SQL injection has been around for a long time, but it is still not old news, at least for attackers. Attackers will take whatever path they can to reach an exploit. The simpler the path, the better. However, sometimes they need to use a little more elbow grease.

That’s where blind SQL injection comes in. If an attacker were a magician, this attack would be the last handkerchief out of his SQL injection sleeve.

What Is Blind SQL Injection?

The Open Web Application Security Project (OWASP) gave the following definition of blind SQL injection:

“Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the Web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”

This is called a blind attack because the actor can’t easily see the intended target without asking the important questions. An attacker typically uses blind SQL injection if traditional methods continually fail to glean information. Blind injection is a last resort.

Blind SQL Injection Attack Metrics

IBM Managed Security Services continuously monitors billions of events reported every year by client devices in over 100 countries. Analysis of the blind SQL injection data accumulated between Jan. 1, 2015, and Nov. 30, 2015, revealed some interesting findings.

Clearly, traditional SQL injection attempts win out over blind SQL injection attempts, but there are some months when attackers make a concerted effort against their targets to use blind SQL injection.

Mitigating Blind SQL Injection

Without investing time into testing, it’s virtually impossible to tell if your database deployment and its front-end infrastructure are vulnerable to blind SQL injections. SQL injection testing tools can help organizations identify SQL weaknesses in applications — but attackers can use those same tools to find entry points into the same applications.
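
The check below is an added example, not code from the original article or from IBM. It shows a lookup that returns only generic messages yet still answers true/false questions, next to a parameterized version that does not. The table, function names and sample data are constructed for illustration, and an in-memory SQLite database stands in for the real back end.

```python
import sqlite3

def make_db():
    # Constructed sample data: in-memory database with one small table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("A100", "widget"), ("B200", "gadget")])
    return db

def lookup_vulnerable(db, sku):
    # Vulnerable: user input is concatenated into the SQL text.
    # Database errors are replaced by a generic message, which hides the
    # flaw from casual inspection but does not remove it.
    try:
        row = db.execute(
            "SELECT name FROM products WHERE sku = '" + sku + "'").fetchone()
    except sqlite3.Error:
        return "An error occurred"
    return "Found" if row else "Not found"

def lookup_parameterized(db, sku):
    # Hardened: input is bound as data and is never parsed as SQL.
    try:
        row = db.execute(
            "SELECT name FROM products WHERE sku = ?", (sku,)).fetchone()
    except sqlite3.Error:
        return "An error occurred"
    return "Found" if row else "Not found"

def has_boolean_oracle(lookup, db, known_good):
    # The handler leaks a true/false channel when an always-true and an
    # always-false condition appended to a valid value produce different
    # responses. With bound parameters both inputs are just unknown SKUs.
    when_true = lookup(db, known_good + "' AND '1'='1")
    when_false = lookup(db, known_good + "' AND '1'='2")
    return when_true != when_false

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:",
          has_boolean_oracle(lookup_vulnerable, db, "A100"))
    print("parameterized handler leaks:",
          has_boolean_oracle(lookup_parameterized, db, "A100"))
```

A check of this shape can run as a regression test against each input-handling function, so that a change which reintroduces string concatenation fails the build.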
