Boolean-based (content-based) Blind SQLi By ITSec Security Consulting Limited


Boolean-based (content-based) Blind SQL Injection (SQLi) is a type of SQL injection attack where an attacker sends SQL queries to the database that force the application to return different results based on whether the query returns a TRUE or FALSE result. This type of attack is called “blind” because the attacker does not directly see the results of the query but can infer information based on the application’s behavior.

Overview of Boolean-based Blind SQLi

In a Boolean-based Blind SQLi attack, the attacker exploits vulnerabilities in the application’s input validation to inject malicious SQL code. The goal is to extract information from the database by observing the application’s responses to different queries. The attacker typically uses conditional statements in the SQL query to determine whether a certain condition is TRUE or FALSE.

How Boolean-based Blind SQLi Works

  1. Identifying Vulnerable Input: The attacker identifies an input field in the application that is vulnerable to SQL injection. This could be a search box, login form, or any other input field that interacts with the database.
  2. Crafting Malicious Queries: The attacker crafts SQL queries that include conditional statements. These queries are designed to return different results based on whether the condition is TRUE or FALSE.
  3. Observing Application Behavior: The attacker submits the malicious queries and observes the application’s behavior. Based on the application’s response, the attacker can infer whether the condition in the query was TRUE or FALSE.

Example of Boolean-based Blind SQLi

Let’s consider a simple example of a vulnerable login form. The application uses the following SQL query to authenticate users:

```sql
SELECT * FROM users WHERE username = 'user' AND password = 'pass';
```

An attacker can exploit this query by injecting a conditional statement into the username field:

```sql
SELECT * FROM users WHERE username = 'user' AND 1=1 -- ' AND password = 'pass';
```

In this query:

  • 1=1 is always TRUE, so the query returns a row whenever the username exists in the database.
  • The -- comment sequence comments out the rest of the query, so the password check is never evaluated.

The attacker can then modify the query to test different conditions and infer information from the application’s response.
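The behaviour described above, as an added example that is not code from the original post: a Python function that builds the post's login query by string concatenation against a constructed in-memory SQLite table (one user, `user`/`pass`, both assumed). Calling it with the post's own inputs shows the password check being bypassed and, more importantly for a blind attack, that a TRUE condition and a FALSE condition in the same position produce different responses from the application.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('user', 'pass')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation, the pattern the post describes.

    Returns True when a row comes back (the 'logged in' response) and False
    otherwise. That True/False difference is the only signal a blind attack needs.
    """
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}';"
    )
    return conn.execute(query).fetchone() is not None


def demo():
    """Replays the post's inputs and returns (bypass, true_condition, false_condition)."""
    conn = make_db()
    # Post's example: the trailing comment discards the password check entirely.
    bypass = vulnerable_login(conn, "user' AND 1=1 -- ", "wrong-password")
    # A TRUE and a FALSE condition yield different responses: the boolean oracle.
    # Our constructed username 'user' has length 4, so '= 4' is TRUE and '= 5' FALSE.
    true_cond = vulnerable_login(conn, "user' AND LENGTH(username) = 4 -- ", "x")
    false_cond = vulnerable_login(conn, "user' AND LENGTH(username) = 5 -- ", "x")
    return bypass, true_cond, false_cond


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Note that nothing in the injected input is visible in the response; the attacker only sees whether the application behaved as it does for a successful login or for a failed one.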

Steps to Perform Boolean-based Blind SQLi

  1. Initial Test: The attacker submits a query with a simple condition to test if the input is vulnerable to SQL injection. For example:

     ```sql
     ' OR 1=1 --
     ```

     If the application returns a different response, it indicates that the input is vulnerable.
  2. Extracting Information: The attacker crafts queries to extract information from the database. For example, to determine the length of a username:

     ```sql
     ' AND LENGTH(username) = 5 --
     ```

     If the application returns a different response, it indicates that the length of the username is 5.
  3. Retrieving Data: The attacker continues to craft queries to retrieve specific data. For example, to determine the first character of the username:

     ```sql
     ' AND SUBSTRING(username, 1, 1) = 'a' --
     ```

     If the application returns a different response, it indicates that the first character of the username is ‘a’.
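The three steps above leave a characteristic trace in web server logs: a run of requests from one source whose parameter values differ only in a literal, and whose responses fall into two size classes (the TRUE and FALSE answers). The following is an added example, not part of the original post, of detection logic that parses combined-format access log lines, URL-decodes the query parameters, flags values carrying boolean-probe indicators (a quote followed by AND/OR, string functions such as LENGTH or SUBSTRING, a trailing comment) and summarizes flagged requests per source. The log lines, IP addresses and response sizes are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in combined format (not taken from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /login?username=alice&password=secret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /login?username=user%27+OR+1%3D1+--+&password=x HTTP/1.1" 200 830 "-" "curl/8.1"
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /login?username=user%27+AND+LENGTH%28username%29%3D4+--+&password=x HTTP/1.1" 200 830 "-" "curl/8.1"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /login?username=user%27+AND+LENGTH%28username%29%3D5+--+&password=x HTTP/1.1" 200 415 "-" "curl/8.1"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /login?username=user%27+AND+SUBSTRING%28username%2C1%2C1%29%3D%27a%27+--+&password=x HTTP/1.1" 200 415 "-" "curl/8.1"
10.0.0.7 - - [10/Mar/2024:12:00:06 +0000] "GET /search?q=blind+sql+injection+guide HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators of boolean-based probing, matched against the decoded parameter value.
PROBES = {
    "quote_then_boolean": re.compile(r"'\s*(and|or)\s+", re.IGNORECASE),
    "string_function": re.compile(r"\b(length|substring|substr|ascii)\s*\(", re.IGNORECASE),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
}


def parse_line(line):
    """Parses one combined-format line into a dict, or returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values and turns '+' into spaces, so the
    # patterns below see the payload as the database would.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_probes(log_text):
    """Returns one finding per parameter value that looks like a boolean probe."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            hits = [k for k, rx in PROBES.items() if rx.search(value)]
            # Alert on the quote+boolean indicator alone, or on two weaker ones
            # together, so ordinary text containing "--" is not flagged by itself.
            if "quote_then_boolean" in hits or len(hits) >= 2:
                findings.append({"ip": rec["ip"], "path": rec["path"], "param": name,
                                 "value": value, "size": rec["size"], "indicators": hits})
    return findings


def summarize_by_source(findings):
    """Counts probes per source and how many distinct response sizes they received.

    Probes whose responses split into exactly two size classes are the TRUE/FALSE
    oracle being read, which is worth surfacing separately from a single stray payload.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "sizes": set()})
    for f in findings:
        per_ip[f["ip"]]["probes"] += 1
        per_ip[f["ip"]]["sizes"].add(f["size"])
    return {ip: {"probes": d["probes"], "distinct_sizes": len(d["sizes"])}
            for ip, d in per_ip.items()}


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["param"], repr(f["value"]), f["indicators"])
    print(summarize_by_source(found))
```

The per-source summary is the part worth alerting on: one flagged request may be a scanner or a false positive, but several from the same address against the same parameter, with responses alternating between two sizes, is the pattern of the inference loop described in the steps above.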

Mitigation Techniques

To protect against Boolean-based Blind SQLi attacks, developers should implement the following mitigation techniques:

  1. Input Validation: Validate and sanitize all user inputs to ensure they do not contain malicious SQL code.
  2. Parameterized Queries: Use parameterized queries or prepared statements to prevent SQL injection. These techniques ensure that user inputs are treated as data, not executable code.
  3. Stored Procedures: Use stored procedures to encapsulate SQL queries and reduce the risk of SQL injection.
  4. Least Privilege Principle: Limit the database permissions of the application to only what is necessary. This reduces the potential impact of a successful SQL injection attack.
  5. Web Application Firewalls (WAF): Deploy a WAF to detect and block SQL injection attempts.
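Mitigations 1 and 2 applied to the post's login query, as an added example that is not code from the original post: the username is checked against an allowlist pattern first (the pattern is an assumed policy), and the query is then executed with bound parameters so that whatever reaches the database is compared as a literal value, never parsed as SQL. The in-memory table, the user `user`/`pass` and the plain-text password comparison mirror the post's example; a real application would store and compare password hashes.

```python
import re
import sqlite3

# Assumed allowlist policy for usernames: letters, digits, '_', '.', '-', 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Constructed sample table for the demonstration (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('user', 'pass')")
    conn.commit()
    return conn


def validate_username(username):
    """Input validation (mitigation 1): reject anything outside the allowlist."""
    return bool(USERNAME_RE.match(username))


def safe_login(conn, username, password, validate=True):
    """Parameterized version of the post's query (mitigation 2).

    Returns 'invalid' when the allowlist rejects the input, 'ok' for a matching
    row and 'denied' otherwise. `validate=False` skips the allowlist so the
    effect of parameter binding alone can be observed.
    """
    if validate and not validate_username(username):
        return "invalid"
    # The '?' placeholders are bound by the driver; the values are never
    # spliced into the SQL text, so quotes and '--' inside them are just characters.
    cur = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return "ok" if cur.fetchone() else "denied"


def oracle_present(conn, validate=True):
    """True only if the post's TRUE and FALSE payloads still produce different responses."""
    r_true = safe_login(conn, "user' AND 1=1 -- ", "x", validate)
    r_false = safe_login(conn, "user' AND 1=2 -- ", "x", validate)
    return r_true != r_false


if __name__ == "__main__":
    db = make_db()
    print(safe_login(db, "user", "pass"))                       # ok
    print(safe_login(db, "user' AND 1=1 -- ", "x"))             # invalid
    print(safe_login(db, "user' AND 1=1 -- ", "x", validate=False))  # denied
    print(oracle_present(db), oracle_present(db, validate=False))    # False False
```

With binding alone the injected text is looked up as a username that does not exist, so both payloads are simply denied; the allowlist adds a second, independent layer that rejects the input before a query is issued at all. Either way there is no longer a TRUE/FALSE difference for an attacker to read.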

Conclusion

Boolean-based Blind SQLi is a powerful attack technique that allows attackers to extract information from a database without directly seeing the query results. By carefully crafting conditional statements and observing the application’s behavior, attackers can infer sensitive information. Implementing robust input validation, parameterized queries, and other security measures can help protect applications from this type of attack.


Comments

  1. It is for blind sql injection of pentest (penetration test) or sraa (IT Security Risk Assessment and Audit)
     1. Yes, a nice guide for penetration tests and IT security assessment
  2. It is great and good for sraa and pentest
  3. It is good for sraa and pentest
