Let's consider a simpler scenario in which the application does not process the payload asynchronously. This is by far the more common case. In a blind injection scenario we typically use conditional statements in the injected query to infer data from the database one piece at a time. If the vulnerability in the preceding example were not asynchronous, we could introduce a significant delay into the response. Combining that delay with a traditional if-then-else lets us draw conclusions about the data we are trying to retrieve.
The high-level pseudocode we'd use for this type of attack looks like this:
    if password starts with 'a'  delay(5 seconds) else return false
    if password starts with 'aa' delay(5 seconds) else return true
    if password starts with 'ab' delay(5 seconds) else return false
    [...]
We could repeatedly check the contents of the password field for a particular user simply by observing the server's response time. In the preceding pseudocode, after the first three iterations, we'd be...
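From the defender's side, the same timing behaviour is what gives this technique away in server logs: probes that carry a database delay primitive in a parameter, and a single client whose otherwise identical requests alternate between normal and roughly delay-length response times. The following Python script is an added example, not code from the book, and it assumes a hypothetical, constructed access-log format of `client method path+query status response-ms`; the sample lines embedded in it are constructed for illustration.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed sample access-log lines in a hypothetical format:
#   client  method  path+query  status  response-time-ms
SAMPLE_LOG = """\
10.0.0.5 GET /login?user=alice&pw=secret 200 41
10.0.0.5 GET /profile?id=7 200 38
10.0.0.9 GET /profile?id=7%20AND%20IF(SUBSTRING(password,1,1)='a',SLEEP(5),0) 200 5042
10.0.0.9 GET /profile?id=7%20AND%20IF(SUBSTRING(password,1,2)='aa',SLEEP(5),0) 200 44
10.0.0.9 GET /profile?id=7%20AND%20IF(SUBSTRING(password,1,2)='ab',SLEEP(5),0) 200 5039
10.0.0.9 GET /profile?id=7;%20WAITFOR%20DELAY%20'0:0:5'-- 500 5011
10.0.0.9 GET /profile?id=7%20AND%20pg_sleep(5) 200 47
10.0.0.2 GET /profile?id=8 200 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Delay primitives used by time-based blind injection across common engines
# (MySQL SLEEP/BENCHMARK, PostgreSQL pg_sleep, MSSQL WAITFOR DELAY).
DELAY_RE = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; the query string is URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status, ms = m.groups()
    path, _, query = target.partition("?")
    return {"client": client, "method": method, "path": path,
            "query": urllib.parse.unquote_plus(query),
            "status": int(status), "ms": int(ms)}


def has_delay_payload(query):
    """True if a decoded query string contains a database delay primitive."""
    return bool(DELAY_RE.search(query))


def analyse(log_text, slow_ms=4000):
    """Per-client counters: payload signature hits and slow/fast response split."""
    findings = defaultdict(lambda: {"payload_hits": 0, "slow": 0, "fast": 0, "requests": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        f = findings[rec["client"]]
        f["requests"] += 1
        if has_delay_payload(rec["query"]):
            f["payload_hits"] += 1
        if rec["ms"] >= slow_ms:
            f["slow"] += 1
        else:
            f["fast"] += 1
    return dict(findings)


def suspicious_clients(log_text, slow_ms=4000):
    """Clients flagged by either signal: a delay primitive in a parameter, or a
    bimodal timing profile (normal and delay-length responses from one client)."""
    flagged = []
    for client, f in analyse(log_text, slow_ms).items():
        bimodal = f["slow"] > 0 and f["fast"] > 0 and f["requests"] >= 3
        if f["payload_hits"] > 0 or bimodal:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, f in analyse(SAMPLE_LOG).items():
        print(client, f)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The timing signal matters because WAF-style signature matching on `SLEEP(` or `WAITFOR DELAY` is easily evaded by encoding or alternative functions, whereas the bimodal response-time pattern is inherent to the inference loop itself; the `slow_ms` threshold should sit well below the delay an attacker would choose but above the application's normal tail latency. The lasting fix remains parameterised queries, which remove the injection point rather than the symptom.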