Exploiting Blind SQLi in an easy way with Python

Euler Neto
3 min read · Oct 6, 2020

These days I've been doing PortSwigger labs and decided to do them in a different way.

PortSwigger is the company behind Burp Suite, the famous proxy used in Web Application Security. On the company website we can find labs with very good explanations of how web attacks work and how you can reproduce them with Burp Suite.

Burp Suite is really a great tool, but as a Linux user I like to do as much as I can on the command line, and this is one of the reasons I like Python so much. So I'm reproducing the PortSwigger labs with just Python, and one of the most interesting is Blind SQL Injection (SQLi).

As I said, the website has great tutorials explaining the attack, but to be brief: SQLi is when you can get results by exploiting an input that is vulnerable to the attack, while in Blind SQLi you exploit the injection without seeing the query result, relying only on the page response.

In this example, we are told that the cookie variable TrackingID is vulnerable to this attack. If you inject a SQL query you can't see its result, but if the cookie is valid the website shows the message 'Welcome back!', and it's possible to use this page response as the oracle for the Blind SQLi.

The ‘Welcome back!’ message and the cookie value of TrackingID
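
To make the root cause concrete, here is an added example (not code from the post or from PortSwigger) of what a vulnerable tracking-cookie lookup looks like next to its parameterised fix. It uses an in-memory SQLite table named `tracking` with a single `id` column, which is an assumption standing in for the lab's real schema; the greeting strings mimic the lab's behaviour.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the lab's tracking-id table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO tracking VALUES ('abc123')")
    return conn


def welcome_vulnerable(conn, tracking_id):
    """Vulnerable lookup: the cookie value is concatenated into the SQL text,
    so anything after a closing quote is parsed as SQL (this is the bug)."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # Syntax errors from a broken quote yield an error page: no greeting.
        return ""
    # The greeting is the only thing the page reveals, which is exactly the
    # boolean oracle the post describes.
    return "Welcome back!" if row else ""


def welcome_fixed(conn, tracking_id):
    """Hardened lookup: the cookie value is bound as a parameter, so it is
    compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM tracking WHERE id = ?", (tracking_id,)
    ).fetchone()
    return "Welcome back!" if row else ""


if __name__ == "__main__":
    db = build_db()
    probe = "xyz' OR 1=1--"   # not a valid id; a tautology appended after the quote
    print("vulnerable:", repr(welcome_vulnerable(db, probe)))  # greets anyway
    print("fixed:     ", repr(welcome_fixed(db, probe)))       # treated as a literal id
```

With the parameterised version the injected text is just a tracking id that does not exist, so the page response no longer depends on the SQL the attacker appends, and the oracle the lab relies on disappears.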

The goal of this lab is to use this technique to discover the password of the administrator user. We can write a query that compares the password length, but we need to repeat this operation until we see the 'Welcome back!' message on the page. This can be done easily with Python.

Now that we know the password length is 20, we need to repeat this process, but instead of the length we need to guess each of the 20 characters. Before that, we can use another way to tell whether a query is true or not: the page length. If the query is true, the page will be longer because of the 'Welcome back!' message, so we can record the length with and without this message.

So, if we send a SQL query, we know it is true when the page has a length of 11233 (this is a common way to tell that an input was useful when brute forcing with Burp Suite). Now we know the password has 20 characters, and if we guess one of them the HTTP response will be a page of length 11233. Now we can test each input, and Python already provides the list of characters we will need.

Each substring of the password was compared against each candidate character, and if the response was valid the character was stored in the thePasswordIs variable. So we just need to print the value of this variable.
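
The same two-length oracle that makes this attack easy to script also makes it easy to spot in server logs. The following is an added example from the defender's side (not part of the post): it scans constructed access-log lines for tracking-cookie values that contain SQL after a closing quote, groups them per client, and reports the distinct response sizes, since a boolean-blind probe series produces exactly two sizes (here 11233 and 11211). The log format `<ip> <status> <bytes> cookie=<value>` is an assumption made up for this example, not any real server's format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed simplified format, not a real server log).
# The four lines from 10.0.0.9 mimic a boolean-blind probe series against the
# TrackingId cookie; the first two are ordinary visitors.
SAMPLE_LOG = """\
10.0.0.5 200 11233 cookie=abc123
10.0.0.7 200 11211 cookie=Qx9ZrLe
10.0.0.9 200 11233 cookie=abc123' AND LENGTH(password)>10--
10.0.0.9 200 11211 cookie=abc123' AND LENGTH(password)>30--
10.0.0.9 200 11233 cookie=abc123' AND SUBSTRING(password,1,1)='a'--
10.0.0.9 200 11211 cookie=abc123' AND SUBSTRING(password,1,1)='b'--
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\d+) cookie=(.*)$")

# A quote followed by a boolean operator and a string/length function call is the
# shape of a blind probe; plain apostrophes (O'Brien) do not match.
SQLI_RE = re.compile(
    r"'\s*(AND|OR)\b.*\b(LENGTH|SUBSTRING|SUBSTR|ASCII|SELECT)\s*\(",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line in the assumed format, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, status, size, cookie = m.groups()
    return {"ip": ip, "status": int(status), "size": int(size), "cookie": cookie}


def find_blind_probes(log_text, min_hits=3):
    """Group suspicious cookie values per client IP.

    Returns {ip: {"hits": n, "sizes": [distinct response sizes]}} for clients
    with at least `min_hits` suspicious requests. A sizes list of exactly two
    values alongside many hits is the signature of a boolean-blind oracle.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SQLI_RE.search(rec["cookie"]):
            continue
        stats = per_ip[rec["ip"]]
        stats["hits"] += 1
        stats["sizes"].add(rec["size"])
    return {
        ip: {"hits": s["hits"], "sizes": sorted(s["sizes"])}
        for ip, s in per_ip.items()
        if s["hits"] >= min_hits
    }


if __name__ == "__main__":
    for ip, stats in find_blind_probes(SAMPLE_LOG).items():
        print(f"{ip}: {stats['hits']} probes, response sizes {stats['sizes']}")
```

The keyword regex alone would be noisy on its own; the per-client count combined with the two-value size set is what turns it into a usable alert, and the same grouping works on real logs once `LINE_RE` is adapted to the server's format.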

And that's it! We discovered the administrator's password with Blind SQLi without needing to configure a proxy to intercept the traffic or to use Burp Repeater and Burp Intruder; we just used Python.

This lab was done with Python just to make it more challenging, but in day-to-day Web Application Security work we will face more complex situations, and Burp Suite can save a lot of time with them.
