| About Blog Cheatsheets Defense Links Offense |
| Offense |
| Code Audit Exploit Hacking Input Validation Metasploit Methods Nmap OSSTMM Test OWASP Webtest Pentest Physical Pentest Backtrack Pentest SQL Inject |
SQL Inject
| Character | Description |
| ' | Apostrophe or tick, terminates a statement |
| -- | Double minus, single line comment, ignored remainder of statement |
| + | Plus, space, correctly format statements |
| ,@variable | Appends variables, identify stored procedures |
| ?Param1=a&Param1=b | Creates Param=ab, identify stored procedures |
| @@@variable | Call internal server variable |
| Returns odbc error, no target data | |
| SET | Assign variables, multiline statements |
| % | Percent, wild card that matches any string of zero or more chars |
|
OR 1=1 ' OR '1'='1 |
Creates true condition (bypass logic checks) |
| UNION ALL SELECT field FROM table WHERE condition | Retrieves all rows from table if condition is true (1=1) |
| INSERT INTO Users VALUES('neo',trinity') | Can bypass authentication |