User Tools

Site Tools


hacking:sql_injection:mysql:blind_sql_injections

Hacking - SQL Injection - MySQL - Blind SQL Injections

About Blind SQL Injections

In a quite good production application generally you can not see error responses on the page, so you can not extract data through Union attacks or error based attacks. You have to do use Blind SQL Injections attacks to extract data. There are two kind of Blind Sql Injections.

  • Normal Blind: You can not see a response in the page, but you can still determine result of a query from response or HTTP status code.
  • Totally Blind: You can not see any difference in the output in any kind. This can be an injection a logging function or similar. Not so common, though.

In normal blinds you can use if statements or abuse WHERE query in injection (generally easier).

In totally blinds you need to use some waiting functions and analyze response times. For this you can use BENCHMARK() and sleep(10) in MySQL.

Real and a bit Complex Blind SQL Injection Attack Sample

This output taken from a real private Blind SQL Injection tool while exploiting SQL Server back ended application and enumerating table names.


Making Databases Wait / Sleep For Blind SQL Injection Attacks

Use this if it's really blind, otherwise just use 1/0 style errors to identify difference.

Be careful while using times more than 20-30 seconds; database API connection or script can be timeout.

BENCHMARK()

Basically, we are abusing this command to make MySQL wait a bit. Be careful you will consume web servers limit so fast!

BENCHMARK(howmanytimes, do this)

Are we root?

IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))

Check Table exist in MySQL

IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))

Clear SQL Injection Tests

These tests are simply good for blind sql injection and silent attacks.

product.asp?id=4
  product.asp?id=5-1
  product.asp?id=4 OR 1=1 
 
product.asp?name=Book
  product.asp?name=Bo'%2b'ok
  product.asp?name=Bo' || 'ok 
  product.asp?name=Book' OR 'x'='x

hacking/sql_injection/mysql/blind_sql_injections.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki