BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly


Friday, April 20, 2012

Blind SQL Injection [TuT]

This is the 2nd level (in logic counting) for the famous and most used method, known as SQL Injection.
If you don't know Basic SQLi yet, I recommend you learn it before continuing on with this tutorial!


Step 1- Finding Vulnerabilities

Well, as you know in the big deep deep web there are a lot of websites, most of them are hackable. A vulnerable website has security holes ranging from XSS/SQLi/LFI/RFI and much more I could go on and on. Therefore we will take this test website and look at this example below.

To find out if it's vulnerable to SQL Injection we will undergo a little test.
For that we will add some strings. As everybody knows the number 1 is equal to 1. But not to 2.
Therefore we will compare these two examples:

Code: and 1=1
and and 1=2
If "and 1=1" loads perfectly, but "1=2" is missing some content, the website is vulnerable.
However, if they both load without missing content, it is not vulnerable.

Step 2 - Finding The MySQL Version

This isn't very much of use in this kind of injection, but it might be useful if you are gathering intelligence.
To find it out, you'll have to 'guess' the version.
It's either 4 or 5.
To find it out do this:

Code: and substring(@@version,1,1)=5
or and substring(@@version,1,1)=4
If one of them is loading without missing any content, it's that version.
(You can do the same with the database name and user)

Step 3 - Guessing The Table Names

As you can see guessing is important in Blind SQLi.
To get the right table you'll have to guess it this way:
Insert your guessed table in the underlined part. If the website is loading without content missing, then the table exists.

Suppose we've got this:

Code: and (select 1 from admin limit 0,1)=1
Step 4 Guessing The Columns In A Table.

We will now guess the columns in this certain table (example = admin).

Do this:

This is an example:

Code: and (select substring(concat(1,username),1,1) from admin limit 0,1)=1
Suppose we've found a username and a password column in the table admin.

Step 5 Extracting Information From The Columns

Note: You can do the same with some tools.
But I prefer to do it manually.

For this we have to put the syntax in ascii and guess it's char.
Note that each time you'll do this, you'll get 1 letter.

Do this:

Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.
Keep guessing until the website will load with some content missing.
So that means the first number that would load false after a number that would load true, is the right char.

Suppose that it's 85.

The example would be:

Code: and ascii(substring((select concat(username,0x3a,password) from admin limit 0,1),1,1))>85
To get the first letter of username password you'll have to use a asscii table.
Here is one:
Navigate to the found char (which is "dec" in the ascii table) and lookup the "chr".

That means that the char from the example (85) is the capital letter U.

To find the 2nd letter and higher you will have to change the underlined number in the syntax:

You'll notice when you'll get to the end when (number),1 isn't giving any information anymore.

Suppose we've now found that the usernameassword = UserAdmin:BagelJuic - Now you just gotta find the administration panel and login and wala!
©2012, copyright BLACK BURN


Post a Comment


7 Years Earning Experience

The Earning Source You Can Trust

Follow by Email