Getting Started with the Acunetix Blind SQL Injector

The Blind SQL Injector is a tool that forms part of the Acunetix Manual Pen Testing Tools suite (available to download for free). The Blind SQL Injector allows you to enumerate MySQL and MSSQL databases via a Blind SQL injection vulnerability.

You can start using the Blind SQL Injector by launching the Acunetix Tools application, and selecting the Blind SQL Injector from the Tools Explorer.

The top pane in the Blind SQL Injector is where you can enter an HTTP request which you know is vulnerable to Blind SQL Injection. The bottom pane shows enumerated data extracted from the database via the Blind SQL injection attack.

Adding an injection point

Before you can start enumerating a database through an SQL injection you will need to paste a vulnerable HTTP request and add an injection point.

An injection point is the exact point where the SQL injection payload should be placed. This can be specified by placing the cursor at the correct position in the HTTP request and clicking on the ‘+’ icon in the toolbar. The selected text will be replaced with the ${injecthere} token, which will be replaced dynamically by the injection engine using various SQL injection techniques.

Once an injection point is set, you can click on the initialize injection button to start the injection process. The Blind SQL injector will first test if it is able to inject SQL commands into the request. In the event of an error, you might need to tweak the Blind SQL injector’s advanced settings (more on this below).

Once the injection process has started, you will see basic details about the DBMS in the bottom-left pane of the screen.

By using the data extraction functions in the top toolbar, you can further enumerate the database schema, as well as any table data. Table data will show up in the bottom-right-hand pane. You can also export the database’s structure and table data using the toolbar.

Blind SQL Injector accompanying tools

The Blind SQL injector includes a file extraction tool and an SQL query execution tool, both available from the Tools tab.

File extraction tool

  • File Name – Specify the exact remote path and filename of the file to extract
  • Offset – Specify the character index from where you want to extract data
  • Length – Specify how many bytes to extract from the file. Set it to 0 for no limit, i.e. extract the whole file
  • Text File – Tick this option if the file is a text file. The extraction algorithm then knows it is dealing with text, which makes the extraction process much faster

Execute SQL query tool

  • SQL query – Write down the SQL query in this text box
  • Offset – Specify the character index from where you want to extract data
  • Length – Specify how many bytes to extract from the result returned by the SQL query. Set it to 0 for no limit, i.e. extract the whole result

Advanced configuration

The Blind SQL Injector can be configured with additional advanced settings from the Settings tab.

  • Settings > General tab
    • Database Type – Select ‘Automatic’ if the database server is unknown and the Blind SQL Injector will try to guess it. Otherwise, if the SQL server is known, you can select it from the drop-down menu.
    • Extraction Method – Select ‘Automatic’ and the Blind SQL Injector will try to use the best method possible. The ‘Condition based’ extraction method is the most reliable but also the slowest. ‘Union Select’ can only be used in the limited cases where the SQL query and injection point permit it, but it is much faster than the Condition based method.
    • Minimum HTTP Retry – The number of retries the application will make before reporting a connection error.
    • Encode SQL Spaces with /**/ – Enabling this option will encode SQL spaces with /**/. This is a basic method of bypassing anti-SQL injection protections and filters.
    • Force HTTP encoding of the SQL string – Enable this option to automatically encode SQL strings used in a GET parameter.
    • Encode all characters – Enable this option to encode all characters not just the special characters.
    • Encode spaces with plus – Enable this option to encode spaces with a + sign instead of %20.
    • Show debug information – Enable this option to enable debug logging in the application log
  • Settings > Condition based extractor tab
    • Injection SQL string
      • Automatic detection – Select this option to have the Blind SQL Injector determine the injection string automatically
      • Provided by user – Select this option to manually specify the injection SQL string. The position of the condition is marked by the ${condition} token, e.g. 1 AND ${condition}/*
    • True/False condition detector
      • Automatic – Select this option for automatic condition detection. It may not work if subtle changes occur in the server response between consecutive requests
      • Provided by RegEx – Specify the regular expression which must match the response data on true condition
    • Inverse RegEx – Enable this option to treat the condition as true when the RegEx stated above does not match
    • Character Extractor
      • Bit method – Select this option to extract each character directly bit by bit
      • Half-bit method – If selected, the Blind SQL Injector will find the numerical value of a character by interval halving: it recursively splits the candidate interval in half and tests which half the value lies in.
      • Try parallel requests – Tick this option to request all bits in parallel
  • Settings > Union Select based extractor tab
    • Start Column number – Specify the minimum number of columns expected in a database.
    • Max column number – Specify the maximum number of columns expected in a database.
    • Visible column index – Specify a column which the Blind SQL injector can extract. To have the Blind SQL Injector automatically detect this, set this to 0.
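As an added illustration (not Acunetix code) of why the General tab calls /**/ spacing a filter bypass: a keyword signature applied to the raw request text misses the /**/, plus-sign and fully percent-encoded forms listed above, but catches all three once the request is decoded and comments are collapsed before matching. All sample query strings are constructed for this demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed request query strings: one tautology payload in each of the
# encodings the General settings can apply (hypothetical, not captured traffic).
SAMPLES = {
    "plain":         "id=1 AND 1=1",
    "comment_space": "id=1/**/AND/**/1=1",               # spaces as /**/
    "plus_space":    "id=1+AND+1=1",                     # spaces as +
    "all_encoded":   "id=%31%20%41%4E%44%20%31%3D%31",   # every character as %XX
    "benign":        "id=1&page=2",
}

# A naive signature that looks for the tautology in the raw request text.
TAUTOLOGY = re.compile(r"\bAND\s+1\s*=\s*1\b", re.IGNORECASE)

def naive_flag(query: str) -> bool:
    """Match the signature against the raw, undecoded query string."""
    return bool(TAUTOLOGY.search(query))

def normalize(query: str) -> str:
    """Undo the encodings before matching: percent-decode (treating + as a
    space), collapse /* ... */ comments to a space, squeeze whitespace."""
    decoded = unquote_plus(query)
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.DOTALL)
    return re.sub(r"\s+", " ", no_comments).strip()

def normalized_flag(query: str) -> bool:
    """Match the same signature after normalization."""
    return bool(TAUTOLOGY.search(normalize(query)))

def compare(samples: dict) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for every sample."""
    return {name: (naive_flag(q), normalized_flag(q)) for name, q in samples.items()}

if __name__ == "__main__":
    for name, (naive, norm) in compare(SAMPLES).items():
        print(f"{name:14s} naive={str(naive):5s} normalized={norm}")
```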

Acunetix is an automated web application security scanner and vulnerability management platform. In addition, Acunetix also provides a suite of manual pentesting tools that allow users to quickly and easily confirm and take automated testing further.

  • Hi,

    The Blind SQL injection tool does not inject any code in SQL. However, I would still recommend that you perform this on a backup copy of the website / database.
