Loopus


Blind SQLi Techniques

30 min · lab · +60 XP

Learning Objectives

  • Master blind SQL injection techniques
  • Use time-based and Boolean-based exploitation
  • Extract data without direct output

Blind SQL Injection Techniques

Not all SQL injection vulnerabilities conveniently display database errors or query results on the page. Blind SQL injection occurs when an application is vulnerable to injection but doesn't return database output directly. Mastering blind techniques dramatically expands the vulnerabilities you can exploit.

When Injection Goes Dark

Developers often configure production applications to suppress error messages, hiding the detailed SQL errors that make classic injection obvious. The application might simply show a generic "An error occurred" message or even no indication that anything went wrong. Yet the underlying vulnerability persists, waiting for someone who knows how to find it.

Blind injection requires different detection and exploitation approaches because you can't directly see the results of your injected queries. Instead, you must infer information through indirect channels—changes in application behavior, response timing, or subtle differences in output.

Boolean-Based Blind Injection

Boolean-based techniques leverage true/false conditions to extract information one bit at a time. You craft injections that cause the application to behave differently depending on whether a condition is true or false, then systematically test conditions until you've reconstructed the data you want.

Consider a product page at /product?id=5 that normally displays product details. If you inject id=5 AND 1=1, the page should display normally because the condition is true. If you inject id=5 AND 1=2, the condition is false, and the product might not display or the page content might change subtly.

This behavioral difference becomes your oracle. You can now ask true/false questions about the database. Is the first character of the database user's name greater than 'M'? Is the database version number greater than 5? Each question, answered through behavioral differences, slowly reveals the information you seek.
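As an added illustration (not part of the Loopus lesson), the Python below builds a constructed in-memory SQLite catalogue standing in for the /product?id=5 page described above, shows why string-concatenated SQL turns the AND 1=1 / AND 1=2 pair into a Boolean oracle, and shows that integer validation plus a bound parameter removes that behavioural difference. The names make_db, lookup_vulnerable, lookup_fixed and is_boolean_oracle are chosen here, not taken from the lesson.

```python
import sqlite3

# Constructed sample data: a two-row product table for the /product?id=N page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(5, "Widget"), (6, "Gadget")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # Request value is pasted into the statement, so "5 AND 1=2" becomes SQL
    # and the WHERE clause evaluates to false: the product silently vanishes.
    sql = f"SELECT name FROM products WHERE id = {raw_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_fixed(conn, raw_id):
    # Validate the type first, then bind the value as a parameter.  The value
    # is data to the database engine and can never change the query's logic.
    try:
        pid = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None

def is_boolean_oracle(lookup, conn, base_id="5"):
    # The page describes this check: if a true condition and a false condition
    # appended to the same id produce different responses, the endpoint can be
    # used to answer yes/no questions about the database.
    true_case = lookup(conn, f"{base_id} AND 1=1")
    false_case = lookup(conn, f"{base_id} AND 1=2")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", is_boolean_oracle(lookup_vulnerable, db))  # True
    print("fixed oracle:     ", is_boolean_oracle(lookup_fixed, db))       # False
```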

Time-Based Blind Injection

When even Boolean-based behavioral differences aren't visible, time-based techniques provide another avenue. By injecting queries that conditionally cause delays, you can infer information from response timing rather than content.

MySQL's SLEEP() function pauses query execution for a specified number of seconds. MSSQL uses WAITFOR DELAY. PostgreSQL can use pg_sleep(). Injecting IF(condition, SLEEP(5), 0) makes the response take five seconds when your condition is true and returns immediately when false.

Time-based extraction is slower than other methods but works against virtually any vulnerable application regardless of how it handles errors or displays output. Even if the only feedback you get is "request completed," timing that completion reveals the answer to your conditional queries.

Extracting Data Character by Character

Both Boolean and time-based techniques typically extract data one character at a time. You might ask: "Is the first character of the admin password's hash greater than 'f'?" Based on the answer, you narrow down the possibilities with binary search efficiency.

SUBSTRING functions isolate individual characters: SUBSTRING(password,1,1) extracts the first character. ASCII or ORD functions convert characters to numeric values for comparison. Combining these with greater-than or less-than comparisons enables efficient binary search through the character space.

Automation becomes essential for blind extraction. Manually crafting hundreds of requests to extract a single password hash is impractical. Tools like sqlmap automate the entire process, handling detection, technique selection, and data extraction with minimal user intervention.

Questions

Question 1 (Knowledge): What identifies data without error output?
Format: 9 characters, exact match required

Question 2 (Hands-On): What logic gate tests blind SQLi?
Format: 3 characters, exact match required

Question 3 (Knowledge): What search method speeds up blind SQLi?
Format: 6 characters, exact match required

Question 4 (Hands-On): What function tests time-based SQLi?
Format: 5 characters, exact match required