== Blind SQL Injection Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection. === Difference Let's first start with the difference between a normal SQL injection and a blind SQL injection. In a normal SQL injection the error messages from the database are displayed and gives enough information to find out how the query is working. Or in the case of an union based SQL injection the application does not reflect the information directly on the webpage. So in the case where nothing is displayed you will need to start asking the database questions based on a true or false statement. That's why a blind SQL injection is much more difficult to exploit. There are several different types of blind SQL injections: content based and time based SQL injections. === Example In this case we are trying to ask the database a boolean question based on for example a unique id, for example suppose we have the following url: `https://my-shop.com?article=4` On the server side this query will be translated as follows: ---- SELECT * from articles where article_id = 4 ---- When we want to exploit this we change the url into: `https://my-shop.com?article=4 AND 1=1` This will be translated to: ---- SELECT * from articles where article_id = 4 AND 1 = 1 ---- If the browser will return the same page as it used to when using `https://my-shop.com?article=4` you know the website is vulnerable for a blind SQL injection. If the browser responds with a page not found or something else you know a blind SQL injection might not work. You can now change the SQL query and test for example: `https://my-shop.com?article=4 AND 1=2` which will not return anything because the query returns false. So but how do we actually take advantage of this? Above we only asked the database for trivial question but you can for example also use the following url: `https://my-shop.com?article=4 AND substring(database_version(),1,1) = 2` Most of the time you start by finding which type of database is used, based on the type of database you can find the system tables of the database you can enumerate all the tables present in the database. With this information you can start getting information from all the tables and you are able to dump the database. Be aware that this approach might not work if the privileges of the database are setup correctly (meaning the system tables cannot be queried with the user used to connect from the web application to the database). Another way is called a time based SQL injection, in this case you will ask the database to wait before returning the result. You might need to use this if you are totally blind so there is no difference between the response you can use for example: ---- article = 4; sleep(10) -- ----