Identifying a blind SQL Injection

We already saw how a SQL Injection vulnerability works. In this recipe, we will cover a different type of vulnerability of the same kind, one that does not show any error message or hint that could lead us to the exploitation. We will learn how to identify a blind SQLi.

How to do it...

  1. Log into DVWA and go to SQL Injection (Blind).
  2. It looks exactly the same as the SQL Injection form we know from a previous recipe. Enter 1 in the text box and click Submit.
  3. Now, let's do our first test with 1':

    We get no error message, but no result either; something interesting could be happening here.

  4. We do our second test with 1'':

    The result for ID=1 is shown. This means that the previous test (1') produced an error that was captured and handled by the application without being displayed. It's highly probable that we have a SQL Injection here, but it seems to be blind: no information about the database is shown, so we will need to infer it.

  5. Let's see what happens when the user injects a condition that always evaluates to false: set 1' and '1'='2 as the user ID.

    '1' never equals '2', so no record meets the selection criteria in the query and no result is given.

  6. Now, try a query that will always be true when the ID exists: 1' and '1'='1.

    This demonstrates that there is a Blind SQL Injection in this page. If we get different responses to an injected condition that always evaluates to false and to one that always evaluates to true, we have a vulnerability, because the server is executing our code even though it does not show the effect explicitly in the response.
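The differential test in steps 5 and 6 can be reproduced offline. The following is an added example, not code from the book or from DVWA: it builds a small constructed users table in an in-memory SQLite database (SQLite stands in for DVWA's MySQL, so the numeric-coercion quirk behind step 4 is not reproduced and that probe is left out), implements a lookup that concatenates the ID into the query and swallows database errors exactly as the blind page does, and a hardened lookup that binds the ID as a parameter. The function names, the table layout and the sample rows are assumptions made for the example. Sending the recipe's own probes to both lookups shows why the always-false/always-true comparison is the right check: the vulnerable version answers the two probes differently, the parameterized version treats both as literal IDs that match nothing.

```python
import sqlite3

# Constructed sample data standing in for a users table (assumption, not DVWA's schema).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "gordonb", "Gordon"),
    (3, "1337", "Hack"),
]

# The inputs the recipe types into the form, keyed by the step they belong to.
PROBES = {
    "baseline": "1",                 # step 2
    "single_quote": "1'",            # step 3
    "always_false": "1' and '1'='2", # step 5
    "always_true": "1' and '1'='1",  # step 6
}


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mimics the blind page: the ID is concatenated into the SQL and any database
    error is swallowed, so the caller only ever sees 'result' or 'no result'."""
    sql = f"SELECT first_name FROM users WHERE user_id = '{user_id}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "no result"  # the error from 1' is captured and hidden, as in step 3
    return "result" if rows else "no result"


def lookup_hardened(conn, user_id):
    """Same lookup with a bound parameter: the input is data, never part of the SQL."""
    rows = conn.execute(
        "SELECT first_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return "result" if rows else "no result"


def responses(lookup):
    """Run every probe through the given lookup and collect the visible outcome."""
    conn = make_db()
    try:
        return {name: lookup(conn, probe) for name, probe in PROBES.items()}
    finally:
        conn.close()


def is_blind_sqli(resp):
    """The step 5/6 check: a vulnerable endpoint answers the always-false and
    always-true conditions differently; a safe one gives the same answer to both."""
    return resp["always_false"] != resp["always_true"]


if __name__ == "__main__":
    for label, lookup in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        resp = responses(lookup)
        print(f"{label}: {resp} -> blind SQLi: {is_blind_sqli(resp)}")
```

Note that the single-quote probe alone is not conclusive: both versions answer "no result" to it, for different reasons (a swallowed syntax error versus a literal ID that does not exist). Only the pair of logically opposite conditions separates the two behaviours, which is the point of steps 5 and 6.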

How it works...

Error-based SQL Injection and Blind SQL Injection are the same on the server side: the application doesn't sanitize inputs before using them to build a query for the database. The difference between them lies in how they are detected and exploited.

In an error-based SQLi, we use the errors sent by the server to identify the type of query, tables, and column names.

On the other hand, when we try to exploit a blind injection we need to harvest the information by asking yes/no questions. For example, "' and name like 'a%" means "does the user name start with 'a'?" to us; if we get a negative response we ask whether the name starts with 'b', and after a positive result we move on to the second character: "' and name like 'ba%". Because each question yields only one bit of information, a blind injection takes more time to detect and exploit.
