
Lab - Exploiting blind SQL injection by triggering time delays.
Welcome back, guys, to another exciting Blind SQL Injection lab walkthrough with Web Security Academy.
Vulnerability:
- Tracking Cookie 🍪
Aim:
- Cause a 10-second delay 🕑
Tool:
- Web Security Academy
- SQL Injection Cheat Sheet
- Burp Suite — Community Edition
- Foxy Proxy (configuring browsers to access proxy servers)
Solutions:

1. Intercept the home page of the shop with Burp Suite and Foxy Proxy.
2. Send the intercepted request with the tracking cookie to Repeater to modify the cookie.
i. Identify the database version of the website and use the appropriate syntax below to successfully modify the tracking cookie.

3. Send the request in Repeater and observe whether the page's response is delayed by 10 seconds.
MySQL: ' || (SELECT sleep(10))--

The MySQL payload caused a 5-second delay; therefore, this is not the correct database.
PostgreSQL: ' || (SELECT pg_sleep(10))--

The database is PostgreSQL based on the 10-second response delay.
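
Why the cookie is injectable and how the server side closes the hole, as an added example that is not part of the original walkthrough or the lab's own code: a tracking-cookie lookup built by string concatenation beside the parameterized form. The table name, the function names, the sample cookie value abc123 and the use of SQLite with a stubbed pg_sleep (it records the call instead of sleeping) are assumptions so the example runs offline.

```python
import sqlite3

# Constructed cookie value: a sample tracking ID followed by the PostgreSQL
# payload from the walkthrough above.
PAYLOAD = "abc123' || (SELECT pg_sleep(10))--"

calls = []  # every invocation of the stubbed pg_sleep is recorded here


def make_db():
    """In-memory stand-in for the shop database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO tracking VALUES ('abc123')")
    # Stub: records the requested delay instead of sleeping.
    db.create_function("pg_sleep", 1, lambda seconds: calls.append(seconds))
    return db


def lookup_vulnerable(db, tracking_id):
    # The cookie value becomes part of the SQL text, so a quote in it ends the
    # string literal and the rest is parsed as SQL.
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, tracking_id):
    # The cookie value is bound as data and is never parsed as SQL.
    return db.execute(
        "SELECT id FROM tracking WHERE id = ?", (tracking_id,)
    ).fetchall()


def delay_triggered(lookup, cookie):
    """Return True if the lookup caused the database to run pg_sleep."""
    calls.clear()
    lookup(make_db(), cookie)
    return len(calls) > 0


if __name__ == "__main__":
    print("concatenated :", delay_triggered(lookup_vulnerable, PAYLOAD))
    print("parameterized:", delay_triggered(lookup_parameterized, PAYLOAD))
```

With the parameterized lookup the whole cookie value is compared as a literal string, so the response time no longer depends on what the client sends.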

Thanks for reading my blog. To read more on similar content follow my blog.