My third python web testing script in this series is a blind SQL injection script. It is used to automatically extract data from a MYSQL database using blind SQL injection techniques. There are already many tools out there that do this, but this one is a little different. It uses a different technique to extract the data.
Most Blind SQL injection tools will either Brute Force or repeatedly cut the alphabet in half to formulate it’s next guess. For example, if the database name was “CAT” a Brute Force tool would ask the following questions..
Is the first letter of my database name = “A” (answer:NO)
Is the first letter of my database name = “B” (answer:NO)
Is the first letter of my database name = “C” (answer:YES)
Is the second letter of my database name = “A” (answer:YES)
Is the third letter of my database name = “A” (answer:NO)
And so on.
More efficient tools play 50 questions and make their guesses like this:
Is the first letter of my database name < "M" (answer: YES)
Is the first letter of my database name < "G" (answer YES)
Is the first letter of my database name < "D" (answer YES)
Is the first letter of my database name < "B" (answer NO)
Is the first letter of my database name = "B" (answer NO, OK it must be C)
Then it moves on to the second letter, and so on, and so one.
This tool uses a different technique. It uses a per letter frequency table to predict the next letter. For example, if you have a Q there is a HIGH probability that the next letter is a U. The technique is discussed in an excellent paper titled "Technique of quick exploitation of 2blind SQL Injection" which can be downloaded here The paper is by Dmitry Evteev (Positive Technologies), Vladimir (D0znp) and Voronzov (ONSec). The paper is really good and so far, the results are too! Using this technique I’ve found I’m able to extract data with much fewer request than with brute force techniques. Improved performance and stealth!
I took their technique and implemented in a python script. To use my script you give the script a vulnerable URL, and you put your SQL query in the URL with carets as markers at the point on injection.
For example:

mark.baggett$ $ python "^database()^#"
end of word found
Found target acuart in 79 guesses.

Let’s compare that to a brute force tool.

mark.baggett$ perl -blind cat -sql "database()" -url
// Blind SQL injection brute force.
// /

trying: acuart#### results:
database() = acuart
total hits: 126

That is pretty nice! We went from 126 guesses to only 79. That is AWESOME when you consider that to determine you’ve reached the end of the line you have to go through the entire character set and make 38 guesses. Executing a MySQL function call like database() is an nice easy demo, but the tool is capable of more. You can put any SQL statement you want in there that returns a single text string. For example, you can extract all the tables from the schema with something like this:

mark.baggett$ python "^%28select%20concat%28%28select%20group_concat%28table_name%29%20from%20information_schema.tables%20where%20table_schema!=0x6d7973716c%20%20and%20table_schema!=0x696e666f726d6174696f6e5f736368656d61%29%29%29^#"

There are some significant limitations to this release of the tool. The character tables are not complete. Unfortunately, the paper posted by Dmitry and company didn’t include the complete character frequency tables. It is missing a few characters such as M, N, punctuation and numeric values. In this script I just used a default frequency table for those characters which I am sure makes it less efficient. If you know where I can find the correct tables for those characters please drop me a line.
You can download the tool here:
Thanks to the Acunetix guys at for their awesome test site and their tool.
Mark Baggett
Join me for SANS 504 Hacker Techniques, Exploits and Incident handling in San Antonio November 13th! REGISTER TODAY

About the author

Leave a Reply