Blind SQL injection is one of vulnerabilities that found in websites, i said this vulnerability is very easy to find in fact there are still many websites that are very vulnerable with SQL injection even big website or web governments.
If attacker can exploit your website with SQL injection the attacker can do anything on your website, because this vulnerability is over take database data. Attacker can get into your web database and edit that data.
Blisqy is a tool to aid Web Security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability.
The exploitation enables slow data siphon from a database (currently supports MySQL/MariaDB only) using bitwise operation on printable ASCII characters, via a blind-SQL injection.
For interoperability with other Python tools and to enable other users utilise the features provided in Blisqy, the modules herein can be imported into other Python based scripts.
When testing for Time-based Blind SQL injections, any network lag or congestion can affect the effectiveness of your fuzzing or exploitation. To compensate for the possible network lags and uncertainties that might cause delays, Blisqy time comparison is dynamic and it’s calculated at runtime for each test. The tests utilizes
greenlet(alight-weight cooperatively-scheduled execution unit) to provide a high-level synchronous API on top of
libevevent loop. It provides a fast and efficient way of carrying out the payload tests in a short time, also, one particular test should not affect another because they are not fully done in a sequential method.
Blisqy now supports fuzzing for Time-based Blind SQL Injection on HTTP Headers and the main functionalities (fuzzing and exploitation) separated to independent files for portability.
Fuzzing with Blisqy
To use the Fuzzing functionality, import the following module in your Python script and provide a target along with the fuzzing data as shown below :
Target parameters should be in a Dictionary/JSON format, for example (Note the variable data-types):
Invoking the fuzzer once the target parameters are provided is as shown below :
You can checkout
FindBlindSpot.py for this example provided.
Sample Fuzzing Output
If you are successful, you should get a report of the ‘injectable’ tests carried out. Please note, as much as Blisqy tries to compensate for network lags and congestion while testing it’s is important to proof-test the reported positive tests before proceeding.
Below is a sample report:
Exploitation with Blisqy
After finding a potential Time-based Blind SQL injection, you can prepare a script to Exploit the vulnerable Web application.
Just as the fuzzer, you can import the module for exploitation in your Python script and define a template for the exploitation operation. Below is an example of how to import the module in a Python script:
Next, you will need to provide details of your target along with it’s target parameters for exploitation. Below is a sample implementation of exploiting the found blind sql injection found by the fuzzer:
The target data should be in a Dictionary/JSON format specifying the server, port, the found vulnerable header and it’s value (some applications will need or check for a certain value). Also Note the variable data-types.
Target parameters should follow allowing the user to specify some options related to the exploitation preferences.
- sleepTime is the delay to be used in the payloads
- payload is an option to run the exploitation with a custom SQL query e.g.
select @@hostname. The default option is
- mysqlDig enables the exploitation to be automatic and to enumerate all the available tables in the schema.
- interactive is an option to enable the user interact with the exploitation routine. This can be handy when you want to skip to the interesting parts of the DB.
- verbosity can be high, medium or low. This just controls the output information from the exploitation routine.
After providing your target and its parameters, the next thing to provide is a template for the exploitation routine. Blisqy provides a way users can specify where to inject the exfiltration SQL payload and the
sleeptime delay. Below is an example of an implementation for one of the found vulnerabilities on the sample report provided in the previous subsection.
Found injection on X-Forwarded-For header:
Template for this particular injection:
During runtime, the
*sql* will be replaced with an SQL injection payload and
*time* will be replaced with a delay for sleep().
Once all these are done, the last part is to instantiate the exploitation routine and let the
MysqlDigger() method do the working.
You can check
ExploitBlindSpot.py for this example provided.
Below is an example of an exploitation operation:
- (PDF) Time-Based Blind SQL Injection via HTTP Headers: Fuzzing and Exploitation.. Available from: https://www.researchgate.net/publication/328880240_Time-Based_Blind_SQL_Injection_via_HTTP_Headers_Fuzzing_and_Exploitation
- PentesterLab – From SQL Injection to Shell II https://pentesterlab.com/exercises/from_sqli_to_shell_II/course