Time-based blind SQL injection is a technique where an attacker extracts information by observing the response time of database queries. Unlike boolean-based blind injection, this method doesn't rely on visible differences in output—only timing.
When error messages are suppressed and boolean responses look identical, attackers can use time delays to infer information. If a condition is true, the query includes a delay (like SLEEP(5)); if false, it executes immediately.
WARNING: In many countries (including the UK) it is illegal to use this attack.
Up to 6 months in jail for unauthorised access.
I've set up a vulnerable test system here so that you can have a go.
I promise not to prosecute.
This challenge demonstrates how attackers can extract data by measuring query execution times. The system shows execution time for each query, allowing you to see how time-based attacks work.
Note: In a real attack, the attacker would measure response times programmatically. Here, we display the execution time to help you understand the technique.
Time-based blind SQL injection relies on conditional delays:
CASE WHEN condition THEN SLEEP(5) ELSE 0 END - delays if condition is true
condition AND SLEEP(5) - delays if condition is true

By systematically testing each character and measuring response times, an attacker can reconstruct entire passwords or other sensitive data character by character.
Note: SQLite uses SUBSTR() instead of MySQL's SUBSTRING() function.
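How a concatenated query and a parameterized query treat input of this form, as an added example that is not the challenge's own code. The users table, its contents and the function names are constructed for illustration; because SQLite has no built-in SLEEP(), a stand-in is registered that counts calls instead of pausing.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample data (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    calls = []
    # SQLite has no built-in SLEEP(); this stand-in records each call and
    # returns 0 instead of pausing, so the demo is instant and deterministic.
    db.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 0)
    return db, calls

def lookup_vulnerable(db, username):
    # Input is concatenated into the SQL text, so it can add its own expressions.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Input is bound as a value; the database only ever compares it as a string.
    sql = "SELECT username FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

# Constructed inputs in the conditional-delay form described above.
PROBE_TRUE = ("admin' AND (CASE WHEN SUBSTR(password,1,1)='s' "
              "THEN SLEEP(5) ELSE 0 END)=0 -- ")
PROBE_FALSE = PROBE_TRUE.replace("='s'", "='x'")

def delay_calls(lookup, value):
    """Number of times the query reached SLEEP() for this input."""
    db, calls = make_db()
    lookup(db, value)
    return len(calls)

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(name, delay_calls(fn, PROBE_TRUE), delay_calls(fn, PROBE_FALSE))
```

For the concatenated query the two inputs return the same rows and differ only in whether SLEEP() is reached, which is the timing signal; the parameterized query never reaches SLEEP() for either input.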