Learning Web-Sec - Day 6 - PortSwigger SQL Injection Labs


Blind SQL Injection with Time Delays

It is exactly what the name says: a time delay. SQL lets us cause a delay by injecting a statement that behaves like the sleep function found in many programming languages. Just as sleep pauses a program for the number of seconds given, such a statement pauses execution of the query, and the pause shows up in the response time. Each database product has its own syntax for this, so the delay statement that works depends on which database the application uses.

Lab 12 — Blind SQL Injection with Time Delays

Level: Apprentice

Description of Lab:

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.

There is one phrase in the description that looks a bit scary: “the query is executed synchronously”. It is nothing out of this world. It simply means that the web application waits for its work to finish before responding; in this case it waits for the SQL query to return its result and only then sends the response to our request. That is exactly why a delay inside the query shows up as a delay in the response.
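To make the description concrete, here is an added example (my own code, not PortSwigger's lab source) of the two ways a tracking cookie can reach a database. The table name, column names and cookie value are assumptions; it uses an in-memory SQLite database so it runs offline. The vulnerable lookup splices the cookie into the SQL text, so a quote character in the cookie is parsed as SQL; the safe lookup binds it as a parameter. `handle_request` models the lab's behaviour of discarding the result and swallowing errors, which is why the only observable channel left is time.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lab's analytics table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, visits INTEGER)")
    conn.execute("INSERT INTO tracking VALUES ('u5YD3PapBcR4lFLA', 3)")
    conn.commit()
    return conn


def lookup_vulnerable(conn, cookie):
    # The cookie value becomes part of the SQL text, so quote characters
    # in it change the structure of the query instead of being data.
    sql = f"SELECT visits FROM tracking WHERE id = '{cookie}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cookie):
    # Parameter binding: the cookie is handed to the driver as a value and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT visits FROM tracking WHERE id = ?"
    return conn.execute(sql, (cookie,)).fetchall()


def classify(conn, cookie, lookup):
    """Return 'error' if the database rejected the query, else the rows.

    Shows that the same cookie is SQL to one lookup and plain data to the other.
    """
    try:
        return lookup(conn, cookie)
    except sqlite3.Error:
        return "error"


def handle_request(conn, cookie, lookup):
    """Models the lab: the result is not returned and any database error is
    swallowed, so the HTTP status is identical in every case."""
    try:
        lookup(conn, cookie)
    except sqlite3.Error:
        pass
    return 200


if __name__ == "__main__":
    db = make_db()
    for value in ("u5YD3PapBcR4lFLA", "x'"):
        print(repr(value), "vulnerable:", classify(db, value, lookup_vulnerable),
              "safe:", classify(db, value, lookup_safe))
```

With the legitimate cookie both lookups return the same row. With a cookie ending in a single quote the vulnerable lookup produces a syntax error (proof that the value reached the SQL parser) while the safe lookup just finds no match; `handle_request` returns 200 either way, which is the "does not respond any differently" condition the lab describes. The fix for the lab's bug is the parameterized form.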

So, let’s start intercepting the requests and editing them to make our way through the lab.

Here we can see that a request typically takes 1.13 seconds (this might vary on your side depending on connection speed and geography), and every further request should take roughly the same time. This is our baseline.

In the bottom right corner we can see the response time. If our time delay statement works, the delay will show up there.

Let’s go to the cheat sheet and try each of the payloads in turn, since we don’t know which database we’re working with.

Trying the first one. Here we concatenate the delay statement onto the cookie value; if the database executes it, we’ll see a time delay.

No luck with the first payload from the cheat sheet. Now onto the second one.

The second one didn’t work either. Now the third.

Here the response took a little over 11 seconds to reach us, which means the 10 second delay happened: the baseline of about 1 second plus the injected 10 seconds.
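The same timing signal that solves the lab is what a defender can look for on the server side. The following is an added example, not from the original post, of a detector run over constructed access-log lines in an nginx-like format whose last field is the request time in seconds (the format, IP addresses and cookie values are assumptions). It computes a baseline from the median request time and reports requests that exceed it by a configurable margin, together with the tracking cookie that was sent.

```python
import re
from statistics import median

# Constructed sample lines: "<client> "<request>" <status> "<cookie>" <seconds>".
# The lab's real logs are not on the page; one request stands out at 11 s,
# matching the delay the lab asks for.
SAMPLE_LOG = """\
203.0.113.7 "GET /product?productId=1" 200 "TrackingId=u5YD3PapBcR4lFLA" 1.13
203.0.113.7 "GET /product?productId=1" 200 "TrackingId=u5YD3PapBcR4lFLA" 1.08
203.0.113.7 "GET /product?productId=1" 200 "TrackingId=u5YD3PapBcR4lFLA" 1.21
203.0.113.7 "GET /product?productId=1" 200 "TrackingId=u5YD3PapBcR4lFLA'<modified>" 1.17
203.0.113.7 "GET /product?productId=1" 200 "TrackingId=u5YD3PapBcR4lFLA'<modified>" 11.32
198.51.100.9 "GET /" 200 "TrackingId=Qz1m9TfYkLp2Rw8e" 1.05
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)" ([\d.]+)$')


def parse_log(text):
    """Yield (client, request, status, cookie, seconds) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, request, status, cookie, seconds = m.groups()
            yield client, request, int(status), cookie, float(seconds)


def baseline_seconds(entries):
    """Median request time; robust against the very outliers we want to find."""
    return median(e[4] for e in entries)


def find_delayed_requests(text, min_delay=5.0):
    """Return (client, cookie, seconds) for requests slower than baseline + min_delay.

    A blind time-based probe has no other server-visible side effect, since the
    application's status code and body never change, so latency relative to the
    normal request time is the signal to alert on.
    """
    entries = list(parse_log(text))
    if not entries:
        return []
    base = baseline_seconds(entries)
    return [(client, cookie, seconds)
            for client, _, _, cookie, seconds in entries
            if seconds - base >= min_delay]


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    print(f"baseline {baseline_seconds(entries):.2f}s")
    for client, cookie, seconds in find_delayed_requests(SAMPLE_LOG):
        print(f"{client} {seconds:.2f}s cookie={cookie!r}")
```

On the sample data the baseline is 1.15 s and the one 11.32 s request is flagged along with its altered cookie. In production the baseline would be kept per endpoint over a longer window, and repeated slow requests from one client carrying a cookie that differs from that client's earlier, normal-looking cookie is a stronger indicator than a single slow response.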

And congratulations, the lab is solved.
