MySQL Blind With LIKE
Context
This article aims to teach the exploitation of MySQL Blind SQL Injection using the LIKE operator to extract data from a database. The content assumes the reader is familiar with basic SQL syntax, as well as the concepts of pattern matching and wildcards in SQL. Additionally, knowledge of general MySQL Blind SQL Injection techniques is presumed.
Theory
Pattern Matching with LIKE in SQL
The LIKE operator in SQL is utilized to search for a specific pattern within a column. It is especially useful when the exact data is not known and a matching pattern must be determined. LIKE supports the use of the following wildcards:
- %: represents zero or more characters.
- _: represents a single character.
Understanding how to effectively use these wildcards allows for flexible query construction, facilitating the discovery of data when the complete value is unknown.
Blind SQL Injection with LIKE
Blind SQL Injection occurs when a web application does not visibly display the results of a query, but execution can still be inferred through other means. In this context, the LIKE operator is employed to infer the presence or absence of certain data.
- Attack Sequence: By issuing queries that use the LIKE operator, an attacker can infer information about the database contents based on the application's response (e.g., whether or not data exists that matches the query pattern).
- Vulnerability Model: In vulnerable applications, user input is directly embedded into SQL queries without proper sanitization, rendering them susceptible to injection attacks that manipulate the query structure.
Practice
MySQL Blind SQL Injection using LIKE
- Identify a Vulnerable Input Field: Locate an input field within the web application that appears to interact with a MySQL database. This could be a username or search field where user input is processed without adequate validation.
- Initial Query with Wildcards:
SELECT * FROM users WHERE username LIKE 'a%';
- Explanation: The above query attempts to retrieve all users whose usernames begin with the letter 'a'. % serves as a wildcard indicating any number of following characters.
- Inference Through Pattern Matching: Adjust the wildcard pattern incrementally to infer data.
SELECT * FROM users WHERE username LIKE 'admin%';
- Explanation: By refining the initial pattern to 'admin%', you can gauge the presence of any usernames beginning with the string 'admin'. This is repeated iteratively to deduce the complete value through successive queries.
Result: Through this method, one can extract sensitive data by gradual pattern refinement and inference from the application's behavior.
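To look at the Vulnerability Model and the pattern-refinement steps above from the defender's side, here is an added example in Python that is not part of the original article: a prefix search that splices input into the query, a parameterized version that still honours % and _ typed by the user, and a hardened version that escapes LIKE metacharacters with an explicit ESCAPE clause. It uses the standard-library sqlite3 module as a stand-in for MySQL, since both engines accept LIKE ... ESCAPE with a single-character escape; the users table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so this runs offline.
ROWS = [("admin",), ("alice",), ("bob_smith",), ("carol",)]


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", ROWS)
    return conn


def vulnerable_prefix_search(conn, prefix):
    # Vulnerability model from the article: the input is spliced into the SQL
    # text, so both quotes and the % / _ wildcards in `prefix` reshape the query.
    sql = ("SELECT username FROM users WHERE username LIKE '" + prefix + "%'"
           " ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def parameterized_unescaped(conn, prefix):
    # A bound parameter stops quote-breaking, but LIKE still interprets % and _
    # inside the parameter value, so '%' alone still matches every row.
    sql = "SELECT username FROM users WHERE username LIKE ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def escape_like(value, esc="!"):
    # Prefix the escape char itself first, then % and _, so the value matches
    # literally under an ESCAPE '!' clause.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def hardened_prefix_search(conn, prefix):
    # Bound parameter plus an explicit ESCAPE clause: only the trailing % that
    # the application appends is a wildcard; everything the user typed is literal.
    sql = ("SELECT username FROM users WHERE username LIKE ? ESCAPE '!'"
           " ORDER BY username")
    return [row[0] for row in conn.execute(sql, (escape_like(prefix) + "%",))]


if __name__ == "__main__":
    db = setup()
    for fn in (vulnerable_prefix_search, parameterized_unescaped, hardened_prefix_search):
        print(fn.__name__, "with '%':", fn(db, "%"))
```

Running the script shows the first two functions returning every username for a bare '%' input, while the hardened search returns nothing, since no stored username contains a literal percent sign.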
Automated Blind SQL Injection with LIKE
- Leverage Automated Tooling: Simplify the manual injection process by using an automated tool like sqlmap to execute blind SQL injection with the LIKE operator.
sqlmap -u 'http://example.com/vuln.php?id=1' --technique=B --dbms=mysql --level=5 --risk=3
- Explanation: Configure sqlmap with the parameters to focus on blind SQL injection techniques using the LIKE operator, targeting a specific vulnerable URL.
Result: This approach automates the extraction of sensitive data using LIKE patterns, significantly reducing manual effort while enhancing precision and speed in exploitation.
Tools
- sqlmap: A powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws, including blind SQL injection using LIKE.