Lecture 62 - Getting The Admin Password Using a Time-Based Blind SQLi

So, now we know the username is administrator.

We know the password length is 20 characters.

The next target is to actually get that password.

The problem with that is it's a 20-character password and we can't actually get it displayed anywhere.

Therefore we're going to have to follow a very similar approach to what we did in the previous blind SQL injection example.

Again, we're simply manipulating the condition in here.

We're asking if the username is administrator and the first character of the password is 'a'.

And the way we're doing this is by using the substring function.

So again, you can look this function up, but basically what this function does is take a piece out of a string.

The string we want to take a piece out of is the value of the password, and we want to get the first character; that's why we're saying 1 and 1.

So the first number specifies where to start from and the second number specifies how many characters you want to get.

So we're saying we want to start at the first character.

And we only want to get one character starting from there.

And therefore we're checking if the first letter, or the first character, in the password is equal to 'a'; if it is, sleep for 10 seconds, otherwise move on.

And then we do that for the next character by changing this value to 2.

So we're going to ask whether the second character is equal to 'a'.

And then we ask whether the second character is equal to 'b'.

And you go ahead and go through all of the possible characters to actually get every single character in the password, very similar to what we did in the previous example.

That's why I'm kind of going through it quicker than I did in the previous example.

So if you don't remember how this works please go back and revise that example.

So let's go ahead and let's edit this.

So instead of saying length, we're actually now doing substring.

And we're doing it for the password, getting one character starting from position 1, and then we're checking if that is equal to 'a'; if it is, I want you to sleep for 10 seconds, otherwise don't do any of that, don't sleep at all. And let's hit enter.

And as you can see we didn't sleep for any seconds at all, which means that the first character of the password is not the letter 'a'.
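The reason the condition in the cookie is evaluated at all is that the application pastes the cookie value straight into its SQL text. The added example below (my own code, not the course's or the lab's) reproduces the lecture's substring-then-sleep condition against a constructed in-memory SQLite database and puts the flawed lookup beside the parameterized one. SQLite has no built-in sleep, so a stand-in `sleep()` function is registered that records the call instead of pausing; the table names, the `abc123` tracking id and the password value are all made up for the example.

```python
import sqlite3

# Records every call the database makes to the delay function, so the example can show
# whether the injected condition reached the sleep branch without actually pausing.
DELAY_CALLS = []


def fake_sleep(seconds):
    """Stand-in for the database's delay function (pg_sleep, SLEEP, ...): logs the call, returns 0."""
    DELAY_CALLS.append(seconds)
    return 0


def build_db():
    """In-memory SQLite database with constructed lab-style tables; the password value is made up."""
    con = sqlite3.connect(":memory:")
    con.create_function("sleep", 1, fake_sleep)
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'e9constructedNotReal');
        CREATE TABLE tracking (trackingid TEXT);
        INSERT INTO tracking VALUES ('abc123');
    """)
    return con


def lookup_vulnerable(con, tracking_id):
    """The flawed pattern: the cookie value is concatenated into the SQL text, so everything
    after a single quote is parsed as SQL instead of being compared as a tracking id."""
    sql = "SELECT trackingid FROM tracking WHERE trackingid = '" + tracking_id + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, tracking_id):
    """The fix: the value is bound as a query parameter. The database never parses it, so a quote,
    an AND, a subquery or a sleep() inside it is just an odd tracking id that matches nothing."""
    sql = "SELECT trackingid FROM tracking WHERE trackingid = ?"
    return con.execute(sql, (tracking_id,)).fetchall()


def delay_triggered(con, lookup, guess):
    """Run the lecture's condition (administrator's first password character == guess, then sleep)
    through the given lookup and report whether the database executed the delay branch."""
    DELAY_CALLS.clear()
    cookie = (
        "abc123' AND (SELECT CASE WHEN (username='administrator' AND substr(password,1,1)='"
        + guess + "') THEN sleep(10) ELSE 0 END FROM users)=0--"
    )
    lookup(con, cookie)
    return len(DELAY_CALLS) > 0


if __name__ == "__main__":
    db = build_db()
    for g in ("a", "e"):
        print("concatenated SQL, guess", g, "-> delay:", delay_triggered(db, lookup_vulnerable, g))
        print("parameterized SQL, guess", g, "-> delay:", delay_triggered(db, lookup_parameterized, g))
```

With the concatenated query the delay fires exactly when the guess is right, which is the signal the rest of this lecture measures; with the bound parameter it never fires, whatever the cookie contains, and the legitimate id `abc123` still looks up normally.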

So now you have to go ahead and try the letter 'b' and the letter 'c' and move on through all possible characters.

And as mentioned in the previous examples, that could take a lot of time.

Therefore what we usually do is send it to the intruder.

But bear with me, I'm not repeating myself; there is a slight difference with this example, and that's why I'm covering it in here. I know we used the intruder in the previous example, so you should know by now what the intruder does.

It basically allows us to specify certain locations within the request that it can automatically change and send to the target web application, and then get our results straight away instead of having to manually guess every single character.

And we actually relied on the sniper first and then I showed you how to do the cluster bomb, but with this example, because I already showed you the sniper and it's actually the simpler and longer way of doing it, I'm going to go ahead and do it with the cluster bomb straight away.

So the first thing we wanna do is clear out all the § markers that we have, and then we need to specify the locations in our request that we actually want to modify.

So as we know, the first thing that we want to modify in our request is this part of it, where we change the position of the character that we want to guess.

And the second thing that we want to modify is the letter.

So again you want to replace this with every single possible character that could be used in a password.

Therefore we're going to go to the request.

And the first thing that we want to modify is in here, it's this number 1, so we're gonna highlight it like this and click on Add §.

So as you can see, it's gonna surround it with these § characters, which means that this part of the request will be changed based on whatever configuration I'm gonna set later on, and the next part that we want to change is this letter 'a'.

Again we're gonna click on Add § to add it in here.

So now we're basically gonna be modifying this part and this part of the request, and we need to change the attack type to cluster bomb because we're actually going to be manipulating two parts of the request, and then we're gonna go to the payloads.

Now this part is similar to what we did before.

So the first set is actually gonna be numbers and we're just gonna go from 1 to 20.

And we're gonna go one number at a time.

So what this will do is basically increase this number from 1 to 20.

The next set, so we're going to specify the next set from here, and in this one we're gonna use the brute forcer; we want to guess one character at a time, and this is the character set that we'll be using.

So we're using alphabetical characters and numbers without special characters, but that's fine for this example; it really depends on your example and your target.

But basically what we're doing here with the second set is modifying the second part of our request in here, replacing this 'a' with each of the characters that we specify in here, one per request.

So as you can see, the configuration that we set between set 1 and set 2 is going to result in 720 requests, which you would have had to do manually, but now they will all be done automatically for you by Burp Suite, by the Intruder plugin of Burp Suite.

Now so far it's been very similar to what we did previously.

But the main thing that we want to change is, if you go here to the resource pool, it's usually set to the default, which will basically send 10 concurrent requests at the same time.

That's good in most scenarios.

But in our scenario we actually want to monitor the amount of time taken for the response to get back to us, because remember this is a time-based blind SQL injection.

Therefore the results would be much more accurate if we send only one request at a time; obviously it'll be slower, but your results would be more accurate.

By default, you would not have this option in here, that's an option that I created.

So therefore, instead of keeping it at the default, you would need to create a new resource pool.

You can call it whatever you want, so let's this time just call it "1 request", and we're gonna take the maximum concurrent requests and set it to 1.

So we actually only send 1 request at a time, wait for the response, and log the amount of time taken for that response,

so that later on when we come back and analyze the results, we know which ones were the correct characters.

So these are little things that in a real-life scenario might make you even doubt yourself, because if you set it to 10 concurrent requests you're gonna be sending 10 requests at the same time and waiting for delays on 10 of these requests.

Whatever result you get back, the time is not going to be very accurate, and you'll think there's something wrong with your payload.

And then you're gonna have to go back and start playing with it and wondering why the normal test is working but when I'm trying to guess characters it's breaking, when it's simply because you're sending too many requests at the same time.
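To make the concurrency point concrete, here is an added simulation (my own, not part of the course) of how client-side timings get smeared when several requests are in flight. It assumes one simplified mechanism: the application runs its queries one after another on a single database connection, so a request that arrives while the 10-second sleep is running waits behind it and also looks slow to the client. Real servers differ in the details, but the effect on the threshold check is the same.

```python
def observed_times(service_ms, concurrency):
    """Client-observed response time of each request.

    Simplified model (an assumption of this example, not the lecture's): the application
    serializes queries on a single database connection, and the client keeps `concurrency`
    requests in flight, sending the next batch as soon as the current one has completed.
    """
    observed = []
    for start in range(0, len(service_ms), concurrency):
        batch = service_ms[start:start + concurrency]
        elapsed = 0
        for service in batch:
            elapsed += service        # this request also waited for everything queued before it
            observed.append(elapsed)
    return observed


def guesses_marked_slow(service_ms, concurrency, threshold_ms=1000):
    """Indices of guesses a tester would read as 'correct' because the observed time crossed the threshold."""
    return [i for i, t in enumerate(observed_times(service_ms, concurrency)) if t >= threshold_ms]


# Constructed batch of 20 guesses: each takes about 70 ms of server time, except guess 2,
# where the injected condition is true and the database sleeps for 10 seconds.
SERVICE_MS = [70] * 20
SERVICE_MS[2] = 10_000


if __name__ == "__main__":
    for concurrency in (1, 10):
        print(f"{concurrency:2d} concurrent request(s): guesses over 1000 ms ->",
              guesses_marked_slow(SERVICE_MS, concurrency))
```

With one request at a time only guess 2 crosses the 1000 ms line; with ten in flight, every guess queued behind it in the same batch crosses it too, which is exactly the "my payload must be broken" confusion the lecture warns about.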

So once you're happy with all of this, similar to what we did previously we're gonna click on start attack.

Burp Suite is gonna go ahead and execute the configuration that you set.

So it's going to start guessing the password for you by increasing this number to go through every single one of the 20 characters that make up the password, and guessing the value of each character based on the brute force option that we set in set 2.

Now, how are you going to determine the correct guesses based on the information that is displayed here?

In the previous example we went by the length, because as I said before, and as you remember, the page that was loading changed based on the injection or the payload that we were sending it.

So we looked at the length of the page, and if it was of a certain length we knew that that was the correct character.

But this time we rely on the time taken for the response to come back to us to decide whether a certain guess is correct or not.

And therefore we're going to have to go to the columns in here and enable "Response received".

And now we have a new column in here that shows us the amount of time taken for the response to come back, in milliseconds, keep in mind.

So I know you're seeing 65 and 89; that's not in seconds, that's in milliseconds.

So now what we're looking for is 1000 or something that is over 1000.

So far we don't really have anything that took over 1000, which means that so far we haven't really guessed any correct characters.

But if you let this run for long enough you should start getting the characters one by one similar to what we did in the previous lecture.

So there you go. As you can see now we got a correct guess already.

So we know the 19th character is the letter 'd', because that took over 10 seconds to load.

So that is the first character that we guessed, and simply all you have to do is just let it run; once it's done, as I showed in the previous lecture, you're just gonna have to open up a text file and literally match every character to its position in the password.

And then you would be able to extract the full password for the administrator simply by monitoring the amount of time taken for the response to come back to us.
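From the defending side, the same things that make this extraction work make it visible: the cookie carries a database delay primitive, the value changes on every request from one client, and a handful of responses take ten seconds while the rest take under a hundred milliseconds. The added example below (my own detection sketch, not course material) runs those three checks over a constructed application log. The log format, IP addresses (documentation ranges) and cookie values are all made up; the injected values mirror the lecture's condition, and the 1000 ms cut-off is the one the lecture reads the Intruder column against.

```python
import re
from collections import defaultdict

# Constructed application log (not a real product's format): timestamp, client IP, request path,
# the TrackingId cookie value, HTTP status, and server-side response time in milliseconds.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 "/" "xK7p2qL9" 200 71
2024-01-01T10:00:03Z 10.0.0.5 "/filter?category=Gifts" "xK7p2qL9" 200 88
2024-01-01T10:01:00Z 198.51.100.9 "/" "abc' AND (SELECT CASE WHEN (substr(password,1,1)='a') THEN sleep(10) ELSE 0 END FROM users)=0--" 200 65
2024-01-01T10:01:01Z 198.51.100.9 "/" "abc' AND (SELECT CASE WHEN (substr(password,1,1)='b') THEN sleep(10) ELSE 0 END FROM users)=0--" 200 89
2024-01-01T10:01:02Z 198.51.100.9 "/" "abc' AND (SELECT CASE WHEN (substr(password,1,1)='c') THEN sleep(10) ELSE 0 END FROM users)=0--" 200 10042
2024-01-01T10:01:13Z 198.51.100.9 "/" "abc' AND (SELECT CASE WHEN (substr(password,2,1)='a') THEN sleep(10) ELSE 0 END FROM users)=0--" 200 70
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<path>[^"]*)" "(?P<cookie>[^"]*)" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# Delay primitives across common engines: PostgreSQL pg_sleep(), MySQL sleep()/benchmark(),
# Microsoft SQL Server WAITFOR DELAY.
DELAY_PRIMITIVES = re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ms"] = int(entry["ms"])
            entries.append(entry)
    return entries


def analyse(entries, slow_ms=1000, churn_threshold=4):
    """Return (signal, client_ip, detail) findings for three signals:
    delay_primitive  - a sleep/benchmark/waitfor call inside the cookie value
    cookie_churn     - one client presenting many distinct cookie values (payload iteration)
    slow_response    - responses at or above slow_ms, the time a true condition costs
    """
    findings = []
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
        if DELAY_PRIMITIVES.search(e["cookie"]):
            findings.append(("delay_primitive", e["ip"], e["ts"]))
    for ip, reqs in by_ip.items():
        distinct_cookies = {r["cookie"] for r in reqs}
        if len(distinct_cookies) >= churn_threshold:
            findings.append(("cookie_churn", ip, len(distinct_cookies)))
        slow = sum(1 for r in reqs if r["ms"] >= slow_ms)
        if slow:
            findings.append(("slow_response", ip, slow))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(finding)
```

The signature check fires on every probe regardless of timing, so it catches the 719 misses as well as the hit; the churn and slow-response counts are what you would alert on if the payload were obfuscated past the regex. The churn threshold is set low here to suit a six-line sample; against real traffic it should be tuned to the session-cookie behaviour of the application.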
