How to Blind SQL Injection?
What is Blind SQL Injection?
The word “Blind” here refers to “No error message when suffered by an injection attack”. Thus, it is more difficult to exploit. It returns information, when the application is exploited with SQL payloads that return a ‘true or false’ response from the server. By observing the response, an attacker can extract sensitive information.
There are two types of blind SQL injection:
- Boolean – based Blind SQL injection.
- Time – based Blind SQL injection.
Time – based Blind SQL injection
Time based SQL injection works on time based query/payload and returns the result after some stipulated time.
Using this method, an attacker enumerates the underlying DB. In the case of Time-based Blind SQLi, the attacker injects an SQL command in different parameters that causes a delay (for example, Sleep(10)) and observes whether the response is displayed after the delay of 10 seconds.
Practical Approach
- Traverse to site https://portswigger.net to access the lab.
- Capture the request in any intercepting proxy like burp suite.
In the image below we gave the extra quote (‘) to break the SQL query for the product id field to trigger the error & to enumerate the underlying DB but as the response didn’t throwed any error we will have to test for blind SQLi.
Here we gave the PostgreSQL database query to delay the site for 20 seconds and it worked. We got 20 seconds delay, we can see right corner in the below image.
Impact Of Time-Based Blind SQL Injection Time–based Blind SQL injection will affect the confidentiality, integrity of data along with authentication and authorization aspects of the application. Also attackers can compromise a vulnerable application and steal sensitive information stored in databases such as user credentials, payment details or credit card details. How To Prevent?
- Ensure Secure Coding Practices.
- Use Parameterized Queries wherever possible.
- Using Stored procedures
- Enforcing the least privilege principle to limit the data leak.
Want to know how to find SQLi in other programming languages? click here