Blind SQL Injection
Blind SQL injection applies when a vulnerable query exists but the application returns no database output and no error text. The response gives no direct indication of what the database returned. Data is extracted by asking the database yes-or-no questions and observing which of two different application responses corresponds to true versus false.
Boolean-Based Blind Injection
Boolean-based blind injection works by injecting a conditional expression that evaluates to true or false, and observing whether the application's response changes between the two states.
Suppose a product lookup returns a page with product information when the product exists, and an empty page when it does not. An injected condition appended to the WHERE clause:
id=1 AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'
If the first character of the admin password is 'a', the full condition is true and the page shows product information. If it is not 'a', the condition is false and the page is empty. By iterating through possible characters and observing the response, the attacker determines the value one character at a time.
Binary search reduces the request count. Instead of testing all 95 printable ASCII characters linearly, test whether the ASCII code of the character is greater than 64, then greater than 96, and so on, halving the candidate range each time. This resolves each character in at most 7 requests instead of up to 95.
Extracting a 32-character password hash with binary search requires approximately 7 x 32 = 224 requests. A full database schema can be mapped in thousands of requests. Automated tools complete this in minutes.
Time-Based Blind Injection
Time-based blind injection is used when the application returns identical responses for true and false conditions, removing the observable difference needed for boolean-based extraction. The channel shifts from response content to response timing.
The injected condition triggers a database delay function when the condition is true:
id=1 AND IF(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a', SLEEP(5), 0)
In MySQL, SLEEP(5) delays the response by 5 seconds. If the response takes 5 seconds, the condition was true. If it returns immediately, the condition was false. The same binary search approach applies.
The equivalent in other databases: PostgreSQL uses pg_sleep(5); SQL Server uses WAITFOR DELAY '0:0:5'; Oracle uses dbms_pipe.receive_message(('a'),5).
Request Volume and Detection
Both techniques generate a high volume of requests against a single endpoint with structurally similar parameters. This pattern is detectable by a WAF or anomaly detection system that monitors per-endpoint request rates or parameter structure variation. Time-based injection is slower than boolean-based because each true condition adds a deliberate delay, which multiplies the total extraction time.
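As an added illustration of the detection pattern just described (not code from the original page), the script below profiles a constructed access log per endpoint and flags the two signals the text names: a high share of requests carrying conditional subquery payloads on one endpoint, and a cluster of responses near the 5-second delay. The log format, thresholds and regex are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic): "METHOD path?query duration_ms".
# Lines 2-7 mimic the boolean- and time-based probes described above; the rest is normal traffic.
SAMPLE_LOG = """\
GET /product?id=1 95
GET /product?id=1+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'a' 97
GET /product?id=1+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'b' 96
GET /product?id=1+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'c' 98
GET /product?id=1+AND+IF(SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'a',SLEEP(5),0) 5104
GET /product?id=1+AND+IF(SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'b',SLEEP(5),0) 5098
GET /product?id=1+AND+IF(SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D'admin'),1,1)%3D'c',SLEEP(5),0) 99
GET /product?id=2 101
GET /search?q=laptop 140
GET /search?q=phone 133
GET /product?id=3 90
"""

# Assumed marker for conditional probes: a boolean operator followed by a subquery or delay function.
PROBE_RE = re.compile(r"\b(?:AND|OR)\b.+\b(?:SELECT|SUBSTRING|SLEEP|WAITFOR|pg_sleep|dbms_pipe)\b", re.I)
SLOW_MS = 4000      # anything close to the 5 s delay used by time-based probes
MIN_REQUESTS = 5    # only consider endpoints with sustained traffic in the window

def parse_line(line):
    method, target, ms = line.split()
    parts = urlsplit(target)
    return parts.path, unquote_plus(parts.query), int(ms)

def profile_endpoints(log_text):
    """Per-endpoint counts: total requests, probe-like queries, and slow responses."""
    stats = defaultdict(lambda: {"total": 0, "probe_like": 0, "slow": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path, query, ms = parse_line(line)
        s = stats[path]
        s["total"] += 1
        s["probe_like"] += bool(PROBE_RE.search(query))
        s["slow"] += ms >= SLOW_MS
    return dict(stats)

def flag_blind_injection(log_text, min_requests=MIN_REQUESTS):
    """Return {endpoint: [reasons]} for endpoints matching either blind-injection pattern."""
    findings = {}
    for path, s in profile_endpoints(log_text).items():
        if s["total"] < min_requests:
            continue
        reasons = []
        if s["probe_like"] / s["total"] >= 0.5:
            reasons.append("conditional payloads in %d of %d requests" % (s["probe_like"], s["total"]))
        if s["slow"] >= 2:
            reasons.append("%d responses over %d ms (time-based probing)" % (s["slow"], SLOW_MS))
        if reasons:
            findings[path] = reasons
    return findings
```

On the sample log only /product is flagged, on both signals; /search stays below the request threshold.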
Neither technique requires error output or direct query results in the response. Suppressing errors does not prevent blind injection; it only removes error-based extraction as an option.