Boolean-based SQL injection is a type of SQL injection attack that exploits the boolean logic in SQL queries. In this comprehensive guide, we will delve into the intricacies of this vulnerability, exploring various payloads and techniques used to exploit it effectively.
First, a word on the term boolean. In computing, a boolean is a value that can take exactly one of two states, true or false, conventionally encoded as 1 and 0. For our purposes that binary nature is what matters: a boolean variable is either 0 (false) or 1 (true), nothing else.
To qualify as boolean-based SQL injection, the injection must be blind: the application never echoes query results back, so the attacker can only observe whether the page behaves as it does for a true condition or for a false one, and infers data from that difference. This characteristic distinguishes boolean-based SQL injection from other types of injection attacks.
The most common payload used in boolean-based SQL injection is the ' OR 1=1 statement. This payload leverages the boolean logic in SQL to always evaluate to true, effectively bypassing authentication mechanisms or filtering conditions set by the application.
However, it's essential to note that boolean-based SQL injection attacks can be slow due to the need to enumerate all possibilities by iterating through true and false conditions. This iterative process increases the time required for the attack to yield results but can ultimately lead to successful exploitation if executed patiently and meticulously.
Suppose we have a vulnerable login form that uses SQL queries to authenticate users:
Now, let's say the attacker wants to bypass the authentication and gain unauthorized access. They can input the following username and password:
Username: admin' OR 1=1 --
Password: anything you want
After injection, the SQL query becomes:
In this modified query:
The OR 1=1 part always evaluates to true, so the WHERE clause matches every row regardless of the password supplied.
The -- at the end starts a SQL comment, so the database ignores the rest of the original query, including the password check that followed the injection point.
As a result, the query returns the first row that matches, typically the first user stored in the table (often the admin account), and the application treats the attacker as that user.