BSQL Hacker Console Manual

26-8-2007

BSQL Hacker

BSQL (Blind SQL) Hacker is designed to exploit blind SQL injection vulnerabilities in virtually any database and under any possible condition.

BSQL Hacker is aimed at experienced users who want to automate any blind SQL injection issue.

Features

Requirements


Parameters

Request Related Parameters

These parameters are related to HTTP requests.

Post Request
Add Post Data
-ap, --addpost

Adds new post data to the request. Can be used more than once.

Post data will be encoded by the tool; supply unencoded post data.

Syntax: -ap "name=value"

Add Post Data File
-apf, --addpostfile

Adds new post data from a text file. Can be used more than once.

Post data will be encoded by the tool; supply unencoded post data.

Syntax: -apf "name=c:\case001\postinj.txt"

Add Post Request File
-aprf, --addpostrequestfile

Adds raw post data from a text file. Can be used more than once.

Post data in the file is sent as-is, so supply already encoded post data.

Syntax: -aprf "c:\case001\rawpostdata.txt"

Sample post data file:

------------------------------------------------

name=value&name2=value2

------------------------------------------------

Get Request
Query
-q, --query

Query part of the request. The query string should be encoded. If you do not supply a query parameter, the application assumes "/" as the query. You cannot combine the query with the host URL; supply the query with this parameter.

Syntax: -q "id=10&document=test"

Cookies
Add Cookie
-ac, --addcookie

Adds a new cookie to the request. Can be used more than once.

Cookie data will be encoded by the tool; supply unencoded cookie data.

Syntax: -ac "name=value"

Add Cookie Request File
-acrf, --addcookierequestfile

Adds several cookies from a text file. Can be used more than once.

Cookie data should not include reserved characters, and cookies should be separated by ";".

Syntax: -acrf "c:\case001\cookiedata.txt"

Sample cookie data file:

------------------------------------------------

name=value;name2=value2

------------------------------------------------

Headers
Add Header
-ah, --addheader

Adds a new header to the request. Can be used more than once.

The header name should not include reserved characters.

Syntax: -ah "HTTP_X_FORWARDED_FOR={INJECTION}"

        -ah "HTTP_X_FORWARDED_FOR=value"


Connection Related Parameters

These parameters are related to the HTTP connection.

Threading
Thread Count
-t, --threadcount

Default is 5. Value should be an integer.
This is the number of simultaneous connections that will be made to the server. You can hammer the server or drop lots of connections if you go too far.
If you are using MySQL BENCHMARK(), consider a single thread or only a few threads.
If you supply an integer less than 2 it will run in single-threaded mode.

Syntax: -t 7

Start Delay
-sd, --startdelay

Default is 500. Value should be an integer, in milliseconds.
How many milliseconds to wait between the first requests.
It is the start delay between requests during the first round only. If you open all connections at once, most of them will probably drop, so this delay helps the starting process.

Syntax: -sd 1000

Miscellaneous
Enable Automatic Redirects
-ar, --allowredirect

Default is false. BSQLHacker will follow redirects if you enable this flag.
Generally it is not needed, but you may want it when using the search string (-ss) on a redirected page.

This is a flag parameter.

Syntax: -ar

Request Timeout
-rt, --requesttimeout

Default value is 300000 milliseconds. This parameter specifies how many milliseconds BSQLHacker waits before dropping a connection.

Value should be an integer. If you are running BSQLHacker in multithreaded mode, consider using a high value.

Syntax: -rt 5000

Proxy Related
Enable Proxy
-ep, --enableproxy

Default value is false. If you are going to use a proxy you have to set this flag.

This is a flag parameter.

Syntax: -ep

Proxy URL
-p, --proxy

Value should be a valid URL. The URL can include port, username, password and protocol, and must include the protocol (http or https).

You must also set the Enable Proxy (-ep) flag for the proxy to be used.

Syntax: -ep -p http://127.0.0.1:8080

        -ep -p https://username:password@proxy.com

Authentication Related
Default Network Credentials
-dc, --defaultcredentials

This is a flag parameter. Uses the default network credentials of the current user / application.

Syntax: -dc

Username
-u, --username

Username for “Basic Authentication” or “NTLM authentication”.

Syntax: -u administrator

Password
-pwd, --password

Password for “Basic Authentication” or “NTLM authentication”.

Syntax: -pwd w00t

Domain Name
-m, --domain

Domain for "NTLM authentication".

Syntax: -m SECRETZONE

Error Handling
Error Retry
-er, --errorretry

Default is 3. Value should be an integer.
If a connection returns an error (a connection problem, or a response that is neither true nor false) BSQL Hacker tries the injection again. This option specifies how many times it retries.

Syntax: -er 1

Error Retry Sleep
-ers, --errorretrysleep

Default is 1000. Wait time between retries, in milliseconds.

Syntax: -ers 3000

Injection Related

These parameters are related to the SQL injection engine.

Magic Variables

SQL injection in BSQLHacker works in a fairly low-level way: you must provide the full SQL injection query yourself.

TODO: WRITE ABOUT MAGIC VARIABLES…

Disable Confirm Found Char
-dcfc, --dconfirmfoundchar

Default value is True.
If you are using a limited pattern range (which is the default) you cannot be sure a returned value is true unless you are sure it is in range, because of the nature of binary search. In this case you can keep this check enabled to confirm the final char. If you disable it you will not lose much, but you may rarely get false responses.

Keeping the check enabled costs a few more requests. It depends on the pattern and data, so it is unpredictable, but generally about 1 extra request per 50 chars (1 more per 400 requests) or even less.
This is a flag parameter.

Syntax: -dcfc

Length
-l, --length

Default value is 30. Value should be an integer.
If you know the length of the data you are going to retrieve you can specify it here, for example if it is a hash or other fixed-length data.

Syntax: -l 32

Start Position
-sp, --startposition

Default value is 0. Value should be an integer.

If you know which part of the data you need, you can use start position and length together to limit the data retrieved.

Syntax: -sp 10

Detection Related

These parameters are related to SQL injection detection.

Detection Mode
-dm, --detectionmode [time | search | deep]

This parameter sets the detection mode used to classify results.

Available values: time, search, deep

Search

The application will look for the specified search signature to determine true conditions.

Time

The application will analyze response time to determine true conditions. (It may not be as accurate or as fast as the search option, but it is a must in totally blind SQL injection.)

Deep

Deep Blind SQL Injection detection is a new way to gather more response data in fewer requests (a factor of 4 compared to classical blind) in totally blind SQL injection scenarios. This method is explained in a different paper. It works very well on SQL Server in most cases. There is no character-set limit; it can read any data (it is not NULL-safe for binary reading). The SQL statement must support deep blind SQL injection.

The default method is search. You can use `t` instead of time, `s` instead of search, and so on.

If you are going to use search you have to supply a search string (-ss) for the positive result.

Syntax: -dm search

        -dm t

Detection Time
-dt, --detectiontime

Default value is 3 (in seconds). If the response is faster than this value the response is treated as true. You have to use this with the time detection mode option (-dm t).

Syntax: -dt 5

Search String True
-sst, --searchstringtrue

This string will be searched for in responses; if it is found, BSQLHacker accepts the response as true.

Currently there is no support for matching directly on HTTP status codes. If you want to detect redirections and similar, you can use -ss "Object Moved" or a similar string where applicable.

You can use RegEx if you enable the RegEx flag (-rx).

Syntax: -sst "12 products found"

        -rx -sst "[\d]* products found"

Search String False
-ssf, --searchstringfalse

This parameter is the same as (-sst) but for false responses.

It is required if you want to detect unexpected responses; otherwise these will be reported as false positives.

Syntax: -ssf “not found”

RegEx Support for Search
-rx, --regex

Default is false. If you enable this flag, BSQLHacker will interpret the supplied search strings (-sst or -ssf) as RegEx when looking for signatures.

Syntax: -rx


Session Token Support Related Parameters

These parameters are related to session token support for requests. If the attack point requires tokens or some dynamic input like ASP.NET ViewState, you have to use token support.

Token usage will double the number of requests, because BSQL Hacker first makes a request to the token page and then makes the request to the injection page with the extracted token.

Token requests do not share request settings with normal requests. "t" is a special prefix for token settings: use the extra t prefix to set up token requests, which can use totally different credentials, request settings or even a different proxy.

These parameters are supported by token requests:

Token URL
-turl, --tokenurl

Value should be a valid URL.

URL from which to extract the token. Unlike the injection request settings, you must supply the full URL including the query.

Syntax: -turl http://localhost/extract.aspx

Token Extract RegEx
-tex, --tokenregex

Value should be a valid RegEx search string. Only the first match will be accepted as the {TOKEN} magic string. Currently there is no way to use more than one token. Yeah, another nasty limitation!

Syntax: -tex "value=\"(.*)\">"

Disable Token Session Share
-dtss, --disabletokensessionshare

Default value is Enabled. By default, token extraction and the normal request share the same session for one injection request (not across all of them). Generally this is a must!
But if you run into a strange case you can disable it.

This is a flag parameter.

Syntax: -dtss

Token Same Request
-tsr, --tokensamerequest

Default value is false.

If you want to use the same request settings for the token extraction process, enable this flag; otherwise you must supply the required token request settings (where needed).

This is a flag parameter.

Syntax: -tsr

BSQLHacker Related Parameters

Silent (ALPHA)
-s, --silent

This is a flag parameter. Not documented yet.

Syntax: -s

Output (ALPHA)
-o, --output

Not documented yet.

Syntax: -o “C:\report.xml”

Matrix Sucks (ALPHA)
-msux, --matrixsucks

This is a flag parameter.
An alternative, but not very productive, way to visualise the attack process. May mess up your console.

Syntax: -msux

Help (ALPHA)
-h, --help, -?

This is a standalone parameter; it will quit after doing its job. Not documented yet.

Syntax: -h


Examples

-ep -p http://127.0.0.1:8080 -t 2 -ap "pr={TOKEN}" -ss 8901711 -aprf "c:\inj.txt" -turl http://XSS:81/blind/csrf_generate.php -tex "value=\"(.*)\">" -q /blind/csrf.php http://XSS:81/

This command does the following:

Use the proxy at "http://127.0.0.1:8080",
Run "2" threads simultaneously,
Add a post parameter named "pr" containing the special {TOKEN} string,
Search for "8901711" to determine true conditions,
Add a new post file from "c:\inj.txt",
Make a request to "http://XSS:81/blind/csrf_generate.php" to extract a token,
Extract the token with the RegEx "value=\"(.*)\">",
Use "/blind/csrf.php" as the path and query,
Send the requests to the "http://XSS:81/" host.
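From the defender's side, the token flow described in the Session Token section and in this example (a token-page request before every injection request, repeated from a small thread pool) leaves a recognisable rhythm in access logs. The following is an added example, not part of the BSQL Hacker manual: a log triage function that flags a client repeating a GET-then-POST pair to two distinct paths many times within a short window. The log format and lines are constructed for the example; only the paths echo the command above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the manual): "HH:MM:SS.mmm client method path".
# Client 10.0.0.5 shows the token-then-inject rhythm: a GET to the token page
# before every POST to the injection page. 10.0.0.9 is ordinary browsing noise.
SAMPLE_LOG = """\
10:00:00.000 10.0.0.5 GET /blind/csrf_generate.php
10:00:00.120 10.0.0.5 POST /blind/csrf.php
10:00:00.500 10.0.0.5 GET /blind/csrf_generate.php
10:00:00.620 10.0.0.5 POST /blind/csrf.php
10:00:00.700 10.0.0.9 GET /index.php
10:00:01.000 10.0.0.5 GET /blind/csrf_generate.php
10:00:01.130 10.0.0.5 POST /blind/csrf.php
10:00:01.500 10.0.0.5 GET /blind/csrf_generate.php
10:00:01.610 10.0.0.5 POST /blind/csrf.php
10:00:02.000 10.0.0.5 GET /blind/csrf_generate.php
10:00:02.110 10.0.0.5 POST /blind/csrf.php
10:00:02.300 10.0.0.9 POST /login.php
"""

def parse(log_text):
    """Yield (timestamp, client, method, path) per line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.strptime(parts[0], "%H:%M:%S.%f"), parts[1], parts[2], parts[3]

def token_inject_bursts(log_text, window=timedelta(seconds=5), min_pairs=4):
    """Return {client: (token_path, inject_path, total_pairs)} for clients that
    repeat a GET-then-POST pair to two distinct paths at least min_pairs times
    inside one window. A normal form flow does this once; a tool does it per char."""
    per_client = defaultdict(list)
    for ev in parse(log_text):
        per_client[ev[1]].append(ev)
    findings = {}
    for client, events in per_client.items():
        pairs = []  # (time of the POST, token path, injection path)
        for (t1, _, m1, p1), (t2, _, m2, p2) in zip(events, events[1:]):
            if m1 == "GET" and m2 == "POST" and p1 != p2 and t2 - t1 < timedelta(seconds=2):
                pairs.append((t2, p1, p2))
        for (tok, inj), total in Counter((a, b) for _, a, b in pairs).items():
            ts = [t for t, a, b in pairs if (a, b) == (tok, inj)]
            # sliding window: any min_pairs consecutive repeats inside the window
            for i in range(len(ts) - min_pairs + 1):
                if ts[i + min_pairs - 1] - ts[i] <= window:
                    findings[client] = (tok, inj, total)
                    break
    return findings
```

Tuning `min_pairs` and `window` to the site's real traffic is the practical step; the thread count and start delay options above are exactly what change the burst density.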
