Rapid7 Vulnerability & Exploit Database

Blind SQL Injection


Severity: 9
CVSS: (AV:N/AC:L/Au:N/C:C/I:P/A:P)
Published: 01/01/2005
Created: 07/25/2018
Added: 12/29/2010
Modified: 06/20/2013

Description

Web applications usually store information in a SQL server in order to, for example, show it to other users. When the application developer uses unvalidated user-controlled variables as part of a SQL query, a SQL injection or Blind SQL injection vulnerability is introduced into the application.

When an attacker executes SQL injection attacks, the server sometimes responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a potentially useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential Blind SQL injection vulnerability more difficult but not impossible. An attacker can still retrieve valuable information and potentially execute operating system commands by asking a series of True and False questions through SQL statements.
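The following is an added example, not part of the Rapid7 entry. It contrasts a query built by string concatenation with a parameterized one and checks whether the response still changes with a condition carried in the input. The `products` table, the function names, and the use of SQLite through Python's `sqlite3` in place of a SQL server are assumptions made for illustration.

```python
import sqlite3

GENERIC_PAGE = "No results."  # shown on no match and on any database error

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO products (name, hidden) VALUES (?, ?)",
                   [("widget", 0), ("gadget", 0), ("prototype", 1)])
    return db

def render(rows):
    return ", ".join(r[0] for r in rows) or GENERIC_PAGE

def search_vulnerable(db, name):
    # Unvalidated input is concatenated into the SQL text, so it can alter the query.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + name + "'"
    try:
        return render(db.execute(sql).fetchall())
    except sqlite3.Error:
        return GENERIC_PAGE  # error detail is hidden, which is what makes the flaw "blind"

def search_parameterized(db, name):
    # The value is bound to a placeholder and is only ever compared as data.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    try:
        return render(db.execute(sql, (name,)).fetchall())
    except sqlite3.Error:
        return GENERIC_PAGE

def response_depends_on_injected_condition(search, db):
    # Regression check: the same value with an always-true and an always-false
    # condition appended. A safe handler gives the same response for both.
    true_case = search(db, "widget' AND '1'='1")
    false_case = search(db, "widget' AND '1'='2")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__, "answers true/false questions:",
              response_depends_on_injected_condition(fn, db))
```

Hiding the database error behind a generic page does not remove the flaw: the concatenated query still returns different pages for the two inputs, while the parameterized query returns the same page for both.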

Solution(s)

  • http-generic-scritp-blind-sql-injection
