Blog | G5 Cyber Security

Blind SQLi: Column Name Guessing

TL;DR

This guide shows how to find a column name in a database using Blind SQL Injection. We’ll use boolean-based techniques and tools like sqlmap.

Understanding Blind SQLi

Blind SQL Injection happens when the web application doesn’t show error messages or data directly, but you can still infer information by observing its behaviour (e.g., whether a page loads differently). We’ll focus on boolean-based injection where we ask ‘yes/no’ questions.

Step 1: Identify a Vulnerable Parameter

  1. Find an input field: Look for search boxes, login forms, or any place you can enter data.
  2. Test for Injection: Try basic SQL injection payloads like ' OR '1'='1 and see if the response changes significantly. If it does, you likely have a vulnerability. Be careful not to break the application!

Step 2: Determine the Database Management System (DBMS)

Knowing your DBMS helps tailor payloads. You can try common functions or error messages:

If the response differs from one DBMS-specific payload to another, that difference suggests which DBMS is in use.

Step 3: Guessing Column Names

  1. Initial Setup: Assume the table name is known (or find it first using similar techniques). Let’s say the table is called ‘users’.
  2. Boolean-Based Payloads: We’ll test each column name one by one. Start with common names like ‘id’, ‘username’, ‘password’, ‘email’.
  3. Crafting the Payload: The basic structure will be something like this (example for MySQL; note that MySQL’s LIMIT takes offset, count, so LIMIT 0, 1 selects the first column row): ' AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users' LIMIT 0, 1), 1, 1) = 'i', 1, 0)
  4. Explanation:

Step 4: Automating with sqlmap

sqlmap can automate this process:

sqlmap -u "http://example.com/vulnerable_page?param=value" -p param -T users --columns

sqlmap will enumerate the columns of the users table over the same boolean-based channel and report those it finds.

Step 5: Refining the Guess

  1. Iterate: If sqlmap doesn’t find all columns, manually refine your payloads. Increase the length of the substring you extract (e.g., SUBSTRING(..., 1, 2)).
  2. Character by Character: If you know a column exists but not its full name, guess it character by character using boolean-based injection and payloads like this (MySQL): ' AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users' LIMIT 0, 1), 1, 1) = 'a', 1, 0). Change ‘a’ to each letter of the alphabet until the response changes, then move the SUBSTRING start position on to the next character.
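From the defender’s side, the enumeration in Steps 3 and 5 leaves a distinctive trace in web-server logs: a burst of near-identical requests from one client that differ only in the compared character. The following Python script is an added example, not part of the original post: it parses constructed access-log lines, URL-decodes the query string, matches the signatures of the payload shown above (INFORMATION_SCHEMA.COLUMNS, SUBSTRING, IF, quote-then-AND), and flags clients that repeat such probes. The log lines, client addresses and the threshold of three probes are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access-log lines (not from a real server). Lines 2-4 and 6 carry
# the post's MySQL column-guessing payload, varying only the compared character ('a', 'b', 'c').
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=laptop HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=%27+AND+IF%28SUBSTRING%28%28SELECT+COLUMN_NAME+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME+%3D+%27users%27+LIMIT+0%2C1%29%2C1%2C1%29+%3D+%27a%27%2C1%2C0%29 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=%27+AND+IF%28SUBSTRING%28%28SELECT+COLUMN_NAME+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME+%3D+%27users%27+LIMIT+0%2C1%29%2C1%2C1%29+%3D+%27b%27%2C1%2C0%29 HTTP/1.1" 200 4870
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=%27+AND+IF%28SUBSTRING%28%28SELECT+COLUMN_NAME+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME+%3D+%27users%27+LIMIT+0%2C1%29%2C1%2C1%29+%3D+%27c%27%2C1%2C0%29 HTTP/1.1" 200 4870
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2210
203.0.113.8 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%27+AND+IF%28SUBSTRING%28%28SELECT+COLUMN_NAME+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME+%3D+%27users%27+LIMIT+0%2C1%29%2C1%2C1%29+%3D+%27a%27%2C1%2C0%29 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Signatures of the boolean-based payload from this post, matched on the decoded, lower-cased
# query string. None of them alone is conclusive, so is_probe requires two to co-occur.
PROBE_PATTERNS = [re.compile(p) for p in (
    r"information_schema\.columns", r"\bsubstring\s*\(", r"\bif\s*\(", r"'\s*(and|or)\s+")]

def parse_line(line):
    """Return (client_ip, decoded query string) or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), unquote_plus(urlsplit(m.group("target")).query)

def is_probe(decoded_query):
    """True when at least two signatures co-occur; an innocent search for 'if' stays clean."""
    return sum(1 for p in PROBE_PATTERNS if p.search(decoded_query.lower())) >= 2

def probe_counts(log_text):
    """Number of probe requests per client IP over the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_probe(parsed[1]):
            counts[parsed[0]] += 1
    return counts

def flag_clients(log_text, threshold=3):
    """Clients at or above the threshold are likely enumerating character by character (by hand or with sqlmap)."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)

if __name__ == "__main__":
    counts = probe_counts(SAMPLE_LOG)
    for ip in flag_clients(SAMPLE_LOG):
        print(f"blind SQLi enumeration suspected from {ip}: {counts[ip]} probes")
```

In the sample, the response size also flips between 5120 and 4870 as the compared character changes; that size flip is the boolean oracle itself and is a second signal worth alerting on.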

Important Considerations
