Blind SQL Injection explained
What is Blind SQL Injection?
Blind SQL Injection works in a similar way to SQL Injection, except that the page does not display an error message: you only get to see whether the page behaves normally or not.
How do I find a Blind SQL vulnerability?
To find a page which is vulnerable to SQL injection you need to append to a pre-made SQL query. For instance
http://www.example.com/blind/sql/vulnerable.php?id=2
Behind this page the query being run is something like:
SELECT (required data) FROM (required table) WHERE id = 2
We can exploit this by appending an extra condition on the end, e.g.
http://www.example.com/blind/sql/vulnerable.php?id=2 AND 1=1
This should not change the output, but the AND 1=1 will still be visible in the URL.
How does this help me?
You now have a page which can answer true or false to any query you ask it. By using subqueries and such you can discover data from the database. Doing this by hand takes time and effort and is therefore inefficient. A better way to solve this problem is a simple brute-force type program which can build up a picture of the database.
Finding Column Number
By using the "ORDER BY" clause, you can find out how many columns are being queried, e.g.
http://www.example.com/blind/sql/vulnerable.php?id=2 ORDER BY 5
If there are 5 or more columns then you will still be able to see your results, otherwise you will receive an error or a blank page.
Grabbing Different Table's Data
You can also use UNION statements to grab data from other tables, e.g.
http://www.example.com/blind/sql/vulnerable.php?id=99999 UNION ALL SELECT null,null,concat(username,password),null,null FROM users
How do I do this?
Simply put, you request the vulnerable page with conditions built from substrings, for example:
http://www.example.com/blind/sql/vulnerable.php?id=2 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 109
This asks for the name of the first user table in the database and tests the 1st character of that name. If the name begins with a letter after m in the alphabet (ASCII code greater than 109) then the page displays the article, otherwise it does not. A brute-force type program can then recover the whole name by continuing the sequence, one character and one comparison at a time, until it has all the data.
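As an added example, not code from the original post, the snippet below recreates the true/false oracle described above against an in-memory SQLite table (a constructed stand-in for the vulnerable.php article table; the post's own SELECT TOP 1 ... sysobjects form is SQL Server syntax) and shows that binding the id as a parameter closes the oracle, plus a small check that flags the post's probe patterns in constructed web log lines.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    # Constructed sample data standing in for the site's article table (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn

def vulnerable_lookup(conn, id_param):
    # Mirrors vulnerable.php: the ?id= value is pasted straight into the SQL text.
    return conn.execute(f"SELECT title FROM articles WHERE id = {id_param}").fetchone()

def hardened_lookup(conn, id_param):
    # The value is bound as a parameter, so it is only ever compared as data, never parsed as SQL.
    return conn.execute("SELECT title FROM articles WHERE id = ?", (id_param,)).fetchone()

def is_boolean_oracle(lookup, conn):
    """True if a true and a false appended condition give different page results,
    i.e. the endpoint leaks one bit per request the way the post describes."""
    shown_true = lookup(conn, "2 AND 1=1") is not None
    shown_false = lookup(conn, "2 AND 1=2") is not None
    return shown_true != shown_false

# Detection side: the probe shapes used in the post, matched on the decoded query string.
SQLI_RE = re.compile("|".join([
    r"\b(and|or)\s+\d+\s*=\s*\d+",       # AND 1=1 / AND 1=2 boolean probes
    r"\border\s+by\s+\d+",               # ORDER BY n column counting
    r"\bunion\s+(all\s+)?select\b",      # UNION SELECT data grabs
    r"\b(ascii|substring|substr)\s*\(",  # character-by-character extraction
]), re.IGNORECASE)

def flag_request(log_line):
    """Return the matched fragment if a request line looks like a blind-SQLi probe, else None."""
    m = SQLI_RE.search(unquote_plus(log_line))
    return m.group(0) if m else None

# Constructed log lines, URL-encoded as a web server would record them.
SAMPLE_LOG = [
    "GET /blind/sql/vulnerable.php?id=2 HTTP/1.1",
    "GET /blind/sql/vulnerable.php?id=2%20AND%201=1 HTTP/1.1",
    "GET /blind/sql/vulnerable.php?id=2%20ORDER%20BY%205 HTTP/1.1",
    "GET /blind/sql/vulnerable.php?id=2%20AND%20ascii(lower(substring((SELECT%20TOP%201%20name"
    "%20FROM%20sysobjects%20WHERE%20xtype=%27U%27),1,1)))%3E109 HTTP/1.1",
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable is oracle:", is_boolean_oracle(vulnerable_lookup, db))  # True
    print("hardened is oracle:", is_boolean_oracle(hardened_lookup, db))      # False
    for line in SAMPLE_LOG:
        print(flag_request(line), "<-", line)
```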
This is not a very well-known exploit and is very difficult to prevent and spot. Watch out for it as it can be very useful!!
Thanx for reading guys
mozzer