SQLbit – Automatize Boolean-Based Blind SQL Injections

Last Updated : 24 May, 2022

SQL Injection (SQLi) is a web application security flaw in which an attacker can interfere with the SQL queries that a web application makes to its database. This can lead to viewing, inserting, or manipulating data without authorized access. The affected data may belong to other users, or be any other data that the web application itself is able to access. Nowadays, online shopping applications and bank transactions all use back-end database servers, so if an attacker can exploit SQL injection, the entire server is compromised.

What is Blind SQL Injection?

A blind SQL Injection attack arises when the targeted web application is vulnerable to SQL Injection, but the HTTP responses don't contain any of the database results or errors that the query would normally produce. Blind SQL Injection can still be used to get sensitive data from database servers. Typically, the attacker sends the application database true-or-false (1 or 0) queries and studies how the application's responses differ depending on the answer.

For Example:

http://geeksforgeeks.org/items.php?id=2

Application transfers the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The hacker may then try to inject a malicious query that returns ‘false’:

http://geeksforgeeks.org/items.php?id=2 and 1=2

Now the SQL query should look like this:

SELECT title, description, body FROM items WHERE ID = 2 and 1=2

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the hacker will inject a query that will return ‘true’:

http://geeksforgeeks.org/items.php?id=2 and 1=1
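
The true/false behaviour described above, next to its fix, as an added example that is not part of the original article or of SQLbit. It assumes an in-memory SQLite database with constructed rows in place of the real `items` table; the function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows standing in for the article's `items` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, "
                 "description TEXT, body TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)",
                     [(1, "Pen", "Blue pen", "..."), (2, "Book", "Notebook", "...")])
    return conn

def lookup_vulnerable(conn, item_id):
    # The raw `id` parameter is concatenated into the SQL text, so
    # "2 and 1=2" becomes part of the WHERE clause, as in the article.
    sql = "SELECT title, description, body FROM items WHERE ID = " + item_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, item_id):
    # Reject anything that is not a plain integer, then bind the value as a
    # parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]+", item_id):
        return []
    sql = "SELECT title, description, body FROM items WHERE ID = ?"
    return conn.execute(sql, (int(item_id),)).fetchall()

def boolean_oracle_exposed(lookup, conn):
    # True when the handler answers the article's appended conditions:
    # the 1=1 case matches the normal page and the 1=2 case does not.
    baseline = lookup(conn, "2")
    true_case = lookup(conn, "2 and 1=1")
    false_case = lookup(conn, "2 and 1=2")
    return true_case == baseline and false_case != baseline

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, "oracle exposed:", boolean_oracle_exposed(fn, db))
```

The same three-request comparison works as a regression check in a test suite: once the query is parameterized, both appended conditions give the same response and no true/false signal is left to read.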

The process shown in the example above can be automated. SQLbit is one automated tool that can detect boolean-based blind SQL injection in a target web application. SQLbit is written in Python 3 and can be downloaded from GitHub.

Note: Make sure you have Python installed on your system, as this is a Python-based tool. For the installation process, see: Python Installation Steps on Linux

Installation of SQLbit Tool on Kali Linux OS

Step 1: Clone the tool from GitHub onto your Kali Linux operating system.

git clone https://github.com/Sunlight-Rim/SQLbit.git

Step 2: Use the following command to move into the tool's directory. The tool must be run from inside this directory.

cd SQLbit

Step 3: You are now in the SQLbit directory. Install the dependencies SQLbit requires using the following command.

sudo pip3 install -r requirements.txt

Step 4: All the dependencies are now installed on your Kali Linux operating system. Use the following command to run the tool and check the help section.

python3 sqlbit.py -h

Working with SQLbit Tool on Kali Linux OS

Example/Usage: Basic Usage

python3 sqlbit.py

We need to add the URL of the target in the config file, as this tool does not accept command-line arguments.

After entering the URL, we need to run the sqlbit.py file.

The output shows the names of the tables that are present in the target URL's database.

There are multiple tables present in the target domain's database.
