Hi, I noticed you'd been getting busy on the SQL labs! So yes, the intention is you can solve that lab without using time delays. Ideally I'd make it so you could only solve it the intended way, but that's a bit tricky to implement. I've actually forgotten the payload I used when I created the lab, but this variation of your payload works: ' AND (SELECT 1/(CASE WHEN (SUBSTR(token, 1, 1) = 'a') THEN 0 ELSE 1 END) FROM flag LIMIT 1)=1-- Hope you're having fun :)
Hi,
I would like to know whether I made a mistake in this lab, whether the title is misleading, or if the lab itself is broken.
I attempted to complete the lab using a classic boolean error‑based technique. For example, I tried payloads like:
' AND (SELECT CASE WHEN (SUBSTR(token, 1, 1) = '0') THEN 1/0 ELSE 1 END FROM flag LIMIT 1)=1--
However, this approach never worked. It seems that the THEN 1/0 part always triggers a server error, regardless of whether the condition is true or false, which makes boolean error‑based exfiltration unreliable or impossible in this lab.
I tested multiple variations (CASE WHEN, SUBSTRING, LIMIT 1, etc.) with the same result.
After further testing, I confirmed that the backend appears to be PostgreSQL and that time‑based payloads using pg_sleep() work reliably. Using a time‑based approach, I was able to successfully extract the flag.
So my question is:
– Is there something I missed with boolean error‑based techniques in this lab?
– Or is the lab intentionally solvable only via time‑based injection, despite the title suggesting boolean error‑based exfiltration?
Thanks in advance for any clarification.
:=)
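Why the two payloads in this thread behave differently, as an added illustration that is not part of either post: PostgreSQL constant-folds a literal 1/0 while planning the statement, before any CASE arm is chosen, whereas a divisor that depends on a column value is only evaluated per row at execution time. The table and row below are constructed stand-ins for the lab's data; only the names "flag" and "token" come from the thread.

```sql
-- Constructed stand-in for the lab's table; the table name "flag" and
-- column name "token" are taken from the payloads quoted in the thread.
CREATE TEMP TABLE flag (token text);
INSERT INTO flag VALUES ('abc123');

-- Pattern from the question: a literal 1/0 inside a CASE arm.
-- The planner simplifies immutable expressions over constants before
-- execution, and it does so inside every CASE arm it keeps, so 1/0 is
-- evaluated (and raises "division by zero") at planning time whether
-- or not the WHEN condition holds. The condition below is false for
-- the sample row, yet the statement still fails, which matches what
-- the question observed.
SELECT CASE WHEN SUBSTR(token, 1, 1) = '0' THEN 1/0 ELSE 1 END
FROM flag LIMIT 1;

-- Pattern from the reply: the CASE expression is the divisor.
-- Its value depends on the row, so there is no constant to fold and
-- the division only happens at execution time. For the sample row the
-- condition is false, the divisor is 1, and no error is raised.
SELECT 1/(CASE WHEN SUBSTR(token, 1, 1) = '0' THEN 0 ELSE 1 END)
FROM flag LIMIT 1;

-- Same shape with a condition that holds for the sample row: the
-- divisor now evaluates to 0 at execution time, so this one errors.
SELECT 1/(CASE WHEN SUBSTR(token, 1, 1) = 'a' THEN 0 ELSE 1 END)
FROM flag LIMIT 1;
```

Whether a given payload errors is a property of the database's planner rather than a control; the defensive fix is to bind user input as a query parameter so that neither string is ever parsed as SQL.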