SQL Injection (Time Based)

Zakkir
Dec 26, 2020

Hello guys, hope everyone is doing well. I would like to share one of my recent findings.

What is Time Based SQL Injection?

This type of blind SQL injection relies on making the database pause for a specified amount of time before it returns its result; a delayed response shows that the injected SQL was executed. Because nothing from the query is reflected in the page, the attacker enumerates the desired piece of data one character at a time with a conditional delay, using the following logic:
  If the first letter of the first database’s name is an ‘A’, wait for 10 seconds.
  If the first letter of the first database’s name is a ‘B’, wait for 10 seconds. etc.
Each guess is a separate request, and the request that comes back late reveals the character.

How I found & exploited this vulnerability

First I started with the error-balancing technique to find out whether SQL injection was possible or not. Then I managed to balance the error, which means the SQL injection was partially confirmed.

After spending some time, I was not able to perform any type of SQL injection on the web application. Last but not least, I tried to pause the website for a few seconds using the payload
"WAITFOR DELAY '0:0:10'"

Request with time-based SQL payload

Finally, the payload worked: the server waited for around 10 seconds and then sent back its response. The server had started to act on my instructions.

Here comes the automation. Why automation? Because time-based SQLi is a time-consuming process to perform. So, after confirming that SQL injection was possible on the web application, I fed that particular request to SQLmap through a text file, marking the injection point with * in the payload section (Email=*). At last, SQLmap did the work for me.

Remediation:-

Avoid dynamic SQL at all costs. The best choice is to use prepared statements, also known as parameterized queries, so that user input is passed as a value and can never change the structure of the statement. You can also use stored procedures if your SQL database supports them (most databases do, for example MySQL, Oracle, MS SQL Server and PostgreSQL), provided the procedure itself does not build dynamic SQL from its arguments. Additionally, you may filter and escape special characters (such as the single quote used for basic SQL injections) in all input fields and other user data inputs. Filtering and escaping on its own, however, is not enough: it does nothing for injection points that are not inside a quoted string, such as numeric values or identifiers.
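An added example of the fix, not code from the post: the dynamic query beside its parameterized form, plus a numeric injection point that quote-escaping alone does not protect. It uses Python's stdlib sqlite3 so it runs offline; the same shape applies to any DB-API driver (pyodbc for MS SQL Server, psycopg for PostgreSQL). The `users` table and its rows are constructed here.

```python
"""Dynamic SQL vs parameterized queries (added example, not the post's code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The input is glued into the statement, so a quote in it ends the
    # literal and whatever follows is executed as SQL. This is the bug.
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized: the driver passes the value separately from the query
    # text, so it can only ever be compared, never parsed as SQL.
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def escape_quotes(value: str) -> str:
    """The 'escape special characters' mitigation: doubles single quotes.
    It blocks a quote-based payload but is useless outside a quoted string."""
    return value.replace("'", "''")


def find_by_id_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Numeric context: there is no quote to escape, so escaping does nothing
    # and "1 OR 1=1" is executed as written.
    query = f"SELECT email, role FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # The same lookup parameterized: "1 OR 1=1" is just a value that matches
    # no integer id, so nothing is returned.
    return conn.execute(
        "SELECT email, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("dynamic  :", find_user_vulnerable(db, payload))   # every row leaks
    print("prepared :", find_user_safe(db, payload))         # nothing
    print("escaped numeric:", find_by_id_vulnerable(db, escape_quotes("1 OR 1=1")))
    print("prepared numeric:", find_by_id_safe(db, "1 OR 1=1"))
```

For the numeric case, validate as well as parameterize: convert the id with `int()` and reject anything that fails, so a bad value is refused at the edge instead of reaching the database at all.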

Zakkir

Security Analyst & Engineer, Threat Researcher, Threat Hunter, Advisory Threat Emulator