If you’re interested in SQL injections you may have heard about blind SQL injections. A typical characteristic of a blind SQL injection is that the resulting page differs from the original because you injected a false statement.
Beyond that there is the possibility of a so-called Totally Blind SQL Injection. The problem with this kind of injection is that the attacker cannot see any response to their query. If this is the case the attacker still has some options to test whether the query gets executed. The first, which I won’t describe here, is working with conditional errors. The second is using time delays.
The idea behind using time delays is as simple as the fact that your query needs time to return its results: by using built-in functions you can create a query that takes measurably longer, so you can see which part of it gets executed. The function we’re going to discuss here is called benchmark.
The basic usage of benchmark:
A basic example:
To use this technique in a query we use a CASE WHEN condition:
UNION SELECT (CASE WHEN (ASCII(substr(username,1,1)) > 103) THEN benchmark(1000000,ENCODE('benchmark','test')) ELSE 'false' END), NULL, NULL
This query tests if the first character of the username is between g and z (ASCII() turns the character into its character code, and 103 is the code of 'g'). If the condition is true, the page will take a few seconds longer to load; if not, it will load normally.
IMPORTANT: your UNION SELECT statement needs the right number of columns!
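From the defender's side, the same time signal that makes this technique work is what gives it away in the web server's logs. The following Python script is an added example, not part of the original post: it parses constructed access-log lines that carry the request duration as a final field, flags requests whose URL-decoded query contains a BENCHMARK( call, and separately flags unusually slow requests that carry no signature; the log layout and the 3-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: Apache combined format extended with the
# request duration in seconds as the last field (assumed log layout).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /user?id=7 HTTP/1.1" 200 512 0.021',
    '10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "GET /user?id=7%20UNION%20SELECT%20(CASE%20WHEN'
    '%20(ASCII(substr(username,1,1))%3E103)%20THEN%20benchmark(1000000,ENCODE(%27a%27,%27b%27))'
    '%20ELSE%20%27x%27%20END),NULL,NULL HTTP/1.1" 200 512 6.412',
    '10.0.0.5 - - [12/Mar/2024:10:01:20 +0000] "GET /report?q=benchmark HTTP/1.1" 200 2048 0.030',
    '10.0.0.9 - - [12/Mar/2024:10:01:31 +0000] "GET /user?id=7 HTTP/1.1" 200 512 5.870',
]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<secs>[\d.]+)$'
)
# Case-insensitive signature for the MySQL BENCHMARK() call discussed above;
# a bare word "benchmark" in normal data (see the /report line) must not match.
BENCHMARK_RE = re.compile(r'benchmark\s*\(', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['secs'] = float(entry['secs'])
    entry['decoded_url'] = unquote_plus(entry['url'])  # payloads arrive percent-encoded
    return entry

def classify(entry, slow_threshold=3.0):
    """'signature' if BENCHMARK( appears in the decoded URL, 'slow_outlier' if the
    request exceeded slow_threshold seconds without a signature, otherwise None."""
    if BENCHMARK_RE.search(entry['decoded_url']):
        return 'signature'
    if entry['secs'] >= slow_threshold:
        return 'slow_outlier'
    return None

def scan(lines, slow_threshold=3.0):
    """Return (client ip, label, decoded url) for every flagged line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            label = classify(entry, slow_threshold)
            if label:
                findings.append((entry['ip'], label, entry['decoded_url']))
    return findings
```

Slow outliers without a signature deserve a look too, since a probe can be obfuscated to dodge the pattern while the delay itself cannot be hidden.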
So now that you have a basic overview you can go out and test your applications for Totally Blind SQL Injections.