Home
Scholarships Portal

Sleep sql injection

  • Sleep sql injection. • 2 yr. What is SQL injection? I think most of us know what SQL injection is, but as a refresher, SQL injection is when someone provides malicious input into WHERE, to run their own statements as well. Starting at version 8. An SQL injection is a security flaw that allows attackers to interfere with database queries of an application. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This can be done using the "AS" clause in postgreSQL. This function will dump the whole database in XML format in just 1 row (be careful if the database is very big as Dec 9, 2022 · Blind SQL injection with time delays | Dec 9, 2022 Introduction. The results of the SQL query are not returned, and the application does not respond any differently Jan 27, 2013 · 11. If the query takes longer to execute than usual, it is an indication that the database returned a result. When it comes to executing a statement, java. To successfully perform Description. If the website does not return an immediate response, it indicates a vulnerability to blind SQL injection. This makes exploiting the SQL Injection vulnerability May 17, 2016 · It’s common to see SQL injection in URIs and form parameters, but here the attacker has hidden the SQL query select * from (select(sleep(20))) inside the User-Agent HTTP request header. This time delay is introduced by using built-in methods such as SLEEP(x Oct 29, 2023 · 1) An attacker makes a request to a website vulnerable to SQL Injection with an injection payload. XSS is often used to bypass access controls such as the same-origin policy. Mar 2, 2016 · We have a simple table: [sql] mysql> describe post; +-----+-----+-----+-----+-----+-----+ | Field | Type | Null | Key | Default | Extra | +-----+-----+-----+-----+-----+-----+ | id | int(10) unsigned | NO | PRI | NULL | auto_increment | | test | varchar(127) | YES | | NULL | | +-----+-----+-----+-----+-----+-----+ 2 rows in set (0. This vulnerability usually happens when an application doesn't properly validate input before passing it into an SQL As described in the Hacker Summary, @spaceraccoon discovered a SQL Injection vulnerability in a web service backed by Microsoft Dynamics AX. Mar 27, 2024 · This SQL Injection will be performed within the text box. This lab contains a blind SQL injection vulnerability. The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form (Source code). For the EXISTS () function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data . query_to_xml. This query basically orders by one column or the other, depending on whether the EXISTS () returns a 1 or not. An example would be: SELECT address FROM (SELECT * FROM address WHERE address=''||(pg_sleep(20))) ss; SQL injection (or SQLi) is a serious vulnerability responsible for many high-profile data breaches. Identify webpage printable union columns by providing false value to back-end query with error-based integer SQL command injection. MySQL. Once you've confirmed that condition triggers a time delay you can build on it. If you’re having trouble locating the table name, the query SQL Injection is a type of vulnerability that occurs in an application's database when an attacker can insert or "inject" SQL commands into a query. Aprende hacking en AWS desde cero hasta convertirte en un experto con htARTE (HackTricks AWS Red Team Expert)! RootedCON es el evento de ciberseguridad más relevante en España y uno de los más importantes en Europa. The user input values are passed as parameters. Impacts and Risks of SQL Injection Attacks. A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. 00 sec) mysql Jun 6, 2015 · So it seems like some sort of sql injection DOS attack. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. SQL injection typically allows an attacker to extract the entire database from the vulnerable website, including user information, encrypted passwords, and business data. So if you are interested in using this technique for dumping explore it for postgreSQL. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven Feb 19, 2021 · 0 AND 3133=(SELECT 3133 FROM PG_SLEEP(1)) is a method of blind sql injection. The malicious user sends a crafted SQL query to extract, add, modify, or delete data from the database. 2) The Website makes an SQL query to the database which also passes the hacker’s payload. The MySQL mysql_ family of functions is deprecated and will be removed from PHP in a future revision. 717 sec Transfer Time : 0 sec Total Time : 5. Apr 27, 2017 · I have a server which seems to be vulnerable to SQL injection with the following payload detected by BurpSuite: param=value,(select*from(select(sleep(10)))a) The application takes twice the time defined in sleep to respond (sleep 10 returns a response after 20 seconds). SQL Injection. Some of the queries in the table below can only be run by an admin. The UNION keyword enables you to execute one Blind SQL injection. Statement and java. Parameterized queries is a technique that aims to separate the SQL query from the user input values. 1 row(s) affected Execution Time : 5. