First off let me apologize for the lapse in posts...life has been pretty crazy for the past few months and I simply haven't had any time to devote to blogging. Things seem to be getting to a more manageable state now, so let's get on with it!
I figured I'd get back into the blogging groove by going through the basics of blind SQL injection. So for this post I'm going to assume you know how SQL Injection works (If you don't, kaoticcreations has some good material on the subject http://kaoticcreations.blogspot.com/p/basic-sql-injection-101.html).
Now, what's the difference between a standard SQL injection and a blind SQL injection you ask? With a blind attack, you don't actually see the results of your injection, but rather the page will display differently if you got back valid data vs. an error (which can be as subtle as having the page taking longer to load!).
So let's take a look at an example of this. Below you can see that we've successfully deduced that this input field is vulnerable to attack.
Well look at that, we got a different response. Using this method we can work to deduce the names of the tables and the attributes therein, but in my future examples I'm going to assume that in this same table we're going to look for someone's PIN and that the attribute is called PIN.
So we know the number is between 3,100 and 3,200 (because 3,100 showed as Unregistered as well, I just didn't post a picture of it). So let's try half way between these two.
So, the PIN is between 3,150 and 3,200. Following the same procedure we can finally get to the actual PIN
Now, this was a manual example demonstrating blind SQL injection. There are several tools that can do this automatically such as sqlmap, sqlbrute and others.
As always I hope this has been helpful to understand the basics of how blind SQL injection works. If you have any questions or comments please leave them below.