During an ethical hacking exercise, a security analyst is testing a web application that manages confidential information and suspects it may be vulnerable to SQL injection. Which payload would most likely reveal whether the application is vulnerable to time-based blind SQL injection?
Correct Answer: C
CEH's SQL Injection coverage distinguishes between classic (error-based), union-based, boolean-based blind, and time-based blind SQL injection. Time-based blind SQL injection is used when the application does not return database errors or query results to the attacker (no visible output), but the attacker can infer execution behavior by measuring response delays. A time-based payload intentionally triggers a database delay function (for example, SLEEP(), WAITFOR DELAY, pg_sleep() depending on DBMS). If the injection is successful, the page response time increases predictably, confirming that attacker-controlled SQL is being executed.

Option C is the correct time-based blind probe because it uses conditional logic (IF(1=1, SLEEP(5), 0)) to cause a measurable delay only when the injected condition evaluates true. CEH teaches that this technique is particularly effective against hardened applications that suppress errors and sanitize outputs, because timing becomes the side-channel for confirmation.

Option A and Option D are UNION-based payload patterns intended to extract data via returned result sets, which time-based blind scenarios typically do not provide. Option B is a classic authentication-bypass/boolean test; it can indicate injection but does not specifically validate time-based blind behavior when output is not observable.

CEH mitigation guidance includes parameterized queries, strict input validation, least-privilege DB accounts, WAF tuning, and centralized logging to detect anomalous query timing patterns.
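
The logging mitigation named above can be sketched as detection logic over access logs; this is an added example, not part of the original explanation. It assumes a simplified log layout (client, quoted request line, status, response time in seconds) and a hypothetical `SLOW_FACTOR` threshold, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, unquote_plus

# Delay primitives named in the explanation (MySQL, SQL Server, PostgreSQL).
DELAY_RE = re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bpg_sleep\s*\(", re.I)
# Assumed log layout: client "METHOD url PROTO" status response_seconds
LINE_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<rt>\d+\.\d+)$')
SLOW_FACTOR = 5.0  # assumed threshold: multiple of the endpoint's median time

# Constructed sample log; the parameter value is the expression quoted above.
SAMPLE_LOG = """\
10.0.0.5 "GET /item?id=7 HTTP/1.1" 200 0.041
10.0.0.5 "GET /item?id=8 HTTP/1.1" 200 0.039
10.0.0.9 "GET /item?id=IF(1%3D1%2C%20SLEEP(5)%2C%200) HTTP/1.1" 200 5.052
10.0.0.5 "GET /item?id=9 HTTP/1.1" 200 0.044
10.0.0.9 "GET /search?q=IF(1%3D1%2C%20SLEEP(5)%2C%200) HTTP/1.1" 200 0.050
10.0.0.5 "GET /search?q=shoes HTTP/1.1" 200 0.048
10.0.0.5 "GET /report?year=2024 HTTP/1.1" 200 2.100
"""

def find_suspects(log_text):
    """Return (path, seconds, reasons) for requests worth an analyst's look."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            parts = urlsplit(m["url"])
            # Decode twice so double-encoded parameters are still inspected.
            query = unquote_plus(unquote_plus(parts.query))
            rows.append((parts.path, query, float(m["rt"])))
    by_path = defaultdict(list)
    for path, _, rt in rows:
        by_path[path].append(rt)
    suspects = []
    for path, query, rt in rows:
        reasons = []
        if DELAY_RE.search(query):
            reasons.append("delay-function")
        # Compare against the endpoint's own baseline, so an always-slow
        # endpoint such as /report is not flagged on timing alone.
        if rt >= SLOW_FACTOR * median(by_path[path]):
            reasons.append("slow")
        if reasons:
            suspects.append((path, rt, reasons))
    return suspects
```

A request carrying both reasons indicates the delay expression reached the database and ran; one with only `delay-function` was probed but stayed inert, which is the result expected from an endpoint using parameterized queries.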