Friday, April 20, 2012

Advance Oracle Blind SQL Injection

Had a job to test an application few days back. Its an application using java applet.
Hurm..when I heard its an application via java applet what came in my mind

1 - Internet Explorer will be a better browser 
*which is true in this case..since to use other browser I need to install Java jiniator(something like that)
*no extra addon such as hackbar/tamper data available in IE

2 - Try to hook using proxy tools burp/paros/webscarap/zap etc.
*Success,but no use. Since the data is encrypted well. Failed to crack/reverse them :(
*Tried to use JavaSnoop. Failed to setup it.hahaha

3 - Manual testing!!!
* The best choice.

The developer of this application really confident with their applications. They already guaranteed that there's no bug in their application. So that's why the company that hire them asked me to test the application..

So,after tested it for the 1st day..it is true the application is hard to hack..not because the application,but because the java applet.
How about the application then? LOTS of vulnerability.
I found multiple forms that vulnerable to Oracle Blind SQL Injection.

Then came another problem.
Most of the forms only accept a little amount of characters. some of them accept 30chars..some of them 40chars..the longest acceptable chars is 90chars where I found in one of the vulnerable form.

It is a BLIND SQLI with limitation of characters.

At first I already informed this to the company,but then one of the developer said that..
"So what?..You cannot extract anything just by that 1 or 1=1 1=2 thing right?haha"

Really pissed me off. So I need to extract something from this Blind Sqli to show the impact to this developer guy.

A little of reading and googling found that, for Blind Sqli in Oracle,we need a lots of chars to successfully extract the data.
The only hope I have now is the only form that accept 90chars.

So the how I'm confident it is a blind sqli?
Simple.
When I'm trying to search for " john ", the result of john's profile will appear.
but if I try to search for " john' ", a different profile or a blank profile appear.

So I tried
john' or 1='1 TRUE
john' or 1='2 FALSE

yerp! it is a blind sqli.

Had a read in pentestmonkey cheat sheet and found out that we can use like this as well. called String Concatenation


jo'||'hn = TRUE
jo'||hn = FALSE
jo'||h||'n = TRUE

So here's the idea.

jo'|| INJECTION HERE if TRUE 'h' else 'x' || 'n

- let say we query to find a first letter of current_user='U' ,so if the current_user's first letter start with U,it will be 'h' which completed the string equals jo'||h||'n
- if the 1st letter not start with U, it will be else 'x'..so the string become jo'||x||'n which is not a valid profile available in the application.

hope you get the idea :)

thanks to
-pentestmonkey
-Bojan Zdrnja