I am trying to understand the concept of Boolean Based Blind SQL Injection. I have gone through the OWASP Guide To SQLi to understand it. However, I am confused about how exactly it works. Below is what I understand from the article in the above link. Please let me know if my understanding is correct or if I am misunderstanding something.

So as per the link above, we assume a sample URL where the vulnerable parameter is 'id' as:

http://www.example.com/index.php?id=1'

So the corresponding query being executed on the server could be:

SELECT field1, field2, field3 FROM Users WHERE Id='$Id' 

Now assuming that Users contains a field named Username, we want to extract the value of the Username field where id=1 using our boolean technique. So we try to guess this value character by character by doing this:

$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1 

The article says that we keep increasing the ASCII value from 97 onwards 1 by 1 whenever we find the evaluation to be false.

Now the problem here is how to find whether the result that gets returned from the above query is TRUE or FALSE.

So to solve this problem, the article says that we try to perform the following before we try the above:

$Id=1' AND '1' = '2 so this would generate the query SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'.

After the execution of the above query, the server would return a certain status (a page, a redirection etc.). Now since 1=2 will always be evaluated to FALSE, we would get to know what happens in the event of a FALSE result returned from a query.

Now we can match this result with the result that we get by the execution of $Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1 and thus conclude if the test against 97 (or any specific ASCII value) evaluates to TRUE or FALSE.

  1. Is my understanding of the above correct?
  2. If yes, then in the query, $Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1, why do we need the part after the AND? I mean, can't we confirm the result (as confirmed in the analysis above) without the bold part of the query? Why is the bold part of the query really needed?
  3. Since in this technique also we are basically trying to see the error page and distinguish it from the success page, should it not be considered as an error based SQLi rather than calling it boolean based?
Anders
qre0ct

1 Answer

Is my understanding of the above correct?

Yes, your understanding is correct.

If yes, then in the query, $Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1, what is the need of the bold part above? I mean, can't we confirm the result (as confirmed in the analysis above) without the bold part of the query? Why is the bold part of the query really needed?

For exploiting a SQL injection successfully it is necessary that the resulting SQL is valid. The trailing AND '1'='1 is to fit the injected code into the existing statement. Since we escaped from a string literal with 1' at the beginning, we need to introduce a new string literal at the end. However, one could also use AND ASCII(SUBSTRING(username,1,1))='97 as MySQL can compare strings with integer values.

Since in this technique also we are basically trying to see the error page and distinguish it from the success page, should it not be considered as an Error Based SQLi rather than calling it Boolean Based?

Error-based SQL injection would be the case when the server would respond with the actual technical error message like:

#1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Here you can see which portion of the resulting SQL did fail and you may reason how to fix it up with the injection.

In boolean-based SQL injection all you see is just a different behavior on different inputs. This different behavior may include the response of an error message, but unless it’s one with technical details that tell what went wrong it doesn’t help you more than any other boolean behavior.

Gumbo
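The answer's two points, that the trailing AND '1'='1 exists only to keep the resulting statement syntactically valid and that a boolean oracle is nothing more than two distinguishable outcomes, can be checked directly. The following Python example is added here and is not code from the question or the answer. It stands in for the PHP/MySQL page with an in-memory SQLite table holding constructed sample rows, so the error text for the unbalanced input is SQLite's rather than the MySQL #1064 message quoted above; the ASCII(SUBSTRING()) payload is left out because those function names are MySQL-specific. The same probes are run against the string-concatenated query from the question and against a parameterised version, which is the fix: on the fixed query the "true" and "false" inputs are ordinary lookups that both return no row, so there is no oracle left to read.

```python
import sqlite3

# Constructed sample data (not from the original post): a stand-in for the Users table.
USERS = [("1", "alice"), ("2", "bob")]


def make_db():
    """Return an in-memory SQLite connection holding the sample Users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Id TEXT PRIMARY KEY, Username TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return con


def vulnerable_lookup(con, raw_id):
    """The query from the question: the id is spliced into the SQL text.

    Returns a coarse outcome, which is all an outside observer ever sees:
    'row' (a result came back), 'no_row' (empty result) or 'error' (invalid SQL).
    """
    sql = f"SELECT Username FROM Users WHERE Id='{raw_id}'"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # Invalid SQL, e.g. an unterminated string literal left by the input.
        return ("error", str(exc))
    return ("row", row[0]) if row else ("no_row", None)


def safe_lookup(con, raw_id):
    """The same query with a bound parameter: the input is data, never SQL."""
    row = con.execute("SELECT Username FROM Users WHERE Id=?", (raw_id,)).fetchone()
    return ("row", row[0]) if row else ("no_row", None)


# The inputs discussed in the thread, plus the normal request as a baseline.
PROBES = {
    "baseline": "1",
    "always_true": "1' AND '1'='1",   # closing literal keeps the SQL valid; condition holds
    "always_false": "1' AND '1'='2",  # closing literal keeps the SQL valid; condition fails
    "unbalanced": "1' AND 1=2",       # no closing literal: the template's quote is left dangling
}


def outcomes(lookup):
    """Run every probe through one lookup function and record the outcome class."""
    con = make_db()
    return {name: lookup(con, value)[0] for name, value in PROBES.items()}


def is_boolean_injectable(lookup):
    """Regression check for the fix: a sound endpoint answers the true and false probes identically."""
    seen = outcomes(lookup)
    return seen["always_true"] != seen["always_false"]


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_lookup), ("parameterised", safe_lookup)):
        print(name, outcomes(fn), "boolean oracle present:", is_boolean_injectable(fn))
```

On the vulnerable function the four probes come back as row, row, no_row and error: the first two are indistinguishable from a normal request, the third looks like a lookup of a non-existent id, and only the unbalanced input (the one without the closing literal the question asks about) produces the syntax error the answer describes. On the parameterised function every non-baseline probe is simply an id that does not exist, so is_boolean_injectable returns False; that comparison is a cheap test to keep in a suite after fixing such a query.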