2 from level4_secret where length(keyword)=21

BINGO!! we get the length of the first entry in the column “keyword” which is 21.

Step 4: Now In order to determine the first entry we have to write a python program to print each character of the first entry in ‘keyword’ column.

Understanding the above program

The program below runs for loop for all the letters in keyword. It then compares those individual letter with each letter of string defined above(line no 2), again using for loop for the specified strings. In the variable params the code ascii(substring(keyword,%i,1))= %i is used to get the ASCII of each character in keyword in respective position defined by, x in for loop ASCII and substring are sql keywords where, ASCII converts character into their ASCII code and substring(‘word’,position,no_of_letters) gives the substring from the word that is in position and have specified no. of characters.

The program above checks if there is 2 rows; which happens when a string is at a position in keyword. The first character from keyword comes, then second character and then so on until we get, all the 21 characters as shown in the figure below. SQL query would be:

SELECT * FROM ?category? WHERE id = 1 UNION SELECT keyword,1 FROM level4_secret WHERE ASCII(SUBSTRING(keyword,position_of_keyword,1) = ascii_of_printables

url and cookies are captured using burp suite.

Step 5: Now we can run the above program and the get the first_entry in the column keyword.

fig 8: Output

Here we get to know that the first entry in the column ‘keyword’ is killstickswithbr1cks!

Now enter this is the word find and click the button .

fig 9: Successfully hacked

BINGO!!! We have performed Blind Sql Injection successfully.

Link to Part 4:

References:

--

--

aayush malla

Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst