A fast, minimalistic scanner for time-based SQL injection (SQLi) detection – built in Go.

• ⚡ Time-based SQL Injection detection via precise sleep(n) delta measurement.
• 🧐 Drift-tolerant detection using -negdrift / -posdrift to handle real-world network jitter.
• ❌ False-positive control with -maxtime to skip outliers.
• 🚦 Stop-at-first-match with -spm to minimize redundant testing.

• 🎯 Dynamic payloads using {SLEEP} placeholders, automatically replaced at runtime.
• 🌐 Auto-encoding for payloads with spaces unless -encode is explicitly set.
• 📥 Payload validation: skips empty lines, comments (#), and lines without {SLEEP}.
• 🔧 Debug output for ignored/auto-encoded payloads (line number, reason).

• 🔁 Supports GET and POST methods with -post flag.
• 👤 Custom User-Agent string via -user-agent.
• 🎭 User-Agent header injection (-add-ua) to test payloads through headers.
• 📂 Support for multiple custom headers with -header "Key:Value".

• 🔗 Full proxy support with -proxy.
• 🔁 Replay proxy for vulnerable findings only (-replay-proxy).
• 🛠️ Modular replay engine supports full POST replay with correct content types and headers.

• 🧵 Multi-threaded scanning using -threads to control concurrency.
• 💤 Adjustable delay between requests with -delay, applies to base and payloads.
• ⏳ Adaptive timeout calculated using sleep * timeoutmultiplier + timeoutbuffer.

• 🧹 Clean mode (-clean) to output only vulnerable URLs (ideal for piping).
• 🔔 Integration with ProjectDiscovery notify for real-time alerts (-notify).
• 🔧 Color-coded debug logs with detailed CLI feedback (-debug).
• 📛 Legend, banners, and prefixes for clean, readable output.

• 🚫 Skips invalid or malformed URLs from stdin (with debug messages).
• ✅ Ensures payloads in file are syntactically valid and informative when skipped.

Requires Go 1.18+

go install github.com/c1phy/sqltimer/cmd/sqltimer@latest

The binary sqltimer will be available in your $GOBIN directory.

Each URL must contain at least one GET parameter:

https://target.com/page?id=1
https://site.org/search?q=test

Save as urls.txt.

(select*from(select(sleep({SLEEP}))a)
' OR sleep({SLEEP}) --
1') AND SLEEP({SLEEP}) AND ('1'='1
" OR sleep({SLEEP})) --

Save as payloads.txt.

{SLEEP} will be replaced dynamically based on the -sleep parameter, e.g., sleep(10)

cat urls.txt | sqltimer -payloads payloads.txt -sleep 10 -threads 20 -encode -notify

sqltimer/
├── payloads.txt
├── urls.txt
└── sqltimer (binary from go install or build)

🔥 SQLi suspicion in param 'q' with payload '(select*from(select(sleep(10)))a)' → https://example.com/search?q=test (Δ=10.2s ≈ 1x sleep ±0.1s/0.5s)

The -negdrift and -posdrift options define how much timing deviation is tolerated when matching the sleep time against the server's real delay.

• -sleep 2
• -negdrift 0.1
• -posdrift 0.5

Sqltimer dynamically sets the HTTP client timeout based on your -sleep parameter:

timeout = (sleep × timeoutmultiplier) + timeoutbuffer

Example:

• -sleep 2
• -timeoutmultiplier 6
• -timeoutbuffer 10

Resulting Timeout:

(2 × 6) + 10 = 22 seconds

This ensures slow SQLi payloads are not cut off prematurely but keeps the scanner responsive.

Install notify:

go install github.com/projectdiscovery/notify/cmd/notify@latest

Configure it (Slack, Discord, Telegram) via ~/.config/notify/provider-config.yaml.

Then simply use:

cat urls.txt | sqltimer -payloads payloads.txt -notify

All matches will be piped into your notify pipeline automatically.

• Use a higher -sleep value (e.g., 10) for more reliable detection.
• For stable networks, keep default drift settings: -negdrift 0.1 and -posdrift 0.5.
• In noisy environments (e.g., cloud targets), increase -posdrift slightly (e.g., 0.6) to reduce false negatives.
• Use -debug to trace timing behavior and fine-tune drift or delays.

• Enable -add-ua to test payloads in the User-Agent header.
• Switch to -post if GET-based payloads are filtered or blocked by the server.
• Use -spm (stop-after-match) to reduce noise and scan faster by skipping further payloads once a hit is found.

• Pipe input from tools like waybackurls, gau, or ffuf.

• Combine with -clean for chaining into other tools:

  sqltimer ... -clean | awk '{print $1}'

• Use -proxy to send all traffic through a proxy (e.g., Burp/ZAP).
• Use -replay-proxy to send only detected vulnerable requests through a secondary proxy for logging, inspection, or exploitation.
• If both are specified, -proxy takes precedence and is used for all traffic.

• Set a custom -user-agent to blend in or bypass basic filters.
• Use -header "Key:Value" one or more times to add arbitrary HTTP headers (e.g., auth tokens, X-Forwarded-For).
• Use -delay to slow down scanning for unstable targets or rate-limited endpoints (e.g., -delay 2).

MIT License – use it, improve it, share it.

This tool is provided for educational and authorized security testing purposes only.
Do not use it on systems without explicit permission.
The author assumes no responsibility for any misuse or damage caused by this tool.

Marc-Oliver Munz – munz4u.de

• 🌐 Website: https://munz4u.de
• 🐦 Twitter/X: @marcolivermunz
• 🌀 Bluesky: @munz4u.de
• 💼 LinkedIn: linkedin.com/in/marc-oliver-munz

Feel free to connect, contribute, or give feedback!