Blind SQL Injector Tool

Ideal for penetration testers, the Blind SQL Injector is an automated database data extraction tool. By importing SQL injections discovered when scanning a website, you can see how serious an impact an SQL injection can have on the website. Depending on the severity of the vulnerability, you will also be able to enumerate databases and tables, dump data, and read specific files from the web server's file system. Using this tool, you can also run custom SQL select queries against the database.

Importing and Writing HTTP Requests

The Blind SQL Injector needs to know the exact HTTP request through which the remote user can inject data into the database. You can import an HTTP request from an SQL injection reported in a website scan, or else write an HTTP request yourself and add an SQL injection point anywhere you like in the request.

Importing the HTTP Request

From the scan results of a website, right click a reported SQL Injection and select ‘Import to Blind SQL Injector’. This imports the HTTP request used to discover the SQL Injection into the tool, including the injection point, for further analysis.

Writing the HTTP Request

The HTTP request can be written manually as plain text in the HTTP Request tab.

Injection Point

Specify the exact point where the injection should be placed by putting the cursor at the insertion point and clicking the ‘+’ icon on the toolbar. This inserts the ‘${InjectHere}’ token, which the injection engine replaces dynamically using various injection techniques.

Blind SQL Injector Tools

1. File Extraction Tool
With this tool you can extract files from the web server by exploiting the discovered SQL Injection. This is only possible once the injection has been validated. Configure the following options to extract files:

  • File Name
    – Specify the exact remote path and filename of the file to extract
  • Offset
    – Specify the character index from where you want to extract data
  • Length
    – Specify how many bytes to extract from the file. Set it to 0 for no limit, i.e. extract the whole file
  • Text File
    – Tick this option if the file is a text file. The extraction algorithm then knows it is a text file, which makes the extraction process much faster.

Note:
Once ‘Extract’ is clicked, if the file extraction is successful you will be prompted to specify a location and filename where to save the extracted file.


2. Execute SQL Query Tool

This tool lets you execute arbitrary SQL queries on the remote SQL server. The query can only return one row and one column, so the SQL query has to be limited accordingly.

  • SQL query
    – Write down the SQL query in this text box
  • Offset
    – Specify the character index from where you want to extract data
  • Length
    – Specify how many bytes to extract from the result returned by the SQL query. Set it to 0 for no limit, i.e. extract the whole result.

Note:
Once ‘Extract’ is clicked and the SQL query returns its results successfully, you will be prompted to specify a location and filename where to save the results.

Configuring the Blind SQL Injector

Configuration of the Blind SQL Injector can be accessed from the ‘Settings’ tab in the ‘Blind SQL Injector’ node.

Settings > General Tab

  • Database Type
    – Select ‘Automatic’ if the database server is unknown and the Blind SQL Injector will try to guess it. Otherwise, if the SQL server is known, select it from the drop-down menu.
  • Extraction Method
    – Select ‘Automatic’ and the tool will try to use the best method available. The ‘Condition based’ extraction method is the most reliable but the slowest. With ‘Union Select’, in the limited cases where the SQL query and injection point permit it, the tool injects other queries into the existing query and reads their results directly, so this method is up to 8 times faster than the previous one.
  • Minimum HTTP Retry
    – The number of retries the application will make before reporting a connection error.
  • Encode SQL Spaces with /**/
    – Tick this to encode SQL spaces as /**/. This is a basic way to fool anti-SQL-injection filters.
  • Force HTTP encoding of the SQL string
    – Tick this option to automatically encode SQL strings used in a GET parameter.
  • Encode all characters
    – Tick this option to encode all characters not just the special characters.
  • Encode spaces with plus
    – Tick this option to encode spaces with a ‘+’ sign instead of %20.
  • Show debug information
    – Enable this option to enable debug logging in the application log.

Settings > Condition Based Extractor node

  • Injection SQL string > Automatic Detection
    – Tick this option if you want the tool to determine automatically the injection string that is injected into the SQL.
  • Injection SQL String > provided by user
    – Select this option to specify the injection SQL string manually. The position of the condition is given by the ${condition} token, e.g. 1 AND ${condition}/*.
  • True / False condition detector > Automatic
    – Select this for automatic detection. It may not work if only subtle changes occur in the server response between consecutive requests.
  • True / False condition detector > Provided by Regex
    – Specify the regular expression which must match the response data on true condition.
  • Inverse Regex
    – Enable this option when you want the true condition to be triggered when the regex stated above does not match.
  • Character Extractor

    • Bit Method
      – Select this option to break each character down into its bits and test the bits directly.
    • Half Method
      – If this method is selected, the application finds the numerical value of the character by the half method, i.e. it searches for the value within a given interval by repeatedly splitting the interval in half, testing which half contains the value, and recursing into that half.
    • Try Parallel request
      – Tick this option to request all bits in parallel.
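
The following simulation is an added illustration, not the tool's own code: it runs the two character extractors described above (Half Method and Bit Method) against a local, constructed true/false oracle instead of a web server, and counts the probes each needs per character. The constructed secret string, the `SimulatedTarget` class and the 0..127 interval used to mimic the ‘Text File’ hint are assumptions for the example; the probe count is also what a defender sees in the access log as a burst of near-identical requests.

```python
from typing import Callable, Tuple


class SimulatedTarget:
    """Stand-in for the injectable endpoint (constructed for this example):
    answers only true/false questions about one character of the secret and
    counts every probe, as each probe would be one HTTP request."""

    def __init__(self, secret: str):
        self._secret = secret
        self.probes = 0

    def greater_than(self, index: int, value: int) -> bool:
        self.probes += 1
        return ord(self._secret[index]) > value

    def bit_set(self, index: int, bit: int) -> bool:
        self.probes += 1
        return (ord(self._secret[index]) >> bit) & 1 == 1


def half_method(target: SimulatedTarget, index: int, lo: int = 0, hi: int = 255) -> int:
    """Half method: keep halving the interval [lo, hi] that contains the value.
    A 256-wide interval costs 8 probes; 128 (text-file hint) costs 7."""
    while lo < hi:
        mid = (lo + hi) // 2
        if target.greater_than(index, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def bit_method(target: SimulatedTarget, index: int, width: int = 8) -> int:
    """Bit method: ask for each bit separately. The probes do not depend on
    each other, which is why the tool can send them in parallel."""
    return sum(target.bit_set(index, b) << b for b in range(width))


def extract(target: SimulatedTarget, length: int,
            method: Callable[[SimulatedTarget, int], int]) -> Tuple[str, int]:
    """Extract `length` characters with the given method; return (text, probes used)."""
    before = target.probes
    text = "".join(chr(method(target, i)) for i in range(length))
    return text, target.probes - before


if __name__ == "__main__":
    t = SimulatedTarget("admin")  # constructed secret
    print(extract(t, 5, half_method))  # ('admin', 40)
    print(extract(t, 5, lambda tg, i: half_method(tg, i, 0, 127)))  # ('admin', 35)
    print(extract(t, 5, bit_method))  # ('admin', 40)
```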

Settings > Union Select based extractor tab

  • Start Column number
    – Specify the minimum number of columns expected in a database.
  • Max column number
    – Specify the maximum number of columns expected in a database.
  • Visible column index
    – Specify a column which the Blind SQL Injector can already extract. This setting is used as a reference by the tool. Leave it at 0 for automatic detection.

Note:
If a database you are scanning may include more than 20 columns per table, increase the value of ‘Max column number’.


  • It seems like a very nice tool from what I see. I am somewhat concerned about the SQL injection test. Does this really inject the website with code to try to pull a test for code injection? Because I tried this on one of my sites and I got banned from the site for trying to pull information schema. My sites are pretty well able to block injections on most parts. Anyway I want to say that I would love to know where the code is pulling from or injecting to before I can make any attempt to use this. I don't want to be causing damage to my websites to tell me if I am doing damage here; I know the sites are not injected. Although after using this I am not sure what it has done.
    I checked the tables in phpMyAdmin, ok thanks.

    • Hi,

      The Blind SQL injection tool does not inject any code in SQL. However I would still recommend that you perform this on a backup copy of the website / database.
