Exploring blind SQL injection

Tutorial 2 of 5

1. Introduction

In this tutorial, we'll explore the concept of blind SQL injection, a type of web application vulnerability that can allow an attacker to manipulate SQL queries and gain unauthorized access to a database.

You will learn:

  • The basics of blind SQL injection.
  • How to detect and exploit blind SQL injection vulnerabilities.
  • Measures to prevent blind SQL injection attacks.

Prerequisites: Basic understanding of SQL and web development concepts.

2. Step-by-Step Guide

Blind SQL injection is a type of SQL injection attack in which the attacker asks the database true-or-false questions and infers the answer from the application's response. It is called "blind" because the query results are never shown in the page: the attacker observes only whether the response changed (its content or its timing), not the database output itself.

A. True and False Statements
Start by sending a condition that is always true (e.g., 1=1) and one that is always false (e.g., 1=2) through the same parameter. If the two responses differ, the parameter's value is likely being placed into a SQL query, and the site may be vulnerable to blind SQL injection.

B. Data Extraction
Once you have identified a likely injection point, you can extract data by asking a series of true/false questions through the SQL query: each question compares part of a stored value against a guess, and the response reveals whether the guess was correct.

C. Time Delays
You can also inject queries that cause a deliberate delay and use the response time as the signal: if the page takes noticeably longer to return, the condition was true. This works even when the true and false statements produce identical page content.

D. Countermeasures
Preventing blind SQL injection relies on three measures: validating input against the type and range the parameter is expected to hold, using parameterized queries (prepared statements) so that user input is bound as data rather than concatenated into the SQL text, and running the application under a database account limited to the permissions it actually needs, so that a successful injection exposes as little as possible.
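As an added illustration (not code from this tutorial), the following Python shows the string concatenation that page.php?id=... is assumed to perform, beside the parameterized and validated versions, and runs the true/false test from step A against each. The sqlite3 table and its rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's page.php?id=... lookup.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "welcome"), (2, "staff only"), (3, "archive")])
    return conn

def lookup_vulnerable(conn, page_id):
    # The 'before': the id parameter is spliced into the SQL text, so the
    # 'or 1=1' / 'or 1=2' suffixes from step A become part of the WHERE clause.
    sql = "SELECT id, title FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, page_id):
    # Countermeasure: bind the value as a parameter. The driver passes it as
    # data, so the whole string is compared against id and never parsed as SQL.
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (page_id,)).fetchall()

def lookup_validated(conn, page_id):
    # Countermeasure: validate the input's type first, then bind it.
    if not page_id.isdigit():
        raise ValueError("id must be a positive integer")
    return lookup_parameterized(conn, int(page_id))

def boolean_oracle_exists(lookup, conn):
    # Step A's test, run from the defender's side: does the lookup answer
    # differently to an always-true and an always-false suffix?
    true_resp = lookup(conn, "1 or 1=1")
    false_resp = lookup(conn, "1 or 1=2")
    return true_resp != false_resp

if __name__ == "__main__":
    db = build_db()
    print("vulnerable oracle:", boolean_oracle_exists(lookup_vulnerable, db))      # → True
    print("parameterized oracle:", boolean_oracle_exists(lookup_parameterized, db))  # → False
```

With the parameterized query both suffixes return the same (empty) result, so there is no true/false signal to exploit; the validated version rejects them before any query runs.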

3. Code Examples

Please note that these examples are for educational purposes only, and should not be used for malicious activities.

Example 1: Detecting Vulnerability

URL = 'http://site.com/page.php?id=1'
True statement = 'http://site.com/page.php?id=1 or 1=1'
False statement = 'http://site.com/page.php?id=1 or 1=2'

If the page loads correctly for the true statement and gives an error or different output with the false statement, it's a sign of vulnerability.

Example 2: Data Extraction

URL = 'http://site.com/page.php?id=1'
Length of database name = 'http://site.com/page.php?id=1 and length(database())>1'

You can increment the number until the response changes to find the exact length of the database name.

Example 3: Time Delays

URL = 'http://site.com/page.php?id=1'
Time delay = 'http://site.com/page.php?id=1 AND sleep(10)=0'

If the page takes 10 seconds longer to load, the statement is true.

4. Summary

In this tutorial, we've covered the basics of blind SQL injection, how to detect and exploit vulnerabilities, and some countermeasures.

Next, learn more about other types of SQL injection, like time-based and out-of-band injections. Additional resources include:

5. Practice Exercises

Exercise 1: Try to detect if the following URL is vulnerable to blind SQL injection: http://site.com/login.php?username=admin

Exercise 2: Extract the length of the database name from a vulnerable site.

Exercise 3: Cause a delay of 5 seconds on a vulnerable site.

Solutions:

  1. Compare the responses from http://site.com/login.php?username=admin or 1=1 and http://site.com/login.php?username=admin or 1=2
  2. Use http://site.com/login.php?username=admin and length(database())>1, incrementing the number until the response changes.
  3. Use http://site.com/login.php?username=admin AND sleep(5)=0 and observe if the page takes 5 seconds longer to load.