Sunday, June 24, 2012


CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons and blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from it. If you do so you are solely responsible for your actions; you have been warned.


Continuing the SQLI-LABS series: we have already discussed error based injections, union type injections and double query injections. In today's post we discuss blind injections. Blind injections get their name because the application gives you no help: all errors are suppressed from the end user.
The whole injection is therefore based on guesswork, since the tester sees no error responses against which to tune his injections.
Blind Injections can be classified mainly into two categories:

  • Boolean based Blind injections
  • Time based Blind injections

Boolean Based
As per Wikipedia: "In computer science, the Boolean or logical data type is a data type, having two values (usually denoted true and false), intended to represent the truth values of logic and Boolean algebra. It is named after George Boole, who first defined an algebraic system of logic in the mid 19th century".
In certain web applications the database does not write any fields to the web page, or union injections do not work for some reason, and the MySQL errors are not displayed on the page either; technically there is then no direct channel through which the database writes to the web page. In this case the only option left is blind injection. With blind injections we cannot dump strings or names directly but have to deduce them character by character.
With error based injections we ask the database questions such as: dump us the database name, the version, the table names, and so on. With blind injections we rephrase the questions so that they have a yes/no answer, for example: is the first letter of the database name this character? The answer comes back as either true or false. Check the video at the end of the post for a more detailed explanation.

Less-8, line number 29 (the id parameter is concatenated straight into the query string):
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Basic injection example (the payload goes into the id parameter; the two inputs differ only in the truth value of the appended condition):
1' AND '1'='1 -- returns true

1' AND '1'='0  -- returns false

Therefore, by evaluating the strings character by character, one true/false question per character, we can dump the complete database.
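As an added example that is not part of the original post, here is a small Python stand-in for the Less-8 query using an in-memory SQLite table with constructed sample rows (sqli-labs itself is PHP/MySQL). It shows why the two inputs above act as a true/false oracle when the id is pasted into the SQL string, and that the oracle disappears once the id is passed as a bound parameter; the names make_db, lookup_vulnerable, lookup_safe and boolean_oracle_present are mine, not the lab's.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's users table (sample data, not the lab's own)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "pw-one"), (2, "bob", "pw-two")])
    return con


def lookup_vulnerable(con, user_id):
    """Mirrors Less-8 line 29: the id is concatenated straight into the SQL text."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Errors are swallowed, as in a blind setup: the caller only ever sees true/false.
        return False


def lookup_safe(con, user_id):
    """Hardened form: the id travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (user_id,)).fetchone() is not None


def boolean_oracle_present(lookup):
    """Differential check: do the page's true and false inputs give different answers?

    True means the endpoint leaks one bit per request (a boolean blind oracle);
    False means both inputs are treated as an ordinary, non-matching id value.
    """
    con = make_db()
    truthy = lookup(con, "1' AND '1'='1")
    falsy = lookup(con, "1' AND '1'='0")
    return truthy != falsy


if __name__ == "__main__":
    print("vulnerable lookup leaks a boolean oracle:", boolean_oracle_present(lookup_vulnerable))
    print("parameterised lookup leaks a boolean oracle:", boolean_oracle_present(lookup_safe))
```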
