Blind SQL injection

Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.

Boolean-based blind SQL injection

Consider an application that builds the following query from the user-supplied product_id parameter:

SELECT * FROM products WHERE id = product_id

First, the attacker uses the application in a legitimate way to discover at least one existing product ID – in this example, it is product 42. They can then supply the following two values for product_id:

42 AND 1=1
42 AND 1=0

If the application builds the query by simple string concatenation, the resulting queries are, respectively:

SELECT * FROM products WHERE id = 42 AND 1=1
SELECT * FROM products WHERE id = 42 AND 1=0

If the application's response differs between the two cases (for example, the product page is shown for the first value but not for the second), it is susceptible to boolean-based blind SQL injection. If the database server is Microsoft SQL Server, the attacker can now supply the following value for product_id:

42 AND (SELECT TOP 1 substring(name, 1, 1)
FROM sysobjects
WHERE id=(SELECT TOP 1 id
FROM (SELECT TOP 1 id
FROM sysobjects
ORDER BY id)
AS subq
ORDER BY id DESC)) = 'a'

The sub-query in parentheses after 42 AND checks whether the name of the first table in the database (the entry in sysobjects with the lowest id) starts with the letter a. If it does, the application behaves exactly as it did for the payload 42 AND 1=1; if not, it behaves as it did for 42 AND 1=0. Repeating this with different letters and positions lets the attacker read the name one character at a time, even though no query result is ever returned directly.
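The root cause in both cases is that product_id is pasted into the SQL text. The following added example (not code from the original page) reproduces the boolean-based oracle against a constructed in-memory SQLite table named products, and contrasts the concatenating lookup with a hardened version that validates the parameter and binds it as a value; the table contents and function names are assumptions for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the page's products table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(41, "lamp"), (42, "chair"), (43, "desk")],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """String concatenation: whatever the client sends becomes part of the SQL text."""
    query = "SELECT * FROM products WHERE id = " + product_id
    return conn.execute(query).fetchall()


def parse_product_id(raw):
    """Allow-list validation: a product ID is a plain decimal integer, nothing else."""
    if not re.fullmatch(r"\d+", raw):
        raise ValueError("product_id must be a positive integer")
    return int(raw)


def lookup_parameterized(conn, raw_product_id):
    """Validated and bound: the value travels as data, never as SQL syntax."""
    product_id = parse_product_id(raw_product_id)
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def boolean_oracle_present(conn, known_id="42"):
    """True when the two page payloads produce different results, i.e. the
    application leaks one bit per request through its behaviour."""
    true_case = lookup_vulnerable(conn, known_id + " AND 1=1")
    false_case = lookup_vulnerable(conn, known_id + " AND 1=0")
    return true_case != false_case


def is_rejected(conn, raw_product_id):
    """True when the hardened lookup refuses the input before it reaches SQL."""
    try:
        lookup_parameterized(conn, raw_product_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle present:", boolean_oracle_present(db))
    print("hardened lookup for '42':", lookup_parameterized(db, "42"))
    print("hardened lookup rejects '42 AND 1=0':", is_rejected(db, "42 AND 1=0"))
```

Binding alone already stops the injection; the integer allow-list on top of it gives a clear rejection to log and alert on, rather than a silently empty result.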

Time-based blind SQL injection

Consider again an application that builds the following query from the user-supplied product_id parameter:

SELECT * FROM products WHERE id = product_id

An attacker may supply the following product_id value:

42; WAITFOR DELAY '0:0:10'

As a result, the query becomes:

SELECT * FROM products WHERE id = 42; WAITFOR DELAY '0:0:10'

If the database server is Microsoft SQL Server (which executes the second, stacked statement after the semicolon) and the application is susceptible to time-based blind SQL injection, the attacker observes a 10-second delay in the application's response. Knowing that time-based blind SQL injection is possible, the attacker can now supply the following product_id:

42; IF(EXISTS(SELECT TOP 1 *
FROM sysobjects
WHERE id=(SELECT TOP 1 id
FROM (SELECT TOP 1 id
FROM sysobjects
ORDER BY id)
AS subq
ORDER BY id DESC)
AND lower(substring(name, 1, 1)) = 'a'))
WAITFOR DELAY '0:0:10'

If the name of the first table in the database structure begins with the letter a, the IF condition is true and the application responds with a 10-second delay; otherwise it responds immediately. Just as with boolean-based blind SQL injection above, the attacker can repeat this method to discover the name of the first table, then learn the structure of that table, and finally extract data from it, one bit of information per request.
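From the defender's side, the signature of time-based blind injection is a request to a normally fast endpoint that takes a long, round figure to complete, often repeated many times with small variations of one parameter. The following added example (not code from the original page) parses a few constructed access-log lines and flags requests that are both an outlier against the per-path median latency and, where the parameter is visible in the URL, carry a delay keyword such as the page's WAITFOR DELAY; the log format, thresholds and sample lines are assumptions for the demonstration.

```python
import re
import statistics
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not real traffic): timestamp, method, URL, status, seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z GET /product?id=41 200 0.031
2024-05-01T10:00:02Z GET /product?id=42 200 0.028
2024-05-01T10:00:03Z GET /product?id=43 200 0.030
2024-05-01T10:00:04Z GET /product?id=42%3B+WAITFOR+DELAY+%270%3A0%3A10%27 200 10.034
2024-05-01T10:00:15Z GET /product?id=42 200 0.029
2024-05-01T10:00:16Z GET /search?q=chair 200 0.250
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) ([\d.]+)$")
# SQL Server's WAITFOR DELAY from the page, plus the generic SLEEP( used by other engines.
DELAY_KEYWORDS = re.compile(r"\bWAITFOR\b.*\bDELAY\b|\bSLEEP\s*\(", re.IGNORECASE)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, url, status, secs = m.groups()
        parts = urlsplit(url)
        entries.append({
            "ts": ts,
            "method": method,
            "path": parts.path,
            "query": unquote_plus(parts.query),  # decode so keyword matching sees the raw payload
            "status": int(status),
            "secs": float(secs),
        })
    return entries


def flag_suspicious(entries, abs_floor=5.0, ratio=20.0):
    """Return (timestamp, decoded query, reasons) for requests that look like
    time-based probing: a latency outlier against the path's own median
    (at least abs_floor seconds and ratio times the median) and/or a delay keyword."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], []).append(e["secs"])
    baseline = {path: statistics.median(v) for path, v in by_path.items()}

    flagged = []
    for e in entries:
        reasons = []
        if e["secs"] >= abs_floor and e["secs"] >= ratio * baseline[e["path"]]:
            reasons.append("latency outlier")
        if DELAY_KEYWORDS.search(e["query"]):
            reasons.append("delay keyword in query string")
        if reasons:
            flagged.append((e["ts"], e["query"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, query, reasons in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(ts, repr(query), ", ".join(reasons))
```

The latency rule is the robust one: it still fires when the parameter arrives in a POST body or is encoded in a way the keyword list does not anticipate, whereas the keyword match only confirms what the outlier already suggested. Either way, the finding is a prompt to fix the concatenation, not a substitute for it.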