SQL injection/Blind
- Related tools: mysqli-blindutils
There are primarily two types of blind SQL injection vulnerabilities: partial blind and total blind.
Partial blind injection is called partial because the data returned by the application changes to some extent. This may be as simple as a piece of content being displayed in one case and not in the other.
Completely blind vulnerabilities produce no change in the returned dataset in the page output, so timing attacks must be used for successful exploitation: they affect the HTTP response time rather than the HTTP response data.
There are traditionally two types of exploitation for blind SQL injection:
- Blind data extraction
- Boolean enumeration
Each exploitation method has viable options for both partial blind and total blind injection. Blind data extraction is much faster than boolean enumeration. When using boolean enumeration to exploit SQL injection, an attacker receives only one bit of data per request. For printable text characters this usually takes 7 requests (because the highest-order bit is never set in latin1 printable characters), but a byte of binary data requires up to 8 requests. By comparison, blind extraction can retrieve more than a full byte per request.
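The two exploitation styles above leave distinct traces in web server logs: boolean enumeration shows up as a burst of near-identical requests from one client, roughly 8 per extracted byte, while timing attacks carry a time-delay function in the request. The following detector, an added example that is not part of the original page or of mysqli-blindutils, classifies constructed access-log lines on those two signals and alerts per client IP; the log format, regexes and threshold of 8 are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): one benign request, a burst
# of boolean probes from one client (one bit tested per request) and a timing probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=7 HTTP/1.1" 200 512',
] + [
    f'10.0.0.9 - - [01/Jan/2024:10:00:{i:02d} +0000] '
    f'"GET /item?id=7+AND+ASCII(SUBSTRING(version(),1,1))>{64 + i} HTTP/1.1" 200 512'
    for i in range(8)
] + [
    '10.0.0.12 - - [01/Jan/2024:10:01:00 +0000] "GET /item?id=7+AND+SLEEP(5) HTTP/1.1" 200 512',
]

# Combined-log-format prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
# Time-delay functions that turn a full-blind injection into a measurable response delay.
TIMING_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I)
# A character/byte extraction call followed by a comparison: the shape of a boolean bit test.
BOOL_PROBE_RE = re.compile(r'\b(ascii|ord|substr(?:ing)?|mid)\s*\(.*?[<>=]', re.I)


def classify(path):
    """Label a request path as a 'timing' or 'boolean' probe, or None if neither matches."""
    query = unquote_plus(path.partition("?")[2])
    if TIMING_RE.search(query):
        return "timing"
    if BOOL_PROBE_RE.search(query):
        return "boolean"
    return None


def analyze(lines, bool_threshold=8):
    """Count probes per client IP; alert on any timing probe or a byte's worth of bit tests."""
    counts = defaultdict(lambda: {"timing": 0, "boolean": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("path"))
        if kind:
            counts[m.group("ip")][kind] += 1
    alerts = {ip for ip, c in counts.items()
              if c["timing"] > 0 or c["boolean"] >= bool_threshold}
    return dict(counts), alerts
```

Running `analyze(SAMPLE_LOG)` flags 10.0.0.9 (eight boolean probes) and 10.0.0.12 (one timing probe) while the benign client never enters the counts.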
Blind extraction
There are two types of blind SQL extraction attacks:
- Partial-blind: Pre-computation based (Tool: mysqli-blindutils > sqli-hap.py)
- Full-blind: Timing based
The only things these methods have in common are:
- Both are limited in some fashion, whether by the environment and latency or by the dataset.
- Successful exploitation requires writing automation.
Boolean Enumeration
There are primarily two types of attacks used for boolean enumeration:
- Partial-blind: Response based (Tool: mysqli-blindutils > sqli-p.pl)
- Full-blind: Timing based (Tool: mysqli-blindutils > sqli-slee.py)