Blind SQL injection with time delays - KA4KA4/PortSwigger-SQL-injection-Labs GitHub Wiki
Hello. Today we are going to talk about a new type of SQL injection called Blind SQL Injection. Before we start we need to know what blind SQL injection is and how it works.
- What is blind SQL injection?
It is a type of SQL injection attack in which the attacker sends malicious SQL to the database but the result of the query is not returned in the response. Instead, the attacker asks the database true or false questions and determines the answer based on the application's response.
- Here are some types of blind SQL injection:
- Time-Based Blind SQL Injection
- Error-Based Blind SQL Injection
- Content-Based Blind SQL Injection
- Out-of-Band Blind SQL Injection
This lab targets Time-Based Blind SQL Injection: we send a query that asks the database a question and infer whether it was executed by detecting a time delay. If our question to the database is true, the delay is executed; if not, the response is returned directly.
Now access the lab and send the request to Repeater:
Now we need the query that we will send. PortSwigger simplifies this by collecting the queries into one web page; check the link https://portswigger.net/web-security/sql-injection/cheat-sheet
Go to Time delays:
Note: in real-life testing or bug hunting you should try all of the queries and not just depend on the PortSwigger cheat sheet. Here the database is PostgreSQL.
Now the query is as follows:
'||pg_sleep(10)--
- Explain: first break the query syntax with ' then use || for string concatenation and pass the query. Then use the PostgreSQL function pg_sleep(10) to sleep for 10 seconds; the "10" value is the number of seconds to sleep. End the query with the -- comment, which tells the database to ignore anything after it.
Now send the query.
Note: the response is delayed for 10 seconds. This means the application is vulnerable to SQL injection. In real life we can add a condition and ask the database whether a name exists inside the database: if it exists the response will be delayed, if not it will return directly.
And now we have solved the lab.
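From the defender's side, the same delay is also the signal to hunt for in logs. The following is an added example, not part of the original writeup: it scans constructed access-log lines for the time-delay primitives from the cheat sheet (pg_sleep, sleep(), WAITFOR DELAY, dbms_pipe) in URL-decoded paths and cookies, and corroborates with response latency. The log format, the TrackingId cookie name and the 5-second threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the lab): method, path,
# status, response time in ms, then the raw Cookie header value.
SAMPLE_LOG = """\
GET /product?id=3 200 41 session=abc; TrackingId=x1y2z3
GET /product?id=3 200 10052 session=abc; TrackingId=x1y2z3'||pg_sleep(10)--
GET /search?q=%27%20or%20sleep%2810%29%23 200 9998 session=def
GET /cart 200 37 session=ghi; TrackingId=plain
GET /report 200 6100 session=jkl
"""

# Time-delay primitives for the engines on the cheat sheet:
# PostgreSQL pg_sleep, MySQL sleep(), MSSQL WAITFOR DELAY, Oracle dbms_pipe.
DELAY_RE = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|dbms_pipe\.receive_message",
    re.IGNORECASE,
)
SLOW_MS = 5000  # latency threshold in ms (assumed); tune to the app's baseline


def parse_line(line):
    """Split one constructed log line into fields, URL-decoding user input."""
    method, path, status, ms, cookie = line.split(" ", 4)
    return {"method": method, "path": unquote(path), "status": int(status),
            "ms": int(ms), "cookie": unquote(cookie)}


def classify(entry):
    """Return why a request looks like a time-based probe (empty if clean).

    A delay primitive in user-controlled input is the strong signal; a slow
    response alone only corroborates it, since some pages are simply slow.
    """
    reasons = []
    if DELAY_RE.search(entry["path"]) or DELAY_RE.search(entry["cookie"]):
        reasons.append("delay_primitive")
    if entry["ms"] >= SLOW_MS:
        reasons.append("slow_response")
    return reasons


def scan(log_text):
    """Return (entry, reasons) for every log line with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            reasons = classify(entry)
            if reasons:
                findings.append((entry, reasons))
    return findings
```

A request that carries a delay primitive and also took about as long as the requested sleep is the pattern worth alerting on; the latency-only hits are where the threshold needs tuning.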
Thank you 🥇