MySQL Blind With REGEXP

Context

This article explores the technique of exploiting MySQL blind SQL injection using the REGEXP operator for data extraction. Readers are expected to be familiar with regular expressions, SQL queries, HTTP requests, and the general concepts of MySQL blind SQL injection.

Theory

Understanding REGEXP in MySQL

The REGEXP operator in MySQL performs pattern matching with regular expressions, which makes complex string tests possible inside a single SQL query. In the context of blind SQL injection, REGEXP can be leveraged to discern data by testing patterns against values stored in the database. This is particularly useful where the application never returns query results directly and only a difference in its behaviour can be observed.

Blind SQL Injection with REGEXP

When performing blind SQL injection using REGEXP, the attacker constructs patterns that will result in a true or false response from the application. By observing these responses, an attacker can incrementally reconstruct information from the database.

The vulnerability stems from improper validation and sanitization of input fields, which allows arbitrary SQL to be appended to a query that executes on the database. Even without seeing the query results, the attacker learns whether each injected condition evaluated to true or false from the application's differing responses.
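The root cause described above is the query being assembled from raw input. The following added example (not code from the article) shows a login lookup built by string formatting beside the same lookup using bound parameters, and runs the article's probe against both. It assumes an in-memory SQLite database standing in for MySQL, with a Python function registered under the name REGEXP so the operator behaves as it does in MySQL; SQLite does not accept the BINARY keyword, so the probe is used without it.

```python
import re
import sqlite3

# Added example: SQLite stands in for MySQL so the script runs offline.
# SQLite has no built-in REGEXP implementation; the operator calls a user
# function named "regexp", which we register here. (SQLite does not accept
# the BINARY keyword, so the article's payload is used without it.)
def _regexp(pattern, value):
    return value is not None and re.search(pattern, value) is not None


def make_db():
    """Create an in-memory database with one constructed sample account.
    The password is stored in clear text only to mirror the article's query."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'alpha123')")  # constructed row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: a quote in the input
    closes the literal and everything after it is parsed as SQL."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Uses bound parameters: the driver passes the values separately from
    the statement text, so the input can never change the query's shape."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


# The article's probe placed in the username field. The trailing "-- "
# comments out the remainder of the original statement.
PROBE_A = "admin' AND password REGEXP '^a' -- "
PROBE_B = "admin' AND password REGEXP '^b' -- "

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: a row comes back only when the stored password starts
    # with 'a', which is exactly the true/false oracle the article describes.
    print(login_vulnerable(db, PROBE_A, "x"))  # [('admin',)]
    print(login_vulnerable(db, PROBE_B, "x"))  # []
    # Hardened: the probe is compared as a literal username and matches nothing.
    print(login_hardened(db, PROBE_A, "x"))  # []
    print(login_hardened(db, "admin", "alpha123"))  # [('admin',)]
```

The hardened variant does not need to know anything about REGEXP, quotes or comment sequences: because the username and password travel to the database as values rather than as statement text, no input can turn the comparison into a pattern test. That is why parameterized queries, not input filtering, are the primary fix for this class of bug.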

Practice

MySQL Blind SQL Injection with REGEXP

Here, we demonstrate a step-by-step technique for leveraging REGEXP in a MySQL blind SQL injection scenario:

  • Identify an injectable parameter:

    • Manually test the different input fields of the web application to find a parameter whose value reaches a SQL query without validation.
  • Inject a REGEXP pattern:

    SELECT * FROM users WHERE username='admin' AND password REGEXP BINARY '^a'; -- 

    This query checks whether the password for the user 'admin' starts with the letter 'a'. REGEXP BINARY makes the match case-sensitive. Note the space after the closing "--": MySQL only treats "-- " followed by whitespace as a comment.

  • Observe the response:

    • After injecting the above query, observe the application's response to determine whether the pattern matched. Depending on the application's architecture, a successful match might redirect you, produce a distinct message, or alter behaviour in another discernible manner.
  • Iterate over characters:

    • Test other characters in place of '^a' in the above query ('^b', '^c', and so on), then extend the confirmed prefix one character at a time, until the entire string (password or other data field) has been mapped out.
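The iteration described above leaves a characteristic trace in web-server logs: one client sending many requests to the same endpoint whose parameters contain a REGEXP comparison against a changing anchored pattern. The following added example (not part of the article) parses constructed combined-format access-log lines, decodes the query string, pulls out the quoted pattern of every REGEXP comparison and reports clients that sent at least a threshold number of distinct patterns. The log lines, IP addresses, paths and threshold are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined-log style, not real traffic). One
# client walks through anchored REGEXP patterns against the login form; the
# other requests are ordinary, and one of them merely mentions "regexp".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /login?user=admin%27+AND+password+REGEXP+BINARY+%27%5Ea%27%3B+--+&pw=x HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:02 +0000] "GET /login?user=alice&pw=s3cret HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /login?user=admin%27+AND+password+REGEXP+BINARY+%27%5Eb%27%3B+--+&pw=x HTTP/1.1" 401 488
10.0.0.5 - - [12/Mar/2024:10:01:04 +0000] "GET /login?user=admin%27+AND+password+REGEXP+BINARY+%27%5Ec%27%3B+--+&pw=x HTTP/1.1" 401 488
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /search?q=regexp+tutorial HTTP/1.1" 200 2048
10.0.0.5 - - [12/Mar/2024:10:01:06 +0000] "GET /login?user=admin%27+AND+password+REGEXP+BINARY+%27%5Eal%27%3B+--+&pw=x HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A REGEXP comparison (optionally BINARY) followed by a single-quoted pattern.
# Requiring the quoted pattern keeps plain mentions of the word out of the hits.
PROBE_RE = re.compile(r"\bREGEXP\b(?:\s+BINARY)?\s+'([^']*)'", re.IGNORECASE)


def parse_line(line):
    """Split one log line into client IP, path, decoded query parameters and status."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        # parse_qsl undoes percent-encoding and '+' for us.
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
    }


def extract_probe_patterns(params):
    """Return the quoted pattern of every REGEXP comparison found in a request."""
    return [m.group(1) for value in params.values() for m in PROBE_RE.finditer(value)]


def detect_regexp_enumeration(log_text, threshold=3):
    """Map client IP -> distinct REGEXP patterns seen, keeping only clients that
    sent at least `threshold` distinct patterns (a character-by-character walk)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pat in extract_probe_patterns(rec["params"]):
            if pat not in seen[rec["ip"]]:
                seen[rec["ip"]].append(pat)
    return {ip: pats for ip, pats in seen.items() if len(pats) >= threshold}


if __name__ == "__main__":
    for ip, pats in detect_regexp_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(pats)} distinct REGEXP probes, e.g. {pats[:4]}")
    # 10.0.0.5: 4 distinct REGEXP probes, e.g. ['^a', '^b', '^c', '^al']
```

The threshold matters more than the keyword match: a single request containing REGEXP may be a curious user or a false positive, while a sequence of distinct anchored patterns from one source within a short window is the signature of the enumeration loop. In production this check would run over the query-log table or a SIEM's parsed request fields rather than over raw text, and would key on session or account as well as client IP.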

Result

This SQL injection technique allows an attacker to extract sensitive data from a web application's database by learning the correct pattern of characters one by one through true/false response-based inference.

Tools

  • sqlmap: An open-source tool that automates the process of detecting and exploiting SQL injection vulnerabilities as well as taking over database servers.
  • Burp Suite: Widely used in web application security testing, it can intercept and modify web traffic and is helpful in testing for SQL injection vulnerabilities, including manual pattern iteration.

This method of SQL injection is invasive and must be conducted within a controlled environment respecting all legal and ethical guidelines.
