Thilan Dissanayaka Application Security Apr 26

Time based Blind SQL Injection

Blind SQL Injection happens when:

There is a SQL injection vulnerability,

BUT the application does not show any SQL errors or query outputs directly.

In this case, an attacker has to ask questions to the database and observe how the server behaves to extract information bit by bit.

There are two main types:

Boolean-based blind SQLi (based on true/false responses)

Time-based blind SQLi (based on delay in server response)

When the server behaves the same way for both True and False, we use Time delays to detect it!

Example:

Inject:

bash Copy Edit http://victim.com/product.php?id=5' AND IF(1=1, SLEEP(5), 0) -- If the server pauses for 5 seconds, 1=1 condition is true.

Inject:

bash Copy Edit http://victim.com/product.php?id=5' AND IF(1=2, SLEEP(5), 0) -- If no delay, then 1=2 condition is false.

Thus, based on the response time, we infer the truth of the injected statement.

Similarly, we can extract one character at a time by checking:

sql Copy Edit IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)

ALSO READ
Common Web Application Technologies
Feb 11 Application Security

# JWT - JSON Web Tokens JWT is short for JSON Web Token. It is a compact and secure way to send information between two parties – like a client (browser) and a server. We usually use JWTs....

ACID Properties in Databases: The Key to Reliable Transactions
Apr 25 Database Systems

When working with databases, one thing is absolutely critical: keeping your data safe, consistent, and reliable. That's where ACID properties come in — a set of principles that ensure every....

Adapter Pattern explained simply
Apr 26 Software Architecture

Ever needed to connect two incompatible interfaces without changing their source code? That’s exactly where the **Adapter Pattern** shines! The Adapter Pattern is a structural design pattern....

GraphQL - Interview preparation guide
Oct 01 Interview Guides

## What is GraphQL? GraphQL is a query language for APIs and a runtime for executing those queries. It allows clients to request exactly the data they need, reducing over-fetching and....

Common Web Application Attacks
May 17 Application Security

Web applications are one of the most targeted surfaces by attackers. This is primarily because they are accessible over the internet, making them exposed and potentially vulnerable. Since these....

Exploiting a  Stack Buffer Overflow  on Linux
May 11 Exploit development

Have you ever wondered how attackers gain control over remote servers? How do they just run some exploit and compromise a computer? If we dive into the actual context, there is no magic happening.....