14 - Blind SQL injection with time delays
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.
Given: Injection point (TrackingId), Attack type (Blind time-based)
End goal: Cause a delay of 10 seconds in the response
As mentioned in the challenge, there is a SQL injection in TrackingId. To create a 10-second delay, we have to try each database's time-delay function. For me, the following query works: ' || pg_sleep(10) ||'
If the response is delayed by 10 seconds, the lab is solved.
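Why that cookie value reaches the database as code, and why a bound parameter stops it, shown as an added example (not part of the original write-up or the lab's code). The table name, the query shape, the payload being appended to a valid cookie value, and the use of SQLite with a recording stand-in for pg_sleep are assumptions so the block runs offline without actually sleeping.

```python
import sqlite3

calls = []  # records every time the stand-in delay function runs

def fake_pg_sleep(seconds):
    """Stand-in for PostgreSQL's pg_sleep(): records the call instead of sleeping."""
    calls.append(seconds)
    return ""  # empty string keeps the || concatenation valid

def make_db():
    # Hypothetical schema; the lab's real table and query are not shown on the page.
    db = sqlite3.connect(":memory:")
    db.create_function("pg_sleep", 1, fake_pg_sleep)
    db.execute("CREATE TABLE tracked_users (tracking_id TEXT)")
    db.execute("INSERT INTO tracked_users VALUES ('abc123')")
    return db

def lookup_vulnerable(db, tracking_id):
    # Cookie value is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = '" + tracking_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, tracking_id):
    # Cookie value is bound as data; it is only ever compared as a string.
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = ?"
    return db.execute(sql, (tracking_id,)).fetchall()

def delay_calls(lookup, cookie_value):
    """Return how many times the delay function ran while handling the cookie."""
    calls.clear()
    db = make_db()
    lookup(db, cookie_value)
    db.close()
    return len(calls)

PAYLOAD = "' || pg_sleep(10) ||'"  # the value from the write-up

if __name__ == "__main__":
    cookie = "abc123" + PAYLOAD  # constructed sample cookie value
    print("vulnerable, delay calls:", delay_calls(lookup_vulnerable, cookie))
    print("parameterized, delay calls:", delay_calls(lookup_parameterized, cookie))
```

Because the application's response is identical either way, the response time is the only signal, so request latency on endpoints that read TrackingId is worth monitoring alongside the query fix.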