Time-Based Blind SQL Injection is a technique where attackers infer information from the database by injecting conditional time delays. If the condition is true, the database waits before responding; otherwise, it responds immediately.
The attacker uses database-specific sleep functions combined with conditional logic. By measuring response times, they can determine whether conditions are true or false, allowing data extraction character by character.
MySQL: SLEEP(5)
PostgreSQL: pg_sleep(5)
SQL Server: WAITFOR DELAY '0:0:5'
Oracle: DBMS_PIPE.RECEIVE_MESSAGE('x',5)
Extracting the database version character by character:
// Check if version starts with '5'
GET /user?id=1; IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)--
// If response takes 5+ seconds, first char is '5'
// Continue with next character position...
Because extraction is slow (one character per request), attackers typically rely on automated tools such as sqlmap, which can extract entire databases using time-based techniques.
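As an added defensive example (not part of the original text), the Python below scans a few constructed access-log lines for the four delay primitives listed above, decodes the URI first so encoded payloads are not missed, and correlates each hit with response time; the log format, the 4000 ms threshold and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (not real traffic): "<client> <method> <uri> <status> <response_ms>".
# Line 2 is a true-condition probe (slow), line 3 the same probe with a false guess (fast),
# line 4 a PostgreSQL probe, line 5 a benign request that merely contains the word "sleep".
SAMPLE_LOG = """\
10.0.0.5 GET /user?id=1 200 120
10.0.0.9 GET /user?id=1;%20IF(SUBSTRING(@@version,1,1)='5',%20SLEEP(5),%200)-- 200 5130
10.0.0.9 GET /user?id=1;%20IF(SUBSTRING(@@version,1,1)='8',%20SLEEP(5),%200)-- 200 140
10.0.0.7 GET /report?q=pg_sleep(5) 200 5020
10.0.0.3 GET /search?q=sleeping+bag 200 95
"""

# Delay primitives of the four engines named in the text; case-insensitive and whitespace tolerant.
# The "(" / DELAY token after the name keeps ordinary words like "sleeping" from matching.
DELAY_PATTERN = re.compile(
    r"\bSLEEP\s*\(|\bPG_SLEEP\s*\(|\bWAITFOR\s+DELAY\b|\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(",
    re.IGNORECASE,
)
SLOW_MS = 4000  # assumed threshold: well above the route's normal latency


def flag_time_based_sqli(log_text, slow_ms=SLOW_MS):
    """Return (client, decoded_uri, response_ms, reason) for each request carrying a delay primitive.

    Latency is recorded as context rather than used as the trigger: a probe whose
    condition is false returns immediately, so alerting on slow responses alone
    would miss roughly half of a character-by-character extraction.
    """
    hits = []
    for line in log_text.splitlines():
        client, _method, uri, _status, ms = line.split()
        decoded = unquote_plus(uri)  # payloads usually arrive URL-encoded
        if DELAY_PATTERN.search(decoded) is None:
            continue
        ms = int(ms)
        reason = ("delay primitive + slow response" if ms >= slow_ms
                  else "delay primitive, fast response (condition likely false)")
        hits.append((client, decoded, ms, reason))
    return hits


def probes_per_client(hits):
    """Count flagged requests per client; a high count is the signature of automated extraction."""
    return Counter(client for client, _uri, _ms, _reason in hits)
```

Run on the sample, the benign "sleeping bag" search is not flagged, and 10.0.0.9 shows two probes, one slow and one fast, which is exactly the true/false pattern the technique produces.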