Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."

To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:

Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:

Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:

' or 1=1-- - 

This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:

' or 1=1 order by 1-- - 

Again we get a valid response lets increase the number to 2.

' or 1=1 order by 2-- - 

We get a valid response again lets go for 3.

' or 1=1 order by 3-- - 

We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:

1' and substring(version(), 1,1) = 1-- - 

Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:

1' and substring(version(),1,1) = 2-- - 

And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:

sqlmap --version 

this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:

sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id 

Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:

sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables 

After getting the list of tables its time to dump the columns of users table like this:

sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns 

And at last we will dump the passwords column of the users table like this:

sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump 

Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:

sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all 

But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp

Related word

1. Hacking Tools Windows 10
2. Pentest Automation Tools
3. Hacking Tools For Pc
4. Hacker Security Tools
5. Hacker Tools 2020
6. Pentest Tools Download
7. Pentest Tools Review
8. Hacking Tools Software
9. Hacker Tools Software
10. Pentest Tools List
11. Hacking Tools 2019
12. Pentest Box Tools Download
13. Hacking Tools Windows
14. New Hack Tools
15. Hack Tools Online
16. Hacker Tools List
17. Hacking Tools For Pc
18. Hacker Hardware Tools
19. What Is Hacking Tools
20. Hacker Tools For Pc
21. Hack Tools For Mac
22. Nsa Hacker Tools
23. Hacker Tools List
24. Pentest Tools Download
25. Hacking Tools For Windows 7
26. Hacker Tools Github
27. Hack Tool Apk
28. Hack Website Online Tool
29. Hacking Tools Pc
30. Hacker Tools Free Download
31. Hacker Tools Hardware
32. Hack Tool Apk No Root
33. Underground Hacker Sites
34. Android Hack Tools Github
35. Hack Tools Pc
36. Underground Hacker Sites
37. Hacks And Tools
38. Pentest Tools Framework
39. Hack Tools Github
40. Hacker Tools For Windows
41. Nsa Hack Tools
42. Pentest Tools Website Vulnerability
43. Hacking Tools For Beginners
44. Hacker Tools For Windows
45. Hacker Tools Hardware
46. Nsa Hacker Tools
47. Hacking Tools Free Download
48. New Hacker Tools
49. Hack Tools For Windows
50. Hacking Tools Windows 10
51. How To Hack
52. Hacker Tools Hardware
53. Hack Tools For Windows
54. Pentest Tools Open Source
55. Bluetooth Hacking Tools Kali
56. How To Hack
57. Hack Tools 2019
58. Pentest Tools For Ubuntu
59. Black Hat Hacker Tools
60. Hack Tools Online
61. Nsa Hack Tools Download
62. Hacker Tools For Windows
63. Hacking Tools Free Download
64. Hacking Tools 2019
65. Hacker Tools Mac
66. Github Hacking Tools
67. World No 1 Hacker Software
68. Hacker
69. Computer Hacker
70. Hack Tools 2019
71. Hack Tools For Pc
72. Hacking App
73. Underground Hacker Sites
74. Kik Hack Tools
75. Hacker Tools Free Download
76. Hacking Tools Windows 10
77. Termux Hacking Tools 2019
78. Hack Tools For Games
79. Pentest Tools Bluekeep
80. Hacker Tools Online
81. Pentest Tools Bluekeep
82. Hacker Hardware Tools
83. Hack Tool Apk
84. Hacking Tools Windows 10
85. Growth Hacker Tools
86. Hacker Tools
87. Pentest Tools Tcp Port Scanner
88. Hacker Tools For Ios
89. Hacker Tools Linux
90. Hack App
91. What Is Hacking Tools
92. Hacker Tools 2019
93. Hacking Tools Windows
94. Hack Tools Mac
95. Pentest Tools Website Vulnerability
96. Beginner Hacker Tools
97. Hacks And Tools
98. Hack Tools
99. Pentest Tools Find Subdomains
100. Hack Tools For Pc
101. Pentest Tools Online
102. Hack Tools For Pc
103. Android Hack Tools Github
104. Pentest Tools Open Source
105. Hacker Tools Linux
106. Hack Website Online Tool
107. Hacker Tools Online
108. Pentest Tools Github
109. Hack Tool Apk No Root
110. Hack Rom Tools
111. Hacker Tools Linux
112. Pentest Tools For Android
113. Pentest Tools Github
114. Nsa Hacker Tools
115. Hack Website Online Tool
116. Beginner Hacker Tools
117. Computer Hacker
118. Hacking Tools Software
119. How To Hack
120. Physical Pentest Tools
121. Github Hacking Tools
122. Hak5 Tools
123. Nsa Hack Tools Download
124. Hacking Tools Windows
125. Hackrf Tools
126. Hacking Tools For Windows Free Download
127. Tools Used For Hacking
128. Pentest Tools
129. Pentest Recon Tools
130. Hacker Tools Free
131. Hacking Tools Kit
132. Pentest Tools Framework
133. Ethical Hacker Tools
134. Hacking Tools Hardware
135. Hack Tools For Windows
136. Hacking Tools Windows 10
137. Blackhat Hacker Tools
138. Hack Tools Github
139. Pentest Tools Github
140. Pentest Tools Kali Linux
141. Pentest Tools Framework
142. Hacker Tools Linux
143. Hackrf Tools
144. Hacker Tools 2019
145. Hack Website Online Tool
146. Hacker Tools Apk
147. Best Hacking Tools 2020
148. Hacker Tools 2019
149. Pentest Tools Github
150. New Hack Tools
151. How To Install Pentest Tools In Ubuntu