Boolean-Based Blind

Context

The purpose of this guide is to explore Boolean-Based Blind SQL Injection within Oracle databases and demonstrate how it can be used to extract data by interpreting true or false responses returned by the vulnerable application. This technique requires a solid understanding of SQL query structure, Boolean logic, and Oracle database functions such as CASE WHEN, SUBSTR, LENGTH, ASCII, and INSTR.

Theory

Boolean-Based Blind SQL Injection

Boolean-Based Blind SQL Injection is a method that exploits the true or false responses from a database when executing SQL queries. Attackers use this type of injection to extract information by sending specific queries and observing how the application reacts. This technique works by crafting queries that force the application to return different results based on whether a condition is true or false.

Oracle SQL Query Manipulation

In Oracle databases, SQL queries can be manipulated to alter their logic, enabling attackers to glean information indirectly. By injecting specific Oracle SQL functions and conditions, it is possible to obtain responses from the database that let an attacker deduce hidden information without the application ever displaying it directly.

Key Oracle Functions for Boolean-Based Blind

Oracle SQL functions are crucial when constructing Boolean conditions in injections. Functions such as CASE WHEN, SUBSTR, LENGTH, ASCII, and INSTR are commonly used:

  • CASE WHEN: Used to return a value based on conditional logic.
  • SUBSTR: Extracts a substring from a string based on specified indices.
  • LENGTH: Returns the number of characters in a string.
  • ASCII: Returns the ASCII code of the first character in a string.
  • INSTR: Finds the location of a substring within a string.

Comparison-Based Inference

This technique involves using comparison operators within SQL queries to deduce data based on the database's response. By leveraging true or false logic, attackers can infer information one bit at a time. This is achieved by systematically querying the database to test various conditions and analyzing the outcomes.

Practice

Boolean-Based Blind SQL Injection

By manually executing crafted SQL queries, we can manipulate the responses received to extract sensitive data from a vulnerable Oracle database.

  • Step 1: Start with a query to test the first character of a username:

    SELECT CASE WHEN (SUBSTR((SELECT username FROM users WHERE ROWNUM=1),1,1)='a') THEN 'true' ELSE 'false' END FROM DUAL;

    This query checks whether the first character of the username is 'a'. If it is, the response reflects the 'true' branch; otherwise, it reflects 'false'.

  • Step 2: Determine the ASCII value of the first character in a password:

    SELECT CASE WHEN (ASCII(SUBSTR((SELECT password FROM users WHERE ROWNUM=1),1,1))>100) THEN 'true' ELSE 'false' END FROM DUAL;

    This query checks whether the ASCII value of the first password character is greater than 100. Based on the response, you can narrow down the range in which the character's value falls.

  • Step 3: Identify the length of an email address:

    SELECT CASE WHEN (LENGTH((SELECT email FROM users WHERE ROWNUM=1))=10) THEN 'true' ELSE 'false' END FROM DUAL;

    Here, you test whether the email field contains exactly 10 characters. The response helps determine the actual length of the email address.

By repeating and modifying these queries, attackers can extract information character by character until they obtain the full data set.
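From the defender's side, the repetition described above is what gives this technique away: the same CASE WHEN / SUBSTR / ASCII / FROM DUAL statement recurs with only the offset or the compared literal changing. The following Python is an added example, not part of the original guide, that flags that pattern in SQL statement text captured by a database audit trail or application query log; the record format and the sample statements (modelled on the Step 2 query) are constructed here.

```python
import re
from collections import defaultdict

# Building blocks the guide lists for an Oracle Boolean-based blind probe.
CASE_WHEN = re.compile(r"\bCASE\s+WHEN\b.+?\bTHEN\b.+?\bELSE\b.+?\bEND\b", re.I | re.S)
INFER_FUNCS = re.compile(r"\b(?:SUBSTR|LENGTH|ASCII|INSTR)\s*\(", re.I)
SUBSELECT = re.compile(r"\(\s*SELECT\b", re.I)
FROM_DUAL = re.compile(r"\bFROM\s+DUAL\b", re.I)

def score_statement(sql: str) -> int:
    """Count how many Boolean-blind indicators one SQL statement contains (0-4)."""
    return sum(bool(p.search(sql)) for p in (CASE_WHEN, INFER_FUNCS, SUBSELECT, FROM_DUAL))

def probe_template(sql: str) -> str:
    """Collapse the literals an inference loop varies between probes (the guessed
    character, the ASCII threshold, the offset or length) so that every step of
    one character-by-character extraction maps to the same template."""
    t = re.sub(r"'[^']*'", "'?'", sql)   # quoted literals
    t = re.sub(r"\b\d+\b", "#", t)       # numeric literals
    return re.sub(r"\s+", " ", t).strip().upper()

def find_probe_sequences(records, min_score=3, min_hits=3):
    """records: iterable of (timestamp, db_user, sql_text) tuples (constructed format).
    Returns {template: count} for suspicious templates seen at least min_hits times,
    which is the signature of the systematic querying described above."""
    counts = defaultdict(int)
    for _ts, _user, sql in records:
        if score_statement(sql) >= min_score:
            counts[probe_template(sql)] += 1
    return {t: n for t, n in counts.items() if n >= min_hits}

# Constructed sample records in the shape of an audit trail / query log.
SAMPLE_LOG = [
    ("10:00:01", "APP", "SELECT email FROM users WHERE id = 7"),
    ("10:00:02", "APP", "SELECT CASE WHEN (ASCII(SUBSTR((SELECT password FROM users WHERE ROWNUM=1),1,1))>100) THEN 'true' ELSE 'false' END FROM DUAL"),
    ("10:00:03", "APP", "SELECT CASE WHEN (ASCII(SUBSTR((SELECT password FROM users WHERE ROWNUM=1),1,1))>110) THEN 'true' ELSE 'false' END FROM DUAL"),
    ("10:00:04", "APP", "SELECT CASE WHEN (ASCII(SUBSTR((SELECT password FROM users WHERE ROWNUM=1),1,1))>105) THEN 'true' ELSE 'false' END FROM DUAL"),
    ("10:00:05", "APP", "SELECT CASE WHEN (ASCII(SUBSTR((SELECT password FROM users WHERE ROWNUM=1),2,1))>100) THEN 'true' ELSE 'false' END FROM DUAL"),
    # Legitimate CASE WHEN without the inference functions: scores low, not flagged.
    ("10:00:06", "APP", "SELECT CASE WHEN status = 'active' THEN 'yes' ELSE 'no' END FROM orders WHERE id = 3"),
]

if __name__ == "__main__":
    for template, n in find_probe_sequences(SAMPLE_LOG).items():
        print(f"{n} probes share one template: {template}")
```

The four probe statements collapse onto a single template with a count of 4, while the ordinary CASE WHEN query scores only 1 and is ignored; in practice the thresholds are tuned per application, since a single benign statement can legitimately use SUBSTR or DUAL.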

Tools

  • sqlmap
  • Burp Suite

These tools automate various aspects of SQL injection and analysis, aiding in the discovery and exploitation of vulnerabilities.
