turbot/tailpipe-mod-apache-access-log-detections

Detection: SQL Injection Blind Based

Overview

Detect blind SQL injection attacks that attempt to extract information from the database using boolean conditions or time delays. Blind SQL injection occurs when an application is vulnerable to SQL injection but does not display database error messages or query results directly. Instead, attackers must infer information by observing differences in application behavior, such as a changed response or a delayed reply, caused by the injected boolean conditions or time delays.

This detection identifies patterns commonly used in blind SQL injection, including:

  • Conditional statements (AND 1=1, AND 1=2) that manipulate query logic
  • String manipulation functions like SUBSTR and ASCII used to extract data character by character
  • Comparison operations used to test data values
  • URL-encoded variants of these techniques designed to evade detection

Blind SQL injection attacks are particularly stealthy as they don't rely on visible error messages or direct data retrieval, making them harder to detect through traditional means.


Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.sql_injection_blind_based

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_blind_based --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Blind condition checks
    request_uri ilike '%and%1=1%'
    or request_uri ilike '%and%1=2%'
    or request_uri ilike '%case%when%'
    or request_uri ilike '%substr%(%'
    or request_uri ilike '%substring%(%'
    or request_uri ilike '%ascii%(%'
    or request_uri ilike '%length%(%'
    or request_uri ilike '%benchmark%(%'
    -- Blind patterns with comparison operators
    or request_uri ilike '%and+1>0%'
    or request_uri ilike '%and+1<2%'
    or request_uri ilike '%and+ascii(substring%'
    or request_uri ilike '%and+length(%)%'
    -- URL encoded variants common in blind injections
    or request_uri ilike '%and%28select%'
    or request_uri ilike '%and%28case%'
  )
  and request_uri not ilike '%rand%'
order by
  tp_timestamp desc;
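To see what the WHERE clause above actually selects, here is an added Python example (not part of the mod or of Tailpipe) that translates the query's ILIKE patterns into regular expressions, parses a few constructed Apache "combined" log lines, and applies the same match-then-exclude logic to each request_uri. Everything here is an assumption for illustration: the log lines, IP addresses and user agents are constructed, and the parser is a minimal one for the combined format rather than Tailpipe's own collector. The comment on the `%28` patterns points out a LIKE subtlety in the query: inside an ILIKE pattern, `%` is a wildcard, so `'%and%28select%'` matches `and%28select` (the intended URL-encoded `(`) but also any `and...28select`.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# ILIKE patterns copied verbatim from the detection query above (raw request_uri, no URL decoding).
BLIND_SQLI_PATTERNS = [
    # Blind condition checks
    "%and%1=1%", "%and%1=2%", "%case%when%", "%substr%(%", "%substring%(%",
    "%ascii%(%", "%length%(%", "%benchmark%(%",
    # Blind patterns with comparison operators (literal '+' as the URL-encoded space)
    "%and+1>0%", "%and+1<2%", "%and+ascii(substring%", "%and+length(%)%",
    # URL encoded variants: in a LIKE pattern '%28' is a wildcard followed by '28',
    # so '%and%28select%' matches 'and%28select' but equally 'and...28select'.
    "%and%28select%", "%and%28case%",
]
# The query's false-positive guard: 'and request_uri not ilike %rand%' (drops e.g. /brands, /random).
EXCLUDE_PATTERN = "%rand%"


def ilike_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL (I)LIKE pattern into a compiled case-insensitive regex.
    '%' matches any run of characters, '_' exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


POSITIVE = [(p, ilike_to_regex(p)) for p in BLIND_SQLI_PATTERNS]
EXCLUDE = ilike_to_regex(EXCLUDE_PATTERN)


def matched_patterns(request_uri: Optional[str], apply_exclusion: bool = True) -> List[str]:
    """Return the query patterns satisfied by the URI, with the same semantics as the WHERE clause.
    apply_exclusion=False shows what the '%rand%' guard would otherwise have suppressed."""
    if request_uri is None:                      # 'request_uri is not null'
        return []
    if apply_exclusion and EXCLUDE.match(request_uri):
        return []
    return [p for p, rx in POSITIVE if rx.match(request_uri)]


def is_blind_sqli(request_uri: Optional[str]) -> bool:
    return bool(matched_patterns(request_uri))


# Minimal parser for the Apache "combined" log format (assumption: a single-line, well-formed entry).
LOG_RE = re.compile(
    r'^(?P<source_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<user_agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    rec["timestamp"] = datetime.strptime(m.group("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detection over raw log lines; newest first, mirroring 'order by tp_timestamp desc'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                              # unparseable line: skip, as the collector would
        hits = matched_patterns(rec["uri"])       # type: ignore[arg-type]
        if hits:
            findings.append({**rec, "patterns": hits})
    return sorted(findings, key=lambda r: r["timestamp"], reverse=True)  # type: ignore[arg-type,return-value]


# Constructed sample input (documentation IP ranges, invented paths); not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /products?id=5%20and%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:56:40 +0000] "GET /item?id=1%20and%20substring(version(),1,1)=5 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2024:13:57:12 +0000] "GET /brands/random?id=42&sort=ascii(name) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:58:03 +0000] "GET /report?id=7+and+1>0 HTTP/1.1" 500 0 "-" "curl/8.0"',
    'this line is not in the combined format and is skipped',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG_LINES):
        print(f["timestamp"], f["source_ip"], f["uri"], f["patterns"])
```

Running the block lists three findings (the /report, /item and /products requests, newest first). The /brands/random line contains `ascii(` and would match `%ascii%(%`, but the `%rand%` guard removes it; that guard cuts false positives from paths containing "brand" or "random", at the cost of also suppressing matches on such paths, which is worth knowing when tuning the detection for a given site.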

Tags