Content-based Blind SQL Injection attacks
In a content-based Blind SQL Injection, the attacker sends SQL queries that make the database evaluate to TRUE or FALSE, and then observes the differences between the page returned for a TRUE condition and the page returned for a FALSE one.
Here is an example of an online webshop that displays items for sale. The following link displays details about the item with ID 14, which is retrieved from a database.
http://www.webshop.local/item.php?id=14
The SQL query used to serve this request is:
SELECT columnName, columnName2 FROM table_name WHERE id = 14
The attacker manipulates the request into:
http://www.webshop.local/item.php?id=14 and 1=2
Now, the SQL query looks like:
SELECT columnName, columnName2 FROM table_name WHERE id = 14 and 1=2
The WHERE clause is now always FALSE, so the query returns no rows and no item is displayed. The attacker then modifies the request to:
http://www.webshop.local/item.php?id=14 and 1=1
Now, the SQL query looks like:
SELECT columnName, columnName2 FROM table_name WHERE id = 14 and 1=1
The condition is now TRUE, and the details of the item with ID 14 are displayed. The difference between the two responses indicates that this webpage is vulnerable.
Time-based Blind SQL Injection
In this case, the attacker makes the database perform a time-intensive operation.
If the website does not return an immediate response, that delay indicates a vulnerability to Blind SQL Injection. The most popular time-intensive operation is a sleep operation.
Building on the example above, the attacker would first measure the web server's response time for a regular request, and then issue the request below:
http://www.webshop.local/item.php?id=14 and if(1=1, sleep(15), false)
The website is vulnerable if the response is delayed by 15 seconds.
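As an added example (not code from the original page), the following Python uses an in-memory SQLite table standing in for the shop's database: the vulnerable lookup splices the id parameter into the SQL text, so the `14 and 1=2` / `14 and 1=1` probes described above change the result set, while the hardened lookup validates and binds the value so the same probes return nothing; a small check flags probe-shaped parameters for logging. The table, rows and the names make_db, lookup_vulnerable, lookup_hardened and looks_like_probe are assumptions; SQLite has no if()/sleep(), so the timing probe from the page is only matched by the detector here, not executed.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the webshop's item table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StoreTable (ID INTEGER, name TEXT, description TEXT, price REAL)"
    )
    conn.execute("INSERT INTO StoreTable VALUES (14, 'Lamp', 'Desk lamp', 19.99)")
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    # The page's bug: the request parameter becomes part of the SQL text, so a
    # value like "14 and 1=2" extends the WHERE clause and changes the row count.
    sql = "SELECT name, description, price FROM StoreTable WHERE ID = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    # Fix: enforce the expected type, then bind the value as a parameter.
    # Whatever the attacker appends can never be interpreted as SQL.
    if not re.fullmatch(r"\d{1,9}", raw_id):
        return []
    sql = "SELECT name, description, price FROM StoreTable WHERE ID = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def looks_like_probe(raw_id):
    # Detection aid for access logs: an id carrying a boolean tail such as
    # "and 1=2" or a timing function call is the signature of the probes above.
    pattern = r"(?i)\b(and|or)\b\s+\w+\s*=|\bsleep\s*\(|\bbenchmark\s*\("
    return re.search(pattern, raw_id) is not None


if __name__ == "__main__":
    db = make_db()
    for probe in ("14", "14 and 1=1", "14 and 1=2"):
        print(probe, lookup_vulnerable(db, probe), lookup_hardened(db, probe))
```

Run stand-alone, the vulnerable lookup prints one row for `14` and `14 and 1=1` but none for `14 and 1=2`, which is exactly the TRUE/FALSE difference the attacker looks for; the hardened lookup only answers the plain `14`.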