Solve SQL Injection Lab

To test for blind SQL injection, the document recommends inserting time delays into database queries by using functions like pg_sleep(10) for PostgreSQL. This allows detecting SQLi even without direct feedback from the server. The document explains how to manually test with different time delay functions for various databases, and also how to automate testing using an intruder payload that inserts the time delays to check multiple requests at once.

Uploaded by

sandy yadav

Solving the lab

To solve this lab we need to visit the homepage and intercept the request. We then need to
replace the tracking cookie with the following value:

TrackingId=x'||pg_sleep(10)--

How to test for this

Since this is blind SQLi, the server will not return any information that confirms whether or
not we have a SQLi on our hands. In these cases we have several options for creating a noticeable
delay (for example a sleep of 10 seconds); however, the sleep command differs from one database
system to another.

Oracle:      dbms_pipe.receive_message(('a'),10)

Microsoft:   WAITFOR DELAY '0:0:10'

PostgreSQL:  SELECT pg_sleep(10)

MySQL:       SELECT sleep(10)

We can easily test all of these values manually:

TrackingId=x'||dbms_pipe.receive_message(('a'),10)

TrackingId=x'||WAITFOR DELAY '0:0:10'

TrackingId=x'||pg_sleep(10)

TrackingId=x'||sleep(10)

What is happening here is that the server is executing a query in the background. By entering the
single quote we close the string in that query; we can then add an OR statement (||). The last step
is to execute our command (see the list above).

When the page loads for much longer than the other requests, we know we might have a blind
SQLi.

Other options
We might want to try our SQLi with several other options besides our sleep command, and
maybe with a combination of single and double quote items. I think you can imagine how this
can get confusing fast.

To not have to do this manually for every single request, we can send that request to the intruder.

Right click on the request and click "Send to Intruder". Once in Intruder, select the payload
location that you want to test. In our case we left the x'|| in place since it will be the same for
all requests that we send:

We can then fill our payload options with whatever attack vector we wish.

We will then have to study every request to see if we can find requests that are different from the
rest in any way.
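As an added example (not part of the original write-up), here is the defender-side version of the two checks described above, run over a web access log: it flags requests whose TrackingId cookie carries one of the four delay functions from the table, and requests whose response time is far above the median, which is the slow page load the lab relies on. The log format, the sample lines and the 20x threshold are assumptions made for this example.

```python
import re
from statistics import median
from urllib.parse import unquote

# One pattern per DBMS, taken from the write-up's table of delay functions.
# \bsleep keeps the MySQL pattern from also matching pg_sleep.
DELAY_PATTERNS = {
    "Oracle": re.compile(r"dbms_pipe\.receive_message", re.I),
    "Microsoft": re.compile(r"waitfor\s+delay", re.I),
    "PostgreSQL": re.compile(r"pg_sleep\s*\(", re.I),
    "MySQL": re.compile(r"\bsleep\s*\(", re.I),
}

# Constructed sample log (assumed format): METHOD PATH COOKIE DURATION_MS.
# Line 2 is the lab payload: the quote closes the string and, in PostgreSQL,
# || concatenates, so pg_sleep(10) is evaluated while building the string.
SAMPLE_LOG = """\
GET / TrackingId=abc123 118
GET / TrackingId=x'||pg_sleep(10)-- 10142
GET / TrackingId=x'%7C%7Cdbms_pipe.receive_message(('a'),10) 125
GET / TrackingId=def456 97
GET / TrackingId=x'||sleep(10) 131
GET / TrackingId=x'||WAITFOR DELAY '0:0:10' 140
"""


def parse_line(line):
    """Split one log line; the duration is the last field, the cookie may contain spaces."""
    head, ms = line.rsplit(" ", 1)
    method, path, cookie = head.split(" ", 2)
    return {"method": method, "path": path, "cookie": unquote(cookie), "ms": int(ms)}


def scan_log(text, slow_factor=20):
    """Return findings: delay-function payloads and/or timing outliers vs the median."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    baseline = median(e["ms"] for e in entries)
    findings = []
    for e in entries:
        hits = [db for db, pat in DELAY_PATTERNS.items() if pat.search(e["cookie"])]
        delayed = e["ms"] > slow_factor * baseline
        if hits or delayed:
            findings.append({"cookie": e["cookie"], "dbms": hits, "delayed": delayed})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A real deployment would decode the cookie header the same way and keep the baseline per endpoint, since the median of a mixed log hides slow-but-legitimate pages.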

Resources for this lecture
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays