Author Topic: SQL Injection Question

peak
SQL Injection Question
« on: October 26, 2012, 08:19:47 pm »
Hello EZ Members

The task is very simple, though the answer is not.

There are 3 rules in this real-life SQL injection.

1. MySQL Server without Subqueries (Subqueries are not supported <4.1)
2. Union Injection without Output.
3. Error Messages contain no extra information (no error based injection possible)
4. No Sleep and benchmark does not make a significant change in response time (no time based injection possible)

But I do know the tables and columns!

What I think could be the solution:

I can work out a different kind of blind injection using the union and an if statement in the WHERE part.
The problem is:
I need something like (select 1 union select 2) that will be a valid part of an SQL query, but without a subquery, used to let it fail and give me feedback on whether the condition I use for the blind injection is true or false.

I failed to find something like that yet.

Maybe some l33t old MySQL admin has an idea?

Sincerely

peak

Dio-Gt
Re: SQL Injection Question
« Reply #1 on: November 11, 2012, 04:19:29 pm »
Do you want to go manual or with a program like Havij, sqlmap..?
« Last Edit: November 11, 2012, 04:19:51 pm by Dio-Gt »

Stackprotector
Re: SQL Injection Question
« Reply #2 on: November 11, 2012, 05:39:41 pm »
I think you will need plain blind SQLi. Using (programmer's example) if(toAscii(substr(table.users.password, 1)) == 1) { TRUE } else { FALSE }. There are loads of examples based on whether the page loads or not.
~Factionwars

Dio-Gt
Re: SQL Injection Question
« Reply #3 on: November 11, 2012, 06:25:10 pm »
Blind SQLi, it's not easy if you want exact info! It will take hours... except if you know where the info is (db, tables etc.)...

// If you are not a fan of manual, then better try it with a program :)