Blind SQL injection

IndominusByte
4 min read, Dec 27, 2019

What is blind SQL injection?

Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.

With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely on being able to see the results of the injected query within the application’s responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.

Techniques to exploit SQL injection

There are five common techniques for exploiting SQL injection flaws, and they are sometimes used in combination (e.g. the union operator together with out-of-band retrieval):

  • Union Operator: can be used when the SQL injection flaw happens in a SELECT statement, making it possible to combine two queries into a single result or result set.
  • Boolean: use Boolean condition(s) to verify whether certain conditions are true or false.
  • Error based: this technique forces the database to generate an error, giving the attacker or tester information upon which to refine their injection.
  • Out-of-band: the technique used to retrieve data using a different channel (e.g., make an HTTP connection to send the results to a web server).
  • Time delay: use database commands (e.g. sleep) to delay the answer to a conditional query. It is useful when an attacker gets no answer of any kind (result, output, or error) from the application.

Exploiting blind SQL injection by triggering conditional responses

The web page shown above returns content fetched from the database, and the query behind it is vulnerable to SQL injection, but the results of the query are not returned to the user directly. However, the application does behave differently depending on whether the query returns any data: if it does (because a recognized id was requested), the blog post is displayed.

This behavior is enough to exploit the blind SQL injection vulnerability and retrieve information, by triggering different responses conditionally, depending on an injected condition. To see how this works, suppose two requests are sent with different injected conditions:

?id=1 and 1=1
?id=1 and 1=2

The first request looks normal, because the condition is true and the data is displayed. The second request returns no data, because the condition is false.

Now let's use the injection to learn the name of the current database, using SUBSTRING to extract individual characters from a string:

SUBSTRING(string, start, length)

Note: the function name and syntax differ between database products.

?id=1 and Ascii(substring(database(),1,1)) > 97
?id=1 and Ascii(substring(database(),1,1)) > 98

  • The first injection checks whether the ASCII code of the first letter of the database name is greater than 97 (97 is ‘a’ in ASCII). If the page displays normally, the condition is true.
  • The second injection returns no data, so the ASCII code is not greater than 98. Greater than 97 but not greater than 98 leaves 98, which means the first letter of the database name is ‘b’.

And we can continue this process to systematically determine the full name of the database.

Exploiting blind SQL injection by triggering time delay

Suppose that, unlike the example above, the application's response does not differ at all when the injected query is executed. Then the preceding technique of triggering conditional responses will not work.

In this situation, it is often possible to exploit the blind SQL injection vulnerability by triggering time delays conditionally, depending on an injected condition. Because SQL queries are generally processed synchronously by the application, delaying the execution of an SQL query will also delay the HTTP response. This allows us to infer the truth of the injected condition based on the time taken before the HTTP response is received.

The techniques for triggering a time delay are highly specific to the type of database being used. On a MariaDB server, input like the following can be used to test a condition and trigger a delay depending on whether the expression is true:

IF(condition, value_if_true, value_if_false)

Now we can combine IF with the previous SUBSTRING query to extract the name of the database:

?id=1 and IF(Ascii(substring(database(),1,1)) > 97,sleep(2),0)
?id=1 and IF(Ascii(substring(database(),1,1)) > 98,sleep(2),0)

  • For the first query, if the first letter of database() is greater than ‘a’ in ASCII, the response is delayed by 2 seconds because the condition is true.
  • For the second query, the web application responds instantly, because the IF returns 0 when its condition is false.
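Both techniques above depend on the raw ?id= value being pasted into the SQL text. As an added example that is not part of the original post, the following Python (sqlite3, with an assumed posts schema and constructed log lines) shows the vulnerable lookup beside a parameterized one that removes the conditional-response channel, plus a simple log check for the non-integer id values that both the conditional-response and time-delay requests leave behind.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-in for the blog's posts table (assumed schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO posts VALUES (?, ?)",
                  [(1, "First post"), (2, "Second post")])


def lookup_post_vulnerable(id_param: str):
    """Builds the SQL by string formatting: the raw ?id= value becomes part
    of the WHERE clause, so an appended 'and 1=2' flips the result."""
    sql = f"SELECT title FROM posts WHERE id = {id_param}"
    row = _conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_post_safe(id_param: str):
    """Validates that ?id= is a bare integer and binds it as a parameter, so
    the value can no longer change the query's structure or truth value."""
    if not re.fullmatch(r"[0-9]+", id_param):
        return None  # same response as 'not found': no inference channel
    row = _conn.execute("SELECT title FROM posts WHERE id = ?",
                        (int(id_param),)).fetchone()
    return row[0] if row else None


# Constructed access-log lines (not real traffic) shaped like the article's
# requests: "METHOD path status seconds".
SAMPLE_LOG = [
    "GET /post?id=1 200 0.01",
    "GET /post?id=1%20and%201%3D2 200 0.01",
    "GET /post?id=1%20and%20IF(Ascii(substring(database(),1,1))%3E97,sleep(2),0) 200 2.03",
]


def suspicious_id_requests(log_lines):
    """Returns the log lines whose decoded id= value is not a plain integer,
    which is the footprint both inference techniques leave in access logs."""
    hits = []
    for line in log_lines:
        path = line.split()[1]
        for value in parse_qs(urlparse(path).query).get("id", []):
            if not value.isdigit():
                hits.append(line)
                break
    return hits
```

The parameterized lookup answers every malformed id the same way it answers an unknown id, so neither a conditional response nor a conditional delay can be induced through it.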
