Ethical Hacking and Penetration Testing Guide
Time-Based SQL Injection
In a Boolean-based blind SQL injection, we compared a true statement and a false statement to
enumerate the database. But now let’s assume that there is no distinction between the results of
true and false statements and that there are absolutely no errors returned from the database. For
this reason, this type of SQL injection attack is also known as a totally blind SQL injection attack.
This is where we try a time-based SQL injection, asking the database to perform a delay. If the answer to our question is true, it will delay the results for the time we specify, and if it's false, there will be no delay at all.
An example of this would be as follows:
If the MySQL version is 5, delay for 10 s; else, no delay.
If the table name in the dvwa database is users, delay for 10 s; else, no delay.
So, in short, for a statement that is true a delay would be induced, and for a false statement no or very little delay would be induced.
One thing you should take into consideration is that when you are asking the database to return a large amount of data, the application will take time just to return the information you asked for before the requested delay is added on top. This is where many tools fail and generate false positives, because they fail to distinguish between the time the server takes to return a data set and the time it was asked to delay.
Depending upon the database you are up against, there are built-in functions available that would delay the responses. MySQL server has the SLEEP() and BENCHMARK() functions. If you are up against MSSQL server, you can use WAITFOR DELAY, pg_sleep() for PostgreSQL, and so on. I will be demonstrating a time-based SQL injection on a MySQL server since it is the most popular and widely used in the community. The syntax is a bit different for other SQL servers, but the concept is the same.