The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Blind SQLi using Time delays

Ahmed | Last updated: Nov 27, 2021 12:41PM UTC

Hi there! I was solving the lab where the trackingID cookie is vulnerable to blind SQL injection and one has to cause a time delay of 10 secs. My question is this: why do we have to concatenate our payload '|| (SELECT pg_sleep(10))-- and it works, but when we try the AND operator 'AND Select pg_sleep(10)-- it does not work? Thanks in advance. Ahmed

Mauro | Last updated: Nov 28, 2021 05:32PM UTC

Hey Ahmed, I'm not an expert on the topic, but I think you're maybe mixing string concatenation with the OR operator. So for example, the queries:

Fq6z9xEpntIshzQz' OR (SELECT pg_sleep(5))--
Fq6z9xEpntIshzQz' AND (SELECT pg_sleep(5))--

are not working examples, whereas:

Fq6z9xEpntIshzQz' || pg_sleep(5)--

does work.

--

Basically, it might help you if you try to understand the way the query is constructed. Assuming the query is constructed like this:

SELECT tracking_id FROM user WHERE tracking_id = 'Fq6z9xEpntIshzQz' AND (SELECT pg_sleep(5))--;

then it is not a valid query, but:

SELECT tracking_id FROM 'Fq6z9xEpntIshzQz' || pg_sleep(10)--;

is. Hope that helps a little.
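
The point above about how the query is constructed, as an added example that is not part of the thread or the lab: the same cookie value is placed into a lookup by string concatenation and then as a bound parameter. Assumptions: SQLite stands in for the lab's PostgreSQL (so PostgreSQL's type rules are not reproduced), and the `users` table and the `marker()` function, a harmless stand-in for `pg_sleep()`, are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the lab database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (tracking_id TEXT)")
    db.execute("INSERT INTO users VALUES ('Fq6z9xEpntIshzQz')")
    calls = []

    # Hypothetical marker standing in for pg_sleep(): it only records that
    # the database evaluated it, then returns an empty string.
    def marker():
        calls.append(1)
        return ""

    db.create_function("marker", 0, marker)
    return db, calls

def lookup_concatenated(db, cookie):
    """Vulnerable: the cookie text becomes part of the SQL statement."""
    sql = "SELECT tracking_id FROM users WHERE tracking_id = '" + cookie + "'"
    return sql, db.execute(sql).fetchall()

def lookup_bound(db, cookie):
    """Hardened: the cookie is a bound value and is never parsed as SQL."""
    sql = "SELECT tracking_id FROM users WHERE tracking_id = ?"
    return sql, db.execute(sql, (cookie,)).fetchall()

def compare(cookie):
    """Run both lookups; report rows returned and whether marker() ran."""
    db, calls = make_db()
    sql_c, rows_c = lookup_concatenated(db, cookie)
    ran_c = len(calls) > 0
    calls.clear()
    sql_b, rows_b = lookup_bound(db, cookie)
    ran_b = len(calls) > 0
    return {"concatenated": (sql_c, rows_c, ran_c),
            "bound": (sql_b, rows_b, ran_b)}

if __name__ == "__main__":
    # Cookie value shaped like the one quoted in the thread, with marker()
    # in place of pg_sleep().
    result = compare("Fq6z9xEpntIshzQz' || marker()--")
    for name, (sql, rows, ran) in result.items():
        print(f"{name}: function evaluated={ran} rows={rows}\n  {sql}")
```

In the concatenated statement the function call is part of the SQL and the trailing quote is commented out; with the bound parameter the whole cookie is compared as one literal string, so nothing in it is evaluated.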

Ahmed | Last updated: Nov 29, 2021 07:54AM UTC