Penetration Testing with Perl by Swizec Teller

Time-based blind SQL injection

Some web pages are written so that no data is presented on the page at all, including errors and database data. In this case, we need to exploit the MySQL if() and substring() functions to perform true or false operations. We can combine these functions with the MySQL sleep() function and check the server's response time for each query. If we tell the server to sleep() when the condition is true, a delayed response tells us that our query was successful. This is time-based blind SQL injection in its simplest form. This method is not always reliable, since the result depends on a lot of moving parts that can throw off the timing, such as the network, server ...
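Seen from the server side, the same timing signal can be used for detection. The following is an added example, not code from the book: it scans access-log lines for requests that combine sleep() with if() or substring() and compares the requested delay with the logged response time. The log format (nginx-style with the request time in seconds as the last field), the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: nginx-style access log with the request time
# in seconds appended as the last field (an assumed log format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512 0.041
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /item.php?id=5%20AND%20IF(SUBSTRING(version(),1,1)=5,SLEEP(5),0) HTTP/1.1" 200 512 5.052
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /item.php?id=5+and+if(substring(version(),1,1)=4,sleep(5),0) HTTP/1.1" 200 512 0.039
198.51.100.2 - - [10/Mar/2024:10:00:12 +0000] "GET /search.php?q=how+to+sleep+better HTTP/1.1" 200 2048 3.900
"""

LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3} \d+ ([\d.]+)$')
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
COND_RE = re.compile(r"\b(?:if|substring)\s*\(", re.I)

def classify(line):
    """Return a finding for a request carrying a conditional sleep(), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, elapsed = m.group(1), unquote_plus(m.group(2)), float(m.group(3))
    sleep = SLEEP_RE.search(target)
    if not (sleep and COND_RE.search(target)):
        return None  # slow or not, no signature: latency alone is too noisy
    # A response at least as slow as the requested delay suggests the database
    # ran sleep(); a fast one may only mean the tested condition was false.
    delayed = elapsed >= float(sleep.group(1))
    return {"ip": ip, "elapsed": elapsed,
            "verdict": "delayed" if delayed else "not-delayed"}

def scan(log_text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

def confirmed_sources(findings):
    """Sources with at least one probe whose delay matched: treat as injectable."""
    return {f["ip"] for f in findings if f["verdict"] == "delayed"}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "delayed" finding means the parameter reached the database unescaped, so the fix belongs in the query code (bound parameters), with the log rule serving as confirmation and alerting.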
