SQL Injection — Time Based

Time-Based Blind SQL Injection (Identification and Exploitation)

Mohammad Mohsin
4 min read, Feb 15, 2021


What is SQL Injection?

According to PortSwigger's definition, SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

What is Time-Based Blind SQL Injection?

Time-based blind SQL injection relies on making the database pause for a specified amount of time before returning its result; the delayed response indicates that the injected SQL executed successfully. This technique is typically used when the web application is configured to show only generic error messages (so no database error or data is reflected in the response), but the code that is vulnerable to SQL injection has not been fixed.

In my pen-testing experience, I came across a target, let's name it http://www.redacted.com, which was vulnerable to Time-Based Blind SQL injection, where, by incorporating simple special characters, it was easy to determine the SQL injection vulnerability. Let's consider the complete target information below.

Target URL: http://www.redacted.com/login.php?action=process

Vulnerable Parameter: Email_Address

POC:

Step 1: Navigate to the above-mentioned Target URL and enter email_address and password values. Append a single quote (') at the end of the email_address parameter and analyze the response generated by the web server. It displays an error along with the time taken to process the request, which is 234 milliseconds, as shown in the screenshot below.

Step 2: Repeat step 1, but add two single quotes ('') at the end of the email_address parameter in the captured request, as shown in the screenshot below. In the server response the error has disappeared (two consecutive single quotes are a valid escaped quote inside a string literal, so the query parses again) and the time to process the request remains the same, 234 milliseconds.

Step 3: Repeat the above request and add the following payload in the email_address field, which forces the database to delay its response by 20 seconds (20000 milliseconds). The application took 20231 milliseconds to respond to the request, compared with 234 milliseconds for the original request.

Payload Used:

'+(select*from(select(sleep(20)))a)+'

Step 4: Now capture the login POST request in Burp Suite and save it as sqlfile.txt, which contains the following request data.

Step 5: Fire up sqlmap and run the following command to identify the backend DBMS and enumerate the database names.

sqlmap -r /path/to/sqlfile.txt --dbs

Step 6: Run the command below to list the table names of a database, e.g. dbsqli.

sqlmap -r /path/to/sqlfile.txt -D dbsqli --tables --dbms=mysql

Step 7: Run the command below to extract all column names of the table admin_access.

sqlmap -r /path/to/sqlfile.txt -D dbsqli -T admin_access --columns --dbms=mysql

Here, as per the information disclosure restriction policy, further exploitation wasn't possible. Hopefully this will help readers of this blog understand how a time-based blind SQL injection vulnerability can be detected using a proxy tool like Burp Suite and exploited using sqlmap.
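The timing signal the walkthrough relies on (a 234 ms baseline against 20231 ms once sleep(20) is injected) is also what a defender can alert on. The following is an added example, not code from the post: it parses constructed access-log lines that carry a per-request processing time (an assumed log format), takes the per-endpoint median as the baseline, and flags requests that either carry the sleep( signature or exceed the baseline by both a ratio and an absolute margin, which also catches delay probes that no signature matches.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (not from the original post). Fields: client IP, method,
# path, submitted email_address value, processing time in ms (timings as in the post).
SAMPLE_LOG = """\
203.0.113.7 POST /login.php?action=process user@example.com 234
203.0.113.7 POST /login.php?action=process user@example.com' 240
203.0.113.7 POST /login.php?action=process user@example.com'' 234
203.0.113.7 POST /login.php?action=process '+(select*from(select(sleep(20)))a)+' 20231
198.51.100.4 POST /login.php?action=process bob@example.com 251
198.51.100.4 GET /index.php - 31
"""
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<value>\S+) (?P<ms>\d+)$")
# Signature for the post's delay primitive; the latency check also catches probes it misses.
DELAY_SIG = re.compile(r"sleep\s*\(", re.IGNORECASE)

def parse_log(text):
    """Parse the constructed format into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            row = m.groupdict()
            row["ms"] = int(row["ms"])
            rows.append(row)
    return rows

def baseline_ms(rows):
    """Median processing time per path, i.e. the endpoint's normal latency."""
    per_path = defaultdict(list)
    for r in rows:
        per_path[r["path"]].append(r["ms"])
    return {path: median(times) for path, times in per_path.items()}

def flag_time_based_probes(rows, factor=10, min_excess_ms=5000):
    """Return (ip, path, reason) for requests that look like timing probes."""
    base = baseline_ms(rows)
    alerts = []
    for r in rows:
        reasons = []
        if DELAY_SIG.search(r["value"]):
            reasons.append("delay-primitive signature")
        # Large ratio AND large absolute excess, so fast endpoints don't alert on small jumps.
        if r["ms"] >= factor * base[r["path"]] and r["ms"] - base[r["path"]] >= min_excess_ms:
            reasons.append(f"latency {r['ms']} ms vs median {base[r['path']]:.0f} ms")
        if reasons:
            alerts.append((r["ip"], r["path"], "; ".join(reasons)))
    return alerts
```

The single-quote and double-quote probes from steps 1 and 2 do not change latency, so only the sleep(20) request is flagged, and it would still be flagged on latency alone if the payload were obfuscated past the signature.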

Please like and follow for further reading.

Thank You!



Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.