Inferential (Blind) SQL Injection

Boolean-Based

Boolean-based SQL injection is named for the response we receive to our injection attempts: true/false, yes/no, on/off, 1/0, or any response that can have only two outcomes.

The goal of this method is to use the ... like '%';-- pattern to find the database, then its tables and columns, and after that a potential username and password.

Example:

admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
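
The following added example (not part of the original page) shows why the payload above produces a two-outcome signal when input is concatenated into the query, and why a bound parameter removes that signal. The username-check functions, the SQLite backend and the users table contents are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, not taken from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'apple-constructed')")
    return conn

def username_taken_vulnerable(conn, name):
    # Hypothetical endpoint logic: input is concatenated into the SQL text,
    # so a quote in `name` ends the string literal and the rest parses as SQL.
    sql = ("SELECT id, username, password FROM users "
           "WHERE username = '" + name + "' LIMIT 1")
    return conn.execute(sql).fetchone() is not None

def username_taken_safe(conn, name):
    # Bound parameter: `name` is only ever compared as data, never parsed.
    sql = "SELECT id, username, password FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (name,)).fetchone() is not None

# The page's Boolean-based payload, plus the same payload with a prefix
# that does not match the constructed password.
PAGE_PAYLOAD = ("admin123' UNION SELECT 1,2,3 from users "
                "where username='admin' and password like 'a%")
NO_MATCH = PAGE_PAYLOAD[:-2] + "z%"

def compare():
    conn = make_db()
    return {
        # The answer follows the LIKE condition: a true/false oracle.
        "vulnerable": (username_taken_vulnerable(conn, PAGE_PAYLOAD),
                       username_taken_vulnerable(conn, NO_MATCH)),
        # No user has either string as a name, so both are False.
        "safe": (username_taken_safe(conn, PAGE_PAYLOAD),
                 username_taken_safe(conn, NO_MATCH)),
    }

if __name__ == "__main__":
    print(compare())
```

With the parameterized query both inputs give the same answer, so the response no longer depends on the injected condition.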

Time-Based

Same as Boolean-based, but without a visual indicator. Instead, the indicator is the time the query takes to complete. To perform it, we use the built-in method SLEEP(x) alongside the UNION statement.

The SLEEP() method will only ever get executed upon a successful UNION SELECT statement.

Example:

admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';--
