Boolean with Substring
Context
In this guide, we will explore the exploitation of a PostgreSQL Boolean-based (blind) SQL injection using the SUBSTRING function. The technique isolates one character of a hidden value at a time and turns each guess about it into a true/false condition that the application answers indirectly. To follow this guide, you should be familiar with SQL query structure, Boolean logic, the SUBSTRING function, and PostgreSQL blind SQL injection.
Theory
Boolean-Based SQL Injection in PostgreSQL
Boolean-based SQL injection is a blind technique: the attacker injects a condition into a query and observes only whether the application's behaviour changes (a row is returned or not, a page renders differently, a login succeeds or fails), never the data itself. By crafting conditions that are true or false depending on hidden data, the attacker infers that data one bit at a time. This method is useful precisely where direct output of query results is not available.
Vulnerability Model
The core vulnerability is the application's practice of building SQL statements from unsanitised input and then acting on whether the statement returned a result. Once an attacker can append an arbitrary condition to the WHERE clause, the application becomes a one-bit oracle: each request answers one yes/no question about the database, and the attacker infers the underlying data by asking many such questions.
SUBSTRING Function in SQL
The SUBSTRING function extracts part of a string given a start position and a length. PostgreSQL accepts both SUBSTRING(string FROM start FOR length) and SUBSTRING(string, start, length); positions are 1-based, and a start position past the end of the string yields an empty string. This lets an attacker address any single character of a hidden value and compare it in isolation, piecing the value together one character at a time.
Core Principle
In an SQL injection, SUBSTRING is used to select one character of the value under attack, and that character is then compared in a Boolean expression (for example, equality with a candidate letter). The application's response reveals whether the comparison held, so sensitive information is disclosed character by character without ever appearing in the output.
Information Extraction via Boolean Logic
The attacker crafts a sequence of queries, each asking a yes/no question about one character of the hidden value, and reads the answers from the application's behaviour. This extracts sensitive details from a database even when output visibility is restricted or nonexistent; the cost is one request per question, which is why the choice of question (equality test versus range test) matters for speed.
Attack Sequence
The attacker repeatedly executes queries that evaluate Boolean expressions, advancing the character position and the candidate value between requests. Each position is resolved by observing the application's reaction to the injected condition; once a character is known, the position is incremented, until SUBSTRING returns an empty string and the end of the value is reached.
Practice
Boolean-Based SQL Injection with SUBSTRING
Using SUBSTRING in a Boolean-based SQL injection lets an attacker recover each character of a hidden value by testing the truth of conditions on single-character substrings. Below are step-by-step manual SQL statements that perform such an attack; each returns one row when the condition is true and no rows when it is false.
- Check whether the first character of the first column name is 'a'. A subquery used as a scalar value must return exactly one row, and the users table has several columns, so ORDER BY ordinal_position LIMIT 1 is required (step through the other columns with OFFSET):
SELECT 1 WHERE SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' ORDER BY ordinal_position LIMIT 1),1,1)='a';
- Check whether the second character of that column name is 'b':
SELECT 1 WHERE SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' ORDER BY ordinal_position LIMIT 1),2,1)='b';
- Check whether the third character of that column name is 'c':
SELECT 1 WHERE SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' ORDER BY ordinal_position LIMIT 1),3,1)='c';
By stepping the position and the candidate character, the attacker reconstructs each column name, then moves to the next column with OFFSET on the subquery; the same loop works for any single-column, single-row subquery (table names, user names, password hashes). In a real injection the condition is not run as a standalone statement but appended to the application's own WHERE clause, for example ' AND SUBSTRING((...),1,1)='a'-- , and its truth is read from the response. Two practical caveats: the equality comparison is case-sensitive, and it tests one candidate per request, so a character can cost dozens of requests. Comparing ASCII(SUBSTRING(...)) against a threshold and binary-searching the 0-127 range instead resolves each character in about seven requests.
Tools
- sqlmap
- Burp Suite
sqlmap automates the whole loop (detecting the injection point, selecting a Boolean test and extracting data character by character), while Burp Suite's Intruder can replay a single request with the position and candidate character varied, reading the true/false state from differences in response length or content. Both remove the manual, one-request-per-question effort that makes this technique slow by hand.