Detection: SQL Injection Time Based
Overview
Detect time-based SQL injection attacks that attempt to extract information by causing delays in database response times. Time-based SQL injection is a blind SQL injection technique where attackers infer information based on the time it takes for the database to respond. By injecting functions that cause the database to pause or delay execution, attackers can determine if conditions are true or false based on whether the response is delayed.
This detection identifies:
- Database-specific sleep/delay functions across multiple database platforms (SLEEP, BENCHMARK, PG_SLEEP, WAITFOR DELAY)
- Conditional time-delay patterns used to extract data bit by bit
- Various URL encoding techniques used to obfuscate time-based injection attempts
- Heavy computational functions used to cause delays when direct sleep functions are blocked
Time-based SQL injection is particularly effective against applications where other injection techniques fail, as it requires no error messages or direct output from the database query. It's a stealthy technique that can be used even when the application provides minimal feedback.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.sql_injection_time_based
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_time_based --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Time-based functions for various database types
    request_uri ilike '%sleep%(%'
    or request_uri ilike '%benchmark%(%'
    or request_uri ilike '%pg_sleep%(%'
    or request_uri ilike '%dbms_pipe.receive_message%(%'
    or request_uri ilike '%waitfor%delay%'
    or request_uri ilike '%GENERATE_SERIES%'
  )
order by
  tp_timestamp desc;