Data exfiltration via a blind Boolean-based SQL injection

An SQL injection is a vulnerability based on an input validation error, which allows a malicious user to insert unexpected SQL statements into an application to perform different actions on it. For example, extract information, delete data or modify the original statements.

There are three types of SQL injections, as follows:

  • In-band SQL injection: This type of SQL injection has the characteristic that is possible to analyze using the same channel used to send the statement. It means that the response generated by the database management system (DBMS) is received in the same analyzed application.
  • Inferential: This type of SQL injection is different from the previous one, as it is not possible to see the errors or the results in the application's response. We need to infer what is happening in the application's backend or use external channels to get the information. At the same time, into the inferential SQL injections are further divided into two types:
    • Boolean-based blind SQL injection: In this type of SQL injection, the statements are focused on changing a Boolean value into the application in order to get different responses. Even though the SQL injection result is not showed directly, the HTTP response content could change to infer the result.
    • Time-based blind SQL injection: This inferential SQL injection depends on the time lapsed to generate a response by the database server. With time variations, it is possible to infer whether the SQL injection is successful or not. To do so, the malicious user inserts functions included in the DBMS to determine what is happening in the backend.
  • Out-of-band SQL injection: In this type of SQL injection, it is not possible to use the same channel to see the error response or infer the result directly. So, we need to use an external channel to know whether the SQL injection is successful or not. For example, using second data storage to receive the results, such as DNS resolution to infer the time lapsed in a request, which is not possible to see in the application.

We will see how it is possible to use Burp Suite to exploit a Boolean-based SQL injection vulnerability.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset