Blind SQL injection is an interesting flavor of the classic SQL injection we are all familiar with. Standard SQL injection typically allows users to VISUALIZE the data extracted from the SQL database. The classic 'id=2 UNION select 1,2,3,4,5,6 --' example is used. What this is really doing is allowing the user to SEE where the values '1,2,3,4,5,6' are displayed on the website, so they can display information like usernames in those sections of the website.

Now BLIND SQL injection works basically the way it sounds. You cannot display database information straight to the website. The website shows you nothing!!! The only thing you can do is trigger ERRORS or make the website load incorrectly. This may not seem like much, but let's look at the curious case of 'Boolean based Blind SQL injection'.

(The verification of Blind SQL)

Ex: 'id=1 and 1=1'
Result: Website loads completely fine, all data showing as it should, because 1=1.

Ex: 'id=1 and 1=2'
Result: Website does not load everything it should! We all know 1 is NOT equal to 2, so the SQL query should not return whatever it was meant to. This can come in many shapes and forms, from not displaying the main page to not displaying a column that is dynamically generated by SQL. This is the hard part: making sure that the website TELLS you that your statement after 'and' is FALSE. This basically gives you all the information you need, just like a game of 20 questions: you make a statement and the website tells you whether you are right or wrong.

Let's say we verified that the website is 'Boolean blind SQL' injectable. At this point it is a good idea to try and enumerate the website's SQL version, testing one version number at a time, like so.
Result: Website loads incorrectly, or not all of the website loads. This means that the SQL database is not version 1.
Result: Website loads CORRECTLY!! YAY!! This means that the SQL version is in fact version 5.

At this point you pretty much get it… Now I will show you more advanced ways of extracting information such as database names, the number of databases, and the number of tables. Each statement below is a true/false question asked the same way as the 1=1 / 1=2 check, so the website's response is the answer.

id=1 and length((select count(*) from information_schema.schemata))>1
Checks how many databases are on the server (true when the count has more than one digit, i.e. ten or more).

id=1 and length((select count(*) from information_schema.tables where table_schema='SPECIFIC DATABASE YOU WANT TO CHECK'))>1
Checks how many tables a specific database has (same idea).

id=1 and length((select schema_name from information_schema.schemata limit 0,1))>1
Checks how long the first database's name is (true when the name is longer than one character).
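To show why the 1=1 / 1=2 check described above turns the site's response into a true/false oracle, and how a parameterised query removes that oracle, here is an added example that is not part of the original post. It uses an in-memory SQLite table as a stand-in for the site's database; the table, rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the site's "pages" table (not from the post).
ROWS = [(1, "Welcome"), (2, "About us")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, id_param):
    # The unsafe pattern: the raw 'id' query-string value is concatenated into the SQL,
    # so an appended "and 1=2" becomes part of the WHERE clause and empties the result.
    sql = "SELECT title FROM pages WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, id_param):
    # Hardened version: the value must be a plain integer and is bound as a parameter,
    # so it can never change the structure of the query. Anything else is rejected.
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM pages WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]


def probe(lookup, conn, id_param):
    # What the "website" shows for a given raw id value; rejected input renders as
    # a fixed string so both code paths can be compared the same way.
    try:
        return lookup(conn, id_param)
    except ValueError:
        return "rejected"


def oracle_present(lookup, conn):
    # A defender's self-check: if the page content differs between the always-true
    # and always-false condition, the site is answering yes/no questions.
    return probe(lookup, conn, "1 and 1=1") != probe(lookup, conn, "1 and 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks an oracle:", oracle_present(vulnerable_lookup, db))
    print("parameterised lookup leaks an oracle:", oracle_present(safe_lookup, db))
```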