Blind SQL-injections

As Blind SQL injection is a variation of the SQL injection, you can start by reading our article on SQL injections: https://support.detectify.com/support/solutions/articles/48001048942-sql-injection

The result of the SQL query is not always printed on the website. A common example is a login form: no data from the query is shown to the attacker, the backend only acts on whether the query evaluated to true or false. Where an SQL query can be executed without its result being returned as text, other feedback channels must be used.

There are a few possible methods, but by far the most common one is to make the website delay its response depending on the result. A simple example is extracting data character by character by sending many queries, which would look like this:

Request: sleep if first character of password is ‘A’
Website: responded instantly
Request: sleep if first character of password is ‘B’
Website: responded instantly
Request: sleep if first character of password is ‘C’
Website: took one second to respond

We have now extracted the first character and can continue with the second one.

Request: sleep if second character of password is ‘A’
Website: responded instantly
Request: sleep if second character of password is ‘B’
Website: took one second to respond

This is repeated until the full password has been extracted. In practice an attacker would use a more efficient variation of this method.

When Detectify and other automated tools test for this vulnerability, there is no need to extract the whole database just to confirm it. It is enough to send two requests: one that will sleep if executed and one that will not. If the timing difference is large enough, it can be assumed that the SQL query executed and the page is therefore vulnerable. More details about our method can be found here: https://support.detectify.com/support/solutions/articles/48001061898-blind-sql-injections
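The same two signals that a scanner relies on, a delay function in the input and a large timing gap between otherwise similar requests, are what a defender can look for in access logs. The script below is an added example written for this article, not Detectify's tooling; the log format (client, method, path with query, status, response time in milliseconds) and the log lines themselves are constructed for the demonstration. It flags entries that carry a delay function in the decoded query string and, separately, entries from the same client to the same path that took far longer than the fastest request in that group. Note that the boolean-style pair from 203.0.113.9 is not caught by either check, since a true/false oracle produces no timing difference.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: "<client> <method> <path?query> <status> <response_ms>".
SAMPLE_LOG = """\
10.0.0.5 GET /login?user=alice&pass=secret 200 41
10.0.0.5 GET /login?user=alice&pass=secret 200 39
198.51.100.7 GET /item?id=1 200 35
198.51.100.7 GET /item?id=1%27%20AND%20SLEEP%285%29--%20 200 5040
203.0.113.9 GET /item?id=2%27%20AND%201%3D1--%20 200 37
203.0.113.9 GET /item?id=2%27%20AND%201%3D2--%20 200 36
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Delay functions used for time-based feedback in common database engines.
TIME_DELAY_PATTERN = re.compile(
    r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.IGNORECASE
)


def parse_log(text):
    """Parse the constructed log format into dicts with a URL-decoded query."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        client, method, target, status, ms = match.groups()
        path, _, query = target.partition("?")
        entries.append(
            {
                "client": client,
                "method": method,
                "path": path,
                "query": unquote_plus(query),
                "status": int(status),
                "ms": int(ms),
            }
        )
    return entries


def flag_delay_functions(entries):
    """Signature check: a delay function appears in the decoded query string."""
    return [e for e in entries if TIME_DELAY_PATTERN.search(e["query"])]


def flag_timing_outliers(entries, ratio=10.0, min_delta_ms=1000):
    """Behavioural check: same client and path, but one response is much slower
    than the fastest one in the group (the two-request pattern)."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["client"], e["path"])].append(e)

    flagged = []
    for group in groups.values():
        if len(group) < 2:
            continue  # a single request gives nothing to compare against
        fastest = min(e["ms"] for e in group)
        for e in group:
            slow_enough = e["ms"] - fastest >= min_delta_ms
            if slow_enough and e["ms"] >= ratio * fastest:
                flagged.append(e)
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in flag_delay_functions(parsed):
        print("delay function:", hit["client"], hit["path"], hit["query"])
    for hit in flag_timing_outliers(parsed):
        print("timing outlier:", hit["client"], hit["path"], hit["ms"], "ms")
```

The thresholds (a 1000 ms absolute gap and a 10x ratio) are assumptions chosen for the sample data; in a real deployment they should be tuned against the normal latency spread of the endpoint, otherwise slow database queries under load will produce false positives.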

What can happen and how to remediate it

See the article about SQL injection, as both the implications and the remediation method are the same for Blind SQL Injection.
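To make the remediation concrete for the login-form case described above, here is an added example (not code from the article or from Detectify) of a login check in two versions. The vulnerable one builds the SQL text by string concatenation, so the caller's input can alter the query's logic and the only thing that leaks is true or false, which is exactly the blind situation. The fixed one uses a parameterised query, so the driver passes the values separately from the SQL text and they can only ever be compared as data. The in-memory SQLite table, the user `alice` and her password are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: input is spliced into the SQL text. A username such as
    # "alice' AND 1=1 --" turns the rest of the WHERE clause into a comment,
    # so the result depends on a condition the caller controls, not on the
    # password. Only True/False leaves this function.
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: placeholders keep the SQL text fixed; the values are bound by
    # the driver and compared literally, quotes and comment markers included.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_demo() -> dict:
    """Compare both versions on a valid login and on a crafted username."""
    conn = make_db()
    crafted_true = "alice' AND 1=1 --"
    crafted_false = "alice' AND 1=2 --"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "valid_fixed": login_fixed(conn, "alice", "correct horse"),
        # The vulnerable version answers the injected condition, not the password.
        "crafted_true_vulnerable": login_vulnerable(conn, crafted_true, "x"),
        "crafted_false_vulnerable": login_vulnerable(conn, crafted_false, "x"),
        # The fixed version treats the crafted string as a literal username.
        "crafted_true_fixed": login_fixed(conn, crafted_true, "x"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Storing passwords in plain text, as the constructed table does, is only to keep the example short; the point of the example is the difference between concatenation and parameter binding, which applies unchanged to a properly hashed credential check.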

Resources