Blind SQLi Authentication Bypass
Blind SQLi is when we get little to no feedback to confirm whether our injected queries were, in fact, successful or not. This is because error messages have been disabled, but the injection still works regardless; we only get to see the application's final outcome (logged in or not).
Login forms that are connected to a database of users are often developed in such a way that the web application isn't interested in the content of the username and password, only in whether the two make a matching pair in the users table.
The web application is asking the database "Do you have the username `user` with the password `password`?", and the database replies with either a row (True) or no row (False). Depending on that answer, the web application decides whether to let you proceed or not.
- Website Processing Query:
  - The `username` and `password` values are taken from the login form fields and placed straight into the query string:
  - `select * from users where username='username' and password='password' LIMIT 1;`
- Making the Query Return True:
  - Payload (typed into the USERNAME field, after any username text such as `user`):
  - `' OR 1=1;--`
  - Because `1=1` is a true statement and we used an `OR` operator, the `WHERE` clause is true for every row, so the query always returns at least one row (the first row in the table). The `--` turns the rest of the application's query, including the `and password='...'` check and the `LIMIT 1`, into a comment. This satisfies the web application's logic that the database found a valid username/password combination and that access should be allowed. The same payload works in the PASSWORD field too, because `AND` binds tighter than `OR`: `username='' and password='' OR 1=1` evaluates as `(username='' and password='') OR 1=1`.
  - Resulting Query (payload in the USERNAME field; everything after `--` is ignored by the database as a comment):
  - `select * from users where username='user' OR 1=1;-- ' and password='***********' LIMIT 1;`
- Login Field:
┌──────────┐
| USERNAME | ➜ user' OR 1=1;--
|──────────|
| PASSWORD | ➜ ***********
└──────────┘
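The bypass above, worked end to end in an added example (not code from the original notes): a login routine that concatenates the form values into the query, beside a parameterised version that is immune to the payload. The `users` rows, the `make_db`, `vulnerable_login` and `safe_login` helpers, and the use of SQLite are all assumptions made for this example; the vulnerable query text is the one the notes describe.

```python
import sqlite3

# Constructed sample data (not from the notes): two accounts in a users table.
SAMPLE_USERS = [
    ("admin", "S3cr3t!"),
    ("alice", "pass123"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, exactly like the notes'
    select * from users where username='...' and password='...' LIMIT 1;

    Database errors are swallowed (the blind condition): the caller only ever
    learns True/False from whether a row came back, never an error message.
    Returns the matched username, or None when the login fails.
    """
    query = (
        "select * from users where username='" + username
        + "' and password='" + password + "' LIMIT 1;"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None  # error messages disabled: a broken query looks like "no match"
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised version: the driver passes the values separately from the
    SQL text, so a quote in the input cannot change the query structure."""
    row = conn.execute(
        "select * from users where username=? and password=? LIMIT 1;",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "user' OR 1=1;--"  # the notes' payload, typed into the USERNAME field
    # The concatenated query becomes:
    #   select * from users where username='user' OR 1=1;-- ' and password='wrong' LIMIT 1;
    # Every row matches, the remainder is a comment, and the first row (admin) is returned.
    print("vulnerable:", vulnerable_login(conn, payload, "wrong"))  # admin
    print("safe:      ", safe_login(conn, payload, "wrong"))        # None
```

Note that with the `--` in place the `LIMIT 1` never reaches the database, so which account you land in is simply whichever row the engine returns first; an attacker can pin it by replacing `1=1` with `username='admin'`. The parameterised query returns nothing for the payload because the whole string `user' OR 1=1;--` is compared literally against the `username` column.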