Blind SQL Injection

In the previous article we looked at how we can use SQL injection to bypass a login page.

While this is really useful (in the case of logins), we are only getting a true or false response from the server. Is there anything else we can do with the query?

Blind SQL

Blind SQL injection attacks are those where the server is vulnerable to SQLi, but the responses don't directly contain the results of the SQL query.

This means that the enumeration techniques we will discuss later are not effective, as we are unable to see the query results within the page response.

However, even with only true or false responses we can still build up a picture of what is going on in the database. By comparing the page's response to our input, we can start to infer the structure and contents of the database.

Note

In these examples, the response is pretty clear. We either get a "Successful" login, or a "Failed" login.

Sometimes you won't get it this easy. However, we can still use blind SQL injection and techniques like timing attacks (comparing the page's response time for successful and failed queries) to infer the information.

Blind SQL Demonstration

Let's go back to our login page.

We know that this string allows us to log in as the "Sam" user.

SELECT * FROM user WHERE username = "foo" OR 1 = 1;# 
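As an added example (not code from the original article), the Python below simulates how the login page builds its query, using an in-memory SQLite table with constructed sample users. The `#` comment and double-quoted string in the query above are MySQL syntax; SQLite uses single quotes for strings and `--` for comments, so the injected input is adapted to that dialect. The concatenating version returns a different result for a tautology (`1 = 1`) than for a contradiction (`1 = 2`), which is exactly the true/false oracle the article describes. The parameterized version treats the whole input as a username and answers "failed" in both cases, so there is nothing to infer. The `leaks_boolean_oracle` helper is a hypothetical regression check a developer could keep in a test suite.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny "user" table.
SAMPLE_USERS = [("Sam", "s3cret"), ("Alice", "hunter2")]

# Injected inputs adapted to SQLite syntax (single quotes, "--" comments).
TAUTOLOGY = "foo' OR 1 = 1 --"      # always true  -> first row ("Sam")
CONTRADICTION = "foo' OR 1 = 2 --"  # always false -> no row


def make_db():
    """Create an in-memory database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username):
    """Deliberately vulnerable: the query is built by string concatenation,
    as on the login page in this series. Returns the matched username or
    None. The caller only learns success/failure, i.e. a boolean oracle."""
    query = f"SELECT username FROM user WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username):
    """Hardened: a bound parameter keeps the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM user WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def leaks_boolean_oracle(conn, login_fn):
    """Hypothetical regression check: a login routine leaks a true/false
    oracle if a tautology and a contradiction produce different answers."""
    return login_fn(conn, TAUTOLOGY) != login_fn(conn, CONTRADICTION)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(f"{name:10s} tautology={fn(db, TAUTOLOGY)!r} "
              f"contradiction={fn(db, CONTRADICTION)!r} "
              f"oracle={leaks_boolean_oracle(db, fn)}")
```

Run it as a script to see the two behaviours side by side: the vulnerable routine logs in "Sam" for the tautology and fails for the contradiction, while the parameterized one fails for both, which is why parameterized queries remove the blind-injection channel rather than merely hiding the error text.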