BBQSQL: Blind SQL Injection Exploitation Tool

What is BBQSQL?##

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

High-Level Usage

Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting. Read on for details.

Install

sudo pip install bbqsql

BBQSQL Options

In the menu, you will see a place for BBQSQL options. Here you specify the following options:

query

This is described in greater detail below query syntax overview.

csv_output_file

The name of a file to output the results to. Leave this blank if you don’t want the output to a file.

technique

BBQSQL utilizes two techniques when conducting a blind SQL injection attack. The first and default technique used is binary_search. See Wikipedia for more information.

The second technique you can use is frequency_search. Frequency searching is based on an analysis of the English language to determine the frequency in which a letter will occur. This search method is very fast against non-entropic data but can be slow against non-English or obfuscated data.

You can specify either binary_search or frequency_search as the value for this parameter.

comparison_attr

This specifies the type of SQL injection you have discovered. Here you can set which attribute of the http response bbqsql should look at to determine true/false.

You can specify: status_code, url, time, size, text, content, encoding, cookies, headers, or history

If you have identified sql injection that results in a different server status code set ‘status_code’ here. If the cookie is different set ‘cookie’. If the response size is different set ‘size’. You get the jist.

concurrency

Concurrency is based on the gevent library in Python. Functionally, it appears to act like threading but the specifics of how this works can be seen in our DefCon talk here [insert link here]. This setting controls the amount of concurrency to run the attack with. This is useful for throttling the requests and speeding up attack times. For really high-performance web-servers such as nginx, we have been able to set the concurrency to 75. By default, this is set to ’30’.

Query Syntax Overview

If you run into a SQL injection vulnerability that has some weird quirks (such as certain characters can’t be included or functions like ASCII/CHAR do not work), you have probably found yourself writing some sort of script with your custom injection syntax. BBQSQL takes out the scripting part and provides a way for you to paste in your custom query syntax and exploit with ease.

The query input is where you will construct your query used to exfiltrate information from the database. The assumption is that you already have identified SQL injection on a vulnerable parameter, and have tested a query that is successful.

Below is an example query you can use to construct your query.

In this example, the attacker is looking to select the database version:

vulnerable_parameter’; if(ASCII(SUBSTRING((SELECT @@version LIMIT 1 OFFSET ${row_index}) , ${char_index} ,1))) ${comparator:>}ASCII(${char_val}) WAITFOR DELAY ‘0\:0\:0${sleep}’; —

The query syntax is based around placeholders which tell BBQSQL how to execute the attack.

You need to provide the following placeholders of information in order for the attack to work. Once you put these in your query, bbqSQL will do the rest:

${row_index}: This tells bbqSQL to iterate rows here. Since we are using LIMIT we can view n number of row depending on ${row_index} value.

${char_index}: This tells bbqSQL which character from the subselect to query.

${char_val}: This tells bbqSQL where to compare the results from the subselect to validate the result.

${comparator}: This is how you tell BBQSQL to compare the responses to determine if the result is true or not. By default, the > symbol is used.

${sleep}: This is optional but tells bbqSQL where to insert the number of seconds to sleep when performing time-based SQL injection.

Not all of these placeholders are required. For example, if you have discovered semi-blind boolean based SQL injection you can omit the ${sleep} parameter.

HTTP Parameters

BBQSQL has many http parameters you can configure when setting up your attack. At a minimum, you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

  • files
  • headers
  • cookies
  • url
  • allow_redirects
  • proxies
  • data
  • method
  • auth

You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template, the tool won’t know where to insert the query.

files

Provide files to be sent with the request. Set the value to the path and BBQSQL will take care of opening/including the file.

headers

HTTP headers to be sent with the requests. This can be a string or a dictionary. For example:

{“User-Agent”:”bbqsql“} or “User-Agent: bbqsql

cookies

A dictionary or string of cookies to be sent with the request. For example:

{“PHPSESSIONID”:”123123″} or PHPSESSIONID=123123;JSESSIONID=foobar

url

Specify a url that the requests should be sent to.

allow_redirects

This is a boolean that determines whether http redirects will be followed when making requests.

proxies

Specify an http proxy to be used for the request as a dictionary. For example:

{“http”: “10.10.1.10:3128″,”https”: “10.10.1.10:1080”}

data

Specify post data to be sent along with the request. This can be a string or a dictionary. For example:

{“input_field”:”value”} or input_field=value

method

Specify the method for the http request. Valid methods are

‘get’,’options’,’head’,’post’,’put’,’patch’,’delete’

auth

Specify a tuple of username and password to be used for http basic authentication. For example:

(“myusername”,”mypassword”)

Source: https://github.com/Neohapsis/bbqsql