-
Notifications
You must be signed in to change notification settings - Fork 420
SQL Engine
ron190 edited this page Feb 4, 2025
·
22 revisions
πjSQL generates default SQL syntax based on a template which is editable in tab SQL Engine, allowing to live-debug and optimize queries on the fly for current identified engine.
Any SQL part is defined by a unique ${tag} and all tags are replaced by its concrete value in the final query.
The entire template is roughly like the following:
character insertion layer # input prefix
${indices}:Union or ${binary.mode} & ${test}:Time+Blind # strategy layer
${window} # chars substring
${window.char}:Multibit+Bittest & ${bit} # chars position index
${injection}:all # main select
${database} ${table} ${fields} # all fields with main from
${field.value} # field syntax
${indice} & ${calibrator} # Union specific
${limit} # rows index
${limit.value} # substring index...&name=2212100212 # input prefix
union select 1,1,1,1,( # strategy layer
select concat(0x53714c69,ifnull(
mid(( # chars substring
select group_concat(0x04,r,0x05,q,0x04 order by r separator 0x06) # main select
from( # all fields with main from
select schema_name r,count(table_name)q # field syntax
from information_schema.tables
right join information_schema.schemata on schema_name=table_schema
group by r order by 1
limit 0,65536 # rows index
)x
),1,65537)
,''),0x01030307)
),1,1-- -I0Hq-
Database: get names with number of tables -
Tables: get names with number of rows -
Columns: get names -
Rows: get de-duplicated rows-
Field: single column name, all fields are concatenated into${fields}with separator -
Field Separator: added between fields to separate column values
-
-
Metadata: get engine info like version and current user
-
Union: apply union-based select -
Stack: apply stack query -
Error: apply exception trigger that includes the result -
Binaryβ bitwise strategies-
Modeβ${binary.mode}: useAND/ORdepending on the initial query state (eg.where 1=1 AND,where 1=0 OR) -
Blind: get resultYes/Nofor given bit from ASCII code of a single char -
Time: get delayYes/Nofor given bit from ASCII code of a single char -
Multibit: get specific result for given bits from ASCII code of a single char -
Bit testβ${test}: returntruewhen the bit of given ASCII code is1, else returnfalse
-
-
Char Sliding Windowβ${window.char}: set a substring of data -
Rows Sliding Windowβ${limit}: set rows starting at specific position (seeLIMIT) -
Limit start indexβ${limit.value}: setLIMITinitial position, some engine starts at0and some at1 -
Capacityβ${capacity}: set specificUnionquery to measure indexes response size -
Calibratorβ${calibrator}: repeat given char forUnioncapacity measure -
Failsafe: setUnionindex withN0+1form -
End comment: set SQL comment to ignore internal query remaining parts
-
Order by: set wrong column index to trigger specific engine error -
Order by error: expected engine error when order by index is wrong -
String error: expected SQL syntax error when query is incorrect -
Truthy: list of predicate checked as true by engine -
Falsy: list of predicate checked as false by engine
-
Privilege: get current user's read permission -
Read: get file content to read -
Write body: set file content to write -
Write path: set file path to write