Simple Student Attendance System v1.0 - Time Based Blind SQL Injection

Understanding Time-Based Blind SQL Injection in the Simple Student Attendance System v1.0

Security vulnerabilities in web applications often stem from improper input validation and insecure handling of user data. One such vulnerability, recently exposed in the Simple Student Attendance System v1.0, involves a time-based blind SQL injection attack — a technique that exploits the timing of database responses to infer information about the underlying query.

What is Time-Based Blind SQL Injection?

Time-based blind SQL injection is a method where attackers send malicious payloads to the server and observe the response time to determine whether the query is true or false. Unlike traditional SQL injection, which directly reveals data, blind SQL injection requires indirect inference — making it harder to detect but also more powerful in certain scenarios.

For instance, if a query returns a result in 5 seconds when true, and 0 seconds when false, the attacker can deduce the truth value by measuring response time. This technique is particularly effective against databases like MySQL, which supports the SLEEP() function — a built-in function that pauses execution for a specified number of seconds.

Exploiting the Vulnerability: The Case of Simple Student Attendance System

The Simple Student Attendance System (v1.0) is a PHP-based web application hosted on XAMPP, running on Apache and MySQL. Its source code reveals a critical flaw in the delete_student() function in classes/actions.class.php.

public function delete_student(){
    extract($_POST);
    $delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");
    if($delete){
        $_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];
        return [ "status" => "success" ];
    }else{
        $_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];
        return [ "status" => "error", "Student has failed to deleted!" ];
    }
}

This code snippet demonstrates a SQL injection vulnerability</strong: the id parameter is directly inserted into the SQL query without sanitization. The extract($_POST) call exposes the input to SQL injection, allowing attackers to manipulate the query.

Attack Vector: The Payload

Using tools like sqlmap, researchers can identify this vulnerability. The following payload was used to test the system:

id=7' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))kVAW) AND 'vAFW'='vAFW

This payload is designed to trigger a time delay when the query is true. The SLEEP(5) function causes the database to pause for 5 seconds if the condition is true. Since the query is structured to be true only if the id value is 7, the response time will increase when the attacker sends this payload.

When the attacker sends id=7' AND SLEEP(5) AND 'vAFW'='vAFW, the server responds with a delay of 5 seconds — indicating that the query is valid. This confirms that the system is vulnerable to time-based blind SQL injection.

Why This Attack Works

MySQL supports SLEEP() as a function that can be used in queries. This allows attackers to create time-based payloads that can be tested via response time. The AND clause ensures that the query is only true when the injected condition is valid — making it ideal for blind SQL injection.

Additionally, the id parameter is not validated or escaped. The system assumes that the input is safe, but in reality, it is not. This lack of input filtering allows malicious users to inject payloads that affect the database.

Real-World Implications

Time-based blind SQL injection attacks can be used to extract data such as:

• Database version
• Table names
• Column names
• user credentials

By gradually testing different payloads, attackers can infer information about the database structure. For example:

id=7' AND (SELECT SLEEP(5) FROM information_schema.tables WHERE table_name = 'students_tbl') AND 'vAFW'='vAFW

By changing the table_name value, the attacker can determine if a table exists. If the response time increases, the table exists — allowing the attacker to map the database structure.

Best Practices for Mitigation

To prevent such vulnerabilities, developers must follow secure coding practices:

• Use prepared statements — always use PDO or mysqli_stmt to prevent SQL injection.
• Validate input — check for numeric values, limit length, and sanitize.
• Use parameterized queries — never concatenate user input directly into SQL.
• Implement rate limiting — prevent repeated queries from triggering time delays.

For example, instead of:

extract($_POST);
$delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");

the correct implementation would be:

if ($stmt = $this->conn->prepare("DELETE FROM `students_tbl` WHERE `id` = ?")) {
    $stmt->bind_param("i", $id);
    $stmt->execute();
    if ($stmt->affected_rows > 0) {
        $_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];
        return [ "status" => "success" ];
    } else {
        $_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];
        return [ "status" => "error" ];
    }
}

This version uses prepare() and bind_param() — ensuring that the id value is treated as a parameter, not a string. This prevents SQL injection entirely.

Conclusion

The Simple Student Attendance System v1.0 demonstrates how even simple web applications can be vulnerable to sophisticated attacks like time-based blind SQL injection. By failing to sanitize user input, developers open the door to exploitation. The use of SLEEP() functions in MySQL makes this attack possible, and tools like sqlmap can easily detect such flaws.

Security must be a priority in development. Always use prepared statements, validate inputs, and avoid direct query concatenation. These practices not only prevent SQL injection but also improve application stability and reliability.