Why Blind SQL Injection

Why blind sql injection?



Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker.

The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page.

This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. [Wikipedia]

How can blind SQL injection be used?

There are several uses for blind SQL injection:


Testing the vulnerability;

Finding the table name;

Exporting a value;




Every technique is based on a guessing attack, because we only ever get two different answers from the page: TRUE or FALSE. Let me explain better...

Testing vulnerability (MySQL - MSSQL):


Let's start with an easy example. We have this type of URL:

site.com/news.php?id=2

it will result in this type of query on the database:

SELECT * FROM news WHERE ID = 2

Now we can try some SQL injection techniques, for example blind SQL injection!

site.com/news.php?id=2 and 1=0

SQL query is now:

SELECT * FROM news WHERE ID = 2 and 1=0

In this case the query will not return anything (FALSE) because 1 is different from 0. Let's do the litmus test: try to get the TRUE result by forcing the AND condition to be TRUE:

site.com/news.php?id=2 and 0=0

In this case 0 is equal to 0... Got it! We should now see the original news page. We now know that the page is vulnerable to blind SQL injection.
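The litmus test above, worked through in code from the defender's side. This is an added example, not code from the original post: it uses an in-memory SQLite table as a stand-in for the MySQL "news" table, a constructed set of rows and access-log lines, and hypothetical function names (vulnerable_lookup, hardened_lookup, boolean_probe, flag_probe_lines). It shows why pasting id into the query text makes the TRUE/FALSE trick work, why a validated bound parameter defeats it, and how the same two probe requests look in a web server log.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for the site's "news" table.
SAMPLE_NEWS = [
    (1, "First post"),
    (2, "Second post"),
    (3, "Third post"),
]

# Constructed access-log lines; requests 2 and 3 are the post's two probes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /news.php?id=2%20and%201=0 HTTP/1.1" 200 412
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /news.php?id=2%20and%200=0 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Oct/2023:10:00:04 +0000] "GET /news.php?id=3 HTTP/1.1" 200 4980
"""


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Mirrors news.php as the post describes it: the id parameter is pasted
    straight into the SQL text, so 'and 1=0' becomes part of the WHERE clause."""
    query = "SELECT id, title FROM news WHERE id = " + raw_id
    return conn.execute(query).fetchall()


def hardened_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: id must be a plain integer and is passed as a bound
    parameter, so the database never interprets the input as SQL."""
    if not raw_id.isdigit():
        return []
    query = "SELECT id, title FROM news WHERE id = ?"
    return conn.execute(query, (int(raw_id),)).fetchall()


def boolean_probe(lookup, conn: sqlite3.Connection, base_id: str) -> bool:
    """The post's litmus test: the endpoint is injectable if appending a FALSE
    condition empties the result and appending a TRUE condition restores it."""
    baseline = lookup(conn, base_id)
    false_case = lookup(conn, base_id + " and 1=0")
    true_case = lookup(conn, base_id + " and 0=0")
    return bool(baseline) and not false_case and true_case == baseline


# Matches the "and <number>=<number>" shape of the probes after URL decoding.
PROBE_RE = re.compile(r"\band\s+\d+\s*=\s*\d+\b", re.IGNORECASE)


def flag_probe_lines(log_text: str) -> list:
    """Return the source IP of every request whose decoded path carries a
    boolean probe, so the two-request pattern can be spotted in the log."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) ', line)
        if m and PROBE_RE.search(unquote(m.group(1))):
            hits.append(line.split()[0])
    return hits


if __name__ == "__main__":
    print("concatenated query injectable:", boolean_probe(vulnerable_lookup, make_db(), "2"))
    print("bound parameter injectable:   ", boolean_probe(hardened_lookup, make_db(), "2"))
    print("probe sources in log:", flag_probe_lines(SAMPLE_LOG))
```

The hardened lookup rejects anything that is not a bare integer before the query is built, so both probe values fall through to the same empty result and the page no longer "displays differently"; in the log the same client issuing a FALSE probe followed immediately by a TRUE probe, with a large swing in response size, is the pattern worth alerting on.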




Blog, Updated at: 17:54
