/
Blind SQL Injection

Blind SQL Injection

Owned by Neil Matatall
Last updated: Dec 22, 2008Version comment

Introduction

Flash video explaining Blind SQL Injection from the makers of AppScan 

Among others, a hacker can use Blind SQL Injection to read the values or almost any part of your database, discover the data type of columns, and discover which database server you are using.  Blind SQL Injection is a somewhat time consuming vulnerability to exploit.  However, tools are emerging that automate some of the work and the potential for harm is increasing.

Blind SQL Injection is a specific type of SQL Injection Wikipedia defines Blind SQL Injection as :

Blind SQL Injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page.

Blind SQL Injection can be further classified into two types: conditional responses and conditional errors

Conditional Responses

This involves injecting literals into a dynamically built query that allows the hacker to choose when a query evaluates to true or false.

String userID = request.getParameter("userID");

String query = "select * from users where user_id = " + userID;

Imagine if the hacker knew a user_id (123 in this case), and the hacker enters:

123 AND (ascii(substr(SELECT password FROM user_data WHERE user_id=123 , 1, 1)) = 65 )

the query becomes

select * from users where user_id = 123 AND
(ascii(substr(SELECT password FROM user_data WHERE user_id=123 , 1, 1)) = 65 )


This query can be translated as "select everything from the user table where the id=123 and the first letter of the password is an 'A' ".  Using this, the hacker can construct almost any piece of data that the database user has access to by asking a series of yes or no questions.

Conditional Errors

This is a special case of conditional responses where the application returns an error rather than a response. 

String query = "select " + columnName + " from users where userID = " + userID;

Now the hacker enters " 1 / 0 " and the query becomes:

select 1 / 0 from users where userID = 123

Which will throw an error if a user with a userID of 123 does not exist, but will not throw an error if such a user does exist.

Detection

Generally, if you application is not vulnerable to SQL Injection, it by definition should not be vulnerable to Blind SQL Injection.  These instructions can help you determine if you application is vulnerable.

Going back to the first query:

String query = "select * from users where user_id = " + userID;

Enter " 123 + 0 "
The query becomes:

 select * from users where user_id = 123 + 0

 If the query returned the same data as when you entered "123", try injecting "123 and 1 = 0":

select * from users where user_id = 123 and 1 = 0

This will always evaluate to false and the response should come back empty.  If nothing was returned, your query is vulnerable to Blind SQL Injection

If the vulnerable parameter is stored as a String in the database, enter "  ' + '' -- " (this concatenates an empty String) and the query becomes:

select * from users where user_id = '123' + '' -- this is a comment, anything after "--" is ignored

Now try entering "123' and 'a'='":

select * from users where user_id = '123'  and 'a'=''

Once again, if this query returns nothing the query is vulnerable to Blind SQL Injection

Prevention

Use prepared statements!

More Information

Imperva has a very detailed article that covers pretty much the full spectrum.