MYSQL Blind With MAKE_SET
Context
This article delves into leveraging the MAKE_SET function in MySQL for blind SQL injection through bit testing. It assumes the reader has foundational knowledge of SQL injection basics, MySQL functions, and blind SQL injection techniques.
Theory
Understanding MAKE_SET Function in MySQL
The MAKE_SET function in MySQL is a powerful tool that returns a set value—a string containing substrings separated by commas—based on the bits set in an integer. This functionality is particularly beneficial for blind SQL injection tests because it allows attackers to infer the value of specific bits in a number, by revealing which substrings are included in the output.
For example, MAKE_SET(6, 'a', 'b', 'c') will return 'b,c', since bits 1 and 2 are set in the binary representation of the number 6 (110).
Blind SQL Injection with Bit Testing
Blind SQL injection is a technique used when the result of a SQL query is not directly visible to the attacker. Instead, attackers make educated guesses about the database contents by analyzing behavioral responses from the application, such as time delays or error messages.
Bit testing in this context means using bitwise operations to probe the individual bits of each character of a database value, one character at a time. Because each probe yields only a true/false response, the attacker deduces the contents from which bits turn out to be set across a series of requests.
Practice
MySQL Blind SQL Injection with MAKE_SET
To exploit a blind SQL injection vulnerability using the MAKE_SET function, follow these steps:
- Step 1: Identify a vulnerable parameter in the web application. This could be any query parameter in a URL or any field that accepts user input, such as a login form.
  Example: You have identified that the id parameter in the URL http://example.com/user.php?id=1 is vulnerable to SQL injection.
- Step 2: Familiarize yourself with the MAKE_SET function via a simple test:
  SELECT MAKE_SET(1, 'a', 'b', 'c');
  This command will return 'a', indicating bit 0 (the first bit) is set.
- Step 3: Craft a payload to test bits of a character in the database. Use the ASCII value of a character and check which bits are set by using MAKE_SET in the context of a SQL injection.
- Step 4: Deploy your crafted payload. Replace the vulnerable parameter value in the URL with the crafted injection:
  1' AND (SELECT MAKE_SET(ASCII(SUBSTRING((SELECT database()),1,1)), 'a', 'b'))='a' --
  This payload checks whether the ASCII value of the first character of the current database name has a specific bit set. If 'a' is part of the result, bit 0 is set.
- Step 5: Observe the application response. Determine whether the application's output changes noticeably, which indicates whether the test condition is true or false.
- Step 6: Iterate over each character of the target data. Test each bit within each byte of the target string, reconstructing the string character by character, bit by bit.
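As an added example that is not part of the original article, the following Python models MAKE_SET to check the bit arithmetic from the Theory section, then flags the Practice section's payload pattern (MAKE_SET applied to ASCII or ORD of a character) in web server access logs. The log lines, the 10.0.0.x addresses and the hit-counting helper are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus, urlparse, parse_qsl

# Constructed access-log lines (hypothetical host and paths), not from any real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /user.php?id=1%27+AND+(SELECT+MAKE_SET(ASCII(SUBSTRING((SELECT+database()),1,1)),%27a%27,%27b%27))%3D%27a%27+-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /user.php?id=1%27+AND+(SELECT+MAKE_SET(ASCII(SUBSTRING((SELECT+database()),2,1)),%27a%27,%27b%27))%3D%27a%27+-- HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?q=make+set+of+tools HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# MAKE_SET wrapped around a per-character ASCII()/ORD() value is the signature of this bit test.
MAKE_SET_BIT_TEST = re.compile(r'make_set\s*\(\s*(?:ascii|ord)\s*\(', re.IGNORECASE)

def make_set(bits, *strings):
    """Pure-Python model of MySQL MAKE_SET: substring i is emitted when bit i of `bits` is set,
    NULL (None) substrings are skipped. E.g. make_set(6, 'a', 'b', 'c') == 'b,c'."""
    return ",".join(s for i, s in enumerate(strings) if bits >> i & 1 and s is not None)

def find_make_set_bit_tests(log_text):
    """Return (client_ip, parameter_name, decoded_value) for every request whose decoded
    query parameters contain a MAKE_SET(ASCII(...)) or MAKE_SET(ORD(...)) bit test."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for name, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
            # parse_qsl already decoded one layer; decode again so a double-encoded value is still seen.
            decoded = unquote_plus(value)
            if MAKE_SET_BIT_TEST.search(decoded):
                hits.append((ip, name, decoded))
    return hits

def bit_tests_per_client(log_text):
    """Count hits per (client_ip, parameter). Extracting one character needs several probes,
    so a run of such requests from one client against one parameter is the thing to alert on."""
    counts = {}
    for ip, name, _ in find_make_set_bit_tests(log_text):
        counts[(ip, name)] = counts.get((ip, name), 0) + 1
    return counts

if __name__ == "__main__":
    for ip, name, value in find_make_set_bit_tests(SAMPLE_LOG):
        print(f"{ip} param={name!r} value={value!r}")
    print(bit_tests_per_client(SAMPLE_LOG))
```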
Result
This technique efficiently extracts the database name by assessing individual bits in characters using the MAKE_SET function. It reconstructs database values from partial results, allowing attackers to retrieve sensitive data without direct output visibility.
Tools
- Burp Suite: A comprehensive tool for web application testing, useful for intercepting HTTP requests to automate and control SQL injection attacks.
- SQLMap: An open-source penetration testing tool specifically designed to detect and exploit SQL injection vulnerabilities, capable of automating the application of the described technique.