Burp Suite User Forum


Blind SQL injection with time delays

anon | Last updated: Sep 17, 2020 07:28PM UTC

There are some things I didn't understand about this lab:

1) How can we find out what version of SQL the server is running? Is it just a matter of testing the syntax of each version until one works?

2) The SQL injection cheat sheet says that the time delay syntax for PostgreSQL is SELECT pg_sleep(10). Why does x' SELECT pg_sleep(10)-- not work?

3) I tried using x' pg_sleep(10)-- and it didn't work. Why do we need the concatenation operator ||?

Uthman, PortSwigger Agent | Last updated: Sep 18, 2020 12:50PM UTC

Hi,

1. You can find out further information here. You essentially want to run a query that retrieves the version: https://portswigger.net/web-security/sql-injection/examining-the-database

2. This blog has a great explanation: https://blog.yekki.co.uk/sql-injection/ "x' SELECT pg_sleep(10)--" would not work because the entire TrackingId would be false instead of True. The solution shows TrackingId=x' || pg_sleep(10)-- (the TrackingId is False, whilst pg_sleep(10) is True. You know this based on the observed delay).

3. The operator || is a logical OR. This means that both statements are evaluated but only the True one is executed. In this case, you should observe a delay with the option mentioned in the solution (we know this because TrackingId=x' is False).

Amir | Last updated: Oct 11, 2021 04:51PM UTC

It doesn't matter if the TrackingId is correct or not; adding the following SQL query works anyway -> ' || (select pg_sleep)-- I am still not sure why we need to concatenate.

Uthman, PortSwigger Agent | Last updated: Oct 12, 2021 04:26PM UTC

Hi!

It is based on concatenation, as you mentioned, so you can ignore my point because it's incorrect. Apologies for the confusion there.

It looks like it just combines the two SQL 'payloads' into a single string so the single quote is closing the string and concatenating this with the select statement allows that statement to be executed (triggering the time delay). Rana explains this very well in her video here.
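Added example, not code from this thread or from PortSwigger's lab: it mimics a server that builds the TrackingId lookup by string concatenation, shows what the cookie values discussed above turn into once the quote closes the literal, and puts the parameterized query beside it. The table name `tracking` and the column `id` are assumptions.

```python
# Constructed demo of the lab's bug class. Not the lab's real server code;
# the table/column names are made up for illustration.
import re


def build_query_vulnerable(tracking_id: str) -> str:
    # Untrusted cookie value glued straight into the SQL text.
    return "SELECT * FROM tracking WHERE id = '" + tracking_id + "'"


def build_query_parameterized(tracking_id: str) -> tuple:
    # psycopg-style placeholder: the SQL text never changes, the value is
    # sent separately, so a quote in the cookie cannot close the literal.
    return ("SELECT * FROM tracking WHERE id = %s", (tracking_id,))


def parse_where_literal(sql: str) -> dict:
    """Simplified view of how PostgreSQL reads the text after "id = '":
    returns the string literal, the text that became SQL code after the
    closing quote, and whatever a -- comment discarded."""
    start = sql.index("id = '") + len("id = '")
    i, lit = start, []
    while i < len(sql):
        if sql[i] == "'":
            if sql[i + 1:i + 2] == "'":   # '' is an escaped quote inside a literal
                lit.append("'")
                i += 2
                continue
            break                         # this quote closes the literal
        lit.append(sql[i])
        i += 1
    rest = sql[i + 1:]                    # everything after the closing quote is code
    code, sep, commented = rest.partition("--")
    return {"literal": "".join(lit), "code": code,
            "commented_out": commented if sep else None}


# Cheap log/WAF check for the time-based probes the thread talks about.
TIME_DELAY_FUNCS = re.compile(r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay", re.I)


def is_time_delay_probe(value: str) -> bool:
    return bool(TIME_DELAY_FUNCS.search(value))
```

For `x' || pg_sleep(10)--` the literal is just `x`, ` || pg_sleep(10)` is left as an expression the database evaluates (so the delay fires), and the server's own closing quote is swallowed by the comment; for `x' SELECT pg_sleep(10)--` the leftover `'x' SELECT pg_sleep(10)` is not a valid expression, which is why that variant fails.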
