This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective.
According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:
The backend database type is unknown
Error messages are suppressed
UNION queries fail
No direct data is returned in responses
In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application’s response time to determine whether the injected condition is true or false.
For example:
' OR IF(1=1, SLEEP(5), 0) --
If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences.
Other options are incorrect because:
Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.
Union-Based SQL Injection requires knowing column count and data types.
Error-Based SQL Injection depends on database error messages being displayed.
CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.
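From the defender's side, the timing behaviour described above is also what makes these probes visible in logs: a request that carries a delay function and takes seconds to answer points at an endpoint that executed the injected SQL. The following is an added example, not part of the original explanation; the log layout, the 4-second threshold, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Delay primitives named in the text: SLEEP(), BENCHMARK(), WAITFOR DELAY.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)
# Assumed log layout (hypothetical): ip "METHOD target PROTO" status seconds
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+)$')

# Constructed sample log lines; the payload is the one quoted in the text, URL-encoded.
PAYLOAD = "%27%20OR%20IF(1%3D1%2C%20SLEEP(5)%2C%200)%20--"
SAMPLE_LOG = "\n".join([
    '203.0.113.7 "GET /item?id=12 HTTP/1.1" 200 0.041',
    f'203.0.113.7 "GET /item?id=12{PAYLOAD} HTTP/1.1" 200 5.038',
    f'203.0.113.7 "GET /cart?id=12{PAYLOAD} HTTP/1.1" 200 0.044',
    '198.51.100.9 "GET /search?q=sleep+apnea HTTP/1.1" 200 0.120',
    '198.51.100.9 "GET /report?year=2023 HTTP/1.1" 200 6.310',
])


def classify(line, slow_after=4.0):
    """Return (ip, path, verdict, seconds) for a delay probe, else None.

    "delayed"   -> delay keyword present AND the response was slow, so the
                   injected statement very likely ran: fix this endpoint first.
    "attempted" -> delay keyword present but timing was normal (input was
                   bound as data, filtered, or the syntax did not apply).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, seconds = m.groups()
    # Decode first so %-encoded keywords cannot slip past the pattern.
    if not DELAY_RE.search(unquote_plus(target)):
        return None  # slow but keyword-free requests are not SQLi evidence
    verdict = "delayed" if float(seconds) >= slow_after else "attempted"
    return (ip, target.split("?", 1)[0], verdict, float(seconds))


def scan(log_text):
    """Classify every line and keep only the delay probes."""
    return [hit for line in log_text.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The ordinary search for "sleep apnea" and the slow but keyword-free report request are both ignored, which keeps the rule from firing on benign traffic.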