[Webappsec] SQL injection payloads

[nnp]

Hey,

As I mentioned in my previous email I'm currently making some changes
to the wapiti web application fuzzer. On potential change I'm unsure
about is regarding the actual payloads used to attempt to disrupt SQL
syntax. The current payload is as follows \xbf'"(. That is the
character corresponding to 0xbf, a single quote, a double quote and a
left parenthesis. Do you guys think this is sufficient or should it
also include semi-colons, dashes etc? Or to be guaranteed to find any
potential injection vectors should I go a step further and try actual
SQL e.g UNION etc

Cheers,
nnp

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com