Boolean-based Blind SQL Injection

Note: Boolean-based SQL Injection is tedious and requires a lot of manual guessing. Use SQLmap instead.

In a blind SQL injection the application returns neither error messages nor the query's output, so the injection cannot be confirmed by reading results off the page. Boolean-based means the only thing we can observe is whether the response is [true] or [false]: in a real application [false] is the page rendered when the query returns no rows (or fails), and [true] is the page rendered when the query returns data. Every payload is therefore a yes/no question about the database, and the aim is to phrase the questions so that a [true] answer reveals one more character of what we want to know. Say we have the URL below

http://sumwebsite.com/profile?id=1

The application pastes the id value straight into a quoted string literal, so for id=1 the query it runs is

select * from profiles where id = '1'
LIMIT 1;

A UNION-based payload is the easiest way to force a [true] response, but a UNION only works when both SELECTs return the same number of columns, so first we need the number of columns the original query returns. The leading 0' closes the string literal with an id that matches nothing, so whatever the injected SELECT returns is the only row on the page, and ;-- comments out the rest of the original query (in MySQL the -- comment needs a whitespace after it, so -- - or # is the safer form). We would start with a payload like below

0' UNION SELECT 1;--

A column-count mismatch is a SQL error, which in a blind context shows up as [false]. Keep adding one more number to the SELECT list until the response turns [true]; that count is the number of columns. Once we know it, we can start crafting payloads to enumerate the database.

0' UNION SELECT 1,2,3 where database()
like 's%';--

Here the injected SELECT carries a WHERE clause on database(), the name of the current database. The row 1,2,3 (and with it the [true] response) only comes back when that name starts with [s]; otherwise the page shows nothing, which is [false].

Since this is boolean based, every question has to be phrased as a condition that is either true or false. The [like] operator with a trailing % wildcard is what turns "what is the name?" into "does the name start with this prefix?", which is a question the [true] and [false] forms of output can answer.

The response never contains the database name itself. To find it we test one character at a time: keep the characters already confirmed, append each candidate character in turn, and keep the one that gives a [true] response. Having confirmed [s], the next payload would look like the one below

0' UNION SELECT 1,2,3 where database()
like 'sq%';--

Note that [like] is case-insensitive under MySQL's default collations, so the characters come back without their case, and that _ and % are wildcards, so a literal underscore in a name has to be escaped. Suppose you were able to find the database name and it was [dbhacked]; then you will need to dump its tables, this time asking information_schema.tables the same prefix question.

0' UNION SELECT 1,2,3 FROM
information_schema.tables WHERE
table_schema = 'dbhacked' and table_name
like 'a%';--

In the same manner, keep adding characters until no further character gives a [true] response, at which point the table name is complete. When more than one table starts with the same prefix, the response is [true] for any of them, so exclude the names already found (for example with table_name not in (...)) to enumerate the rest. Suppose you found a table named [users]. You want to dump its columns.

0' UNION SELECT 1,2,3 FROM
information_schema.columns WHERE
table_schema='dbhacked' and table_name='users' and column_name like
'a%';--

Suppose you found the columns [username] and [password]. Then, to find the users, use the payload below. This one ends without a closing quote or comment: the quote the application appends after our input closes the string literal, and its trailing LIMIT 1 does not change the [true]/[false] answer.

0' UNION SELECT 1,2,3 from users where
username like 'a%

Suppose you found a username called [admin]; then use the payload below, extending the prefix one character at a time, to dump its password.

0' UNION SELECT 1,2,3 from users where
username='admin' and password like 'a%
