search

SQL Injection & XSS Playground

This is my playground for SQL injection and XSS

hashtag
Classic SQL Injection

hashtag
Union Select Data Extraction

mysql> select * from users where user_id = 1 order by 7;              
ERROR 1054 (42S22): Unknown column '7' in 'order clause'
mysql> select * from users where user_id = 1 order by 6;
mysql> select * from users where user_id = 1 union select 1,2,3,4,5,6;

hashtag
Authentication Bypass

hashtag
Second Order Injection

hashtag
Dropping a Backdoor

hashtag
Conditional Select

hashtag
Bypassing Whitespace Filtering

hashtag
Time Based SQL Injection

hashtag
Sleep Invokation

hashtag
XSS

hashtag
Strtoupper Bypass

Say we have the following PHP code that takes name as a user supplied parameter:

Line 3 is vulnerable to XSS, and we can break out of the input with a single quote ':

For example, if we set the name parameter to the value of a', we get:

Note that the a got converted to a capital A and this is due to the strtoupper function being called on our input. What this means is that any ascii letters in our JavaScript payload will get converted to uppercase and become invalid and will not execute (i.ealert() != ALERT()).

To bypass this constraint, we can encode our payload using JsFuck, which eliminates all the letters from the payload and leaves us with this:

hashtag
References

MySQL SQL Injection Cheat Sheetpentestmonkeychevron-right
MSSQL Injection Cheat Sheetpentestmonkeychevron-right
http://breakthesecurity.cysecurity.org/2010/12/hacking-website-using-sql-injection-step-by-step-guide.htmlbreakthesecurity.cysecurity.orgchevron-right
PreviousPentesting CheatsheetsNextActive Directory & Kerberos Abuse

Last updated