Time-based SQLi

A time-based SQLi is when we intentionally delay the response from the database based on a condition.

For instance, given the condition "if the DBMS is MariaDB, wait 5 seconds", and assuming a usual request takes 1 second, if the sleep request takes ~6 seconds, then we know that the DBMS is MariaDB.


Manual Time-based SQLi

A time-based SQLi is a Boolean-based SQLi to which we add a UNION SELECT that calls the sleep function:

-UNION SELECT NULL        (boolean-based request)
+UNION SELECT SLEEP(5)    (time-based request)

The SELECT is ONLY called if at least one record is selected, meaning the condition in the WHERE clause is true for at least one record.

Since Boolean-based SQLi relies on whether the WHERE condition fails or not, we don't have anything new to do.
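
From the defender's side, the same timing reasoning (usual latency plus the requested delay) can be used to tell a probe that did nothing from one where the delay really ran. The following is an added example, not part of the original notes; the log format, the sample lines, the tolerance value and the function names are all constructed for illustration, and the pattern also covers pg_sleep in addition to the sleep call shown above.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample log, one request per line:
#   "<path?query> <status> <response_time_seconds>"
SAMPLE_LOG = """\
/item?id=1 200 1.02
/item?id=2 200 0.97
/item?id=7 200 1.05
/item?id=1+UNION+SELECT+SLEEP(5) 200 6.04
/item?id=1%20AND%201%3DIF(1%3D1%2CSLEEP(5)%2C0) 200 1.01
/search?q=sleep+tracker 200 0.99
"""

# A delay function called with a numeric argument, e.g. SLEEP(5)
DELAY_CALL = re.compile(r"\b(?:sleep|pg_sleep)\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)


def parse(log):
    """Yield (url-decoded request, status, seconds) for each log line."""
    for line in log.splitlines():
        url, status, seconds = line.rsplit(" ", 2)
        yield unquote_plus(url), int(status), float(seconds)


def classify(log, tolerance=0.5):
    """Return (request, verdict) for every request containing a delay call."""
    rows = list(parse(log))
    # Baseline = median latency of the requests without a delay call
    clean = [t for url, _, t in rows if not DELAY_CALL.search(url)]
    baseline = median(clean) if clean else 0.0
    findings = []
    for url, _, elapsed in rows:
        match = DELAY_CALL.search(url)
        if not match:
            continue
        delay = float(match.group(1))
        # The delay took effect if latency is about baseline + requested delay
        executed = elapsed >= baseline + delay - tolerance
        findings.append((url, "executed" if executed else "attempted"))
    return findings


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:9} {url}")
```

An "executed" verdict means the injected delay reached the database, so that endpoint is building its query from user input and should be moved to parameterized queries first.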


👻 To-do 👻

Stuff that I found, but haven't read/used yet.

  • AND 1=IF(1=1,SLEEP(5),0): alternative to SELECT