π Table of Contents
- π What is SQL Injection?
- πΆοΈ What is Blind SQL Injection?
- π€ Why is it Called "Blind"?
- π£ Exploitation Technique: Conditional Responses
- π‘οΈ How to Prevent Blind SQL Injection
- π Additional Resources
π What is SQL Injection?
SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can lead to unauthorized access to data, deletion of data, or even full compromise of the database server.
πΆοΈ What is Blind SQL Injection?
Blind SQL Injection is a type of SQL Injection where the attacker does not see the results of their injected queries directly in the application's response. Unlike regular SQL injection, there's no visible output or error message β hence the term "blind."
However, attackers can still infer information based on how the application behaves β for example, differences in response times or content.
π€― Why is it Called "Blind"?
In traditional SQL injection, you see the output of your injected query directly. But in blind SQL injection:
- β No error messages are shown.
- β Query results are not returned to the user.
- β The application may behave differently depending on whether a condition is true or false.
So, like being blindfolded, you're guessing what's happening behind the scenes β but clever techniques let you "see" through logic or timing responses.
π£ Exploitation Technique: Conditional Responses
Attackers exploit blind SQL injection by triggering different behaviors in the application based on true/false conditions in SQL queries.
πͺ Example Scenario
An application uses a tracking cookie:
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
The backend runs a SQL query like:
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'
If the ID exists, the app responds with:
π Welcome back
This behavior allows us to inject conditions and observe if the welcome message appears.
βοΈ How It Works Step-by-Step
Letβs test if a condition is true using injected logic:
- Inject a condition that evaluates to true:
xyz' AND '1'='1
β€ If the message "Welcome back" appears β condition is true
- Inject a condition that evaluates to false:
xyz' AND '1'='2
β€ If the message doesnβt appear β condition is false
By observing these responses, we can ask yes/no questions to extract sensitive data one bit at a time.
π Practical Example: Extracting a Password Character by Character
Assume thereβs a table Users with columns Username and Password. We want to find the password for the user 'Administrator'.
We use the SQL function SUBSTRING() to extract characters one at a time:
Step 1: Test first character > 'm'
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
β π’ "Welcome back" appears β First character > m
Step 2: Test first character > 't'
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 't
β π΄ "Welcome back" does not appear β First character β€ t
Step 3: Narrow down to exact letter
Eventually, this confirms the first character is 's':
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's
β π’ "Welcome back" appears β Character confirmed as s
π Repeat this process to extract each character of the password.
π Note: Some databases use
SUBSTR()instead ofSUBSTRING(). Always check the SQL dialect.
π Additional Resources
π Stay secure, and remember: never test vulnerabilities on systems without explicit permission!
Top comments (0)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.