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the SQL injection UNION attacks. Timing injections are only possible where JS can be executed in the database, and can lead to other interesting attacks. Jun 13, 2023 · In conclusion, advanced blind SQL injection is a serious vulnerability that can have severe consequences for web applications. Setting the CommandTimeout to either 0 or something higher than 2 will run fine. I tried to reproduce it in a simpler context with a test table and a simple query: SELECT * FROM users WHERE id = -9000 OR 1073 = Sleep(5) AND foo = 'bar' SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END MySQL SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a') Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. Answer: Prepared Statements Reason: Prepared Statements work by separating the SQL query logic from the user input. Reload to refresh your session. Time-based Blind SQLi :Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. In addition, you can easily create a custom pg_sleep(n) in previous versions by using libc: Jun 29, 2017 · At the string end, the attacker attempts to value SQL injection:'+(select*from(select(sleep(20)))a) Common SQL injection is usually a URL and its parameters, but here the attacker puts the SQL query hidden in the HTTP header into the field. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i. SQL Injection Using UNION. Vengeful-Melon. Some methods to manually detect SQL injection indicate a SQL comment. Time-Based Blind SQL Injection. SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. All common web development platforms (including of course PHP, Java, and ASP. Database Reverse Shell SQL Injection Web. Mar 2, 2016 · There, we found a SLEEP(3) attached with OR to the query. If the injection point doesn't use quote marks, then the first sleep payload will execute and comment out the rest of the injection: (select(0)from(select(sleep(0)))v)/*. By exploiting this vulnerability, attackers gain unauthorized access to data beyond their normal privileges. Obviously, this server was the victim of a SQL injection attack. Vulnerability Mapping: ALLOWEDThis CWE ID may be used to map to real-world vulnerabilitiesAbstraction: VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. SELECT IF (1=1,SLEEP (10),'a') The above says if 1=1 then it will have a delay of 10 seconds. This function will return all the data in XML format in just one file. Boolean-based SQL Injection. If the same page is returned, MySQL is most likely the DBMS used by the application. epending Feb 10, 2023 · sqlインジェクションを使った脆弱性診断を実行する際に、しばしば発生する便利な構文のdbms別まとめになります。 日本語で知りたい人や単純に見返す機会も多いと思ったので、 PortSwiggerの学習サイト から翻訳・引用・加筆修正しました。 Apr 18, 2024 · Time-Based SQL Injection relies on the time it takes for a query to execute as an indicator of whether the injected query was successful. Can be this considered a proof of SQL injection? Could I leverage this difference in the responses to conditionally extract data from the db? The high-level idea is: if user(1,1) is 'a' then sleep(0) else sleep(1) Nov 14, 2017 · Test the timebased blind SQL injection vector. If you've got access to a sleep function then you can do a conditional check for true/false questions. MSSQL. 2, PostgreSQL introduced a built-in function, pg_sleep(n), to make the current session process sleep for n seconds. May 27, 2021 · Related content: Read our guide to sql injection attack. SQL (Structured Query Language) Injection, mostly referred to as SQLi, is an attack on a web application database server that causes malicious queries to be executed. Using this access, an attacker can retrieve information from the database in an unauthorized way (especially from those tables that aren’t typically accessible by users). Feb 14, 2024 · The SQL injection can be sorted into three groups. Set the CommandTimeout to 1 second and you will see an exception when running it. You should use prepared statements with either MySQLi or PDO instead. If you’re struggling to find the table name the below query should help you on your way: referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'u%';-- Feb 9, 2023 · Content-Based BSQL Injection. UNION-based attacks allow the tester to easily extract information from the database. I've tried it already and it works. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. Union-based SQL injection is a technique where an attacker combines the result sets of multiple SQL queries to extract information from the database. Lab: Blind SQL injection with time delays. This technique is commonly used by scanning tools; for example, sqlmap will try SQL injection against specific HTTP request headers with the -p option. Such actions may result in permanent changes to the Jun 5, 2018 · Time-based SQL injection is a type of inferential injection or blind injection attack. String concatenation You can concatenate together multiple strings to make a single string. This lab contains an SQLI in product category filter. Blind. sleep (2) sleep (20) If you get the responses like these, then the attacker can execute the sleep query the same way. This injection depends on number of columns identified by order by clause. Jun 9, 2023 · SQL Injection Attack Techniques Union-based SQL Injection. Through the malicious SQL statements, attackers can steal information from the victim’s database; even worse, they may be able to make changes to the database. INSERT INTO hackdb. In fact the same result would be obtained, by using blind SQL injection in conjunction with any function that exists in only one DBMS. These technologies use prepared statements and parameterized queries. DB2. This is not actually doing any data edit nor exposing anything; it's just checking whether you're vulnerable. This is commonly known as a SQL injection UNION attack. Nov 8, 2023 · Detecting SQL injection vulnerabilities is a crucial part of securing your web applications. with time delays and information retrieval. Con la misión de promover el conocimiento técnico, este congreso es un punto de encuentro clave para Jun 15, 2020 · A SQL injection is a type of vulnerability that gives users access to the database associated with an application, allowing them to execute SQL queries. