
SQL injection Blind



I am on this site that is susceptible to blind SQL injection… I was wondering, is there a way to find out the name of a table?



That's the point of "blind" SQL injection: you have to guess the table.

First, try to find out the number of columns, e.g.: index.php?whatever=1 order by 3,4,5,etc.

Then do:

UNION ALL SELECT lots of nulls.. FROM username,user_name,members,password,pass,etc…

UNION ALL SELECT null,null,null,null(4 columns) FROM members

...correct me if I'm wrong :o



laverdad wrote: I am on this site that is susceptible to blind SQL injection… I was wondering, is there a way to find out the name of a table?

Ehh, wouldn't you know that, having completed the relevant challenges? Of course, people forget things, that's understandable.



I know how many columns and the names of the columns I need. It is just the table name I need to know. Plus, real-world web hacking is not always like these HBH challenges.



laverdad wrote: I know how many columns and the names of the columns I need. It is just the table name I need to know. Plus, real-world web hacking is not always like these HBH challenges.

Oh, I know, I know. =P



Sent it.



Try selecting table / column names from the information_schema database. Probably won't have access to it though.
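
Seen from the defending side, the probes described in this thread (the ORDER BY column count, UNION ALL SELECT with nulls against guessed table names, and information_schema lookups) leave a recognizable trail in web access logs. The following is an added example, not part of any post above: a Python sketch that flags those request shapes per client. The log lines, IP addresses, paths and status codes are constructed, and the rule names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Probe shapes named in the thread, matched against the decoded query string.
RULES = {
    "order_by_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_null_probe": re.compile(r"\bunion\s+(?:all\s+)?select\s+null(?:\s*,\s*null)*\s+from\s+([\w.]+)", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
}
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client, status, rules hit, guessed table or None), or None if unparsable."""
    m = REQ.match(line)
    if not m:
        return None
    query = unquote_plus(m.group(2).partition("?")[2])
    hits, table = [], None
    for name, rx in RULES.items():
        if found := rx.search(query):
            hits.append(name)
            if name == "union_null_probe":
                table = found.group(1).lower()
    return m.group(1), int(m.group(3)), hits, table

def summarize(lines):
    """Per client: rules hit, distinct table names guessed, probes answered with 5xx."""
    report = {}
    for client, status, hits, table in filter(None, map(classify, lines)):
        if not hits:
            continue
        entry = report.setdefault(client, {"rules": set(), "tables": set(), "errors": 0})
        entry["rules"].update(hits)
        entry["errors"] += status >= 500  # failed guesses tend to surface as server errors
        if table:
            entry["tables"].add(table)
    return report

# Constructed sample access-log lines (documentation IP ranges, hypothetical statuses).
_FMT = '%s - - [01/Jan/2024:10:00:00 +0000] "GET %s HTTP/1.1" %d 512'
_ROWS = [
    ("198.51.100.7", "/index.php?whatever=1+order+by+3", 200),
    ("198.51.100.7", "/index.php?whatever=1+order+by+5", 500),
    ("198.51.100.7", "/index.php?whatever=1+UNION+ALL+SELECT+null,null,null,null+FROM+username", 500),
    ("198.51.100.7", "/index.php?whatever=1+UNION+ALL+SELECT+null,null,null,null+FROM+members", 200),
    ("198.51.100.7", "/index.php?whatever=1+UNION+ALL+SELECT+null,null,null,null+FROM+information_schema.tables", 500),
    ("203.0.113.9", "/index.php?whatever=1", 200),
]
SAMPLE = [_FMT % row for row in _ROWS]
```

A client that hits several rules, guesses multiple table names and collects a run of 5xx responses is worth alerting on. The lasting fix is still parameterized queries and a database account without rights it does not need.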