Boolean SQL Injection Blind
Note: Boolean-based SQL Injection is tedious and requires a lot of manual guessing. Use SQLmap instead.
In the blind sql injection, there is no error message returned back as an output hence we can't know if there is sql injection vulnerability. Boolean means that the response is either [true] or [false]. In real world scenario, [false] means no data returned back as a response and [true] is returned when the response contains data. The aim in this type of sql injection is to return [true] so that we retrieve data. Say we have the URL below
The corresponding SQL query for that is below
To find a sql injection vulnerability, first we need the number of columns in this table. We would start with a payload like below
With the same method, we keep increasing numbers untill no error is returned which determines the number of colums. Once we determine the number of columns, we can start crafting payloads to enumerate the database.
In the above example, we used the [like] operator to look for the entries where there is a database whose name starts with [s].
Since this is boolean based, we need to use the [like] statement in order to adhere to http://domain.com/profile?id=1 select * from profiles where id = '%1%' LIMIT 1; 0' UNION SELECT 1;-- 0' UNION SELECT 1,2,3 where database() like 's%';-- the [true] and [false] forms of output.
In order to find the database name, we need to keep adding and rotating between characters until we receive a response containing the database name. The next payload would look like the one below
Suppose you were able to find the database name and it was [dbhacked] then you will need to dump its tables.
With the same manner, keep adding characters untill you hit a response containing table name. Suppose you found a table named [users]. You want to dump its columns.
Supposed you found column [username] and [password] then to dump them use below payload to find the users
Suppose you found a username called [admin] then use the below to dump its password.
Last updated