Blind Injections
Last updated
Blind SQL Injection is a type of SQL injection attack where the attacker cannot see the result of the query directly. Instead, they infer information from the application's behavior, such as differences in response times or error messages. This method is useful when error messages are not displayed, but the application still processes the injected SQL commands. Sadly, blind injection challenges are generally harder than normal SQLi questions, but that doesn't mean you can't solve them :)
To identify Blind SQL Injection vulnerabilities, pay attention to subtle differences in application responses. Indicators include:
Behavior Testing: Entering SQL syntax that does not produce visible errors but causes changes in application behavior, such as differences in response times or content.
Boolean-based Testing: Using boolean conditions (true/false) to determine the existence of a vulnerability.
If Statements: This is one of the key techniques for Blind SQL Injection. It is also very useful for testing simpler things blindly yet accurately. The syntax differs slightly depending on the database in use.
MySQL If Statement
```sql
IF(condition,true-part,false-part)
SELECT IF(1=1,'true','false')
```
SQL Server If Statement
```sql
IF condition true-part ELSE false-part
IF (1=1) SELECT 'true' ELSE SELECT 'false'
```
Oracle If Statement
```sql
IF condition THEN true-part; ELSE false-part; END IF;
IF (1=1) THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
```
PostgreSQL If Statement
```sql
SELECT CASE WHEN condition THEN true-part ELSE false-part END;
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END;
```
SQLite If Statement
```sql
-- SQLite's conditional function is iif(); use single quotes for string literals,
-- since double quotes denote identifiers.
iif(condition, true-part, false-part)
SELECT iif(1<2, 'True', 'False');
```
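From the defender's side, the same dialect-specific conditionals listed above are what you look for in request logs. The following added example (not part of the original page) scans constructed access-log lines, URL-decodes each query parameter and reports which conditional or delay construct it contains; the indicator names, the regexes and the sample log lines are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Conditional and delay constructs taken from the per-database examples above.
# Patterns are case-insensitive and whitespace-tolerant; values are URL-decoded first.
INDICATORS = {
    "if_function": re.compile(r"\bIF\s*\(", re.I),        # MySQL IF(), T-SQL IF (...)
    "if_then_end_if": re.compile(r"\bIF\b.+\bTHEN\b.+\bEND\s+IF\b", re.I | re.S),  # Oracle
    "case_when": re.compile(r"\bCASE\s+WHEN\b", re.I),    # PostgreSQL CASE WHEN
    "iif_function": re.compile(r"\bIIF\s*\(", re.I),      # SQLite iif()
    "sleep_call": re.compile(r"\b(?:SLEEP|DBMS_LOCK\.SLEEP)\s*\(", re.I),  # time-based
}

# Request line inside a combined-log-format entry: method, target (path + query), protocol.
REQUEST_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def indicators_in(raw_value: str) -> list[str]:
    """Names of blind-SQLi constructs present in one URL-encoded parameter value."""
    decoded = unquote_plus(raw_value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, raw_parameter, indicators) for each suspicious query parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if not m or "?" not in m.group("target"):
            continue
        client_ip = line.split(" ", 1)[0]
        query = m.group("target").split("?", 1)[1]
        for param in query.split("&"):
            found = indicators_in(param.partition("=")[2])
            if found:
                hits.append((client_ip, param, found))
    return hits

# Constructed sample access-log lines (not real traffic); one benign, four suspicious.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /search?q=what+if+it+rains HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:00:02 +0000] "GET /item?id=IF(1%3D1,%27true%27,%27false%27) HTTP/1.1" 200 640',
    '10.0.0.9 - - [12/May/2024:10:00:03 +0000] "GET /item?id=CASE+WHEN+(1%3D1)+THEN+%27A%27+ELSE+%27B%27+END HTTP/1.1" 200 640',
    '10.0.0.9 - - [12/May/2024:10:00:04 +0000] "GET /item?id=iif(1%3C2,%27True%27,%27False%27) HTTP/1.1" 200 640',
    '10.0.0.9 - - [12/May/2024:10:00:05 +0000] "GET /item?id=IF+(1%3D1)+THEN+dbms_lock.sleep(3)%3B+ELSE+dbms_lock.sleep(0)%3B+END+IF%3B HTTP/1.1" 200 3640',
]

if __name__ == "__main__":
    for ip, param, found in scan_log(SAMPLE_LOG):
        print(f"{ip} {param} -> {', '.join(found)}")
```

The benign "what if it rains" search is not flagged because the patterns require the function-call or THEN/END IF shape, not the bare word; in practice, correlate hits with response-size or response-time anomalies from the same client to cut false positives further.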
Example: [image]
or maybe a form [image]
SQLMap: An automated tool for SQL injection and database takeover.
Burp Suite: A web vulnerability scanner with tools for manual testing.
Havij: An automated SQL injection tool.
https://ctflearn.com/challenge/430 [Quite hard]
Hint: First use the auth bypass, then start applying blind SQL injection.
The application includes a "Welcome back" message in the page if the query returns any rows.
The database contains a different table called users, with columns called username and password.
Identify if the application is vulnerable to Blind SQL Injection and find out the password of the administrator user.
Blind SQL Injection exploits differences in application behavior to infer database information without directly viewing the results. Identifying and exploiting these vulnerabilities requires careful observation and systematic testing.
Time-based Testing: Using time delays (e.g., the SLEEP function) to measure response times and infer database information. (More on this in )
You are provided with a web application that uses a tracking for analytics, and performs a SQL query containing the value of the submitted cookie.
We find out that the first character is not an a, but using Burp Suite Intruder this can be automated easily. With the free version, this is rather slow but gets the work done. You can write a to do this too (but it is out of scope for this topic).