Blind SQL injection is clone of normal SQL Injection except that when an attacker attempts to use an application, instead of getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a possible SQL Injection attack harder but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements. The attacker provides your database application with some malformed data, and your application uses that data to create a SQL statement using string concatenation. This allows the attacker to vary the semantics of the SQL query. People tend to use string concatenation because they don’t know there’s another, safer method, and let’s be honest, string concatenation is simple, but it’s wrong step. A less common variant is SQL stored procedures that take a parameter and easily execute the argument or perform the string concatenation with the argument and so execute the result. Nowadays, it's very easy to perform Blind SQL injection compare to some years ago because lots of SQL injection tools available on the net. you'll download it from security website or hacker website and use it to check for MySQL, MSSQL or Oracle. By using these automated tools, it's very easy and fast to search out holes or bugs for SQL injection or Blind SQL injection from a web site. Finding Vulnerable URL Before you'll be able to perform Blind SQL Injection testing, you need to find a vulnerable URL or path from the web site where you'll inject malicious code or character to the vulnerable parameter on the web site. you would like to seek out out why your website is at risk of Blind SQL injection before you'll be able to perform SQL injection attack to the vulnerable parameter. to seek out a vulnerable URL path. Testing Vulnerable Parameter From the results of testing in webscan.txt, we found some possible Blind SQL injection bugs at the targeted server and trying to proof that bugs. Let’s say that you simply are auditing an online application server and located an online page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value. You now want to check for SQL injection vulnerability, and trying to take advantage of the vulnerability to retrieve the maximum amount as information from the net application’s back-end direction system or maybe is ready to access the underlying package. you want to have a symptom about the vulnerability that has been found by exploiting it until you'll get the findings. to check a vulnerable parameter, you'll be able to use manual technique or automated tool. SQLI Dumper can got a lote of combo list you can use this Combolist or database openbullet its best site to use combo list and sell hits sell and buy digtal goods Using Simple SQLi Dumper For Blind SQL Injection Simple SQLi Dumper (SSDp) is an open source PHP MYSQL injection tool written in Perl scripting language. it's wont to find bugs, errors or vulnerabilities in MySQL database. you need to understand and understand how to use SSDp tool. If you are doing not understand a way to use it, you'll be able to see the assistance menu that inbuilt along with this tool (Use ssdp.pl –h command to work out Help menu). From the targeted URL that i've got tested in Chapter 3 above, I found vulnerability at the parameter pageid is vulnerable for injection. So, I used this vulnerable page to check with SSDp tool.
