What Are Blind SQL Injections?

SQL Injection vulnerabilities are among the most common and oldest web application security issues. The OWASP Top 10 list still features this type of attack at the number one spot as the biggest web application security risk.

The most common way to check for SQL injection is to add a single quote ('). If the field or parameter that receives the single quote is passed directly into an SQL statement, the database returns an error. If the database server is configured to report SQL errors, the web application displays that error, and this is how an attacker discovers an SQL injection vulnerability. Once the vulnerability is confirmed, the attacker tries different requests (for example UNION SELECT statements) and reads the database's error responses to learn whether it is MySQL, PostgreSQL, Oracle or MSSQL, which version and build is running, what the database schema looks like, and finally to retrieve data from any table in the database. Web server administrators quickly realized that showing errors to the general public is not a wise thing to do, so they started suppressing detailed error messages. This is a flawed solution because it does not address the underlying problem: the SQL interpreter still parses user input as part of an SQL query.

Content-based Blind SQL Injection

In this method the attacker crafts SQL queries that ask the database TRUE or FALSE questions, then compares how the application responds to the TRUE and FALSE statements.

Example:

The following link will display details about item 35, which are retrieved from a database.

http://www.example.com/item.php?id=35

The SQL statement used for this request is:

SELECT column_name, column_name_2 FROM table_name WHERE id = 35

The attacker may manipulate the request to:

http://www.example.com/item.php?id=35 and 1=2

The SQL statement changes to:

SELECT column_name, column_name_2 FROM table_name WHERE ID = 35 and 1=2

Or, with the concrete column and table names of the shop example:

SELECT name, description, price FROM Store_table WHERE ID = 35 and 1=2

This causes the WHERE clause to evaluate to FALSE, so the query returns nothing and no item is displayed. The attacker then changes the request to:

http://www.shop.local/item.php?id=35 and 1=1

SQL statement changes to:

SELECT column_name, column_name_2 FROM table_name WHERE ID = 35 and 1=1

Or, with the concrete column and table names of the shop example:

SELECT name, description, price FROM Store_table WHERE ID = 35 and 1=1

Because the condition is now TRUE, the details of item ID 35 are shown again. The difference between the two responses is a clear indication that the page is vulnerable.
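The root cause described earlier (the interpreter still parses user input as SQL even when error messages are suppressed) and the TRUE/FALSE oracle of the content-based example can both be reproduced in a few lines. The following is an added example, not code from the original post: it builds an in-memory SQLite table standing in for the page's Store_table (the rows are constructed), implements the item lookup twice, once by string concatenation as the article describes and once with input validation plus a bound parameter, and then checks whether the two probes from the example (id=35 and 1=1 versus id=35 and 1=2) produce different responses. The function names and the oracle check are this example's own.

```python
import sqlite3

# Constructed stand-in for the page's Store_table with the columns the
# example queries (name, description, price); sample rows are made up.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE Store_table (ID INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL)"
)
conn.executemany(
    "INSERT INTO Store_table VALUES (?, ?, ?, ?)",
    [(35, "Widget", "A sample item", 9.99), (36, "Gadget", "Another sample item", 19.99)],
)


def vulnerable_lookup(item_id: str):
    """The pattern the article describes: whatever arrives in ?id= is pasted
    into the SQL text, so the database parses the input as part of the query.
    Suppressing error messages does not change this."""
    sql = "SELECT name, description, price FROM Store_table WHERE ID = " + item_id
    return conn.execute(sql).fetchall()


def hardened_lookup(item_id: str):
    """Validates the type first and then binds the value as a parameter, so the
    input can never be interpreted as SQL syntax (hypothetical hardened version)."""
    try:
        numeric_id = int(item_id)
    except ValueError:
        raise ValueError(f"invalid item id: {item_id!r}") from None
    sql = "SELECT name, description, price FROM Store_table WHERE ID = ?"
    return conn.execute(sql, (numeric_id,)).fetchall()


def oracle_visible(lookup) -> bool:
    """True when the TRUE and FALSE probes from the article yield different
    responses, i.e. when the endpoint leaks a content-based oracle.
    A rejected request counts as one kind of response."""

    def response(value):
        try:
            return lookup(value)
        except ValueError:
            return "rejected"

    return response("35 and 1=1") != response("35 and 1=2")


if __name__ == "__main__":
    print("concatenated query, 1=1:", vulnerable_lookup("35 and 1=1"))
    print("concatenated query, 1=2:", vulnerable_lookup("35 and 1=2"))
    print("oracle visible (vulnerable):", oracle_visible(vulnerable_lookup))
    print("oracle visible (hardened): ", oracle_visible(hardened_lookup))
```

The hardened version rejects both probes with the same response, so there is no TRUE/FALSE difference left to observe. Note that the type check alone is not the fix: a string column would accept any text, so the parameter binding is what guarantees the value is treated as data rather than as SQL, and the validation is defence in depth.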

Time-based Blind SQL Injection

In a time-based attack, the attacker makes the database perform a time-intensive operation. If the web site does not return a response immediately, the web application is vulnerable to Blind SQL Injection. A popular time-intensive operation is the sleep function.

Based on the previous example, the attacker would first benchmark the web server response time for a regular query. They would then issue the following request:

http://www.example.com/item.php?id=35 and if(1=1, sleep(10), false)
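From the defender's side, both probing styles on this page leave traces in ordinary web server logs: the content-based probes as "and N=N" fragments in the query string and the time-based probe as a sleep() call combined with a response time far above the usual for that page. The following added example (not part of the original post) parses a few constructed access log lines, decodes the query string, and flags requests matching the two patterns shown in the article as well as requests whose duration is an outlier against the median for the same path. The log format is assumed to be the Apache common log format with the request duration in microseconds (mod_log_config %D) appended as the last field; the function names are this example's own.

```python
import re
import statistics
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (common log format + request duration in
# microseconds); the addresses, timestamps and requests are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=35 HTTP/1.1" 200 2326 120000
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=35%20and%201%3D2 HTTP/1.1" 200 512 130000
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=35%20and%201%3D1 HTTP/1.1" 200 2326 125000
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /item.php?id=35%20and%20if(1%3D1,%20sleep(10),%20false) HTTP/1.1" 200 2326 10140000
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /item.php?id=36 HTTP/1.1" 200 2201 118000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<bytes>\S+) (?P<micros>\d+)$"
)
# The two probe shapes used in the article: "and 1=1" / "and 1=2" and sleep(...).
BOOLEAN_PROBE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)
TIME_PROBE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)


def parse_line(line: str):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["micros"] = int(entry["micros"])
    return entry


def decoded_params(target: str):
    """Query parameters of a request target, URL-decoded, so that
    '35%20and%201%3D1' is inspected as '35 and 1=1'."""
    return parse_qs(urlparse(target).query, keep_blank_values=True)


def analyze(log_text: str, slow_factor: float = 5.0):
    """Return one finding per suspicious request: probe patterns in any
    parameter, and/or a duration more than slow_factor times the median
    duration observed for the same path."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    durations = {}
    for e in entries:
        durations.setdefault(urlparse(e["target"]).path, []).append(e["micros"])
    baseline = {path: statistics.median(v) for path, v in durations.items()}

    findings = []
    for e in entries:
        reasons = []
        for name, values in decoded_params(e["target"]).items():
            for value in values:
                if BOOLEAN_PROBE.search(value):
                    reasons.append(f"boolean probe in {name}")
                if TIME_PROBE.search(value):
                    reasons.append(f"time probe in {name}")
        path = urlparse(e["target"]).path
        if e["micros"] > slow_factor * baseline[path]:
            reasons.append(
                f"response {e['micros'] / 1e6:.1f}s vs median {baseline[path] / 1e6:.3f}s"
            )
        if reasons:
            findings.append(
                {"ip": e["ip"], "ts": e["ts"], "target": e["target"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["ip"], finding["target"], "->", "; ".join(finding["reasons"]))
```

Pattern matching on the query string is easy to evade with different encodings or comment tricks, which is why the duration outlier check is worth keeping alongside it: a sleep-based probe has to make the response slow to be useful, and that shows up regardless of how the request was written. Neither check is a substitute for the fix the article points at, namely keeping user input out of the SQL text with parameterized queries.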

Copyright @SecurWires