5. Blind Content‐Based SQL Injection - VascoLucas01/SQL-Injection-stuff GitHub Wiki

In a content-based blind SQL injection attack, the perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack. For example, consider a web application that asks a user to enter an account number. A simple version of this web page might look like the one shown below.

[Figure: the account number input form]

When a user enters an account number into that page, they will see a listing of the information associated with that account, as shown below.

[Figure: the account details listing returned for a valid account number]

The SQL query supporting this application might be something similar to this:

```sql
SELECT FirstName, LastName, Balance
FROM Accounts
WHERE AccountNumber = '$account'
```

where the $account field is populated from the input field shown in the first figure. In this scenario, an attacker could test for a standard SQL injection vulnerability by placing the following input in the account number field:

```
52019' OR 1=1;--
```

If successful, this would result in the following query being sent to the database:

```sql
SELECT FirstName, LastName, Balance
FROM Accounts
WHERE AccountNumber = '52019' OR 1=1
```

This query would match all results. However, the design of the web application may ignore any query results beyond the first row. If this is the case, the query would display the same results as shown in the second figure. Though the attacker may not be able to see the results of the query, that does not mean that the attack was unsuccessful. However, with such a limited view into the application, it is difficult to distinguish between a well-defended application and a successful attack.

The attacker can perform further testing by taking input that is known to produce results, such as providing the account number 52019 from the second figure and using SQL that modifies that query to return no results. For example, the attacker could provide this input to the field:

```
52019' AND 1=2
```

If the web application is vulnerable to a blind SQL injection attack, it would send the following query to the database:

```sql
SELECT FirstName, LastName, Balance
FROM Accounts
WHERE AccountNumber = '52019' AND 1=2
```

This query, of course, never returns any results, because 1 is never equal to 2! Therefore, the web application would return a page with no results, such as the one shown below. If the attacker sees this page, they can be reasonably sure that the application is vulnerable to blind SQL injection and can then attempt more malicious queries that alter the contents of the database or perform other unwanted actions.

[Figure: the empty results page returned when the query matches no rows]
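The whole sequence above can be reproduced against a throwaway in-memory database to see exactly why the page's "true condition keeps the row, false condition removes it" behaviour is observable, and why a parameterized query does not exhibit it. The following is an added example, not code from this wiki; the `Accounts` rows, the `lookup_vulnerable` / `lookup_safe` functions and the `boolean_oracle_leaks` check are all constructed here. The probes follow the page's `AND 1=1` / `AND 1=2` idea but are written as `'1'='1` / `'1'='2` so that the template's trailing quote stays balanced and no comment marker is needed; the "first row only" behaviour the page describes is mirrored with `fetchone()`.

```python
import sqlite3

# Constructed sample data standing in for the Accounts table on the page.
SAMPLE_ACCOUNTS = [
    ("52019", "Alice", "Example", 1250.00),
    ("52020", "Bob", "Example", 80.50),
]

QUERY_TEMPLATE = "SELECT FirstName, LastName, Balance FROM Accounts WHERE AccountNumber = "


def make_db():
    """Create an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (AccountNumber TEXT, FirstName TEXT, "
        "LastName TEXT, Balance REAL)"
    )
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, account):
    """The page's query with $account spliced straight into the SQL text.

    Like the application on the page, only the first row is shown, and
    (an assumption of this example) any SQL error is rendered as "no results".
    """
    sql = QUERY_TEMPLATE + f"'{account}'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None


def lookup_safe(conn, account):
    """Parameterized form: the driver binds account as one string value,
    so quotes and AND/OR inside it are data, never SQL."""
    sql = QUERY_TEMPLATE + "?"
    return conn.execute(sql, (account,)).fetchone()


def boolean_oracle_leaks(lookup, conn, account="52019"):
    """Return True if lookup behaves like the page's vulnerable application:
    a known-good account returns a row, a true condition leaves that row
    unchanged, and a false condition makes it disappear."""
    baseline = lookup(conn, account)
    true_probe = lookup(conn, f"{account}' AND '1'='1")
    false_probe = lookup(conn, f"{account}' AND '1'='2")
    return baseline is not None and true_probe == baseline and false_probe is None


if __name__ == "__main__":
    db = make_db()
    print("baseline      :", lookup_vulnerable(db, "52019"))
    # OR '1'='1 matches every row, but only the first row is shown, so the
    # page looks identical to the baseline (the page's point about a limited view).
    print("OR true       :", lookup_vulnerable(db, "52019' OR '1'='1"))
    print("AND false     :", lookup_vulnerable(db, "52019' AND '1'='2"))
    print("vulnerable leaks:", boolean_oracle_leaks(lookup_vulnerable, db))
    print("safe leaks      :", boolean_oracle_leaks(lookup_safe, db))
```

Running it shows the `OR` probe returning the same single row as the plain account number, while the `AND` false probe returns nothing; that difference is the oracle. The parameterized lookup returns no row for either probe because it searches for an account whose number literally contains the quote and `AND` text, so the check reports no leak. The same `boolean_oracle_leaks` shape (known-good input, then a condition that must keep it and one that must remove it) is what a regression test for a lookup endpoint should assert on after a fix.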