Thilan Dissanayaka Application Security Apr 26

Boolean based Blind SQL Injection

Blind SQL Injection happens when:

There is a SQL injection vulnerability,

BUT the application does not show any SQL errors or query outputs directly.

In this case, an attacker has to ask questions to the database and observe how the server behaves to extract information bit by bit.

There are two main types:

Boolean-based blind SQLi (based on true/false responses)

Time-based blind SQLi (based on delay in server response)

Real-World Example Setup Imagine a product page with a URL like:

bash Copy Edit http://victim.com/product.php?id=5 and the vulnerable backend PHP code:

php Copy Edit <?php $id = $_GET['id']; $query = "SELECT * FROM products WHERE id = '$id'"; $result = mysqli_query($conn, $query); if (mysqli_num_rows($result) > 0) { // Display the product details $row = mysqli_fetch_assoc($result); echo "Product Name: " . $row['name']; } else { echo "No product found."; } ?> Problems:

No sanitization

User input directly used in SQL query

BUT importantly:

The page only says "Product found" or "No product found"

It does NOT show any SQL error messages or database outputs!

Boolean-Based Blind SQL Injection Basic Attack Idea: Inject a condition that changes the page behavior depending on TRUE or FALSE.

Example payload:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=1 -- 1=1 is TRUE.

So the product page loads normally.

Payload to test FALSE:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=2 -- 1=2 is FALSE.

The page now says "No product found".

Extracting Data Step by Step We can guess characters one by one.

Example: Try to extract the first letter of the database name:

sql Copy Edit ' AND SUBSTRING(database(),1,1)='a' -- URL encoded:

bash Copy Edit http://victim.com/product.php?id=5'%20AND%20SUBSTRING(database(),1,1)='a'%20--+ If the first letter is 'a', page shows "Product found".

Otherwise, "No product found".

We can automate this with a tool like SQLMap, or manually brute-force character by character.

ALSO READ
Singleton Pattern explained simply
Apr 26 Software Architecture

Ever needed just one instance of a class in your application? Maybe a logger, a database connection, or a configuration manager? This is where the Singleton Pattern comes in — one of the simplest....

CI/CD concepts - Interview preparation guide
Jan 05 Interview Guides

## What is CI/CD? CI/CD stands for Continuous Integration and Continuous Delivery/Deployment. CI is the practice of automatically integrating code changes from multiple contributors into a....

Proxy Pattern explained simply
Apr 26 Software Architecture

Sometimes you don't want or can't allow direct access to an object. Maybe it's expensive to create, needs special permissions, or you want to control access in some way. This is where the **Proxy....

Netcat The Hacker's Swiss Army Knife
May 02 Penetration Testing

Netcat, often abbreviated as `nc`, is a versatile command-line networking tool that can be used for almost anything related to TCP, UDP, or UNIX-domain sockets. It's beloved by network engineers,....

AWS - Interview preparation guide
May 08 Interview Guides

## What is Amazon EC2 and what are its features? Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizable compute capacity in the cloud. It allows you to launch and manage....

 OWASP Top 10 explained - 2021
Mar 03 Application Security

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation focused on improving the security of software. It provides free, vendor-neutral tools, resources, and standards that....