Re: Blind SQL Injection Techniques

From: Rick Zhong (sagiko@gmail.com)
Date: Mon Dec 18 2006 - 03:04:22 EST


hi,
It seems you are missing the point for blind SQL injection. For most
Blind SQL injection cases, you do not get a valid display of the SQL
execution results. What you get is a "Yes" or "No" reply from the
server, by observing whether the server gives you a valid page or an
error page.

A very simplified example from a conceptual point of view:

In order to get a userID, you don't expect the server to display the
userID. Instead you inject a SQL statement to ask the server to
display a proper page if "The first letter of the userID is A". If
you get a proper page displayed, then it is true. Otherwise you try to
ask the server to display a proper page if "The first letter of the
userID is B" etc. until you get a true reply. Similarly you can ask
any other questions, such as whether the length of the user ID is 8,
whether the object xxx exists, etc. The key thing is that the server
will only reply to you with true or false, so you need to construct your
SQL statement accordingly.

Some useful tools and references:
Absinthe from www.0x90.org/releases/absinthe/
PowerSQL Injector from http://www.sqlpowerinjector.com/ (The tutorial
is very useful)

Hope my explanation can give you a better idea.

regards,
Rick Zhong

On 13 Dec 2006 07:41:30 -0000, One2@onetwo.com <One2@onetwo.com> wrote:
> Hi All,
>
> I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips.
>
> I injected the following string to validate that the system has an MSSQL server at the back-end.
>
> or 1=1;select * from sysobjects;--
>
> This returned a valid page.
>
> Also injected the following and got a valid page, but again no data since it is completely blind.
>
> or 1=1;select @@version;--
>
> Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything.
>
> It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal any information.
>
> My next step was to determine whether the DB was running as system. I tried using the following command;
>
> or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--
>
> ... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just;
>
> waitfor delay '0:0:5';--
>
> ... but again, the error page, indicating this command was not working. I thought it was the quotes but the following were successful;
>
> or 1=1;select * from 'sysobjects';--
> or 1=1;select * from "sysobjects";--
>
> I then tried the following to see if I could actually run system commands;
>
> or 1=1;exec master..xp_cmdshell dir;--
>
> ... but this got the error page again, indicating it was unsuccessful.
>
> Any suggestions on gaining further information or access on this system would be appreciated.
>
> Thanks,
> One2
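Added example, not from either message in this thread: Python detection logic that parses a few constructed access-log lines, URL-decodes the request path, and flags the MSSQL probe fragments quoted above (sysobjects, @@version, WAITFOR DELAY, xp_cmdshell, or 1=1). Because blind injection is one true/false question per request, it also counts probe hits per client; the log layout, paths and IPs are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Fragments from the probes quoted in this thread (MSSQL), matched case-insensitively
# against the URL-decoded request path. Constructed for this example; extend for your app.
PROBE_RE = re.compile(
    r"\bwaitfor\s+delay\b|\bsysobjects\b|@@version|\bxp_cmdshell\b|\bor\s+1\s*=\s*1\b",
    re.IGNORECASE,
)
# Combined-format access log line: client IP, request line, status code. Assumed layout.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic: one benign client, then one client sending the thread's probes.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2006:03:00:01 -0500] "GET /item.asp?id=42 HTTP/1.1" 200 5120
10.0.0.5 - - [18/Dec/2006:03:00:03 -0500] "GET /item.asp?id=43 HTTP/1.1" 200 5098
10.0.0.9 - - [18/Dec/2006:03:01:10 -0500] "GET /item.asp?id=1%20or%201=1;select%20*%20from%20sysobjects;-- HTTP/1.1" 200 5120
10.0.0.9 - - [18/Dec/2006:03:01:12 -0500] "GET /item.asp?id=1%20or%201=1;select%20@@version;-- HTTP/1.1" 200 5120
10.0.0.9 - - [18/Dec/2006:03:01:15 -0500] "GET /item.asp?id=1;waitfor%20delay%20'0:0:5';-- HTTP/1.1" 500 812
10.0.0.9 - - [18/Dec/2006:03:01:20 -0500] "GET /item.asp?id=1;exec%20master..xp_cmdshell%20dir;-- HTTP/1.1" 500 812
"""

def parse_line(line):
    """Return (ip, decoded_path, status) for one log line, or None if it does not parse.
    The path is %xx/'+' decoded so the patterns see the SQL the database would have seen."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], unquote_plus(m["path"]), int(m["status"])

def find_probes(log_text):
    """List (ip, decoded_path, status, fragment) for each request carrying a probe fragment."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        m = PROBE_RE.search(path)
        if m:
            hits.append((ip, path, status, m.group(0).lower()))
    return hits

def suspicious_clients(log_text, min_probes=2):
    """Blind injection asks one true/false question per request, so repeated probe hits from
    a single client are the signal: return {ip: probe_count} for clients at/above min_probes."""
    counts = Counter(hit[0] for hit in find_probes(log_text))
    return {ip: n for ip, n in counts.items() if n >= min_probes}
```

The 500 responses on the timing and xp_cmdshell probes line up with the custom error page One2 describes, so status alongside the fragment is worth keeping in the alert.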

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:28 EDT