Inferential (Blind) SQL Injection

Blind SQL injection occurs when an application displays neither database errors nor query results, so an attacker must infer information from the application's behavior alone. Boolean-based blind injection exploits a conditional response, such as a page that only says whether a record was found:

// Vulnerable Node.js code (Express; `db` is assumed to be any client exposing query(sql))
const express = require('express');
const app = express();

app.get('/user/:id', async (req, res) => {
    // The path parameter is interpolated directly into the SQL string:
    // this is the injection point, and no value is ever bound as a parameter.
    const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
    const result = await db.query(query);

    // The only signal the client gets is whether any row came back,
    // which is exactly the one bit a boolean-based probe needs.
    if (result.length > 0) {
        res.send('User exists');
    } else {
        res.send('User not found');
    }
});

// Attacker uses boolean conditions to extract data
// Input: 1 AND SUBSTRING((SELECT password FROM users WHERE id=1),1,1)='a'
// Response indicates if first character of password is 'a'
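The same lookup in a hardened form, as an added example that is not code from the original page. It assumes a database client with a `query(sql, params)` method that binds parameters server-side (the `$1` placeholder shown is node-postgres style; mysql2 uses `?`); a constructed mock client stands in for it so the example runs offline. The SQL text is now a constant and the id travels as a bound value, and a strict integer allow-list rejects the boolean probe from the page before any query is built.

```javascript
// Added example, not the page's code. `db` is assumed to expose query(sql, params)
// with server-side parameter binding; makeMockDb below is a constructed stand-in.

// Strict allow-list: a user id must be a plain positive decimal integer and nothing else.
// Any payload such as "1 AND SUBSTRING(...)" fails this check before SQL is involved.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,17}$/.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Parameterized lookup: the SQL string never changes; the value is bound separately,
// so the database parses the statement first and treats the id purely as data.
async function lookupUser(db, rawId) {
  const id = parseUserId(rawId);
  if (id === null) {
    return { status: 400, body: 'Invalid user id' };
  }
  const rows = await db.query('SELECT id FROM users WHERE id = $1', [id]);
  return { status: 200, body: rows.length > 0 ? 'User exists' : 'User not found' };
}

// Constructed mock client: records each call and answers from a fixed id list.
// It never interprets the SQL text, which is also why injection cannot reach it.
function makeMockDb(existingIds) {
  const calls = [];
  return {
    calls,
    async query(sql, params) {
      calls.push({ sql, params });
      return existingIds.includes(params[0]) ? [{ id: params[0] }] : [];
    },
  };
}

// Stand-alone demonstration with the page's boolean probe as input.
const demoDb = makeMockDb([1, 2]);
const probe = "1 AND SUBSTRING((SELECT password FROM users WHERE id=1),1,1)='a'";
lookupUser(demoDb, probe).then((r) => console.log(r.status, r.body, 'queries issued:', demoDb.calls.length));
```

In an Express handler this becomes `res.status(result.status).send(result.body)`; the important property is that a rejected id produces no database round trip at all, so there is no conditional response left to probe.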

Time-based blind injection works even when the response body is identical either way: the attacker makes the database pause only when a condition holds and infers the answer from the response time:

# Vulnerable Ruby code (Product is an ActiveRecord model)
def check_product(id)
  # The id is interpolated into the SQL string; find_by_sql runs it verbatim,
  # so nothing is bound as a parameter and the injection point is the string itself.
  query = "SELECT * FROM products WHERE id = #{id}"
  Product.find_by_sql(query)
  # The response never changes, so a probe has to rely on timing rather than content.
  return "Product checked"
end

# Attacker input: 1; IF(ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))=97, SLEEP(5), 0)--
# 5-second delay confirms first character is 'a' (ASCII 97)
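Because the application gives away nothing in its response body, both forms of blind injection leave their most visible trace in the request log: a single client issuing long runs of near-identical requests that carry SQL fragments, and, for the time-based variant, response times that cluster around the injected delay. The following added example (not code from the page) scores an access log for exactly those signals. The log format and every sample line are constructed for this demonstration: `<client_ip> <method> <path> <status> <response_ms>`.

```javascript
// Added example, not the page's code. Log format and sample lines are constructed.
// Each line: <client_ip> <method> <path> <status> <response_ms>
const SAMPLE_LOG = [
  '10.0.0.5 GET /user/42 200 12',
  '10.0.0.5 GET /user/43 200 9',
  '203.0.113.9 GET /user/1%20AND%20SUBSTRING((SELECT%20password%20FROM%20users%20WHERE%20id=1),1,1)=%27a%27 200 11',
  '203.0.113.9 GET /user/1%20AND%20SUBSTRING((SELECT%20password%20FROM%20users%20WHERE%20id=1),1,1)=%27b%27 200 10',
  '203.0.113.9 GET /product/1;%20IF(ASCII(SUBSTRING((SELECT%20password%20FROM%20users%20LIMIT%201),1,1))=97,%20SLEEP(5),%200)-- 200 5012',
  '203.0.113.9 GET /product/1;%20IF(ASCII(SUBSTRING((SELECT%20password%20FROM%20users%20LIMIT%201),1,1))=98,%20SLEEP(5),%200)-- 200 5009',
  '198.51.100.7 GET /product/7 200 8',
];

// Signatures typical of blind probes: delay functions, boolean conditions built on
// character-extraction functions, subselects inside SUBSTRING, and trailing comment
// markers used to discard the rest of the original statement.
const PROBE_PATTERNS = [
  /\b(sleep|benchmark|pg_sleep|waitfor)\s*\(/i,
  /\b(and|or)\b\s+[\w(]*\s*(substring|substr|ascii|mid)\s*\(/i,
  /\bsubstring\s*\(\s*\(\s*select\b/i,
  /(--|\/\*)\s*$/,
];

// Percent-decode so encoded payloads are matched; malformed encodings are kept raw.
function decodePath(path) {
  try {
    return decodeURIComponent(path);
  } catch {
    return path;
  }
}

function isProbe(path) {
  const decoded = decodePath(path);
  return PROBE_PATTERNS.some((re) => re.test(decoded));
}

// Parse one constructed log line; returns null for lines that do not fit the format.
function parseLine(line) {
  const [ip, method, path, status, ms] = line.trim().split(/\s+/);
  if (!ms) return null;
  return { ip, method, path, status: Number(status), ms: Number(ms) };
}

// Aggregate per client: count probe-like requests and slow responses. A client is
// reported once it has issued at least `minProbes` probe-like requests; the slow
// count corroborates time-based probing, since the injected delay dominates latency.
function analyze(lines, { slowMs = 2000, minProbes = 2 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const s = perIp.get(rec.ip) || { ip: rec.ip, requests: 0, probes: 0, slow: 0, samples: [] };
    s.requests += 1;
    if (isProbe(rec.path)) {
      s.probes += 1;
      if (s.samples.length < 2) s.samples.push(decodePath(rec.path));
    }
    if (rec.ms >= slowMs) s.slow += 1;
    perIp.set(rec.ip, s);
  }
  return [...perIp.values()].filter((s) => s.probes >= minProbes);
}

// Stand-alone run over the constructed log.
for (const f of analyze(SAMPLE_LOG)) {
  console.log(`${f.ip}: ${f.probes}/${f.requests} probe-like requests, ${f.slow} slow responses`);
  for (const sample of f.samples) console.log('  e.g.', sample);
}
```

The slow-response threshold should sit well above the endpoint's normal latency; the delay an attacker injects is chosen to be unmistakable, so a generous threshold keeps ordinary slow queries out of the count. Pattern matching on its own produces false positives on legitimate text that happens to contain SQL keywords, which is why the report keys on repetition from one client rather than on any single request.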