Yesterday I got an email from Chema Alonso, who told me about his recent paper titled "Time-Based Blind SQL Injection with Heavy Queries", which explores blind SQL injection techniques that use time-based delays to infer values in the database that cannot be read directly. The technique uses heavy queries (built with anti-tuning techniques) that deliberately take a long time to run depending on whether a condition in the WHERE clause turns out to be TRUE or FALSE. It can also use packages such as xp_cmdshell in SQL Server or DBMS_LOCK in Oracle to cause a specific delay. In this way the hacker doesn't need to see any data coming back, but simply needs to observe the response time of the query. The paper looks at a technique of creating badly performing queries that execute or not based on a value (any value) in the database. This way a "Newton-Raphson" like technique can be used to home in on the value sought, based on whether the query takes a long time or runs quickly.
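From the defender's side, the footprint this leaves is distinctive: one client sends many requests to the same endpoint and the response times split into a fast mode and a slow mode, because each probe either triggers the heavy query or does not. The following is an added example, not code from the paper or from this post, that applies that heuristic to a constructed set of access-log lines (the log format, field order and thresholds are assumptions):

```python
import re
import statistics
from collections import defaultdict

# Constructed sample access log (not real traffic): client, method,
# path?query, status, response time in ms. Parameter values are opaque
# placeholders; the point is the timing pattern, not the request content.
SAMPLE_LOG = """
10.0.0.5 GET /item?id=a1 200 38
10.0.0.5 GET /item?id=a2 200 5120
10.0.0.5 GET /item?id=a3 200 42
10.0.0.5 GET /item?id=a4 200 5090
10.0.0.5 GET /item?id=a5 200 40
10.0.0.5 GET /item?id=a6 200 5211
10.0.0.5 GET /item?id=a7 200 39
10.0.0.5 GET /item?id=a8 200 5003
10.0.0.9 GET /item?id=3 200 44
10.0.0.9 GET /item?id=4 200 41
10.0.0.9 GET /search?q=x 200 210
10.0.0.9 GET /search?q=y 200 4800
"""

# Assumed log layout; the query string is stripped so probes group by path.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\?\S*)? (\d{3}) (\d+)$")

def parse(log):
    """Yield (client, path, response_ms) for every well-formed line."""
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            client, _method, path, _status, ms = m.groups()
            yield client, path, int(ms)

def find_timing_oracles(log, min_requests=6, slow_ratio=10.0):
    """Flag (client, path) pairs whose response times form two clusters,
    the slow one at least `slow_ratio` times the fast one, with both
    clusters well represented. A single slow request is never flagged."""
    groups = defaultdict(list)
    for client, path, ms in parse(log):
        groups[(client, path)].append(ms)
    flagged = []
    for (client, path), times in groups.items():
        if len(times) < min_requests:
            continue
        times.sort()
        # Split the sorted times at the largest gap between neighbours.
        gap, i = max((times[k + 1] - times[k], k) for k in range(len(times) - 1))
        fast, slow = times[:i + 1], times[i + 1:]
        share = min(len(fast), len(slow)) / len(times)
        fast_ms, slow_ms = statistics.median(fast), statistics.median(slow)
        if share >= 0.25 and slow_ms >= slow_ratio * max(fast_ms, 1):
            flagged.append({"client": client, "path": path, "requests": len(times),
                            "fast_ms": fast_ms, "slow_ms": slow_ms})
    return flagged
```

Tune `min_requests` and `slow_ratio` to the application's normal latency spread; endpoints that are legitimately slow for some inputs will need a higher ratio or an allow-list.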
This is a nice paper summarising the techniques.