In a “time-based” variant, an attacker inserts SQL commands capable of “pausing” the database to check whether a condition is true or false. This technique makes it possible to extract data character by character by modifying response times, without any visible interaction with the user. <\/p>\n\n
Case study : A flaw in a PostgreSQL-based application<\/h2>\n\n
During a pentest on a web application, a vulnerability of this type was identified. Here’s how it was exploited. <\/p>\n\n
1. Vulnerability detection<\/h3>\n\n
A test request was sent to an application API. An HTTP 200 (OK) response indicated a successful request. However, the addition of an apostrophe (‘) generated an HTTP 500 error, indicating a potential SQL injection flaw. The error disappeared when two apostrophes were added (”), confirming a possible vulnerability in user input management. <\/p>\n\n
<\/p>\n\n
Classic search query in the ‘text’ parameter:<\/p>\n\n <\/p>\n\n We add an apostrophe to our text, which generates an HTTP 500 error code:<\/p>\n\n <\/p>\n\n We add a second apostrophe to see if the error disappears, and this is the case with an HTTP 200 OK response code:<\/p>\n\n <\/p>\n\n <\/p>\n\n To test whether a SQL command could influence response times, a query using PostgreSQL’s pg_sleep() function was sent. Result: the server took several seconds to respond, confirming the possibility of influencing response times (see bottom right of screenshot). To be able to perform a sleep, there are a number of special features to note: <\/p>\n\n <\/p>\n\n Great, we were able to put the database to sleep! The next objective was to exfiltrate data according to conditions verified within SQL queries: <\/p>\n\n <\/p>\n\n <\/p>\n\n Using this approach, characters can be extracted iteratively, checking the database elements one by one.<\/p>\n\n The SQLMap tool did not detect this flaw automatically. A custom payload was added to the configuration file to include specific features: <\/p>\n\n To do this, we add it to the SQLMAP file appropriate for “blind” injections: \/usr\/share\/sqlmap\/data\/xml\/payloads\/time_blind.xml.<\/p>\n\n It’s important to note that we’ve removed the ” ‘ ” at the beginning and end of the payload. This is mandatory, otherwise SQLMAP will interpret them and encode all the characters in the payload, which we don’t want. Some SQLMAP-specific variables are also included, such as : <\/p>\n\n <\/p>\n\n Once the payload has been added. SQLMAP must be launched with the necessary parameters. Here’s the command used: <\/p>\n\n Explanation:<\/p>\n\n The image above shows that SQLMAP has detected the injection thanks to our payload (“ We can therefore retrieve the entire database, and for obvious reasons of confidentiality, we don’t share its contents. Here are the next logical steps: <\/p>\n\n Blind SQL injection vulnerabilities can be avoided through a combination of good development practices and secure configurations.<\/p>\n\n 1. Secure SQL query setup<\/p>\n\n 2. Application-level protection<\/p>\n\n 3. Regular safety tests<\/p>\n\n In conclusion, the “time-based blind SQL injection” vulnerability illustrates the extent to which a poorly secured application can become an entry point for determined attackers. This type of vulnerability, although discreet, can lead to major data loss. By applying good development practices, using advanced detection tools and raising team awareness, it is possible to considerably reduce these risks. <\/p>\n\n![\"Classic](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/image-article1-1024x280.png\")
<\/figure>\n\n![\"An](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli1-1024x279.png\")
<\/figure>\n\n![\"With](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli2-1024x280.png\")
<\/figure>\n\n2. Setting up time-based injection<\/h3>\n\n
\n
https:\/\/<url>\/api\/v1\/products?text=a'||((select\/**\/pg_sleep(10)))||'<\/code><\/p>\n\n![\"The](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli3-1024x394.png\")
<\/figure>\n\n 3. Exploitation conditionnelle <\/h3>\n\n
\n
'||(SELECT\/**\/CASE\/**\/WHEN\/**\/(1=1)\/**\/THEN\/**\/pg_sleep(3)\/**\/END)||'<\/code><\/li>\n<\/ul>\n\n![\"Add](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli4-1024x437.png\")
<\/figure>\n\n\n
'||(SELECT\/**\/CASE\/**\/WHEN\/**\/(1=0)\/**\/THEN\/**\/pg_sleep(3)\/**\/END)||'<\/code><\/li>\n<\/ul>\n\n![\"With](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli5-1024x436.png\")
<\/figure>\n\n4. Automation with SQLMap<\/h3>\n\n
\n
\n
![\"Add](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli6.png\")
<\/figure>\n\nsqlmap.py --level=5 --risk=3 -u \"https:\/\/<url>\/api\/v1\/products?text=asdf*\" -H \"Cookie: XSRF-TOKEN= [\u2026snip\u2026] \" -H \"Origin: https:\/\/<url><\/a>\" -H \"Referer: https:\/\/ <url>\" --dbms=postgresql --random-agent --tamper=space2comment.py --skip-urlencode --technique=T --skip-waf --delay 0.2 --current-db --prefix=\"'\" --suffix=\"'\" --time-sec=3<\/code><\/p>\n\n\n
![\"Result](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli7-1024x572.png\")
<\/figure>\n\n a' ||(SELECT CASE WHEN (8238=8238) THEN PG_SLEEP(3) END)||' <\/code>“). The database name retrieved is “public”. Next, we retrieve the table names by adding the “–tables” parameter instead of “–current-db”: <\/p>\n\nsqlmap.py --level=5 --risk=3 -u \"https:\/\/<url>\/api\/v1\/products?text=asdf*\" -H \"Cookie: XSRF-TOKEN= [\u2026snip\u2026] \" -H \"Origin: https:\/\/<url><\/a>\" -H \"Referer: https:\/\/<url><\/a>\" --dbms=postgresql --random-agent --tamper=space2comment.py --skip-urlencode --technique=T --skip-waf --delay 0.2 --current-db --prefix=\"'\" --suffix=\"'\" --time-sec=3 --tables<\/strong><\/code><\/p>\n\n![\"Data](\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/12\/sqli8-1024x419.png\")
<\/figure>\n\n\n
How can you protect yourself against this type of attack?<\/h2>\n\n
\n
\n
\n