Lab 13 : Blind SQL injection with time delays

Problem Statement :


This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.


To solve this lab we will be using time delays.


You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.

Oracle       dbms_pipe.receive_message(('a'),10)
Microsoft    WAITFOR DELAY '0:0:10'
PostgreSQL   SELECT pg_sleep(10)
MySQL        SELECT SLEEP(10)

Conditional time delays


You can test a single boolean condition and trigger a time delay if the condition is true.

Oracle       SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
Microsoft    IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
PostgreSQL   SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQL        SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')

The solution was simple in this case, because the lab only asks us to create the time delay.

As discussed above, try each of the payloads in turn (Oracle, Microsoft SQL Server, PostgreSQL, MySQL), since we don't know which database the site is using: the one that stalls the response identifies the backend.

Let's see the steps.

  1. Here we get nothing back from the query: no data and no error, so we cannot tell a true condition from a false one by looking at the response. The only thing we can observe is how long the response takes, and that is what the time delay technique uses.

The example below is from a MySQL database. When the condition is true, i.e. it matches the values inside the database, the delay branch is triggered and the response is held for the number of seconds we defined; when it is false, the response comes back immediately.

In the example below, I am querying for the first name 'vicky'; the query then waits for 10 seconds and then executes.

Similarly, the lab below uses PostgreSQL:

Note: the two pipes (||) here are the string concatenation operator in PostgreSQL (Oracle uses the same operator).

MySQL does the same job with CONCAT() and Microsoft SQL Server with +. UNION is a different thing: it combines the rows of two SELECT statements, so it is not what we need here.

The pipes let us append pg_sleep(10) to the string the application is already building, so the sleep becomes part of the same query. Because the query is executed synchronously (see the problem statement above), the application cannot send its response until the sleep has finished, which is what makes the delay observable.

Query (sent as the value of the tracking cookie, URL-encoded if your proxy does not do it for you): x'||pg_sleep(10)--

The quote closes the string literal the application opened, || appends the sleep call, and -- comments out whatever followed in the original query. If the page takes roughly 10 seconds longer to load than usual, the injection worked and the lab is solved.