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the Dec 31, 2012 · queryString = queryString + " and c. SQL ( /ˈɛs kjuː ˈɛl/, hoặc /ˈsiːkwəl/; Structured Query Language) hay ngôn ngữ truy vấn mang tính cấu trúc, là một loại ngôn ngữ máy tính phổ biến để tạo, sửa, và lấy dữ liệu từ một hệ quản trị cơ sở dữ liệu quan hệ. One of the most common practices to protect the code against SQL Injection is encapsulating and parameterizing our SQL Commands. 1. The WAS scanning engine uses a well-known technique in content-based approach, called True / False inference to determine if there is a blind SQL injection vulnerability. ' union select sleep(2),2;-- Find out database name Aug 20, 2019 · When building the underlying SQL statement, if you concatenate strings, both java. The big clue was showing SLEEP itself was not a command, but rather a function, which both answers show, but feel free to mark this answer as accepted. we need to use SQLI to retrieve all products data. Fortunately, you can implement several security practices to increase WordPress security and avoid an SQL attack. You switched accounts on another tab or window. Boolean /** the sleep function in Hypersonic SQL */ private static final String SQL_HYPERSONIC_TIME_FUNCTION = * scans for SQL Injection vulnerabilities, using Hypersonic SQL Injection Cheat Sheet. SQL Injection hoặc SQLi xảy ra khi có một Jan 9, 2024 · Updated: January 9, 2024. Date. The inference approach could be generalized. Because the UNION operator can only be used if both queries have the exact same structure, the attacker must craft a SELECT statement similar to the Mar 27, 2024 · How to Stop SQL Injection in WordPress (9 Methods) If your website has an SQL injection vulnerability, attackers can access, modify, or remove data in your database. Nov 5, 2023 · Q-1: Name a method of protecting yourself from an SQL Injection exploit. (MID(VERSION(),1,1) = ‘5’, SLEEP(15), 0) Simple Overview. CWE Glossary Definition. May 26, 2021 · Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data. Blind SQL Injection은 사용자의 입력이 SQL 쿼리로 해석되기는 하나 웹 애플리케이션이 HTTP 응답에 어떠한 데이터나 데이터베이스 오류 메시지를 전혀 표시하지 않을 때 사용됩니다. PreparedStatement define two methods: executeQuery(String sql), for executing an SQL SELECT statement. Informix. PreparedStatement are prone to SQL Injection attacks. Input: ' OR IF(1=2, SLEEP(5 Jun 7, 2021 · The longer sleep times used in this injection type, the easier it is to spot in the results, but the longer it will take to gather information. Nov 17, 2019 · Time-based Blind SQLi : Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. Same as the basic SQL Injection challenge, it has a single text field for user Dec 30, 2020 · Today’s topic is all about Blind SQL injection detection and exploitation. This SQL injection cheat sheet contains examples of useful syntax that you can use to perform a variety of tasks that often arise when performing SQL injection attacks. It's also worth noting that this specifically The following stacked query detects if the website if vulnerable to Time Based SQL injection, by checking the website time response. Ingres. , SQL injection). SQL injection (SQLi) refers to a critical web security flaw enabling malicious actors to manipulate an application’s database queries. Here is a very simple piece of C# code to test the CommandTimeout with. Let's find out the database version. In this type of attack, the data is extracted through the same channel used to inject the Nov 18, 2022 · Parameterized queries. SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. Aug 3, 2015 · 61. DSSS — Damn Small SQLi Scanner. You signed in with another tab or window. This page is about the SQL injection cheat sheet. We can use MySQL's VERSION() function for that. When an application is vulnerable to SQL injection, and the results of the query are returned within the application's responses, you can use the UNION keyword to retrieve data from other tables within the database. Monitor the response time when you increase the time, as shown below. Implement a Firewall. This function can be leveraged to execute timing attacks (discussed in detail at Blind SQL Injection). 어떤 경우에는 응답의 결과가 항상 동일하여 해당 결과만으로 참과 거짓을 판별할 수 없는 경우가 있을 수 있다. 