Time-based SQL injection is a type of inferential injection or blind injection attack.
An inferential injection attack is one in which no data is transferred between the attacker and the database, so the attacker cannot get results as easily as in an in-band injection attack. This is why it is also called a blind injection attack. An attacker can still reconstruct the database structure by observing how the application responds.
In a time-based attack, an attacker sends an SQL command to the server with code to force a delay in the execution of the queries.
The response time indicates whether the result of the query is true or false. Depending on the response, the attacker will execute another query. Because the attacker has to enumerate the data character by character, this is usually a slow intrusion technique, especially for large databases.
For example, in MySQL the function SLEEP can be used; this function is only available since MySQL 5.
When an attacker uses such a function in the query and succeeds in slowing the response, it proves that SQL injection is possible and that the server is using MySQL as its database. This can lead the attacker to inject a more complex payload.
Likewise, in SQL Server, WAITFOR DELAY can be used to suspend execution for the specified amount of time, or WAITFOR TIME can be used to suspend execution of the query and continue it when the system time is equal to the parameter.
SQL injection can leave the application at high risk, with an impact on the confidentiality and integrity of data. It can also affect the authentication and authorization aspects of the application.
An attacker can compromise a vulnerable application and steal sensitive information stored in databases such as user credentials, payment details, or credit card details.
There are various efficient ways to prevent SQL injection attacks from taking place, as well as to defend against them. Data that comes from a third-party source, like user input, should not be trusted and should be assumed to be malicious in nature.
We can mitigate SQL injection using the following techniques:
Use of prepared statements (with parameterized queries)
Use of stored procedures
Whitelist input validation
Escaping all user-supplied input
Enforcing the least privilege
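The first mitigation in the list, shown against the delay behaviour described earlier, as an added example that is not part of the original article. It assumes Python's sqlite3 module with a registered sleep function standing in for MySQL's SLEEP (SQLite has no such built-in); the table, the input and all function names are constructed for the demonstration.

```python
import sqlite3
import time

DELAY = 0.2  # seconds; constructed value for the demo


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "keyboard"), (2, "mouse")])
    calls = []

    def fake_sleep(seconds):
        # Assumption: stand-in for MySQL SLEEP(); records each invocation.
        calls.append(seconds)
        time.sleep(seconds)
        return 0

    conn.create_function("sleep", 1, fake_sleep)
    return conn, calls


def lookup_vulnerable(conn, product_id):
    # String concatenation: the input becomes part of the SQL text.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    # Placeholder: the input is bound as a value and never parsed as SQL.
    sql = "SELECT name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def run_demo():
    """Send the same constructed input through both lookups and compare."""
    conn, calls = make_db()
    hostile = "1 AND sleep(%s)" % DELAY  # constructed input
    results = {}
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        before = len(calls)
        start = time.perf_counter()
        rows = fn(conn, hostile)
        results[label] = {"rows": rows, "sleep_calls": len(calls) - before,
                          "elapsed": time.perf_counter() - start}
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(label, r)
```

Both lookups return the same empty result, so only the response time separates them, which is why this class of injection is called blind and why response-time monitoring is a useful detection signal.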