> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/trick-0138/web-sqli-time-based.md).

# Time Based

## SQLi Regex Bypass & Time-Based Confirmation

Using a newline character (`%0a`) at the start of your input can sometimes bypass `preg_match` filters, particularly those using `^` anchors without the multiline flag, by altering how the regex engine processes the input start. The caret `^` and dollar `$` characters are anchors; `^` matches the position before the first character of the string, and `$` matches the position after the last character of the string. By default, these anchors match the very start and end of the entire input string, not the start and end of individual lines within a multiline string, unless a specific multiline flag (like `m` in PHP's `preg_match`) is used. Introducing a newline at the beginning means the actual injection payload starts on a new line, potentially falling outside the scope of a `^` anchor that expects the pattern to match the absolute beginning of the input. Combine this with SQL comments (`-- -` or `#`) to inject arbitrary SQL while satisfying filter conditions on the end of the input.

For a regex like `/^.*[A-Za-z!#$%^&*()\-_=+{}\[\]\|;:\'\",.<>\/?]|[^0-9]$/`, a payload structured as `%0a[injection]-- -0` can work. The `%0a` potentially breaks the start anchor's effect, allowing the injection to occur on a new line. The comment (`-- -` or `#`) nullifies the rest of the original query line, and the final `0` satisfies the `|[^0-9]$` or similar end condition if present. This technique leverages the fact that filters might only inspect the first line or that the regex anchors are not configured for multiline matching.

For example, an injection starting with a newline can bypass filters that anchor the match to the beginning of the string:

```
test' %0aunion select 1,2,3 -- -
```

Here, `%0a` represents the newline character. Another common comment style is `#`, so `-- -` can often be replaced with `%23` in a URL context.

Confirm time-based SQL injection execution by injecting a `sleep()` or `benchmark()` command within this structure. Time-based blind SQL injection relies on observing the application's response time to infer information or confirm execution.

Using `sleep()`:

```
?id=%0a\'; SELECT sleep(10) -- -0
```

Observe if the response is delayed by approximately 10 seconds, confirming that the injected SQL command was executed. Remember to URL-encode your full payload.

Using `benchmark()`:

```
?id=%0a\' UNION SELECT IF(BENCHMARK(10000000,SHA2(\'test\',512\')),1,1) -- -0
```

This payload uses the `BENCHMARK()` function, which executes an expression repeatedly. A noticeable delay indicates successful injection.