이런 경우 시간을 지연시키는 쿼리를 주입(injection)하여 응답 시간의 차이로 참과 거짓 여부를 판별할 수 있다. Query. The image below illustrates this idea. Sep 2, 2020 · If I enter +select(sleep(5))+ the server wait for a period of time greater than 5" and then responds with "connection failed". Introduction. CWE-564: SQL Injection: Hibernate. Oct 21, 2014 · This is an efficiency hack to speed up the process of fuzzing a website for SQL Injection. XML tricks. query. Let’s imagine that you are using the search feature of an application, using the following keyword to search May 3, 2023 · In a time-based blind SQL injection attack, the attacker sends SQL queries to the database that include a delay function, such as “SLEEP” or “WAITFOR”. NoSQLMap — Automated NoSQL Database Pwnage. @Pacerier: this answer appeared 5 years later, but the example uses DO, which is indeed more elegant than SELECT. This blog discussed the different types of blind SQL injection attacks, provided a cheat sheet of payloads, and described advanced techniques to bypass firewalls and other security measures. 3) The payload contains a request which forces an HTTP request back to the hacker’s machine containing data from the database. In this case, 5 seconds will be sufficient. These are marked with “– priv” at the end of the query. jSQL Injection — Java Tool For Automatic SQL Database Injection. Aug 15, 2019 · Use secure coding practices, independent on the language. The complete list of SQL Injection Cheat Sheets I’m working is: Oracle; MSSQL; MySQL; PostgreSQL; Ingres; DB2; Informix; I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here. We appreciate @spaceraccoon's clear and thorough report, which helped us quickly and effectively triage the report and remediate the vulnerability. NET but also Ruby or Python) have mechanisms that you can use to avoid SQL Injection vulnerabilities including Blind SQL Injections. To prevent this type of SQLite injection we need to accept the user input as a string and then perform the operation on the database like as shown below. XSS allows attackers to 'inject' client-side scripts into pages that will be processed and delivered to other users for viewing. More specific than a Base weakness. The best choice is to use prepared statements SQL Injection Scanner Tools : SQLMap — Automatic SQL Injection And Database Takeover Tool. e. GitHub Gist: instantly share code, notes, and snippets. The most popular time-intensive operation is a sleep operation. Nov 3, 2023 · Repeat the enumeration process from the Boolean-based SQL Injection by inserting the SLEEP() method inside the UNION SELECT query. 718 sec And we are good to go. The best method to prevent SQL injections is to use current technology. However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered. Avoid dynamic SQL at all costs. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet. Here’s how: In this case, threat actors want to retrieve the first character of the admin user's password by injecting the substring function. Query MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP. Weakness ID: 564. Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆ Background. Explore real-life SQL Injection attack examples and find out ways to prevent SQLi. May 1, 2024 · SQL Injection Cheat Sheet. feedback (feedback) VALUES ( (SELECT SLEEP(5)) ) Result. This vulnerability can enable attackers to view, modify, or delete data they shouldn't access, including information of other users or any data the application can access. You signed out in another tab or window. Feb 25, 2020 · February 25, 2020. if the injection point is using single quote, then the 2nd payload will execute: Oct 21, 2019 · Cross-site scripting (XSS) is a type of code-injection vulnerability found typically in web applications. name like :name"; While setting the name parameter, most would generally use this. Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Blind SQL injection with time delays! Without further ado, let’s dive in. BBQSQL — A Blind SQL-Injection Exploitation Tool. Nov 6, 2023 · SQL Injection is a common security issue, and understanding it is essential for anyone interested in cybersecurity. In this case, the attacker performs a database time-intensive operation. The complete list of SQL Injection Cheat Sheets I’m working is: Oracle. This can subsequently lead to mass compromise of user accounts, data being Learn how to exploit SQL injection vulnerabilities in PostgreSQL databases with useful payloads and bypass techniques - a guide for pentesters and CTF players. SELECT * from emp_master where emp_id='12 OR 1=1'; Whenever we run the above query it will Nov 14, 2021 · Task 1 Brief. This lab contains a blind SQL injection Jul 16, 2020 · Blind SQL injection: Time-based SQL injection If the web application doesn’t return errors and the returned information is the same for boolean-based payloads, the attacker sends a payload that includes a time delay command such as SLEEP, which delays the whole response Sep 21, 2023 · You can now repeat the enumeration process from the Boolean based SQL Injection, adding the SLEEP() method into the UNION SELECT statement. SQL injection is a code injection technique for applications with a database connection. Understanding how to create a valid UNION-based attack to extract information. An attacker can retrieve data from different tables or columns by exploiting the UNION operator. Inferential injection attack is a type of attack in which no data is transferred between the attacker and the database and the attacker won’t be able to get results as easily as in an in-band injection attack. Name a protocol beginning with D that can be used Dec 14, 2023 · The medium level uses a form of SQL injection protection, with the function of