Blind SQL injection

Jun 20, 2011  

Security is something that's all too often ignored. Recent events have helped highlight how vulnerable and insecure we are, but I still see very lax attitudes towards security. Most disturbing of all is what looks like a complete lack of interest in secure and unique passwords, and I know that almost all of us are guilty of it to an extent.

Anyway, I want to discuss one of the most common exploits, and perhaps a form of it that is less familiar. Generally, if someone mentions SQL injection (and you know basically what SQL is), you might think of an UPDATE, INSERT or similar command being inserted, perhaps to inject additional code into the content of the current record.

Blind SQL injection is a little more clever than that, but it is essentially an extension of the same exploit. The clever bit is that it can work even if the page returns the same result whether the injection succeeds or not. So you might be testing for SQL injection by looking for abnormalities or other errors shown on the page, but an injectable page may show none of them. Again, you might think that the most damaging thing that can be done is to call SQL that modifies the content of the database, but it can actually be used to figure out passwords and potentially gain access to systems.

It works in one of two ways: either the injected SQL makes some kind of difference to the returned page, or it delays the response of the page. Either way, a successful injection produces a measurable difference from a failed one. So you can query the database with a series of true/false questions, for example asking whether a particular character of a string has a particular value. With an automated script, this could eventually work out personal details held in a database.
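As an added illustration (not code from the original post), here is a constructed Python/SQLite user lookup in its vulnerable form beside the parameterised fix. The concatenated query answers differently once a true/false condition is appended to the input, which is exactly the measurable difference that blind injection relies on; the parameterised version treats the whole string as a name and gives the same answer either way, so there is nothing to observe.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a real users table
    # (sample data, not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")],
    )
    return conn


def user_exists_vulnerable(conn, name):
    # String concatenation: whatever the caller supplies becomes part of the
    # SQL text, so an appended condition is evaluated by the database.
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, name):
    # Parameterised query: the driver passes `name` as data, never as SQL,
    # so any condition inside it is just part of the (non-existent) name.
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def demo():
    """Compare both lookups on a plain name and on a name carrying a
    condition that is always true. The vulnerable lookup changes its answer
    (the observable signal); the safe lookup does not."""
    conn = make_db()
    plain = "nobody"
    with_condition = "nobody' OR 1=1 --"
    return {
        "vuln_plain": user_exists_vulnerable(conn, plain),
        "vuln_with_condition": user_exists_vulnerable(conn, with_condition),
        "safe_plain": user_exists_safe(conn, plain),
        "safe_with_condition": user_exists_safe(conn, with_condition),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The same contrast holds for the time-based variant: a parameterised query never evaluates an injected delay because the input is never parsed as SQL.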

For more information, you might like to check out the link here:

https://www.owasp.org/index.php/Blind_SQL_Injection