Blind SQL injection

[pierre]

Hello,

I am looking toward blind SQL injection recently :)

Indeed, in a login:pwd interface I hit a right mail usermane along with this as a password:

test'-SLEEP(5)#

Then I land in the account interface !! I don't take it at all..

Blind SQLi isn't suppose to guess the password by triyng each letters like:

test'-(SELECT * FROM (SELECT(SLEEP(20)))a)-'

test'-(SELECT * FROM (SELECT(SLEEP(20)))b)-'

?

Thanks :)

[digininja]

Blind injection is where you don't get errors or other visible differences from your injection. There isn't a specific set of commands that should or shouldn't work.

[pierre]

Ok I should inspect the server side to know why my injection works.

[digininja]

If you have access to the server code then analyse it to see whats happening and you should get some idea of where the vulnerability is.

[i8igmac]

You could enable 'display_errors = on' in your php.ini file...

just close your eyes and type on your keyboard if you want to practice blind sql injection.

 

As said by digninja. You don't see any Data display on the page that a error exist or data has been modified due to the web applications design. 

 

If you see your page sleep for 20 seconds then display data then this is how you prove sql exist.

 

it may take multiple attempts to confirm injection exist.

Like telling the server to ping your remote machine. Tcp connect to a remote machine. Email a personal account.

Edited October 6, 2017 by i8igmac