Blind SQLi: measure twice, SLEEP once

Boolean diffs and time inference when the page gives you nothing. Baselines, false positives, and when to stop grinding characters.

Published Updated 2 min read

No errors. No UNION reflection. Maybe the login button says "Invalid" vs "Invalid credentials" if you squint.

Welcome to blind SQLi.

The application still builds SQL from your input. It just gives you almost nothing back. It is also how you get rate-limited if you point sqlmap at production like a firehose.

The crafter Exploitation step ships boolean and time templates with the right sleep primitives and substring functions per DBMS. Copy one pair into Repeater. Prove the differential before you automate anything.

Boolean first, always

Matched quoting:

' AND (SELECT 1)=1-- 
' AND (SELECT 1)=2-- 

Measure something stable. HTTP status is lazy. Content-Length is better. A fixed substring in HTML or {"success":false} vs {"success":true} in JSON is better still. I log all three when the client lets me.

True and false look identical? Do not jump to SLEEP yet. Try another parameter, POST field, or Cookie header. Blind sinks hide in weird places.

Time-based is fallback math

Baseline ten requests. Median 180ms, spikes to 400ms on bad days? A single 5.2s response means nothing. You want a sustained shift across multiple runs.

Per engine:

MySQL:      ' AND SLEEP(5)-- 
PostgreSQL: ' AND pg_sleep(5)-- 
SQL Server: '; WAITFOR DELAY '0:0:5'-- 

CDN jitter fooled me more than once. Corporate proxies too. Latency garbage? Sell boolean blind in the report or ask for a staging mirror.

Extraction discipline

Substring bit grinding works. Loud in logs. Slow on calendar time. On authorized prod tests I tell the SOC, throttle manually, stop after a short proof string (admin, one email). Full table pulls belong in impact narrative, not necessarily in your traffic capture.

Automate only when scope says you may and someone is watching the WAF dashboard.

Dead ends worth documenting

Numeric cast on input (intval, ORM coercion) kills string tricks. Prepared statements end to end. Delays blocked at PHP max_execution_time with no observable wait. Clean negative with notes is still valuable. Stops the next tester from repeating the same week-long sqlmap job.

Blind injection rewards patience and measurement, not the fanciest payload in the deck.

FAQ

How slow is too slow for time-based tests?
If baseline swings by 2+ seconds without injection, time inference is unreliable. Fix network path or use boolean diffs on content length or JSON fields instead.
Should I use SLEEP or BENCHMARK on MySQL?
SLEEP is readable in Repeater timestamps. BENCHMARK sometimes evades naive SLEEP filters but is harder to tune and can spike CPU on small instances.
Can I automate blind extraction in production apps?
Only with explicit written scope and throttling. sqlmap defaults on a prod API can DoS a small backend and will show up in rate-limit logs.

Related articles