Blind SQL Injection

mrpentestguy
3 min read · Oct 11, 2021


Today we will learn how to find blind SQL injection, and at the end I will give you a small automation script that can help you find some bugs.

So let's get started.

What is a SQL injection?

A SQL injection is a web application attack where the attacker “injects” SQL statements that will manipulate or access application data, whether it be sensitive or public. These attacks leverage areas in web applications that ask for user input. If user inputs in an app are not sanitized properly, an attacker can use a SQL injection to gain access to the associated app data store.

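For example, say you are taking a user ID as input from a user. The legitimate SQL query would look like this:

SELECT * FROM users WHERE id = '42'

An attacker can supply input that turns the quoted value into:

'42' OR '1'='1'

so the query that reaches the database becomes:

SELECT * FROM users WHERE id = '42' OR '1'='1';

Because '1'='1' is always true, the WHERE clause now matches every row in the table.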

What types of SQL injection are there?

  1. In-band SQLi
  2. Error-based SQLi
  3. Union-based SQLi
  4. Blind SQLi

Blind SQLi

Attackers came up with methods to work around the lack of error messages and still learn whether their input is being interpreted as an SQL statement. This is how the Blind SQL Injection technique was born (sometimes called Inferential SQL Injection). There are two variants of this technique that are commonly used: Content-based Blind SQL Injection and Time-based Blind SQL Injection.

Content-based Blind SQL Injection

Using a simple page, which displays an article with a given ID as the parameter, the attacker may perform a couple of simple tests to determine if the page is vulnerable to SQL Injection attacks.

Example URL:

http://newspaper.com/items.php?id=2

sends the following query to the database:

SELECT title, description, body FROM items WHERE ID = 2

The attacker may then try to inject a query that returns ‘false’:

http://newspaper.com/items.php?id=2 and 1=2

If the web application has a different response to the database returning true than it returning false, the attacker knows the app is vulnerable to a SQL injection. By continuing to use true/false tests against the database, the attacker can find additional information about it and potentially even the contents of the database itself.
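The true/false difference described above, and the fix that removes it, as an added example (not code from the original post). It uses Python's sqlite3 with a constructed items table; the function names and sample rows are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the article's `items` table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?, ?)",
                   [(1, "First", "d1", "b1"), (2, "Second", "d2", "b2")])
    return db

def page_vulnerable(db, item_id):
    """Builds the query by string concatenation, so the parameter becomes SQL syntax."""
    query = "SELECT title, description, body FROM items WHERE ID = " + item_id
    row = db.execute(query).fetchone()
    return row[0] if row else "Not found"

def page_hardened(db, item_id):
    """Rejects non-numeric IDs, then binds the value as data with a placeholder."""
    if not re.fullmatch(r"[0-9]{1,9}", item_id):
        return "Bad request"
    row = db.execute("SELECT title, description, body FROM items WHERE ID = ?",
                     (int(item_id),)).fetchone()
    return row[0] if row else "Not found"

def has_boolean_oracle(page, db):
    """True when the page answers a true condition and a false condition differently."""
    return page(db, "2 and 1=1") != page(db, "2 and 1=2")

if __name__ == "__main__":
    db = make_db()
    for page in (page_vulnerable, page_hardened):
        print(page.__name__, "| id=2 ->", page(db, "2"),
              "| id=2 and 1=2 ->", page(db, "2 and 1=2"),
              "| oracle:", has_boolean_oracle(page, db))
```

The concatenating handler answers the two probes differently, which is exactly the signal a blind test relies on; the hardened handler returns the same response to both, so there is nothing to infer.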

Time-based Blind SQLi

Time-based Blind SQLi queries the system to perform time-intensive operations. A typical time-intensive operation that can be used for a Time-based Blind SQLi is the sleep() operation. An attacker can send a query to the database to sleep for a certain period, and if the web application delays its response by that period, it is vulnerable.

EXAMPLE:

http://www.shop.local/item.php?id=34 and if(1=1, sleep(10), false)

The web application is vulnerable if the response is delayed by 10 seconds.

MySQL’s BENCHMARK() function, which evaluates an expression a given number of times, can be used for the same purpose as sleep(). Depending on the database server’s performance and load, a single evaluation takes just a moment. The important thing, from the attacker’s point of view, is to specify a high enough number of BENCHMARK() repetitions to affect the database response time noticeably.

Example combination of both queries:

1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

If the database response took a long time, we may expect that the first character of the password for the user with user_id = 1 is '2' (CHAR(50) is the character '2').

Tools used for Finding Blind SQL

  1. sqlmap
  2. The automation bash script below

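#!/bin/bash
# Usage: vuln.sh <file with URLs>

for i in $(cat "<your custom payload list>"); do
  # Keep only URLs that carry parameters and set every parameter value to the payload
  grep "=" "$1" | qsreplace "$i" >> sqli
  # Request each generated URL; -ft "<5000" filters out responses faster than 5000 ms
  ffuf -u FUZZ -w sqli -s -ft "<5000" | tee -a vulnSqli.txt
  rm sqli
done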

You can save the bash script above and run it as vuln.sh <your URLs>. URLs taken from gf would be a better option.

Consequences of Blind SQL Injections

Blind SQL Injections are often used to build the database schema and get all the data in the database. This is done using brute force techniques and requires many requests but may be automated by attackers using SQL Injection tools.


I hope you liked my reading

Thank you
