Blind SQL (Structured Query Language) injection is a type of SQL injection in which the attacker asks the database true-or-false questions and infers the answer from the application's response. It is typically used when the web application is configured to show a generic page chosen by the developer in every state (success or error) instead of useful error messages. Blind SQLi is an inferential type of SQL injection.
Blind SQL injection is nearly identical to normal SQL injection; the only difference is the way data is retrieved from the database. When the database output is never written to the web page, an attacker is forced to extract data by asking the database a series of true-or-false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.
Exploiting Blind SQL Injection
For the demonstration we are going to use the DVWA vulnerable web app. To learn more about DVWA or to install it on your system, please see Setting up Web Pentesting Lab. In DVWA we are going to use the SQL Injection exercise and set the security level to low.
In this example, if we enter a user ID, the application shows that user's details.
Now when we try to break the query and inject our own SQL, as in error-based injection, the page shows nothing. This suggests that the web application may be vulnerable to blind SQL injection.
To exploit a blind SQL injection vulnerability, we need to ask the database a series of true-or-false questions. When the question is true, the database runs the query successfully; otherwise it does not. For example, the application above normally takes a user ID as input. Along with the user ID we also supply our question (query), like below
1' and <Our_Query(Question)>
When our question is true, the database executes the query and the page proceeds as normal; otherwise it does not. For example, if we know that the database name is "dvwa", we can check this with the query below
1' and ((select database())) = "dvwa" #
If we change the database name to something else, the web application no longer responds with the user's details.
1' and ((select database())) = "abcd" #
By repeating this technique, one true-or-false question per request, we can exploit blind SQL injection in a web application.
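The following is an added example, not code from the original post or from DVWA, that reproduces the true/false behaviour described above in a self-contained script and shows the fix a defender would apply. It builds a constructed in-memory SQLite table loosely modelled on DVWA's users table (the exact DVWA query text is an assumption), runs the same input through a string-concatenated query and a parameterized one, and includes a small regression check that tells you whether the page still leaks one bit per request. SQLite uses `--` for comments where the MySQL examples above use `#`.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data; the column names are an assumption about DVWA's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: whatever the user supplies becomes part of the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the input is always treated as a value, never as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def render(rows):
    """Mimic the generic page: user details if the query matched, a fixed message otherwise."""
    if rows:
        return "First name: {}\nSurname: {}".format(*rows[0])
    return "User not found"


def has_boolean_oracle(lookup, conn, base_id="1"):
    """
    Defender-side regression check: send the same base ID with an always-true and an
    always-false condition appended. If the two rendered responses differ, the input is
    reaching the query as SQL and the page leaks one bit per request.
    """
    true_probe = f"{base_id}' AND 1=1 -- "
    false_probe = f"{base_id}' AND 1=2 -- "
    return render(lookup(conn, true_probe)) != render(lookup(conn, false_probe))


if __name__ == "__main__":
    db = build_demo_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(f"{name}: normal lookup -> {render(fn(db, '1'))!r}")
        print(f"{name}: boolean oracle present -> {has_boolean_oracle(fn, db)}")
```

With the concatenated query the two probes render differently (details versus "User not found"), which is exactly the oracle the post describes; with the bound parameter both probes render the same generic message, so there is nothing to infer from. The `has_boolean_oracle` check is cheap enough to keep in a test suite so a refactor that reintroduces string concatenation is caught before release.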
Types of Blind-SQL Injection
There are two types of blind SQL injection:
In this post we looked at some basic concepts of blind SQL injection. In the next post we will look at Boolean-based SQL injection in detail.