[Webappsec] SQL injection payloads
John Dangler
jdangler at terremark.com
Sat Apr 26 20:54:52 EDT 2008
nnp~
Are you looking for expressions which may lead you to a sql injection,
or are you looking for an actual sql injection? If the latter, I would
definitely carry this further, at least to certain keywords used. If the
former, '"();: would be a sufficient start.
Jack
-----Original Message-----
From: webappsec-bounces at lists.owasp.org
[mailto:webappsec-bounces at lists.owasp.org] On Behalf Of nnp
Sent: Saturday, April 26, 2008 1:35 PM
To: webappsec at lists.owasp.org
Subject: [Webappsec] SQL injection payloads
Hey,
As I mentioned in my previous email I'm currently making some changes
to the wapiti web application fuzzer. One potential change I'm unsure
about is regarding the actual payloads used to attempt to disrupt SQL
syntax. The current payload is as follows: \xbf'"(. That is the
character corresponding to 0xbf, a single quote, a double quote and a
left parenthesis. Do you guys think this is sufficient or should it
also include semi-colons, dashes etc? Or to be guaranteed to find any
potential injection vectors should I go a step further and try actual
SQL, e.g. UNION etc.?
Cheers,
nnp
--
http://www.smashthestack.org
http://www.unprotectedhex.com
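
Added example, not part of the original thread and not wapiti's code: the two probe strings quoted above, run against a string-concatenated query and a parameter-bound query, to show the syntax-error signal such a probe relies on and that binding removes it. The in-memory SQLite table, the function names and the use of U+00BF to stand in for the 0xbf byte are assumptions made for the illustration.

```python
import sqlite3

# Probe strings quoted in the thread. Assumption: the 0xbf byte is
# represented here as the code point U+00BF in a Python str.
PROBES = {
    "wapiti": "\xbf'\"(",   # current wapiti payload from the original post
    "reply": "'\"();:",     # character set suggested in the reply
}

def make_db():
    """Constructed sample database: one table, one row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("INSERT INTO users VALUES ('alice')")
    return db

def lookup_concat(db, name):
    # Vulnerable pattern: the input becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Hardened pattern: the input is bound as a parameter and is never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def classify(lookup, value):
    """'syntax-error' if the input broke the statement, 'data' if it was treated as a value."""
    db = make_db()
    try:
        lookup(db, value)
        return "data"
    except sqlite3.OperationalError:
        return "syntax-error"
    finally:
        db.close()

if __name__ == "__main__":
    for label, probe in PROBES.items():
        print(label, "concat:", classify(lookup_concat, probe),
              "| bound:", classify(lookup_bound, probe))
```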