Blind SQL Injection - Detection And Exploitation


In our previous post "SQL Injection Basics - Union Based", I explained the basic technique not only to find detect sql injection vulnerabilities also how to exploit SQL Injection vulnerabilities with Union based method. However, In this post a security researcher and a good friend of mine ahmad ashraff decided to contribute to RHA and present his research on some blind sqli techniques, So enough from me, Over to Ahmed.


In this post I'm going to share with all on how to detect if the website is vulnerable to Blind SQLi or there is no SQLi at all.

Before, do note that I'm not an expert in this security/hacking scene. This sharing based on my own understanding from articles/discussions among of these great people such as .mario,stampar,R4x0r,Nurfed,benzi and more!!

In Blind SQLi, we need to understand correctly on how the server/website response based on TRUE or FALSE condition.AFAIK, there are 2 ways to detect it.
  1. Quotes
It can be either single quote (') , double quotes (")  or backtick ( ` )
Look at the example below.


A normal page condition ( TRUE condition )

The page become blank (FALSE condition) once we put a single quote

The page back to normal condition (TRUE) once we put another single quote.
We can use these method as well to check the TRUE/FALSE condition under this way of detection.


    2. Numeric Operators
 Make sure you know how to calculate a simple math! 
The example below shows that pic_id is vulnerable to SQLi

Normal page loaded. Because the condition is true. 1=1 is TRUE

The admin word is missing. This shows a FALSE condition since 1=2 is FALSE.
Another way is by using simple calculation. The current page loaded fine on pic_id=13.

The page loaded fine but it shows another page. This is because we added 1 in the pic_id where it'll become 13+1=14 so the page will loaded the pic_id=14

Here are some other method under this technique.

Next, we want to inject it! But how?

i. Common technique
id=1 and 1=1
id=1 and (put our sql query here)=(put our expectation here)
as  example we want to query the current version,
id=1 and substring(@@version,1,1)=4
so, if the current MySQL version used by the website started with 4 the page will load normally (TRUE condition) else the page will be error/blank (FALSE condition)

Example as below
Testing if the MySQL used is version 4.*. Page error,shows that the website is not using that version.

Testing if the MySQL used is version 5.*. Page loaded fine,shows the current version used is 5.*

ii. Using a Case statement
id=1 and 1
id=1 and (CASE when (our sql query here) THEN 1 else 0 END)
If the query is TRUE,it'll resulting 1 where 1 is TRUE condition. Else, it'll resulting 0 where 0 is FALSE condition.

1=2 is wrong,so it'll resulting 0,FALSE.
1=1 is correct,so it'll resulting 1,TRUE.

iii. Time Based

I will explain the time based technique in his my upcoming guest post on RHA
and there are more techniques in SQLi out there. This just a basic way to detect Blind SQLi based on my knowledge and experience. Do have some read and research on them as well. You might find a new way on exploiting, who knows right? :D

That's all guys!

About The Author

Yappare is a web application security Professional, He has been listed in lots of hall of fames and has found lots of high risk vulnerabilities inside lots of CMS platforms. You can follow him on @yappare