Time-Based Blind SQL Injection with Heavy Queries

Chema Alonso sent me a link to this Microsoft paper, which is based on his PhD thesis. It explores how to exploit time-based SQL injection on any database backend without the use of the usual “delay functions” like waitfor delay, benchmark, DBMS_LOCK, etc. Well worth a read.