mysql_real_escape_string(). ago. This can allow the attacker to view, manipulate, or delete data in the database. This delay is created by using functions like SLEEP(x ' or sleep(2) and 1=1# --> try get delay, sleep only operates when all other conditions are true and there is a requirement to operate it. @spaceraccoon demonstrated that the flaw was exploitable via XML-formatted HTTP payload requests to the server. This is why it is also called a blind injection SQLi. Whitewidow — SQL Vulnerability Scanner. PostgreSQL. For technical reasons that I don't understand, this query never seems to complete. May 28, 2021 · If you can execute it through the repeater, then it is not a false positive. This is most likely a blind SQL injection, testing whether you're vulnerable to SQL Injection by checking whether your server takes the specified time or more to reply to the request. For this particular SQL injection method, cybercriminals insert harmful SQL injection code into a web application's input fields forcing the database to return a boolean (true or false) result. sql. In the request there is a request to get the Category and there is a parameter called category and this parameter is our injection point. ' or sleep(2)# --> try get delay admin' and sleep(2)# --> will delay only if the user admin exists ' union select sleep(2),null# --> check if it produces delay ' union select sleep(2),null,null,null,null# --> check if it produces delay, check for different Sep 17, 2020 · What SQL Injection is and how to spot it. Blind sqli applies time to determine the content of the database, mostly using if conditions (cf eg SQL Injection Cheat Sheet - Conditional Time Delays). The results of the SQL query are not returned, and the application does not respond any differently based on whether the For this SQL Injection we can rely on the trusty time based blind SQL Injection payloads, except for it to be a table, we need to give it an alias. This can allow an attacker to view data that they are not normally able to retrieve. 오류 기반 SQL Injection 이나 UNION 기반 SQL Injection 은 데이터베이스 오류 또는 원래 SQL This post is part of a series of SQL Injection Cheat Sheets. It's ideal if you want to dump a lot of data in just 1 row: SELECT query_to_xml('select * from pg_user',true,true,''); database_to_xml. Injection flaws allow attackers to relay malicious code through an application to another system. When a web application communicates with a database using input from a user that hasn’t been properly validated, there runs the potential of an attacker being able Nov 4, 2023 · Time delay is introduced by using built-in methods such as SLEEP(x) Out-of-Band SQL Injection is a type of SQL injection attack where the attacker can exfiltrate data from a web application Dec 25, 2023 · Boolean-based blind Blind SQL Injection เป็นการโจมตีแบบที่ไม่ต้องเอาผลลัพธ์ออกมาแสดงผล จะใช้การถามเข้าไปแล้วผลลัพธ์จะออกมาเป็น ใช่(True) กับ ไม่ใช่(False) เช่น เราจะใส่ input Oct 23, 2021 · SQL-referrer=admin123' UNION SELECT SLEEP(5),2 from users where username like ‘admin’ and password like ‘4961’; Task-9 Out-of-Band SQLi Q. This might include data that belongs to other users, or any other data that the application can access. In-Band SQLi. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. It creates a new command which will wait for 2 seconds. Last modified: 2024-05-01. setParameter("name", "%" + name + "%"); Now, as mentioned above traditional parameter like " 1=1 " cannot be injected because of the TypedQuery and Hibernate will handle it by default. Determine back-end query number of columns by observing http response size with wfuzz in error-based integer SQL command injection. Blind SQL Injection - Time based SQL. Whole scripts written in Perl, Python, and other languages This way hacker can easily get all the sensitive information just by injecting some piece of code. Apr 5, 2016 · 2. Since this is a time-based attack, the sleep () command must be used. Hibernate is a database ORM framework for Java offering developers a uniform interface and syntax to interact independently with underlying relational databases like MySQL, PostgreSQL, and many more. Security. Based on the responses the application is determined to be vulnerable Oct 13, 2023 · A time-based SQL injection is a blind injection technique where an attacker forces the database to wait a pre-determined amount of time, evaluating the response time to determine if an injected Apr 20, 2021 · SQL injection is a technique through which attackers can execute their own malicious SQL statements generally referred to as a malicious payload. The Hibernate Query Language is a SQL dialect very similar to a limited version of MySQL or pgSQL and it is Apr 27, 2023 · SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a') This will cause an unconditional time delay of 10 seconds. The following condition is True because 1=1, which later executes the sleep function, so a 10 seconds delay is what we are expenting on the website's response. Payloads are crafted to send multiple True/False questions to the server. Jul 16, 2021 · Learn about SQL Injection and explore the types of SQLi. xs fg zf vp no fy xd jk ui pq

This site is designed by National Informatics Centre (NIC). Content, DATA owned and maintained by Department of School Education, Government of West Bengal.