url with time based blind sql injection payload not working.

[HarshilPatel007]

Describe the bug
url with time based blind sql injection payload not working.
ex. https://website.com/page.php?id=1'+/*!or*/+/*!sleep*/(5)--+-

Environment details
Please share the below details to help us quickly validate/replicate the issue.

• httpx -version : v1.1.1
• go version : go version go1.17.1 linux/amd64

Error details
given url doesn't worked.

[ehsandeep]

@HarshilPatel007 the latest version of httpx is 1.1.2, also make sure to feed these URLs with quotes "https://website.com/page.php?id=1'+/*!or*/+/*!sleep*/(5)--+-"

[HarshilPatel007]

@ehsandeep , got the same results.

➜  webappsec httpx -l target.txt -status-code -response-time -follow-redirects -verbose

    __    __  __       _  __
   / /_  / /_/ /_____ | |/ /
  / __ \/ __/ __/ __ \|   /
 / / / / /_/ /_/ /_/ /   |
/_/ /_/\__/\__/ .___/_/|_|
             /_/              v1.1.2

		projectdiscovery.io

Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
➜  webappsec

[ehsandeep]

@HarshilPatel007 can you share the output of curl -v "https://website.com/page.php?id=1'+/*!or*/+/*!sleep*/(5)--+-"?

[HarshilPatel007]

➜  ~ curl -v "https://website.com/page.php\?id\=1'+/*\!or/+/*\!sleep*/(5)--+-"
*   Trying IP:443...
* Connected to website.com (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=website.com
*  start date: May 19 00:00:00 2021 GMT
*  expire date: May 19 23:59:59 2022 GMT
*  subjectAltName: host "website.com" matched cert's "website.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5619d230d9a0)
> GET /page.php\?id\=1'+/*!or/+/*!sleep*/(5)--+- HTTP/2
> Host: website.com
> user-agent: curl/7.79.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 404 
< date: Sun, 26 Sep 2021 04:53:26 GMT
< server: Apache
< last-modified: Tue, 23 Apr 2019 05:30:34 GMT
< accept-ranges: bytes
< content-length: 11816
< vary: Accept-Encoding
< content-type: text/html
< 
.........
HTML OUTPUT
.........
.........

[HarshilPatel007]

@ehsandeep

[ehsandeep]

@HarshilPatel007 we will be required to have an input URL for further information, you can join https://discord.gg/projectdiscovery and DM @pdteam