Thilan Dissanayaka Web App Hacking Apr 26

Time-based Blind SQL Injection

Blind SQL Injection happens when:

- There is a SQL injection vulnerability,
- BUT the application does not show any SQL errors or query outputs directly.

In this case, an attacker has to ask questions to the database and observe how the server behaves to extract information bit by bit.

There are two main types:

- Boolean-based blind SQLi (based on true/false responses)
- Time-based blind SQLi (based on delay in server response)

When the server's visible response is the same for both true and false conditions, a time delay is used as the signal instead.

Example:

Inject:

```
http://victim.com/product.php?id=5' AND IF(1=1, SLEEP(5), 0) -- 
```

If the server pauses for 5 seconds, the condition 1=1 evaluated as true.

Inject:

```
http://victim.com/product.php?id=5' AND IF(1=2, SLEEP(5), 0) -- 
```

If there is no delay, the condition 1=2 evaluated as false.

Thus, based on the response time, we infer the truth of the injected statement.

Similarly, we can extract one character at a time by checking:

```sql
IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)
```
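From the defender's side, these requests leave a recognisable trace in an access log: a SLEEP(n) call in the query string and, when the injected condition is true, a response time of at least n seconds. The Python script below is an added example, not part of the original post; the log format (METHOD URL STATUS SECONDS), the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access log (assumed format: METHOD URL STATUS SECONDS).
SAMPLE_LOG = """\
GET /product.php?id=5 200 0.041
GET /product.php?id=5'%20AND%20IF(1=1,%20SLEEP(5),%200)%20--%20 200 5.038
GET /product.php?id=5'%20AND%20IF(1=2,%20SLEEP(5),%200)%20--%20 200 0.039
GET /product.php?id=5'%20AND%20IF(SUBSTRING(database(),1,1)='a',%20SLEEP(5),%200)%20--%20 200 0.044
GET /search.php?q=sleep+masks 200 0.052
GET /report.php?year=2024 200 6.310
"""

# MySQL SLEEP(n) as used in the payloads above; captures the requested delay.
SLEEP_CALL = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.IGNORECASE)

def classify(line):
    """Return (path, verdict, requested_delay, elapsed), or None for a clean line."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line, skip it
    _method, url, _status, seconds = parts
    try:
        elapsed = float(seconds)
    except ValueError:
        return None
    target = urlsplit(url)
    query = unquote_plus(target.query)  # decode %20 and '+' before matching
    match = SLEEP_CALL.search(query)
    if match is None:
        return None  # slow but ordinary requests are not flagged
    requested = float(match.group(1))
    # A response at least as slow as the requested delay means the SQL executed.
    verdict = "delay-fired" if elapsed >= requested else "probe-only"
    return (target.path, verdict, requested, elapsed)

def scan(log_text):
    """Classify every line and keep only those carrying a SLEEP() call."""
    findings = [classify(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for path, verdict, requested, elapsed in scan(SAMPLE_LOG):
        print(f"{verdict:11} {path} requested={requested}s elapsed={elapsed}s")
```

A `delay-fired` line shows that the injected SQL ran in the database, so the endpoint needs fixing in the application, with parameterized queries rather than string concatenation.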
