Many in InfoSec get confused about the difference between standard and blind
SQL injection. Here’s a simple way to think about it. In both cases you
are asking questions to an entity in hopes of getting back valuable
information; the key to standard vs. blind is the type of question you have
to ask.
Standard SQL Injection
So imagine you’re in some sort of fantasy setting and you come upon a room
guarded by a soldier. You’re told that you must learn the entire contents of
the room he’s protecting, but you’re not allowed to go inside to see it
directly.
You have to figure it out just by asking the guard questions.
To start with, you ask, “Tell me the Spanish word for the thing closest to
the door.” The guard answers back, “I don’t know the Spanish word for ‘pile
of gold’.” You then ask him the Spanish word for the most expensive thing in
the room, and he responds, “I don’t know the Spanish word for ‘King’s
Crown’.”
This is something like standard SQL Injection: you ask the guard to perform
some operation on the thing you want to know about, and when he says he
doesn’t understand, his answer includes the very information you were looking for.
This is the all-too-common ‘barf the database error on the screen’ scenario.
But that’s old school.
After a couple of these the guard figures out what you’re doing, and he
stops giving you valuable information. He thinks he’s smart, so he decides
that instead of giving long answers that could have information in them, he
will now only answer yes or no to any question you ask. This is a lot
like a developer creating a custom error message for his web app for when the
database barfs. If the query returns true you get your standard results; if
not (for any reason), you get the generic error with no goodies in it.
Blind SQL Injection
So now you just have to come up with a bunch of creative questions that will
reveal information from nothing but yes/no answers. This is
blind injection, and it will take much more time, since you’re not
getting any output, but as long as you’re allowed to just keep asking it’s
just a matter of getting enough responses.
“Does the item by the door start with the letter ‘a’?”
“No.”
“Does the item by the door start with the letter ‘b’?”
“No.”
You then go down the list until you hit ‘g’, for gold. Now you move to the
second letter. And so on.
In the database world this sounds something like, “Does the first table in
the database have a first letter higher than ‘a’?” If so, your query will go
through and you’ll get whatever it was you were supposed to get from that
page. If not, you’ll get the standardized error page.
So an error equals no, and a regular result equals yes. You keep asking: “Is
it higher than ‘b’?” And so on.
It takes a while (and a lot of requests and responses), but eventually you
build out the complete answer. That’s Blind SQL Injection.
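The point for defenders is that the guard's yes/no policy does not close the leak; it only slows it down. The added example below (not from the original post) shows this with an in-memory SQLite table standing in for the guarded room: the string-concatenated lookup still answers "yes" or "no" to a true or false condition even though all database errors are replaced with a generic message, while the parameterised lookup treats the whole input as a literal item name and gives no oracle at all. The table contents, function names and generic error text are constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the guarded room.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items (name TEXT, value INTEGER)")
_db.executemany("INSERT INTO items VALUES (?, ?)",
                [("pile of gold", 1000), ("king's crown", 5000)])

GENERIC_ERROR = "Something went wrong."   # the 'no goodies' error page


def lookup_vulnerable(name: str) -> str:
    """String-concatenated query: the guard who now only answers yes/no.

    Database errors are swallowed, so no error text reaches the caller,
    but a condition the caller controls still decides which page comes back.
    """
    sql = f"SELECT name FROM items WHERE name = '{name}'"
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return GENERIC_ERROR
    return rows[0][0] if rows else "No such item."


def lookup_safe(name: str) -> str:
    """Parameterised query: the input is always a value, never SQL."""
    sql = "SELECT name FROM items WHERE name = ?"
    try:
        rows = _db.execute(sql, (name,)).fetchall()
    except sqlite3.Error:
        return GENERIC_ERROR
    return rows[0][0] if rows else "No such item."


def oracle_exists(lookup) -> bool:
    """Return True if a caller-controlled condition changes the page shown.

    One input carries a condition that is always true, the other one that
    is always false. If the two responses differ, the yes/no oracle the
    post describes is present, regardless of how errors are handled.
    """
    yes = lookup("x' OR 1=1 --")
    no = lookup("x' OR 1=2 --")
    return yes != no


if __name__ == "__main__":
    print("concatenated query leaks yes/no:", oracle_exists(lookup_vulnerable))
    print("parameterised query leaks yes/no:", oracle_exists(lookup_safe))
```

The vulnerable lookup returns a real item for the true condition and "No such item." for the false one, which is all a blind approach needs; the parameterised lookup returns "No such item." for both.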
TL;DR: Standard SQL Injection works by asking questions that will
confuse the app into returning answers in an error message. Blind SQL
Injection works by asking questions that can only have a yes or no answer.
From there you simply iterate through all your options until all the yes and
no responses build out your desired results.