In our previous post "SQL Injection Basics - Union Based", I explained the basic technique not only to find detect sql injection vulnerabilities also how to exploit SQL Injection vulnerabilities with Union based method. However, In this post a security researcher and a good friend of mine ahmad ashraff decided to contribute to RHA and present his research on some blind sqli techniques, So enough from me, Over to Ahmed.
In this post I'm going to share with all on how to detect if the website is vulnerable to Blind SQLi or there is no SQLi at all.
Before, do note that I'm not an expert in this security/hacking scene. This sharing based on my own understanding from articles/discussions among of these great people such as .mario,stampar,R4x0r,Nurfed,benzi and more!!
|A normal page condition ( TRUE condition )|
|The page become blank (FALSE condition) once we put a single quote|
|The page back to normal condition (TRUE) once we put another single quote.|
|Normal page loaded. Because the condition is true. 1=1 is TRUE|
|The admin word is missing. This shows a FALSE condition since 1=2 is FALSE.|
|Another way is by using simple calculation. The current page loaded fine on pic_id=13.|
|The page loaded fine but it shows another page. This is because we added 1 in the pic_id where it'll become 13+1=14 so the page will loaded the pic_id=14|
Here are some other method under this technique.
id=1 and 1=1
id=1 and (put our sql query here)=(put our expectation here)as example we want to query the current version,
id=1 and substring(@@version,1,1)=4so, if the current MySQL version used by the website started with 4 the page will load normally (TRUE condition) else the page will be error/blank (FALSE condition)
Example as below
|Testing if the MySQL used is version 4.*. Page error,shows that the website is not using that version.|
|Testing if the MySQL used is version 5.*. Page loaded fine,shows the current version used is 5.*|
ii. Using a Case statement
id=1 and 1
id=1 and (CASE when (our sql query here) THEN 1 else 0 END)If the query is TRUE,it'll resulting 1 where 1 is TRUE condition. Else, it'll resulting 0 where 0 is FALSE condition.
I will explain the time based technique in his my upcoming guest post on RHA.
Yappare is a web application security Professional, He has been listed in lots of hall of fames and has found lots of high risk vulnerabilities inside lots of CMS platforms. You can follow him on @yappare