Blind SQL Injection Tutorial to Hack a Website

In the previous article, we have the basics of SQL Injection; what SQLi is and what are the types of SQL injection. And, In this walkthrough, we are going to dump the database of the DVWA website using Blind SQL injection technique. So before starting, let’s talk about what is Blind SQL Injection.

What is Blind SQLi:

Sometimes, the web developers hide the error messages caused by the backed SQL query, but the SQL injection vulnerability still exists in the web application due to improper handling and unsanitized user input. In this case, an attacker can take advantage of true and false statements to determine the backend database and dump data.

How to Exploit Blind SQLi in a website:

We will exploit blind sql injection on the DVWA website (You can setup DVWA as local Pentesting lab). When exploiting the sql injection, the best first step is to identify all the user inputs which are interacting with the Database. To do so, we have identified the endpoint that is vulnerable to SQL injection.

Vulnerable Endpoint: http://192.168.230.130/dvwa/vulnerabilities/sqli_blind/

Vulnerable Parameter: User ID

Vulnerable Parameter

How to Find Blind SQLi Vulnerability?

Unlike error-based SQL injection, error messages are not shown that could help in the identification of blind sql injection. To identify blind SQLi, we are going to make sure that the vulnerability exists in the website by asking a true or false statement.

See the following payload that always returns true statement and display entries in the database.

Payload:

  • 1′ or 1=1#

Now let’s check the result with the false statement.

Payload:

  • 1′ or 1=2#

Since 1 is not equal to 2, it will not return all the entries of the database. Instead, it will return the left statement that is row number 1.

User id

This way, we identified the presence of blind sql injection in the website by asking true and false statements and comparing the results.

Detecting Blind SQL Injection using Sleep function:

There are scenarios where we can’t see the output of the results on the frontend. In such cases, the sleep() function can be used to detect blind sql injection. The payload works by making the website responding slow for the identification of the vulnerability. If the vulnerability exists, the sleep function will be executed in the database, and the website will load after a certain amount of time.

The following example demonstrates the purpose of sleep () function.

Payload:

  • 1′ AND sleep (10) #

Where sleep (10) is the function that causes the database to sleep for 10 seconds before processing anything. In case if the vulnerability doesn’t exist, we won’t be able to see the page loading for 10 seconds.

Detecting Blind SQL Injection using Sleep function

Discover Blind SQLi using Benchmark() function:

Sometimes, firewalls block certain features to avoid exploitation of the vulnerabilities. Luckily, we got an alternative to the sleep () function, which can cause a delay in the response and aid in the identification of the blind sql injection attack. Benchmark has basically two parameters, one is to define the number of rounds, and the second parameter defines the algorithm to use. For example, let’s look at the following payload that executes SHA1 hash algorithm 10000000 times to delay response:

Payload:

  • 1′ AND BENCHMARK (10000000, SHA1(1337))#

Discover blind sqli injection

Identifying no of columns:

Now we know how to determine the blind sql injection in case if there is no error message but the vulnerability still exists. To determine the number of columns, present in the database, we are going to use order by statement and see the response of the website.

Payload:

  • 1′ order by 1# // To check the number of columns using order by statement.

Identifying no of columns

We can iterate the order by (number) to see how many columns the database has. And after 3 iterations, we got no response, which indicates that there are two columns in the database.

sql injection

Dumping Table names:

The next step of our exploitation is to identify the names of all tables that exist in the database. We can use union all statement to extract all table names using the following payload:

  • 1′ union all select 1, group_concat(table_name) from information_schema.tables where table_schema=database()#

The above payload uses group_concat() function to combine all the table names in a single attribute and display the result of all tables present in the current database of information schema.

We found two tables, a guestbook, and users.

Dumping Table

Extracting column names of the Database Table:

After identifying all the table names, we can enumerate list of columns in the table using the following payload:

Payload:

  • 1′ union all select 1,group_concat(column_name) from information_schema.columns where table_schema=database()#

The syntax to extract the column names from the tables is the same as extracting table names except that table_name is replaced with column_name and information_schema.columns is used for column names.

Extracting column names of the Database Table

With this payload, the identified column names of Table “users” are column_id, comment, name, user_id, first_name, last_name, user, password, and avatar.

Dumping data from Columns:

Now that we know all the columns present in the table, our last step of exploiting sql injection is the exfiltration of all the data present in the database. The payload to extract data is as follows:

  • 1′ union all select 1,group_concat(user,password) from users#

This payload concatenates the user and password column from users and displays the result. Since we are more interested in the username and passwords of the users, displaying the rest of the fields such as column_id, comment, and user_id has no point. The displayed result shows the user and the hash of the password stored in the database.

Dumping data from Columns

The list of users is admin, Gordon, Hack, Pablo, and Bob. Cracking the password can be done by various tools, including but not limited to john the ripper, hydra, Johny etc.

This concludes our write-up on blind sql injection. We discussed the identification of blind sql injection and how to exfiltrate the entire data from the database using blind sql injection vulnerability.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

Security Against Hacks: A Simple Game of Economics

One of the cold hard truths behind cybersecurity is that it's impossible to prevent a hack 100% of the time. It only takes one...

Certain Things That You Must Know About Microsoft MS-500 Exam and Its Practice Tests

If you want to be a Microsoft 365 security administrator, then there would be a number of responsibilities that will fall on your shoulders,...

Quick Ways to Avoid Being Watched by the NSA’s PRISM Program

Big brother is on the watch online. Today, a week hardly passes without news of government spying, whistleblowers, cell phone hacking, or even private photos...

Android Post Exploitation: Exploit ADB using Ghost Framework in Kali Linux

This article is the part of Android Hacking tutorial; it covers step by step guide to exploit Android ADB to get the persistent connection...

LOOKING FOR HACKING RECIPES FORM THE PRO?

Then sign up for FREE to the ehacking’s exclusive group. You will get the exclusive tips/tricks, tutorials, webinars & courses that I ONLY share with my fellow on this exclusive newsletter.