Wednesday, March 29, 2017

Blind SQL Injection in er... I'm not sure what the DBMS is.

A short blogpost from me.
Recently participated in a private bounty program and found an SQL Injection issue in one of the available parameters.

The injection looks as follows:

id=11) and (1=1
Normal, eh? But SQLmap and a few test cases of mine could not determine the DBMS in use. There is a high chance it is MSSQL, MS Access or a Jet database, judging from the response patterns that can be observed. I've also asked people around to reach this conclusion. I managed to provide a simple POC such as
id=11) and 1=1 and (1=1
id=11) and 1=2 and (1=1
to show the existence of a TRUE/FALSE condition. But still, to convince the program owner, at the very least we need to show it is possible to extract a table_name or column_name. After a day of trying, I figured out how to make the POC. How silly, it is so simple!
id=11) and (<column_name>=<column_name>
So, if the column_name exists, the condition evaluates to TRUE, while if it does not exist, the query errors out and the response looks like FALSE. How to automate it?
All we need to do is run Burp Suite, send the vulnerable parameter to Intruder, use the Battering Ram attack type, and pick our own wordlist containing a list of column names. I used the one shipped with SQLmap, common_columns.txt.
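To make the TRUE/FALSE behaviour concrete from the defender's side, here is an added example of mine (not code from the post or from the bounty target). It uses an in-memory SQLite table as a stand-in for the unknown DBMS (an assumption; the table `items` and its rows are constructed), shows the concatenating query that produces the `id=11) and (...` behaviour, the self-comparison `column=column` probe distinguishing an existing column from a missing one, the parameterised and type-checked version that rejects the payload outright, and a small heuristic a log reviewer could run over parameter values.

```python
import re
import sqlite3

# Constructed sample schema; sqlite3 is an assumption standing in for the
# unidentified DBMS discussed in the post.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
INSERT INTO items VALUES (11, 'widget', 'alice');
INSERT INTO items VALUES (12, 'gadget', 'bob');
""")


def vulnerable_lookup(id_param: str) -> list:
    """Builds the WHERE clause by string concatenation (the bug class in the post).
    Database errors are swallowed and reported as 'no rows', which is exactly
    what makes the injection *blind*: the caller only sees a TRUE/FALSE difference.
    A probe such as '11) and (name=name' succeeds for an existing column, while
    '11) and (nosuch=nosuch' raises 'no such column' and collapses to FALSE."""
    sql = "SELECT id, name FROM items WHERE (id=" + id_param + ")"
    try:
        return _conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []


def safe_lookup(id_param: str) -> list:
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so the database never parses user input as SQL."""
    try:
        item_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer")
    return _conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (item_id,)
    ).fetchall()


def probe_result(rows: list) -> bool:
    """What the tester observes: TRUE when the page shows a record, else FALSE."""
    return len(rows) > 0


# Heuristic for reviewing request logs: a parenthesis-closing 'and (' or a
# self-comparison like 1=1 / name=name inside a numeric parameter value.
_PROBE_RE = re.compile(r"\)\s*and\s*\(|\b(\w+)\s*=\s*\1\b", re.IGNORECASE)


def looks_like_boolean_probe(param_value: str) -> bool:
    """Flags parameter values that carry boolean-probe structure. Heuristic only;
    a plain integer never matches, so it is cheap to run over access logs."""
    return bool(_PROBE_RE.search(param_value))


if __name__ == "__main__":
    for payload in ["11", "11) and (1=1", "11) and (1=2",
                    "11) and (name=name", "11) and (nosuch=nosuch"]:
        print(f"{payload!r:28} vulnerable -> {probe_result(vulnerable_lookup(payload))}"
              f"  flagged -> {looks_like_boolean_probe(payload)}")
```

Running the block prints TRUE for the plain id, the `1=1` probe and the existing-column probe, and FALSE for `1=2` and the missing column, which is the oracle the post exploits; `safe_lookup` raises on every non-integer value instead of producing an oracle at all.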

Result as follows: