# High

Di bawah ini adalah *source-code* dari *Blind SQL Injection* level high di DVWA.

```php
vulnerabilities/sqli_blind/source/high.php
<?php
​
if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];
​
    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors
​
    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // Might sleep a random amount
        if( rand( 0, 5 ) == 3 ) {
            sleep( rand( 2, 4 ) );
        }
​
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
​
        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }
​
    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}
​
?> 
```

## Mencari Informasi <a href="#mencari-informasi" id="mencari-informasi"></a>

Pada level ini terdapat perbedaan tentang cara melakukan inputan. Sekarang form inputan berada di halaman **cookie-input.php** (lalu nilanya dijadikan [*cookie*](https://www.w3schools.com/php/php_cookies.asp)) dan hasilnya akan ditampilkan di halaman **index.php**.

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M06eX85DrJs_up20A2A%2F-M06zQSHHCqYZw4t_TYd%2Fimage.png?alt=media\&token=d2336ed3-69d2-4163-9c3f-8596c4d8dd45)

Saya mencoba membuatnya bernilai **false** dengan membuat nilai `id` menjadi '`'`'.

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M06eX85DrJs_up20A2A%2F-M072FR2myOLDHG5MeJD%2Fimage.png?alt=media\&token=9164faad-7db6-4bc2-b70c-dd82a660f893)

Setelah mengetahui pesan jika melakukan kesalahan, selanjutnya saya mencoba menggunakan *payload* berikut untuk melihat apakah hasilnya bernilai **true** atau **false**:

```
1 or 1 = 1#
```

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M06eX85DrJs_up20A2A%2F-M072a-JPAiQK8rdeKnY%2Fimage.png?alt=media\&token=b763eab7-7d8e-4196-a6a4-6d0ce6d17526)

Dan hasilnya **true**! Selanjutnya kita akan menggunakan SQLMap. 😁

## Melakukan Serangan <a href="#melakukan-serangan" id="melakukan-serangan"></a>

Gunakan perintah berikut lalu jalankan:

```
sqlmap -u "http://172.17.0.2/vulnerabilities/sqli_blind/?id=1" --cookie="PHPSESSID=jusi9ccuu6qfk9m3tqdf103jo2; security=high" --dbs
```

![](https://gblobscdn.gitbook.com/assets%2F-LzH5Vfe8_AlGL8KPrs2%2F-M06eX85DrJs_up20A2A%2F-M073faSalKon-BWuMPi%2Fimage.png?alt=media\&token=19d174f2-9848-4567-a372-aa002f6539a6)

Berhasil! Terlihat bahwa terdapat 2 database yang tersedia.

Sama seperti *SQL Injection* level high, saya belum bisa menjelaskan kenapa ini bisa terjadi. ☹

Tetap semangat! Happy Hacking! 😊


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.anggipradana.com/tutorial/dvwa/sql-injection/blind/high.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.