Boolean Injection Discovery

Context

Boolean Injection Discovery is a technique used in offensive cybersecurity to identify SQL injection vulnerabilities by observing how an application responds when an injected condition evaluates to true or false. This guide assumes a fundamental understanding of SQL injection basics, Boolean logic, and the way HTTP requests and responses interact. The skill is essential for cybersecurity professionals looking to exploit, or defend against, vulnerabilities in web applications.

Theory

Boolean Injection Techniques

Boolean-based SQL injection exploits the binary (true or false) nature of conditions in SQL queries. The core idea is to inject a condition that the database evaluates, then infer its truth value from the application's response. Successful exploitation lets an attacker infer the structure of the database and potentially retrieve sensitive data.

An attack sequence in Boolean-based SQL injection generally involves sending a series of HTTP requests with crafted parameters. Each request alters the SQL query on the server so that it evaluates to true or false, depending on how the database interprets the input.
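The following is an added example, not code from the original page or from sqlmap. It models the server side of what the paragraphs above describe: a deliberately vulnerable lookup that concatenates the id parameter into the query, its parameterised counterpart, and a check that asks whether an always-true and an always-false condition produce distinguishable pages. The in-memory table, the user names, the page templates and the function names are constructed for illustration; the pages use the same "Welcome" and "Error" markers that the sqlmap examples on this page rely on.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def render(rows):
    """Template a hypothetical vuln.php would return: one page per outcome."""
    if rows:
        return f"<title>Profile</title><p>Welcome, {rows[0][0]}</p>"
    return "<title>Error</title><p>Error: no such user</p>"


def vulnerable_lookup(conn, user_id):
    # Deliberately vulnerable: the parameter is concatenated into the query text,
    # so any condition appended to it is evaluated by the database.
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return render(conn.execute(query).fetchall())


def hardened_lookup(conn, user_id):
    # Parameterised: the value is bound as data and never parsed as SQL,
    # so an appended condition is just a string that matches no row.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return render(rows)


def has_boolean_oracle(lookup, conn, true_input, false_input):
    """True when a condition known to be true and one known to be false
    produce distinguishable pages, i.e. the endpoint leaks the query's truth value."""
    return lookup(conn, true_input) != lookup(conn, false_input)


if __name__ == "__main__":
    db = make_db()
    # Textbook probe pair: the same id with an always-true and an always-false condition.
    print("vulnerable:", has_boolean_oracle(vulnerable_lookup, db, "1 AND 1=1", "1 AND 1=2"))
    print("hardened:  ", has_boolean_oracle(hardened_lookup, db, "1 AND 1=1", "1 AND 1=2"))
```

The vulnerable version returns the "Welcome" page for the true condition and the "Error" page for the false one, which is exactly the difference the string and title comparisons described below key on. The hardened version returns the "Error" page for both, so there is nothing to compare.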

Sqlmap String Options

Sqlmap is a powerful tool that automates SQL injection discovery and exploitation. For Boolean-based attacks it includes options for matching strings in the responses:

  • --string: Specifies a string that marks a true condition. If this string is present in the response, the injected condition evaluated to true.

  • --not-string: Specifies a string that marks a false condition. If this string appears in the response, the injected condition evaluated to false.

Content Comparison Methods

Content comparison is central to detecting Boolean-based SQL injection: by observing how the content changes between true and false evaluations, a tester can identify injectable parameters. Key sqlmap options for content comparison include:

  • --code: Compares HTTP status codes to distinguish response behaviors. A status code that varies with the payload suggests a possible injection point.

  • --text-only: Compares only the textual content of responses, ignoring HTML structure. This gives a straightforward basis for comparing the responses to injected queries.

Sqlmap Code Analysis

Analyzing HTTP status codes can be an effective way to detect Boolean injections, because some web applications return different status codes for different Boolean outcomes:

  • A consistent 200 status code may indicate a true condition, whereas a different code, such as 500, may reflect a false condition. This analysis can guide pentesters in identifying SQL injection flaws.

Text Only Responses

By ignoring HTML structure, the --text-only option lets testers focus directly on changes in the text content of HTTP responses, giving simple yet powerful comparisons that reveal discrepancies caused by SQL injection attempts.

Title Based Injection Detection

Using the page title is another method for detecting Boolean injections. When page titles differ between true and false queries, this can indicate an injection vulnerability:

  • The --titles switch uses this by comparing the titles of the documents returned in the HTTP responses.
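The comparison modes above all answer one question: are two responses "different"? The following added example, which is neither sqlmap's code nor part of the original page, implements each mode over a pair of constructed responses and shows why the narrower modes exist: a per-request CSRF token makes every raw body unique, so a whole-body diff reports a difference even when the Boolean outcome is the same, while the status code, visible text and title stay stable. The response bodies, token values and function names are constructed for illustration.

```python
from html.parser import HTMLParser


class _PageText(HTMLParser):
    """Pulls the <title> and the visible text out of an HTML body (tags and comments dropped)."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self._chunks.append(data)

    @property
    def text(self):
        return " ".join("".join(self._chunks).split())


def page_text(body):
    """Return (title, visible text) for an HTML body."""
    p = _PageText()
    p.feed(body)
    return p.title.strip(), p.text


def responses_differ(a, b, mode, marker=None):
    """Decide whether two (status, body) responses differ under one comparison mode.
    Modes mirror the options described above: 'raw' (whole body), 'code' (--code),
    'text-only' (--text-only), 'titles' (--titles), 'string' (--string=marker)
    and 'not-string' (--not-string=marker)."""
    (code_a, body_a), (code_b, body_b) = a, b
    if mode == "raw":
        return body_a != body_b
    if mode == "code":
        return code_a != code_b
    if mode == "text-only":
        return page_text(body_a)[1] != page_text(body_b)[1]
    if mode == "titles":
        return page_text(body_a)[0] != page_text(body_b)[0]
    if mode in ("string", "not-string"):
        # Both options reduce to: does the marker's presence flip between the two pages?
        return (marker in body_a) != (marker in body_b)
    raise ValueError(f"unknown mode {mode!r}")


MODES = ("raw", "code", "text-only", "titles")


def usable_modes(true_a, true_b, false_page):
    """Modes that are stable across two responses to the same true condition
    yet still separate the true page from the false page."""
    return [m for m in MODES
            if not responses_differ(true_a, true_b, m)
            and responses_differ(true_a, false_page, m)]


def _page(title, message, nonce, status):
    # Constructed response: the hidden CSRF token changes on every request.
    body = (f"<html><head><title>{title}</title></head><body>"
            f"<input type='hidden' name='csrf' value='{nonce}'>"
            f"<p>{message}</p></body></html>")
    return status, body


TRUE_PAGE = _page("Profile", "Welcome, alice", "8f3a1c", 200)
TRUE_PAGE_AGAIN = _page("Profile", "Welcome, alice", "d41e09", 200)  # same outcome, new token
FALSE_PAGE = _page("Error", "Error: no such user", "77b2fe", 500)

if __name__ == "__main__":
    print("raw diff on two true pages:", responses_differ(TRUE_PAGE, TRUE_PAGE_AGAIN, "raw"))
    print("modes that work here:", usable_modes(TRUE_PAGE, TRUE_PAGE_AGAIN, FALSE_PAGE))
```

In practice a tester first requests the same page twice to see which mode is stable; a dynamic token, timestamp or advertisement in the body is the usual reason a raw comparison produces false positives and --text-only or --titles is needed.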

Practice

Boolean Injection Discovery with sqlmap

Sqlmap provides several options for discovering Boolean-based SQL injection vulnerabilities. Here are practical examples of how to use them:

  • Detecting with --string

    sqlmap -u "http://example.com/vuln.php?id=1" --string="Welcome"

    This command looks for responses containing the string "Welcome", which is assumed to appear only in responses to true conditions.

  • Detecting with --not-string

    sqlmap -u "http://example.com/vuln.php?id=1" --not-string="Error"

    Here "Error" marks the false case: a response containing it is treated as the result of a false condition, and a response without it as the result of a true one.

  • Using --code for Status Code Comparison

    sqlmap -u "http://example.com/vuln.php?id=1" --code=200

    With --code=200, a response with HTTP status 200 (the usual success code) is treated as the true case and any other status as the false case, so differences in how the SQL query evaluates are detected through the status code alone.

  • Focusing with --text-only

    sqlmap -u "http://example.com/vuln.php?id=1" --text-only

    This command compares only the textual content of responses, ignoring changes in HTML markup or structure.

  • Title-Based Detection with --titles

    sqlmap -u "http://example.com/vuln.php?id=1" --titles

    This compares the titles of the response pages; a title that changes between payloads indicates a likely Boolean injection.
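From the defender's side, the probing described above leaves a recognisable trace in web server logs. The following is an added example, not part of the original page and not sqlmap's code: it parses a few constructed Apache combined-format access log lines and flags a client that sends several Boolean-looking values to the same parameter of the same path, recording the status codes seen (a 200/500 split is the signal the --code section above relies on) and whether a scanner User-Agent was observed. The log lines, IP addresses and the "sqlmap/1.7" User-Agent value are constructed, and the regular expression is a heuristic for plain, unobfuscated probes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format (constructed sample below uses this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A value that carries an appended comparison such as "AND 1=1" or "OR 2>1".
BOOL_RE = re.compile(r"\b(AND|OR)\b\s*[\w'\"]+\s*(<>|=|<|>|LIKE)\s*[\w'\"]+", re.I)

# Constructed access-log sample: one client sends three probes to /vuln.php?id.
SAMPLE_LOG = """
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1%20AND%201%3D2 HTTP/1.1" 500 231 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /vuln.php?id=1%20AND%202%3E1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /vuln.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with the log fields plus decoded path and query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so "1%20AND%201%3D1" becomes "1 AND 1=1".
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_boolean_probing(lines, min_probes=2):
    """Group Boolean-looking parameter values by (client, path, parameter) and report
    every group with at least min_probes distinct values."""
    probes = defaultdict(set)     # (ip, path, param) -> distinct suspicious values
    statuses = defaultdict(set)   # same key -> status codes returned for those values
    tool_ua_sources = set()       # clients that announced a known scanner User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            tool_ua_sources.add(rec["ip"])
        for name, value in rec["params"]:
            if BOOL_RE.search(value):
                key = (rec["ip"], rec["path"], name)
                probes[key].add(value)
                statuses[key].add(rec["status"])
    findings = []
    for (ip, path, param), values in probes.items():
        if len(values) >= min_probes:
            findings.append({
                "source": ip,
                "path": path,
                "param": param,
                "probes": len(values),
                "status_codes": sorted(statuses[(ip, path, param)]),
                "known_tool_ua": ip in tool_ua_sources,
            })
    return findings


if __name__ == "__main__":
    for finding in find_boolean_probing(SAMPLE_LOG.strip().splitlines()):
        print(finding)
```

The status code split in the finding is the same evidence a tester would read with --code: a parameter whose true and false probes come back with different status codes is worth checking at the application layer, independently of whether the client's User-Agent gave the tool away.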

Tools

  • sqlmap
