A Fantasy Explanation of Standard vs. Blind SQL Injection
By Daniel Miessler on January 22nd, 2010: Tagged as Information Security
Many in InfoSec get confused about the difference between standard and blind SQL injection. Here’s a simple way to think about it. In both cases you are asking questions to an entity in hopes of getting back valuable information; the key to standard vs. blind is the type of question you have to ask.
So imagine you’re in some sort of fantasy setting and you come upon a room guarded by a soldier. You’re told that you must learn the entire contents of the room he’s protecting, but you’re not allowed to go inside to see it directly. You have to figure it out just by asking the guard questions.
To start with, you ask, “Tell me the Spanish word for the thing closest to the door.” The guard answers back, “I don’t know the Spanish word for ‘pile of gold’”. You then ask him the Spanish word for the most expensive thing in the room, and he responds, “I don’t know the Spanish word for “King’s Crown.”
This is something like standard SQL Injection, where you are asking the guard to perform some operation on the thing you’re asking for, and when it says it doesn’t understand it includes the answer you were looking for. This is the all-too-common ‘barf the database error on the screen’ scenario.
But that’s old school.
After a couple of these the guard figures out what you’re doing, and he stops giving you valuable information. He thinks he’s smart, so he decides that instead of giving long answers that could have information in them, he now will only answer yes or no to any question you ask. This is a lot like a developer creating a custom error message for his web app when the database barfs. If the query returns true you get your standard results, if not (for any reason), you get the generic error with no goodies in it.
So now you just have to come up with a bunch of creative questions that will reveal information from nothing but yes/no answers. This is blind injection, and it will take much more time, since you’re not getting any output, but as long as you’re allowed to just keep asking it’s just a matter of getting enough responses.
“Does the item by the door start with the letter ‘a’? “
“No.”
“Does the item by the door start with the letter ‘b” ?”
“No.”
You then go down the list until you hit ‘g”, for gold. Now you move to the second letter. And so on.
In the database world this sounds something like, “Does the first table in the database have a first letter higher than ‘a’? If so, your query will go through and you’ll get whatever it was you were supposed to get from that page. If not, you’ll get the standardized error page.
So, error equals no, and regular result equals yes.
So you keep asking: “Is it higher than ‘b’?” And so on.
–
Bottom line: Standard SQL Injection works by asking questions that will confuse the app into returning answers in an error message. Blind SQL Injection works by asking questions that can only have a yes or no answer (with a generic error being no, and a regular result being yes); from there you simply iterate through all your options until all the yes and no responses build out your desired results. ::
