' and looking for errors or other anomalies. In fact, don't limit yourself to a single quote. You should test the following payloads as well:
OR 1=2, and looking for differences in the application's responses.
Accept-Language, you might get surprised.
99 is the user ID, we can test for
WHERE clause of a
SELECT query. This type of SQL injection is generally well understood by experienced testers.
UPDATE statements, within the updated values or the
INSERT statements, within the inserted values.
SELECT statements, within the table or column name.
SELECT statements, within the
released = 1 is being used to hide products that are not released. For unreleased products, presumably
released = 0.
-- is a comment indicator in SQL, and means that the rest of the query is interpreted as a comment. This effectively removes the remainder of the query, so it no longer includes
AND released = 1. This means that all products are displayed, including unreleased products.
1=1 is always true, the query will return all items.
wiener and the password
bluecheese, the application checks the credentials by performing the following SQL query:
-- to remove the password check from the
WHERE clause of the query. For example, submitting the username
administrator'-- and a blank password results in the following query:
administrator and successfully logs the attacker in as that user.
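The login check described above, built once by string concatenation and once with a ? placeholder, as an added example that is not part of the original page. It uses Python's standard-library sqlite3 module with an in-memory database (SQLite also treats -- as a comment), and the table, the users and their passwords are constructed sample data; the function names login_vulnerable and login_safe are hypothetical.

```python
"""Added example (not from the original page): the credential check from the
text, once vulnerable and once parameterized. Uses an in-memory SQLite database
so it runs offline; all rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows.
    Plaintext passwords are kept only to mirror the query shape discussed
    on the page; a real application stores a password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("wiener", "bluecheese", "user"),
            ("administrator", "constructed-admin-pw", "admin"),  # constructed value
        ],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: user input becomes part of the SQL syntax."""
    return (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return (username, role) of the first matching row, or None.
    With the username administrator'-- the comment swallows the
    password check, so the row is returned for a blank password."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with ? placeholders: the driver binds the input as data,
    so a quote or -- inside it can never change the statement structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # A legitimate login succeeds either way.
    print(login_vulnerable(db, "wiener", "bluecheese"))
    print(login_safe(db, "wiener", "bluecheese"))
    # The username from the text with a blank password.
    print(build_vulnerable_query("administrator'--", ""))
    print(login_vulnerable(db, "administrator'--", ""))  # ('administrator', 'admin')
    print(login_safe(db, "administrator'--", ""))        # None: no such user
```

Printing build_vulnerable_query() shows the final statement the database sees, which is also the form worth logging in a staging environment when hunting for concatenated queries in legacy code.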
UNION keyword, which lets you execute an additional
SELECT query and append the results to the original query.
username=admin'#. The server does not validate special characters in the username, so this account is stored in the backend database as-is. Suppose that there is a "change password" API that executes the following SQL query:
admin'#, the attacker can invoke the "change password" API and the SQL query becomes:
\'), double quotes (
\") and backslashes (
\\). Suppose we want to feed in a single quote
addslashes('), it becomes
\', which is
%5c%27 in URL encoding. Now, we can use the payload
addslashes(%df%27), it becomes
%df%5c%27 since the single quote is escaped. If the backend database uses GBK encoding:
%df%5c will be interpreted as a traditional Chinese character, so the single quote will not be escaped. This attack is less common since most databases use UTF-8 encoding instead of GBK encoding. In fact, I have never seen GBK encoding in the real world.
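The byte-level walk-through above, as an added example that is not part of the original page: a small emulation of PHP's addslashes() (constructed here, the real PHP function is not called) escapes the decoded bytes, and the result is then decoded the way a database connection using UTF-8 or GBK would see it. The helper names addslashes, escape_then_decode and quote_survives_escaping are hypothetical.

```python
"""Added example (not from the original page): why a byte-wise addslashes()
loses its backslash when the connection decodes the result as GBK."""
from urllib.parse import unquote_to_bytes


def addslashes(data: bytes) -> bytes:
    """Emulate PHP addslashes() for ' " and \\ (the NUL case is omitted).
    It works byte by byte and knows nothing about multibyte encodings."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(0x5C)  # prepend a backslash
        out.append(b)
    return bytes(out)


def escape_then_decode(url_encoded: str, charset: str) -> str:
    """URL-decode the raw input, escape it byte-wise, then decode the bytes
    with the given connection charset (invalid sequences become U+FFFD)."""
    escaped = addslashes(unquote_to_bytes(url_encoded))
    return escaped.decode(charset, errors="replace")


def quote_survives_escaping(url_encoded: str, charset: str) -> bool:
    """True when the single quote is still preceded by a backslash after
    decoding, i.e. the escaping held for this charset."""
    return "\\'" in escape_then_decode(url_encoded, charset)


if __name__ == "__main__":
    for payload in ("%27", "%df%27"):
        for cs in ("utf-8", "gbk"):
            text = escape_then_decode(payload, cs)
            state = "escaped" if quote_survives_escaping(payload, cs) else "NOT escaped"
            print(f"{payload:8} {cs:6} {text!r:12} {state}")
```

With GBK the bytes %df%5c collapse into one two-byte character and the quote is left bare, which is exactly the bypass the text describes. The practical defence is to make escaping charset-aware (in PHP, mysqli_set_charset() followed by mysqli_real_escape_string() rather than addslashes()) or, better, to use prepared statements so the input is never spliced into the SQL text at all.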
mysql is the result of
SELECT DATABASE();. It turns "blind" SQLi into "not so blind" SQLi.
SELECT <webshell> INTO OUTFILE <path> statement. For example, a PHP webshell can be created using this payload:
' UNION SELECT 1,'' INTO OUTFILE '/var/www/html/images/webshell.php';.
lib_mysqludf_sys is a MySQL plugin containing some dangerous functions such as
sys_eval(). It is not a built-in library in MySQL, so we have to import it first. After that, we can use sys_eval() to execute any command.
sqlmap -u <url> --os-shell uses a UDF behind the scenes.
?) is used as a placeholder. The following payloads will be interpreted as: