Forum Thread: Explotation Blind Boolean Based [SQL Injection] by Mohamed Ahmed .

i will give an explanation on a technique that belongs to the branch of SQLi Injection, in this case, it is called "Blind SQLi Boolean Based".

this explanation will be for beginners and intermediates the advanced explanation i will post it later in the forum :)

1.- What is a "SQLi Boolean Based Blind"?

If they can be fixed in the name, this one says them all. When we say "Boolean based" we mean that it is based on Boolean values, that is, true or false / true and false. And when I say "Blind" I mean that the Injection is blind, that is, it does not show us any sign of error.

The only way to extract data that is in the current database, would be using brute force, ie guessing.

2.- Explaining two important functions

One of the most common functions we use when exploiting a Blind Boolean Based is ascii (), with this we return some valid character from the "ASCII" table (if I am not mistaken).

Another would be substring () with this we return a substring of another substring.

3.- Checking if the site is vulnerable

There are some ways to check if the website we have in hand is vulnerable to a SQLi Boolean Based Blind, we can use the "AND" statement, then some operation, which results in a value true or false (boolean), true or false, for example, we can use AND 1 = 1, which would be equal to True / True, since 1 equals 1 : D.

And if I put it, and 1 = 0, it should give me a false / false result, since 1 is not equal to 0. An example on a website: regional & id = 19350 'and 1 = 1 - -

As you can see, at the end put a "- -", which is a comment, the server only reads what is between the ' and the commentary - - that is, and 1 = 1 : D. Everything that goes after - - the server will not read it.

Well, as you could see in the site page, it reflected the entire text of the news, as it gave us a result as true. And now, if I use "and 1 = 0" I would return a false result, since 1 is not equal to 0 as I said above, example:

http: // session = Registration & id = 19350 'and 1 = 0 - -

And this gives us a sign that it is vulnerable : D.

Apart from using "AND" we can also use "having", which would be another alternative. that is, we replace the and and put having, eg: 'having 1 = 1 - -

Another alternative is, "DIV", we replace having or and and place div, example: 'div 1 = 1 - -

4.- Exploitation of vulnerability

The first phase to exploit the vulnerability, would be to extract the name of the database, for this, we will be searching the DB name character by character .., making use of the database () function, example:

http: // victim / news.php? section = Regional & id = 19350 'and ascii (substring (database (, 1,1)) = 116 - -

Okay, I explain, this is asking the server if the first character of the database starts with 116, where 116 corresponds to "t" in the ascii table, then the server will give me a response based on boolean values, ie if the first character SI starts with the letter t it will return me true, otherwise it will return me false : D. For example, if I do the following: 'and ascii (substring (database (), 1,1)) = 115 - -

Returns me false, that is, the first non-character begins with the letter "s" which in decimal corresponds to 115, (it is in the ascii table). I leave the following to support later:

Ok, and by default I know the name of the db is " truji1_news ", since I have made a scam to the site : D.

Then you can increase the number of characters and search letter by letter, increasing by 1.1, 2.1 and so on. Although they can get bored and last a lot.

Now we can continue to extract the names of the existing tables of the DB, for this, we do the following: 'and (select count (*) from news) - -

As you can see, here I am asking if there is a table called news and it returns me a result is true, that is, YES, there is a table called news in the database : D. And use select count () with a as we do not yet have the columns in that table : D.

You can place after from the name of a table and it will check to see if it exists.

Now, the next step would be to find the names of the columns of the current table, for this, we replace the * with the name of the column to verify if it exists, example: 'and (select count (id) from news) - -

With this, I'm asking if there is a column named "id" in the table "news", and this returns me as result true : D, that is, if there is a column with the name "id", so we can be replacing ourselves and searching name by name each column, example: / / ...... sorry for hiding the real website but this is because Site privacy

Replace id and put date, and this tells me that if there is a column with that name hehe D.

The last phase would be obtaining the data of each table, for this, we will use the following: 'and ascii (substring (1,1)) = 49 - -

Then, with this I ask the server if the first character in the first row of the "id" column is 1, which means 49 in decimal : D, so we can search character by character until we get the real data, increasing the limit of 0.1 to 1.1 to 2.1 and so on ;-). And if we want to move to the next row, we change 1.1 by 2.1 and so on D.

And well, that was everything, I hope you liked the tutorial and have managed to understand.

Greetings, Mohamed Ahmed

1 Response

Hi ,

I am just confused with the statement below. For the logic to be ture/true in the statement shouldn't the operation be 'OR 1=1? If you put and 1=1, its like not doing anything at all, cause the result will always depent on the statement before 'and. regional & id = 19350 'and 1 = 1 - -

Thanks in advance.

Share Your Thoughts

  • Hot
  • Active